INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL

General:
The performance of examinees in the IT Management, Audit and Control
paper was, in overall terms, quite disappointing. Some of the examinees
performed poorly even when attempting questions on contemporary
IT concepts such as Internet banking, outsourcing and biometrics.
Question-wise comments are provided below:

Q.1
The question was about various aspects of Internet
Banking. Part (a) required examinees to explain 'business to consumer'
(B2C) strategy in the context of Internet banking. Most of the examinees
concentrated on explaining B2C strategy alone, without reference
to Internet banking.
Part (b) required examinees to elaborate the main differences between
conventional and Internet banking. Unfortunately, some examinees
restricted themselves to relief from physically visiting the branch
and did not explain other differences such as the paperless environment,
logical security controls versus physical security controls, 24x7
banking etc.
Part (c) was the most poorly attempted part. It required identification
of the major risks associated with Internet banking along with the relevant
controls. These risks include hacker attacks, customer authentication,
the risk of repudiation and the risk arising from reliance on third-party
service providers. However, a number of examinees mentioned only hacking
and denial of service as risks, with antivirus software and a backup and
recovery plan as controls. Only a few discussed customer authentication
and none of them mentioned repudiation (refusal of a transaction).
Most of the examinees tried to describe general IT risks which
can be associated with any IT environment and are not specific to
Internet banking. This approach was not correct and was marked accordingly.

Q.2
The question was about IT outsourcing. Part (a)
required examinees to define IT outsourcing and its major benefits.
Most of the examinees provided correct answers in this area.
The second part required identification of the measures to be taken
prior to entering into an outsourcing relationship. Most of the
students emphasised matters related to the Service Level Agreement
(SLA), such as establishment of the SLA, legal opinion, contents of the SLA
and renewal/termination clauses. However, very few mentioned
other points such as alignment of outsourcing with business strategy,
due diligence and internal organisational buy-in.

Q.3
This question, about processing and output controls,
was one of the most poorly attempted questions. While examinees
had some idea about output controls, the majority provided wrong answers
regarding processing controls. A number of examinees mentioned virus
protection, uninterruptible power supply, and physical and logical access
controls as processing controls. Processing controls actually
include range checks, limit/credibility/reasonableness checks, existence
checks, format checks, consistency checks, completeness checks,
check digits, batch total controls etc.
Output controls include logging of sensitive and critical forms,
control over computer generation of important documents, control
over report distribution, printing of run-to-run totals, output error
handling, report retention, verification of receipt of reports
etc.
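The processing controls listed for Q.3, as an added example that is not part of the examiners' report: a constructed batch of keyed-in payment records is run through completeness, format, check-digit, consistency, range, limit and existence checks, and the batch as a whole is compared with its record-count and amount control totals. The run date, authorisation limit and customer master file are assumed values.

```python
from datetime import date
# Constructed example data (not from the report); limits and the customer master are assumed.
PROCESSING_DATE, AUTHORISED_LIMIT = date(2024, 3, 5), 50000.00   # assumed run date and per-transaction limit
KNOWN_CUSTOMERS = {"C100", "C200", "C300"}                        # constructed customer master (existence check)
BATCH_HEADER = {"record_count": 4, "amount_total": 2050.00}       # control totals written on the batch slip
RECORDS = [
    {"id": 1, "acct": "79927398713", "amount": 250.0, "date": "2024-03-01", "type": "DR", "cust": "C100"},
    {"id": 2, "acct": "79927398710", "amount": 400.0, "date": "2024-03-01", "type": "CR", "cust": "C200"},
    {"id": 3, "acct": "12345674", "amount": 60000.0, "date": "2024-13-01", "type": "DR", "cust": "C300"},
    {"id": 4, "acct": "12345674", "amount": 800.0, "date": "2024-03-02", "type": "", "cust": "C999"},
]

def luhn_ok(number):
    """Check-digit control: mod-10 (Luhn) over the account number; assumes a digits-only string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)    # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0
def validate_record(rec):
    """Return the names of the processing controls a single record fails."""
    failed = []
    acct, amt, dt = rec.get("acct", ""), rec.get("amount", 0), rec.get("date", "")
    if any(rec.get(f) in (None, "") for f in ("acct", "amount", "date", "type", "cust")):
        failed.append("completeness")            # every mandatory field keyed
    try:
        posted = date.fromisoformat(dt)          # layout and calendar validity (e.g. month 13)
    except ValueError:
        posted = None
    if not acct.isdigit() or posted is None:
        failed.append("format")
    elif not luhn_ok(acct):
        failed.append("check digit")             # transposed or mis-keyed account number
    if posted and posted > PROCESSING_DATE:
        failed.append("consistency")             # posting date after the run date
    if amt <= 0:
        failed.append("range")                   # amounts must be positive
    elif amt > AUTHORISED_LIMIT:
        failed.append("limit")                   # reasonableness / authorisation limit
    if rec.get("cust") not in KNOWN_CUSTOMERS:
        failed.append("existence")               # customer must be on the master file
    return failed
def validate_batch(header, records):
    """Batch total controls: record count and amount total versus the batch slip."""
    batch = []
    if len(records) != header["record_count"]:
        batch.append("record count")
    if round(sum(r["amount"] for r in records), 2) != header["amount_total"]:
        batch.append("amount total")             # here 60000 was keyed where the slip says 600
    return {r["id"]: validate_record(r) for r in records}, batch
```

Record 3 shows why both a per-record limit check and a batch amount total are wanted: either alone catches the keying error, and together they also localise it.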

Q.4
This question described a highly insecure IT environment and required examinees
to identify the key risks, their consequences and the relevant controls. While some
examinees attempted this question well, either partly or fully, a significant
number could not provide valid answers to this practical
but very easy question. The risks in the given case study environment
included use of a generic branch name as the user ID, lack of password controls,
lack of system and user documentation, lack of change management controls,
Internet connectivity without a firewall, lack of a disaster recovery
plan and placement of the back-up in the server room. The controls to
mitigate these risks are self-evident. Most examinees could not capitalise
on this easy scoring opportunity.

Q.5
The question about ERP was generally well attempted. Interestingly, some
examinees mentioned typical ERP packages such as JD Edwards, SAP and BAAN
as sub-systems of an ERP. The sub-systems of an ERP include General Ledger,
Material Management, Procurement, Order Entry, HR, Production Planning,
Fixed Assets etc. Most of the examinees specified at least four of
these sub-systems. The benefits of ERP include a company-wide integrated
system, a paperless environment, cost control, elimination of duplication
etc. The part regarding hidden ERP costs was also well attempted; however,
some examinees included costs such as implementation cost, security cost
and hardware and software costs. Such costs cannot be classified as hidden
costs.

Q.6
The question about COBIT was poorly attempted by the majority of the examinees.
COBIT is one of the leading IT governance models, and the lack of awareness
regarding it is quite surprising. Examinees should know that the
audience of COBIT includes management, users and auditors. The four
domains of COBIT's high-level classification of control objectives
are planning and organisation; acquisition and implementation;
delivery and support; and monitoring.

Q.7
The question was about the help desk, which is a common IT service function.
Although the majority of the examinees secured passing marks, the answers
should have been better. Some stated that a help desk is a software
tool, just like the online help facility of Microsoft Windows. Some examinees
tried to explain the process of establishing a help desk, which
was not required. Examinees should know that a help desk is a facility
provided to assist IT users in solving routine IT problems.

Q.8
This question focused on Generalized Audit Software (GAS). Many examinees
confused this with computer-assisted audit techniques (CAATs) and
described CAATs, which was not required. Examinees should note that
GAS is one of the tools used in CAATs and that the question focused
on GAS, not on CAATs.
Common functions of GAS include testing the integrity of data files,
testing the functioning of data editing and validation controls, checking
the accuracy of calculations performed by the system, selecting a statistical
sample, selecting transactions meeting specific criteria etc. Many
of the examinees cited cost effectiveness as one of the advantages
of using GAS; however, GAS packages are usually very costly. In fact, licensing
cost is one of the factors prohibiting their extensive usage.

Q.9
The question pertaining to capacity planning was
indisputably the most poorly attempted question of the paper. Although
some aspects of this question require a deeper knowledge of the
subject, the concept itself is a commonly known one. The goals of
capacity planning include cost savings, ensuring that application
systems are properly designed and configured to give efficient performance,
and ensuring that they have sufficient capacity for present and
future operations.
The units of measurement of computer capacity include millions
of instructions processed per second (MIPS), network instructions
per second (NIPS), total megabytes of disk storage allocated or
used at a time etc. Most of the examinees provided general examples
such as processor speed and hard disk usage, rather than specific
examples like those mentioned above.
Extremely few examinees could identify methods of capacity planning,
which include intuitive models, mathematical or statistical models,
simulation etc.

Q.10
The question about identity management was one of the easiest questions
of the paper, and surprisingly it too was not as well attempted as
it should have been. Many examinees correctly identified the approaches
to verifying a person's identity, which include something you know (a password),
something you have (an access card) and something you are (a biometric
solution). However, some of them totally ignored the requirement
to select the best solution out of the above, and in certain
cases appropriate reasons for their selection were not given. As a
password can be cracked and an access card can be stolen, a
biometric solution provides the greatest level of security. In part (b)
most of the examinees did mention at least some of the commonly used
biometric solutions, such as fingerprints, hand geometry and iris recognition.