INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL

All questions were simple and most candidates attempted all of them, but their performance was not up to the mark.

It is being observed again that candidates were not able to relate the amount of material produced in their answers to the marks allocated, besides producing heavy and unnecessary detail.

Question-wise comments are as follows:

Q.1
It required candidates to describe computer crimes and frauds as well as their preventive or detective controls. The question was relatively easy in the sense that the topic under discussion is quite common and very relevant to practical issues faced today. While a reasonable number of candidates attempted this question well, the majority were not able to mention more than three types of crime. Most of them knew about hacking, viruses and theft. However, there are other crimes, such as data diddling, superzapping, piggybacking and eavesdropping, which were missed by most candidates. It should be noted that physical theft of computers/hardware and terrorist attacks on computer installations are considered crimes, but not computer-based crimes. Some candidates had repeatedly written salami technique and rounding off as two different crimes, whereas they represent the same thing.

Q.2
This was the easiest question, and results were above average, as it only required definitions of commonly used terminology. However, a number of candidates were unable to define Router, Switch, Multiplexer and ISDN. Some of them described the File Server and NIC as software used to connect computers. Similarly, ‘switch’ was explained in the context of supplying power to computers, and ‘firewall’ as a wall built to protect computers from fire. Candidates should note that the role of each of the given terms is clearly defined in the context of networking. For example, a switch is a device which acts like a hub, but instead of transmitting a message/data to the whole network, it transmits it only to the intended recipient.
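As an added illustration of the hub-versus-switch point above (example code written for this page, not part of the examiner's report), the following Python model shows why a hub repeats every frame to every port while a switch delivers a frame only to the port where the destination was learned. The learn-from-source, flood-when-unknown behaviour is the standard learning-switch model, which the report does not spell out; host names, port numbers and MAC addresses are constructed.

```python
# Simplified model of a hub versus a learning switch (added example).
# Hub: every frame is repeated to all ports except the one it arrived on,
# so every attached host can observe everyone else's traffic.
# Switch: records which port each source MAC address was seen on and
# forwards a frame only to its destination's port, flooding only while
# the destination is still unknown.
# Port numbers and MAC addresses below are constructed for the example.

class Hub:
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        # Every port except the ingress port receives the frame.
        return sorted(p for p in self.ports if p != in_port)


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src, dst):
        # Learn (or refresh) the port of the frame's source address.
        self.mac_table[src] = in_port
        out_port = self.mac_table.get(dst)
        if out_port is None or out_port == in_port:
            # Unknown destination (or a stale entry pointing back at the
            # ingress port): fall back to hub-like flooding for this frame.
            return sorted(p for p in self.ports if p != in_port)
        return [out_port]


def deliver(device, frames):
    """Run (in_port, src, dst) frames through a device; return receivers of each."""
    return [device.forward(*frame) for frame in frames]


# Constructed sample traffic: host A on port 1, B on port 2, C on port 3.
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
SAMPLE = [(1, A, B), (2, B, A), (1, A, B), (3, C, A)]

if __name__ == "__main__":
    print("hub   :", deliver(Hub([1, 2, 3]), SAMPLE))
    print("switch:", deliver(LearningSwitch([1, 2, 3]), SAMPLE))
```

Only the first frame is flooded by the switch; once both hosts have been learned, a third host on port 3 never sees the A-to-B conversation, which is the exposure difference the eavesdropping crime in Q.1 turns on.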

Q.3
(a)
Candidates described CAATs as computer-assisted audit techniques, but most of them were unable to identify the areas where these can generally be used. CAATs may be used in performing various audit procedures, including:
- Tests of details of transactions and balances
- Analytical review procedures
- Compliance tests of controls
- Penetration testing

(b)
A number of candidates were unable to write the factors to be considered while using CAATs. Some of the factors which the auditor should consider are: the auditor’s computer knowledge and expertise; the efficiency and effectiveness of using CAATs over manual techniques; time constraints; the level and type of audit risk; and cost-benefit analysis.

(c)
Candidates mostly mentioned test data and generalized audit software only. Very few could mention other types of CAATs, such as utility software, specialized audit software and audit expert systems.

Q.4
This was attempted in detail by most of the candidates. However, most did not follow the requirement of addressing risk analysis, functional user procedures and testing/recovery procedures separately. On average, candidates were able to list at least some points about these areas, with or without the category heading, and were able to obtain passing marks.

Q.5
(a)
The majority of candidates successfully described an ERP and secured good marks.

(b)
A number of candidates listed three examples of ERP systems instead of four. Many candidates mentioned Oracle without taking the trouble to add the word ‘Financials’.

(c)
This was one of the poorly attempted questions. Candidates were required to discuss the two phases of implementation in the light of the IFAC guideline. These phases are described in Appendix 1 of IFAC Guideline No. 4, according to which the two phases of package software implementation are: (i) prototyping and (ii) full deployment of the software. Many candidates discussed the SDLC or IFAC guidelines in general, which was not required.

Q.6
This question, pertaining to distributed data processing, was one of the easy questions and was attempted well by most of the candidates. However, some of them were confused and wrongly formulated their answers on the basis that the technique involves the use of a central mainframe computer.

Q.7
The question required explaining the term IT governance and listing its basic elements. Most of the candidates were ignorant of its definition and core components. This is a worrying sign about the candidates’ level of knowledge of issues currently at the heart of the IT management and audit discipline. Candidates should note that IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership, organizational structure and processes which ensure that the organization’s IT sustains and extends its strategies and objectives.

Q.8
This question attempted to address a contemporary issue which has practically changed the IT landscape of today. From the stifling monopoly of Microsoft Windows and Internet Explorer to the success and openness of the Linux operating system, the Firefox browser and more, the signs of the open source revolution are everywhere. However, most of the candidates failed to list the key characteristics of open source software. Most of them listed vulnerability, low system support, platform independence and availability of source code to users. However, they were unable to identify that in the case of open source software there is no restriction on redistribution, and that modifications and derived works are allowed to be distributed under the same terms as those of the original software.

Q.9
This question addressed a very relevant topic, but the majority of candidates showed their lack of touch with the real issues. The major weaknesses observed in each part were as follows:

(a)
Only a few candidates included job specification, background references and screening of applicants for mental and physical health in their list of key considerations.

(b)
The majority of the candidates focused only on education and training of employees and ignored the importance of performance monitoring and constructive feedback by management.

(c)
Most of the candidates focused on scenarios in which a worker should be fired, rather than listing the factors to be considered before taking such a decision.

Q.10
The majority of the candidates obtained poor marks. The question required the candidates to list the steps to be followed in evaluating system efficiency, such as objective formulation, performance criteria identification, etc. However, most of the candidates explained the tests conducted and areas reviewed during the fieldwork phase, such as system testing and reporting capability, which were not performed.

Q.11
This question was about the factors to be considered while reviewing the replacement/updating of IT solutions. It was generally well attempted by candidates, most of whom provided at least some of the valid factors which should be considered prior to making such a decision.

Q.12
This was one of the easy questions, as it required candidates to draft a sample IT security policy. However, a variety of answers was obtained. Some of them focused on addressing narrow areas such as password change, invalid login counts and the use of door locks, instead of addressing high-level policy areas such as logical and physical access controls. Other candidates chose not to formulate a policy at all and instead listed the properties of a formal IT security policy, an approach which resulted in the loss of at least some marks.