E13 Itmac
December 1, 2008
Q.1 Tehqeeq (Private) Limited (TPL) provides research and development services to varied
businesses. TPL makes intensive use of Information Technology (IT) to support its
activities. Two high configuration machines are dedicated for important research
activities. Besides, several other machines are installed in other departments of TPL.
Mr. Ghalib has recently joined TPL as their IT Head. In due course, he has realized that
there is no formal planning of the company’s information technology needs. Although
the Management understands the importance of the IT function and the need for upgrading IT
resources to meet its needs, it has not yet prepared a formal documented IT strategy.
High costs associated with the preparation and maintenance of a documented IT
strategy have been one of the reasons for the management’s reluctance in this regard.
Required:
Prepare a note addressed to the BoD explaining the following:
(a) Operational and strategic IT plans and their typical contents (08)
(b) Advantages of developing an IT strategic plan. (04)
(c) Factors to be considered while developing the IT strategy. (04)
Q.2 After a recent security breach of information systems in PRB Enterprises, an emergency
meeting was called by Board of Directors of the company in which members of
executive management, steering committee and chief information security officer also
participated. Unfortunately, instead of finding the root cause of the security breach and
determining the future course of action for managing various risks to which the
organization may be exposed, the meeting was marred by finger-pointing.
Required:
(a) List major steps for a ‘security incident handling and response’ mechanism in an
organization. (07)
(b) Identify at least two important responsibilities related to “Risk Management”, for
each of the following:
Board of Directors
Steering Committee
Executive Management
Chief Information Security Officer (06)
Q.3 Talib Dairy Limited (TDL) produces various milk products. Its dairy farm is situated in
the northern part of the country and it has a countrywide chain of sales and distribution
outlets. In order to meet the growing needs of their products and timely availability at
all places, the management is considering implementation of a web based solution for
their sales and inventory management. Initial study in this regard shows that the
solution will involve high up-front costs and a time span of around eighteen months for
complete implementation of the solution. However, their consultant has suggested that
TDL should make arrangements with a reputable ‘Application Service Provider’ (ASP)
instead of going for their own software.
Required:
The management does not have a clear understanding of the role of ASPs and it has
requested the consultant to explain the following:
(a) Why the appointment of an ASP is a better option for TDL? (06)
(b) The important factors which TDL needs to consider while negotiating
arrangements with an ASP. (08)
(c) Drawbacks of using an ASP. (03)
Q.4 Elite Textiles Limited (ETL) was established in 1995 as a spinning unit. Over the years,
it has diversified into other related businesses and has established various units across
the country. Meanwhile, the company has developed software for various areas of its
operations. However, it is felt that there is a lot of duplication of work and complex
reports have to be prepared by using spreadsheets. The management has now decided to
switch to an ERP System. To ensure the success of the project, the management has
formed an ERP Steering Committee, headed by the CFO.
Required:
You are required to explain the following to the CFO:
(a) The role and responsibilities of ERP Steering Committee. (05)
(b) Three common ways of implementing ERP solution and the method which is most
appropriate for ETL. (05)
(c) The steps that are generally involved in implementation of an ERP solution. (06)
Q.5 During a recent meeting, the management of Mahir Chemicals Limited (MCL) had
noted with serious concern that the knowledge base available with the company is not
being used efficiently. Quite frequently, valuable resources are wasted on generating
information which is already available with other departments/locations. To cope with
the situation, a senior executive had suggested creation and maintenance of a Knowledge
Management System (KMS).
Required:
As the Head of IT, the Management has asked you to explain:
(a) Knowledge Management Systems and their functions. (03)
(b) The advantages of Knowledge Management Systems. (03)
(c) Give three examples of systems that can facilitate:
Knowledge distribution
Knowledge sharing (03)
Q.6 In the current environment, almost every aspect of personal information is increasingly
being stored in digital form. Consequently, the organizations acknowledge the need for
protecting personal and confidential data available with them, from unauthorized
individuals and entities.
Required:
(a) Explain the benefits of good privacy controls for businesses. (03)
(b) List six best practices to be adopted for effective data privacy management in a
business environment. (06)
Q.7 The Human Resources Department of Sensible Investment Fund (SIF) is in the process
of compiling a staff manual. While formulating policies for recruitment and
termination of IT staff, the HR Manager requested the IT Manager to give his input on
the same.
Required:
You are required to:
(a) Identify common controls which should be considered while hiring IT personnel. (02)
(b) List the control procedures that should be followed when an IT staff member leaves SIF. (03)
Q.8 Business organizations face a number of risks which are, at times, unavoidable.
Progressive business concerns seek to create an environment that can identify and
manage those risks. Developing a Business Continuity Plan (BCP) helps to develop
such an environment in an organization.
Required:
List any nine steps which you would consider important while assessing whether or not
the BCP is effective and comprehensive. (09)
Q.9 Mr. Akhlaq is conducting the information systems audit of Varied Services Limited
(VSL). Some of the policies regarding users’ accounts listed by the IT Manager are as
follows:
Required:
Describe the manual tests that Mr. Akhlaq should perform to verify that the settings
communicated by the IT manager are actually working. (06)
(THE END)