Part (1) Case Study Questions

Case 1: Encosta Memories 1. (a) De Lagos statement Once the system is acquired then the business can get back to normal and do what it does best take photos without having to spend money on IT is not correct.

(b) A number of issues need to be resolved before Encosta Memories can continue their daily operations. They might need to spend money on IT, such as in the training and/or employment of staff in using the system and making sure they understand how it operates as they might not be familiar with the new technology. They might even need to conduct maintenance and monitor the system as a security check to prevent any problems and/or errors in its operation.

2. It may not be necessary for Encosta Memories to employ a programmer to design a new system if the company decides to use pre-developed programs or systems that can be applied to the business easily. These are usually ready to be used and implemented in the business which also waives the cost of programming and development since the program exists.

3. Encosta Memories should consider using the Application Service Provider (ASP) over SDLC and Outsourcing. Under ASP, Encosta Memories would be able to lease up-to-date software applications and remain competitive. The cost of maintaining the system would also be reduced since many organisations and users can also use the same software, meaning the cost can be shared amongst others. This would be cheaper than developing the system. The ASP has the ability to update and fix bugs therefore reducing the cost of maintenance. This does not mean maintenance does not occur. Encosta Memories still needs to have protections in place to make the system and company more secure. It would also be quicker to put the ASP system in place, giving Encosta Memories more time to focus on its core areas and manage its daily operations in an effective and efficient way. Although customisation and quality plays a major role in the business with a reputation for having high-quality photos and long period arrangements with their customers, which may be a holdback, most tasks can be performed by the ASP.

Encosta Memories should not use outsourcing since their business is of a relative small size, meaning it should be able to handle its data and manage technology. Whilst the SDLC method covers the quality aspect of the business, it would also be unsuitable for Encosta Memories as it is a time-consuming process. The SDLC approach needs a lot of people to manage the system and is also costly in terms of maintenance and implementing the system. Thus, Encosta Memories should be encouraged to use the ASP method as it minimises cost of maintenance due to its inbuilt function of updating and automatic fixing up of some and/or most faults.

4. Five typical problems of systems development Encosta Memories may face when developing the new system include conflict, escalation of commitment, project goal issues, technical skills and interpersonal skills.

When there is no common ground or no clear agreement between the employees of the business, management, the designers and the users, conflict can arise. This can result from poor communication, leading to results different from what Encosta Memories actually wanted.

There can also be an escalation of commitment where progress on a project is not going to plan and should therefore be modified or discarded. Encosta Memories needs to make sure they choose a project that can be delivered in a reasonable timeframe and follow procedures without incurring extra costs and time.

Furthermore, Encosta Memories may also have project goal issues. It is important that the business adopted project has clear goals and objectives at all stages of the development process and also understand the significance of what the system would bring to the organisation.

Encosta Memories need to make sure they have staff are knowledgeable and are skilled when developing the system and making sure all tasks are accomplished on time. This can also be linked to process and people skills relating to communication and solving conflicts and the business operation in development of the system. Encosta Memories should identify any errors regarding skills early in order to avoid future problems.

Finally, Encosta Memories should look at enhancing interpersonal skills. This can be linked to communication, where the designers idea of what the solution should be may be different to what the organisation wants. Therefore, working together as a team and understanding all viewpoints before coming to a proposed solution is very important and would lead to satisfaction among users.

5. Encosta Memories would buy the new system as it takes a long time to develop a process and needs a lot of people and expertise to come up with a system that suits the business. Although a customised system is favourable, this takes a lot of time to develop, so by the time the system is tested and ready to be used, it may be out-dated again. This is because the system may need to be modified or changed in the future due to the changing environment such as technology and also users needs. There are a lot of technology and systems that are readily available. This would reduce time and cost in the business to discuss, program and develop a new system. Training employees to use the new system may be a cost and user acceptance may take some time, but weighed against the other benefits, buying the new system instead of making the system would be a better option.

6. Encosta Memories could select a vendor based on the request for proposal (RFP) approach. They should give someone the responsibility of looking after the selection process and prepare an RFP from. This is a form that is sent to potential vendors which contain valuable information about the companys current system, problems associated with systems development, the companys aims and future expectations. The chosen vendors should be asked to come and give a brief demonstration about their product and how it would meet the needs of Encosta Memories. They could even check customer satisfaction of the vendors previous clients before negotiating and selecting a vendor for the new system.

7. Encosta Memories should not rely on one vendor. If their single vendor fails to perform or complete the tasks as scheduled or misses out important details, this would halt the whole design system process and the operations of the business. For example, if there is an error with the photo machine or photo camera, this would lead to the loss of customers and the business can therefore not operate due to the systems and technology failure, which is the main part of the business. Everything would be in chaos and contracts with the school about photo dates would have to be delayed. This could even bring down the companys reputation, and all of Encostas hard work to get its image into the market would have been wasted.

Another point could be bargaining power. Since Encosta Memories is a small company, it should have more than one vendor available. Having only one vendor for the system would give them the opportunity to charge higher rates, as it knows the company does not have any others and is therefore heavily reliant on that one vendor. This is not cost effective or logical. Furthermore, having one vendor would lead to less suggestions and perspectives as the business would only take into the account the expertise of one vendor for the system. Having more than one could lead to having a more efficient and accurate system as the management could negotiate with the vendor about other options and/or ways to make the system better, be up-to-date technology and last in the long-run. Thus, it is not recommended for Encosta Memories to rely only one vendor due to the wide-ranging consequences and its effects in the long term.

Case 2: Dealing with Computer Systems

Risk

Control be prevented

Present

Gen/App

Confidentiality of results and details Could

through Control is indirectly hinted General

of customers regarding their address, segregation contact number and order details

of

duties

and where only John, one of the Control

responsibilities as well as having staff members is allowed to security measures in place. This is perform data entries. There where only some employees have could also be extra

the authority to access certain precautions such as having sections. Also need to make sure separate computers or

only that selected people such as passwords in place, so that John can log onto the computer general users have limited with customer details and orders. access to important files and This can eliminate fraud. other programs such as data entry details. User access regarding secure Could have stronger password This control is currently not General and more unique available in the organisation Control

passwords. Passwords that are fixed settings

and generated for each employee and usernames and ID. Instead of and should be applied. user may cause them to write it having a fixed password for each down. This can cause security issues, user, the option of changing especially when another employee or passwords on a periodic basis any user comes across the written should be made available. This password. This problem is amplified would address the security issue when the usernames are very simple, of confidential passwords made using the letters of their names. This public. User names should also be makes it easier for someone to know made more complex, so it would the password and username. The be harder for someone to guess. passwords can also not be changed, meaning the employee may not know if someone has logged on the computer system using their details. Since there is only one staff member, Having an independent review of The computer automatically Application John, in charge of data entry, there is the orders and balances before checks for errors in the Control a risk of manipulation of results. He submitting the orders to suppliers business and indicates the may have omitted some transactions or other parts of the organisation. number of orders, but it will whilst performing this key task and The organisation could also run a not pick up any missed may not be honest with the results. reconciliation check to make sure information in quantity and

there are no errors in the system amounts not typed and/or regarding the number of orders. transferred correctly. John should also not ignore the results generated by the system and check through the orders. Data entry routines focusing on the John could use run-to-run totals This control is missing, but Application manual entering of customer orders and batch totals as a control they do have a computer Control and details into the system. John, in measure to make sure he hasnt system that gives a signal charge of data entry may accidently missed any vital records and that and have error messages record something wrong in the price figures entered match up to when not all details are system, such as the number and types the orders. Could also have a log filled in. However, this does of orders. analysis and review the stores past not cover the accuracy of events and past data so it is the results and figures being possible to trace back and fix the entered. mistake if an error has been detected. Risk of the data entering system in There should be a back-up system The breaking down from threats such as in place, stored in idea of having a General

another recovery plan is absent from Control

viruses or natural disasters such as a location. The back-up procedure the case. fire, which may lead to loss of could be conducted on a regular information/data of the orders and basis to achieve current accurate the system itself. results if there is system failure.

Part (2) Short answer questions

1. (a) Corporate Governance has several departments, where IT Governance falls into one of its categories. IT Governance deals with the control and management of IT systems in an

organisation. This forms a clear structure and determines the goals and visions of the organisation and how they can be accomplished. IT governance also links IT processes and its resources to achieve its short and long-term objectives and be successful in the future.

Some objectives of IT governance is making sure those strategies adds value and are aligned with to the goals of the organisation those objectives also have to be achievable. It is also important that the strategies, goals and IT being implemented would aid in the business operation lead to opportunities in the future. The organisation should also have the correct measures and techniques in place to manage risks in case there is an IT problem and have a back-up plan in place. Furthermore, it is essential that efficient and accurate information and data are provided from IT and its resources and that those resources are responsibly used in an ethically and morally manner.

(b) The COSO models have five components, two of which are risk assessment and control activities. Risk assessment is basically the organisation in knowing possible risks that can affect and/or delay the achievement of their objectives. This has a relationship between control activities where a response is devised to prevent the risk from occurring from in the first place. The control activities act as a barrier to prevent errors that may occur in the organisation and reduce the risks. An example could be introducing systems or processes to check for missing transactions or data which would prevent the risk of having incomplete transactions and therefore incorrect reports which management use to make decisions.

2. Positions/Duties Cashier Payroll Processor Recording, or authorisation, or custody Custody Recording

Credit Clerk Mailroom Clerk Data Entry Clerk Deliver Paychecks Deliver the Bank Deposit Prepare the Bank Reconciliation Check Signer Inventory Warehouse Supervisor

Authorisation Custody Recording Custody Authorisation Recording Authorisation Recording

3. Not all of the information systems development methodologies are mutually exclusive. For example, a large company may be able to have more than one going on at the same time, such as prototyping and the systems development life cycle if they have can afford for the lost time and cost because they are concerned about issues such as quality and customisation, where the benefits outweigh the negatives.

Prototyping, a scale down model, is an alternate methodology from the commonly used Systems Development Life Cycle (SDLC). Prototyping speeds the development process and can improve products or add features much quicker than the SDLC method. There is also more customisation as an agreement is made together with the users who provide feedback and changes are made to correspond to their needs. Using the SDLC approach is not only more time consuming but also more costly. By the time the SDLC method has come to a conclusion there may be other issues that have arisen in the organisations environment. This means they have to go back and do more research before beginning and adapting its system again. Prototyping is a more efficient methodology looked from those two perspectives development process and customisation occurs much quicker and is also less costly.