
INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL


Suggested Answers 
Final Examination ‐ Summer 2014 

Ans.1 (a) IT Outsourcing


IT outsourcing refers to outsourcing all or parts of IT functions to an external party. By
this option, XBL may hire an outsourcing agent and use its well trained, experienced
and polite workforce for the fulfillment of the desired tasks.

XBL may derive following advantages by outsourcing its IT support services:

(i) XBL may start its full-fledged operations within the targeted time.
(ii) Experienced working team would be available to XBL from Day 1.
(iii) XBL would be free from substantial HR-related overheads and issues, as the
outsourcing agent would be responsible for hiring, firing, training and salary
issues.
(iv) More services may be available to XBL at lower price, especially for 24/7/365
days requirement.

(b) There are some inherent risks associated with the outsourcing of IT services; however,
most of these risks could be mitigated if appropriate clauses have been included in the
outsourcing agreement.

No. Risks and suggested measures

(i) Risk: High security risk, as the system will be exposed to outsiders.
    Suggested measure: Confidentiality agreement with the outsourced service provider.
(ii) Risk: Outsourced staff may be frequently changed by the outsourcing agent, which
    may extend the learning curve, and XBL may never be able to get the efficiency of
    a fully trained team.
    Suggested measures: Appropriate clauses shall be included in the agreement to bind
    the outsourcing agent to:
    • deploy staff on a long-term basis;
    • deploy dedicated resources at the critical areas.
(iii) Risk: There is a risk to the business continuity of XBL on account of either a
    dispute with the outsourcing agent or the outsourcing agent going out of business.
    Suggested measures:
    • Business continuity management would be part of the contract.
    • Make an arrangement with another outsourcing agent to handle XBL’s systems in
      case the contract with the outsourcing agent is terminated abruptly.
(iv) Risk: The outsourcing agent may fail to deliver the agreed level of services.
    Suggested measure: Define a penalty clause in case of non-fulfilment of agreed
    service levels.

(c) XBL should consider the following matters in making a choice between the two service
providers:
(i) Prices offered by each vendor for its deliverables in comparison with the other.
(ii) Financial viability – through its past annual reports and market feedback, etc.
(iii) Available resources – manpower, machines, infrastructure etc.
(iv) Commitment to quality – through its existing clients and market feedback.
(v) Controls in place for disaster recovery and continuity of operations.
(vi) Comprehensive insurance and commitment to compensate the client’s loss.

Ans.2 (a) The hacker may have been able to penetrate NC’s network due to the following reasons:
(i) Though the firewall was well configured, its default password may not have been
changed. This gives the hacker an easy opportunity to break into the network.
(ii) The firewall logs may not be reviewed vigilantly or may not be reviewed
periodically at an appropriate level. Hence any unauthorized attempt to violate
the firewall policy may remain undetected, which gives the hacker ample opportunity
to find and exploit the weaknesses in the firewall policy.

(iii) There may exist some systems on the network that connect to the Internet
bypassing the firewall. Such systems give the hacker a firewall-free passage to
attack the network.
(iv) The method and periodicity of antivirus repository updates is not specified. The
larger the gap between two successive updates of the antivirus repository, the
greater the chance for a hacker to inject malicious code into the system.
(v) No software is installed at NC that can analyse and detect files/objects with
suspected behavior. This gives rise to the possibility of advanced attacks such as
zero-day or advanced persistent threat attacks, as a properly configured firewall
and updated antivirus definitions are not capable of countering such attacks.
(vi) Users may not be aware of the risks associated with sharing of passwords and/or
keeping a common password for official and all personal/social networking sites.
Such mistakes by users give hackers an opportunity to exploit.
(vii) Controls as regards terminated employees are not specified. If the user IDs of
terminated employees are not deleted immediately, such employees may access
the company’s network using their credentials.
(viii) Users may not be aware of the risks of storing confidential documents on the
shared drive. Some high-privilege user may have stored such information on the
shared network drive, which may have been exposed to low-privilege users and
hence reached the hands of unauthorized users.
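Reason (ii) above concerns firewall logs that are not reviewed. The script below is an added example, not part of the suggested answer, showing one mechanical form of that review: it parses constructed deny/accept log lines and flags sources that are repeatedly denied within a short window, which is the kind of policy-violation pattern a periodic review at the appropriate level should surface. The log format, the hosts, ports and timestamps, and the threshold are all assumptions made for the example.

```python
"""Periodic review of firewall deny logs (added example for Ans.2(a)(ii); not part of the
suggested answer). Log format, hosts, ports and threshold are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like format; every address and port is invented.
SAMPLE_LOG = """\
2014-06-01T09:00:01 DENY TCP 203.0.113.7:51001 -> 192.0.2.10:22
2014-06-01T09:00:02 DENY TCP 203.0.113.7:51002 -> 192.0.2.10:23
2014-06-01T09:00:03 DENY TCP 203.0.113.7:51003 -> 192.0.2.10:3389
2014-06-01T09:00:04 DENY TCP 203.0.113.7:51004 -> 192.0.2.10:445
2014-06-01T09:00:05 DENY TCP 203.0.113.7:51005 -> 192.0.2.10:1433
2014-06-01T09:05:00 ACCEPT TCP 198.51.100.4:40000 -> 192.0.2.10:443
2014-06-01T09:06:00 DENY UDP 198.51.100.9:5353 -> 192.0.2.10:161
2014-06-01T10:30:00 DENY TCP 203.0.113.7:51006 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def flag_repeat_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` DENY events inside any sliding `window`.
    Returns {source: highest count seen in one window}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "DENY":
            by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # shrink window from the left
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[src] = max(flagged.get(src, 0), hits)
    return flagged


def denied_ports_by_source(events):
    """Distinct destination ports each source was denied on (many ports suggests probing)."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items()}


def review(text, threshold=5):
    """Summary a reviewer would look at: volumes, repeat offenders and the ports involved."""
    events = parse_log(text)
    return {
        "total": len(events),
        "denied": sum(1 for e in events if e["action"] == "DENY"),
        "repeat_offenders": flag_repeat_offenders(events, threshold),
        "ports": denied_ports_by_source(events),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(f"{report['denied']} of {report['total']} events were denied")
    for src, hits in report["repeat_offenders"].items():
        print(f"REVIEW: {src} denied {hits} times within 10 minutes on ports {report['ports'][src]}")
```

The sliding window matters: the same source appears again an hour and a half later, and that isolated deny is counted in the totals but does not by itself raise the flag, so the review surfaces the burst rather than every single rejected packet.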

(b) Penetration Testing


A penetration test is an authorized, carefully managed and structured analysis of the
security of a system or network. The purpose of a penetration test is to simulate the type
of attack that an unethical hacker would conduct in order to determine if the client is
vulnerable to a hacking attack.

NC should undertake penetration testing because it would help to:


(i) determine the effectiveness of the security controls NC has put into place;
(ii) determine the vulnerabilities relating to a particular threat;
(iii) alert the upper management to the security threat that may exist in its systems or
operations;
(iv) identify the areas for improvement or areas where additional countermeasures are
required;
(v) regain its lost trust and confidence after the network security breach and enhance
its position in the marketplace; and
(vi) fulfil the audit recommendation.

Ans.3 (a) To ensure successful data migration, the following objectives should be achieved:

• Completeness: Ensure the completeness of the data conversion, i.e., the complete
data is converted from source to destination.
• Integrity: The data should not be altered by any person or program during transfer
to the new system.
• Confidentiality: The confidentiality of the data should be ensured.
• Consistency: Ensure that the data is consistent within the defined ranges of data
conversion.

(b) Key steps that should be taken during data conversion are as follows:
(i) Establish the parameters/criteria for successful conversion.
(ii) Identify business owners responsible for data conversion validation and signing
off.
(iii) Determine what data should be converted programmatically and what, if any,
should be converted manually.
(iv) Perform the data cleansing ahead of conversion.

(v) Identify the methods to be used to verify the conversion, such as automated file
comparisons, comparing record counts and control totals, etc.
(vi) Scheduling the sequence of data conversion tasks
(vii) Design audit trail reports to document the conversion, including data mappings
and transformations.
(viii) Design exception reports that will record any items that cannot be converted
automatically.
(ix) Development and testing of conversion programs, including functionality and
performance.
(x) Performing one or more conversion rehearsals to familiarize persons with the
sequence of events and their roles and to test conversion process end-to-end with
real data.
(xi) Running the actual conversion with all necessary personnel onsite, or at least
able to be contacted.
(xii) Final testing of the converted data.
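Steps (v) and (viii) above name the verification methods (record counts, control totals) and the exception report. The script below is an added example, not part of the suggested answer: it carries a small constructed legacy extract through a programmatic conversion, reports the record it cannot convert, and then reconciles the record count, an amount control total and a hash total of the account keys between source and destination. The extract layout, the status mapping and every value are assumptions made for the example.

```python
"""Verifying a data conversion with record counts, control totals and an exception report.
Added example for Ans.3(b) steps (v) and (viii); not part of the suggested answer.
The legacy layout, the field mapping and all values are constructed for the example."""
import hashlib
from decimal import Decimal, InvalidOperation

# Constructed legacy extract: account id | name | balance | status code, one record per line.
SOURCE_EXTRACT = """\
ACC001|Ahmed Traders|12500.50|A
ACC002|Bright Stores|0.00|A
ACC003|Cotton Mills|-320.75|C
ACC004|Delta Foods|abc|A
ACC005|Echo Pharma|9000.00|A
"""

# Documented data mapping (part of the audit trail for the conversion).
STATUS_MAP = {"A": "ACTIVE", "C": "CLOSED"}


def convert(source_text):
    """Programmatic conversion to the new layout. Returns (converted, exceptions): every
    source record lands in exactly one of the two lists, nothing is guessed or dropped."""
    converted, exceptions = [], []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        fields = line.split("|")
        if len(fields) != 4:
            exceptions.append((lineno, line, "wrong field count"))
            continue
        acc, name, amount, status = fields
        try:
            balance = Decimal(amount)
        except InvalidOperation:
            exceptions.append((lineno, line, f"non-numeric balance {amount!r}"))
            continue
        if status not in STATUS_MAP:
            exceptions.append((lineno, line, f"unmapped status {status!r}"))
            continue
        converted.append({"account_id": acc, "name": name.strip(),
                          "balance": balance, "status": STATUS_MAP[status]})
    return converted, exceptions


def _hash_total(ids):
    """Order-independent hash total over a list of key values."""
    return hashlib.sha256("|".join(sorted(ids)).encode()).hexdigest()


def source_totals(source_text):
    """Control totals taken directly from the source, independently of the conversion code."""
    ids, total = [], Decimal("0")
    for line in source_text.splitlines():
        fields = line.split("|")
        ids.append(fields[0])
        try:
            total += Decimal(fields[2]) if len(fields) > 2 else Decimal("0")
        except InvalidOperation:
            pass  # still counted as a record; contributes nothing to the amount total
    return {"records": len(ids), "balance_total": total, "id_hash": _hash_total(ids)}


def reconcile(source_text, converted, exceptions):
    """Compare source control totals with the destination plus the exception report."""
    src = source_totals(source_text)
    dst_ids = [r["account_id"] for r in converted] + [e[1].split("|")[0] for e in exceptions]
    dst_total = sum((r["balance"] for r in converted), Decimal("0"))
    return {
        "record_count": src["records"] == len(dst_ids),
        "balance_total": src["balance_total"] == dst_total,
        "id_hash_total": src["id_hash"] == _hash_total(dst_ids),
    }


def exception_report(exceptions):
    """Report lines for items that could not be converted automatically (step viii)."""
    return [f"line {lineno}: {reason}: {line}" for lineno, line, reason in exceptions]


if __name__ == "__main__":
    converted, exceptions = convert(SOURCE_EXTRACT)
    print("checks:", reconcile(SOURCE_EXTRACT, converted, exceptions))
    print("\n".join(exception_report(exceptions)))
```

The control totals are computed from the source without reusing the converter, so a defect in the converter cannot hide itself. In the sample the unconvertible record appears only on the exception report, and the totals still agree because the report is counted alongside the converted records; a destination that lost a record or altered an amount fails the corresponding check.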

Ans.4 (a) SS may gain the following potential benefits by making use of the latest IT tools and resources:

(i) Enhancing the scope of business by making an e-commerce enabled website.


(ii) Better inventory management that would result in cost savings.
(iii) Effective and efficient use of resources may lead to time saving.
(iv) Gathering of relevant and timely information for strategic, as well as tactical and
operational management.
(v) Such tools may also enable SS to locate cross-selling and up-selling opportunities.

(b) Following are the key responsibilities that would be handled by an IS/IT Manager:

(i) Development of IT strategy, duly aligned with the overall strategy of the
organization.
(ii) Management of IT risks by implementing appropriate disaster recovery plan.
(iii) Playing a key role in establishing and supporting the IT Steering Committee, and
facilitating the Board and executive management in understanding IT and in their
involvement in overseeing it.
(iv) Setting standards for the purchase and use of hardware and software.
(v) Ensuring that knowledge and skills of IT department’s staff remain updated.

(c) Due to the following reasons, it is important for SS to have an IT Strategy:


(i) Effective management of expensive and critical asset to the organisation. IT is
a high cost activity. The expense on IT is wasted if IT does not align with
established business priorities/objectives, and required benefits are not achieved.
(ii) Improving communication between the business and information systems
organisations. Business management will obtain an excellent understanding of
their current systems, as well as identify any risks and opportunities. Information
Systems will understand the business direction and how technology can help
business management achieve the company’s objective. This mutual
understanding will help establish a solid direction, and it will also assist in the
approval process necessary to get the new direction sold through the organisation.
(iii) Planning the flow of information and processes. Planning and managing the
flow of information throughout the organisation can minimise labour, data
redundancy, and inconsistency, in addition to increasing the quality and accuracy
of the information.
(iv) Efficiently and effectively allocating Information Systems resources. Planning
will direct the effective allocation of Information Systems resources and minimise
the costs of redesign, rework, or correction of errors. It also helps to utilise the
human resources in the most valuable manner for the entity.

(v) Reducing the time and expense of the Information Systems life cycle. Adding
time to the beginning of the process for strategic planning will significantly reduce
the amount of time spent in vendor review, selection and project approval.
Careful planning and prioritising the implementation can reduce the
implementation time.

Ans.5 Five components of an Information System are as follows:

(i) Software: comprises applications, operating systems and other utility software.
    Associated key security issues:
    • Undetected errors/bugs.
    • Failure to incorporate security features at the development stage.
    • Back doors left by developers.
    Controls:
    • Thorough testing.
    • Keeping security features in view at the time of development.
    • Independent review of source code / security assessment.
(ii) Hardware: comprises computers, printers, switches, etc.
    Associated key security issues:
    • Theft.
    • Unauthorised access.
    Controls:
    • Lock and key, including casing locks and door locks.
    • Restricted access.
(iii) Data
    Associated key security issues:
    • Lost/deleted.
    • Corrupted.
    • Leaked.
    • Modified.
    Controls:
    • Encryption.
    • Passwords.
    • Restricted access.
(iv) People
    Associated key security issues:
    • Errors.
    • Override of controls.
    • Social engineering.
    Controls:
    • Checks.
    • Controls.
    • Training.
(v) Procedures: comprise defined/documented instructions for using computer systems
    and implementing controls.
    Associated key security issues:
    • Inadequate.
    • Obsolete/outdated.
    • Leaked.
    Controls:
    • Review.
    • Timely updating.
    • Dissemination on a need-to-know basis.

Ans.6 (a) Following areas should be covered in a software testing strategy:


(i) Strategy approach: testing strategy should detail the approach to be taken for the
testing, tests to be conducted, and tools/techniques to be used.
(ii) Test plan: The plan should state what will be tested, in what sequence (when) and
the test environment.
(iii) Test design: The logic and reasoning behind the design of the tests should be
explained.
(iv) Performing comprehensive tests: Detailed procedures for all tests to ensure
consistency in testing.
(v) Documentation: Results of tests must be documented for future reference,
including errors and starting point for error correction procedures.
(vi) Re-testing: After correction, all aspects of the software should be re-tested to
ensure the corrections have not affected other aspects of the software.

(b) Following are the limitations of software testing due to which bugs/errors may have
remained undetected in spite of rigorous testing of the software application by AEW’s
team:

(i) Poor testing process
• Testers may not be adequately trained.
• All areas/functionality may not be covered.
• Testing may not be documented.
• Changes made to correct the errors detected during the test may not have
been adequately tested subsequent to the change.
(ii) Inadequate time
• Due to time pressures, shortcuts may be taken and testing time may be reduced.
(iii) Future requirements were not anticipated: The range of test data may have been
chosen to cater for the existing requirements only. The errors would have surfaced had
future requirements been tested.
(iv) Inadequate test data: Test data may not be selected to test "positively" as well as
"negatively", i.e. that it does what it should do, and doesn't do what it shouldn't do.

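Limitation (iv) above, positive versus negative test data, is illustrated by the added example below, which is not part of the suggested answer. It defines a constructed order-line validator together with positive cases (including the boundary values) and negative cases, plus a deliberately weaker validator that passes every positive case and is exposed only by the negative ones. The business rules, the limit, the dates and the cases are all assumptions made for the example.

```python
"""Positive and negative test data for one validation routine.
Added example for Ans.6(b)(iv); not part of the suggested answer. The order-line rules,
the limit, the dates and the test cases are constructed for the example."""
from datetime import date

MAX_LINE_QTY = 999            # constructed business limit on one order line
TODAY = date(2014, 6, 1)      # constructed reference date so the cases are reproducible


def validate_order_line(qty, unit_price, delivery_date, today=TODAY):
    """Return the list of rule violations for one order line; an empty list means valid."""
    errors = []
    # bool is a subclass of int in Python, so it has to be excluded explicitly
    if not isinstance(qty, int) or isinstance(qty, bool):
        errors.append("qty must be an integer")
    elif not 1 <= qty <= MAX_LINE_QTY:
        errors.append(f"qty must be between 1 and {MAX_LINE_QTY}")
    if isinstance(unit_price, bool) or not isinstance(unit_price, (int, float)) or unit_price <= 0:
        errors.append("unit_price must be positive")
    if not isinstance(delivery_date, date) or delivery_date < today:
        errors.append("delivery_date must not be in the past")
    return errors


def validate_order_line_naive(qty, unit_price, delivery_date, today=TODAY):
    """A weaker routine that only checks the upper quantity limit. It passes every positive
    case below, so a test set without negative cases would never expose its defects."""
    errors = []
    if isinstance(qty, int) and qty > MAX_LINE_QTY:
        errors.append(f"qty must not exceed {MAX_LINE_QTY}")
    return errors


# (description, inputs, expected_valid). Positive cases check that the routine does what it
# should; negative cases check that it rejects what it should not accept, boundaries included.
TEST_CASES = [
    ("typical line",            (5, 120.0, date(2014, 6, 10)), True),
    ("lower boundary qty",      (1, 0.01, TODAY), True),
    ("upper boundary qty",      (MAX_LINE_QTY, 50.0, date(2014, 12, 31)), True),
    ("zero qty",                (0, 120.0, date(2014, 6, 10)), False),
    ("negative qty",            (-3, 120.0, date(2014, 6, 10)), False),
    ("qty above limit",         (MAX_LINE_QTY + 1, 120.0, date(2014, 6, 10)), False),
    ("qty as text",             ("5", 120.0, date(2014, 6, 10)), False),
    ("free item",               (5, 0.0, date(2014, 6, 10)), False),
    ("delivery in the past",    (5, 120.0, date(2014, 5, 31)), False),
    ("boolean smuggled as qty", (True, 120.0, date(2014, 6, 10)), False),
]


def run_cases(cases=TEST_CASES, validator=validate_order_line):
    """Return the descriptions of the cases whose outcome differs from the expectation."""
    failures = []
    for name, args, expected_valid in cases:
        actual_valid = validator(*args) == []
        if actual_valid != expected_valid:
            failures.append(name)
    return failures


if __name__ == "__main__":
    print("full validator failures:", run_cases())
    print("naive validator failures:", run_cases(validator=validate_order_line_naive))
```

Run against the positive cases alone, both validators look equally good; only the negative cases separate them, which is the point the suggested answer makes about test data that checks what the software should not do.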
Ans.7 (a) ZZC may gain the following advantages by establishing a centralized IT department:
(i) Uniform security standards can be enforced, and it gives better security/control
over the data and files.
(ii) Standardization of IT equipment and IT processes in all units.
(iii) Economies of scale would be available in purchasing computer equipment and
supplies.
(iv) IT staff and resources are available at a single location, and more expert staff can
be employed. Career paths for IT staff also become available.

ZZC may face the following disadvantages due to a centralized IT department:


(i) Local offices might have to wait for IS/IT services and assistance.
(ii) A system fault at head office will impact across the organization.
(iii) IT staff redundancy may occur.
(iv) Existing IT staff of branch offices may be demoralized as they may not see future
growth prospects.

(b) Comparative advantages and disadvantages of charging out IT costs as an
administrative overhead or on market-based methods are as follows:

Administrative overhead versus Market based

(i) Administrative overhead: It is simple and cheap to administer, as there is no
    charge-out system to operate.
    Market based: It can be difficult to decide on the charge-out rate, particularly if
    there is no comparable service provider outside the organization.
(ii) Administrative overhead: May encourage innovation and experimentation, as user
    departments are more likely to demand better quality systems if they will not bear
    any cost.
    Market based: Unnecessary use of IT resources would be reduced / users would avail
    themselves of IT services only when they actually need them.
(iii) Administrative overhead: The relationship between IS staff and user departments is
    not subject to conflict over costs.
    Market based: If users feel that rates are excessive, they may reduce their usage to
    below optimal levels, and relationships between the IS/IT department and user
    departments may become strained.
(iv) Administrative overhead: Any inefficiencies within the IS/IT department are less
    likely to be exposed, as user departments will not be monitoring cost levels.
    Market based: The efficiency of the IT department has to improve, otherwise the user
    departments have the right to demand external standards of service.
(v) Administrative overhead: User departments may accept sub-standard service, as it is
    ‘free’.
    Market based: In case of sub-standard services, user departments have the right to
    demand external standards of service.
(vi) Administrative overhead: It encourages the view that information systems and
    technology are a drain on resources rather than tools in the quest for competitive
    advantage.
    Market based: It encourages an entrepreneurial attitude, as the IT Manager is in
    charge of a profit-making department.
(vii) Administrative overhead: A true picture of user departments’ financial performance
    is not obtained, as significant costs attributable to a department are held in a
    central pool.
    Market based: A true picture of user departments’ financial performance is obtained,
    as the IS/IT costs charged to each department are based on market rates.

Ans.8 The company needs to plan the following matters in order to ensure customers’ satisfaction:

(i) Effective interaction with its existing and prospective customers. For that it needs to:
• develop and post Frequently Asked Questions on its website;
• set fast response standards, at least to match anything offered by the competitors;
• establish ease of navigation around its website and enhance the site’s stickiness.

(ii) Efficient handling of a large number of orders. This may involve:
• ensuring sufficient capacity is available for dealing with the bulk of customer queries
in a timely manner;
• setting targets for customer services for responding to customers and resolving their
queries;
• making effective use of automated systems to handle such scenarios;
• ensuring the performance of relevant staff and systems is scalable; and
• making arrangements with a courier service to ensure timely delivery of services.

(iii) Maintain the satisfaction level of its existing customers. For this it may need to:
• ensure the accuracy of product specifications mentioned on the website;
• develop a customer feedback area on the website where customers can give their
feedback on the company’s services and products freely; and
• plan the way to follow up adverse customer comments/feedback till the
resolution of the matter.

(iv) Customise solutions to meet the needs of different segments of customers. For this it may
need to gather customers’ data to identify their buying behavior and future needs.

(v) Payment flexibility and related concerns. This may include:
• offering a choice of payment mechanisms, such as acceptance of credit/debit cards and
cash on delivery; and
• implementing appropriate security mechanisms over the website.

(THE END)
