
INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL

Suggested Answers
Final Examination - Winter 2013

Ans.1 (a) The significance of the internal auditor’s findings is as follows:

(i) Insufficient controls over personnel would weaken the organization’s ability to
mitigate the information security risk inherent in human interactions.
(ii) Absence of information security objectives related to personnel may lead to
improper/insufficient user awareness and training in the area of information security,
which in turn may lead to increased confidentiality breaches.
(iii) An insufficient Acceptable Usage Policy (AUP) could lead to misuse of the organisation’s
technology resources and other organisational resources.

(b) The following information security objectives may become part of the information security
policy of the company:

(i) Ensure that all employees understand their responsibilities and liabilities related to
information security.
(ii) Reduce the risk of human error by ensuring that all employees are aware of
information security threats and concerns.
(iii) Reduce the risk of theft, fraud or misuse of information technology facilities.
(iv) Reduce the human dependency for availability of systems by imparting appropriate
training and implementing delegations in a controlled manner.

(c) The following points should be included in the Acceptable Usage Policy (AUP) of the company:

(i) The users must ensure that the Information Technology assets are used in accordance
with the prescribed policies of the organisation.
(ii) Users shall be responsible for activities performed with their personal User IDs/access
cards. They must not permit any other user to perform any activity with their User
IDs, and vice versa.
(iii) Computers including desktops, portable computers/laptops, servers and
communication devices must be locked when unattended or logged off at the end of
an active session.
(iv) Users shall exercise good judgment and take reasonable care to safeguard mobile and
portable computing equipment like laptops etc., while taking such devices outside the
office premises.
(v) Only authorised application programs shall be installed on the laptop and other
mobile devices.
(vi) All employees shall return all the company’s technological assets in their possession
upon termination of their employment, contract or agreement.
(vii) Sending inappropriate email messages using the company’s email ID shall not be
allowed.

Ans.2 (a) The following factors have necessitated the use of concurrent auditing techniques:

(i) With the implementation of ERP, a paper based audit trail is less likely to be found for
various critical processes. Concurrent auditing techniques provide a way to capture
the evidence that previously existed in documentary form.
(ii) Errors or irregularities in ERP systems can propagate quickly to most of the integrated
modules, which may cause material losses. Through concurrent auditing techniques
these systems can be monitored on a timely basis.
(iii) Performing transaction walkthroughs in ERP systems is more difficult because they
often have a large number of complex execution paths. Concurrent auditing
techniques provide a means of tracing transactions through different execution paths.
(iv) The majority of the controls to be tested during the audit exist inside the system.
Concurrent auditing techniques provide ways to verify the accuracy of such controls.


(v) All systems have entropy, which is their tendency to move towards internal disorder
and eventual collapse. In ERP systems entropy arises due to various reasons e.g.,
change in user requirements, significant increase in number of transactions resulting
in workload which the software and hardware are unable to handle satisfactorily etc.
Concurrent auditing techniques provide early warning of the presence of entropy in
application systems.
(vi) Since ERP has been implemented across the countrywide branch network, it would
be difficult for the auditors to be present at information system facilities to gather
evidence. The embedded audit routines used with concurrent auditing techniques
provide a way of collecting audit evidence when application system processing is
being carried out at remote locations.

(b) Three common concurrent auditing techniques are as follows:

(i) Integrated test facility (ITF)

It involves establishing a dummy entity on an application system's files and processing
audit test data against this dummy entity. By comparing the processed result of the
dummy entity with its independently calculated result, the auditor can verify the
authenticity, accuracy and completeness of application system processing.

(ii) Snapshots

In this technique embedded audit modules take pictures of transactions as they flow
through various points in an application system. The auditor must decide where the
snapshot points are placed in an application system, which transactions will be subject to
snapshot, and how and when snapshot data will be presented for audit evaluation
purposes.

(iii) The system control audit review file (SCARF)

It involves embedding audit modules in an application system to provide continuous
monitoring of a system's transactions. The data collected via these routines may
include errors and irregularities, policy and procedural variances, system exceptions,
statistical samples, snapshots and extended records etc. The collected data is
written to a special SCARF file for immediate or subsequent audit evaluation.
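The three techniques above, as an added illustration that is not part of the suggested answers: audit routines embedded in a simple ledger posting routine, with snapshot points before and after posting, a SCARF routine that collects policy variances, and an ITF dummy entity against which auditor test data is processed. The account names, approval limit and transactions are constructed.

```python
# Added example (not from the suggested answers): embedded audit routines for the three
# concurrent auditing techniques in Ans.2(b), wrapped around a simple ledger posting routine.
# The account names, approval limit and transactions are constructed for illustration.

SCARF_FILE = []            # stand-in for the special SCARF file (normally a protected file)
APPROVAL_LIMIT = 100_000   # constructed policy: postings above this need prior approval
ITF_ENTITY = "ITF-DUMMY"   # dummy entity established on the application's files for the ITF


def scarf_write(kind, txn, **details):
    """SCARF routine: record collected data for immediate or subsequent audit evaluation."""
    SCARF_FILE.append({"kind": kind, "txn_id": txn["id"], **details})


def snapshot(point, txn, account):
    """Snapshot routine: picture of the transaction and account state at a chosen point."""
    scarf_write("snapshot", txn, point=point, amount=txn["amount"], balance=account["balance"])


def post_transaction(txn, ledger):
    """Application posting routine with the audit modules embedded at fixed points."""
    account = ledger[txn["account"]]
    snapshot("before-posting", txn, account)
    # SCARF exception collection: a policy variance (unapproved posting above the limit)
    if txn["amount"] > APPROVAL_LIMIT and not txn.get("approved", False):
        scarf_write("exception", txn, reason="unapproved posting above limit",
                    amount=txn["amount"])
    account["balance"] += txn["amount"]
    snapshot("after-posting", txn, account)
    return account["balance"]


def itf_run(ledger, test_txns, expected_balance):
    """ITF: process the auditor's test data against the dummy entity, alongside live
    processing, and compare the result with the independently calculated balance."""
    ledger.setdefault(ITF_ENTITY, {"balance": 0})
    for txn in test_txns:
        if txn["account"] != ITF_ENTITY:      # test data must never touch real entities
            raise ValueError("ITF test data may only be posted to the dummy entity")
        post_transaction(txn, ledger)
    return ledger[ITF_ENTITY]["balance"] == expected_balance


def scarf_exceptions():
    """What the auditor reviews: the exception records accumulated in the SCARF file."""
    return [r for r in SCARF_FILE if r["kind"] == "exception"]


if __name__ == "__main__":
    ledger = {"ACC-1": {"balance": 5_000}}
    post_transaction({"id": "T1", "account": "ACC-1", "amount": 250_000}, ledger)
    tests = [{"id": "T2", "account": ITF_ENTITY, "amount": 40},
             {"id": "T3", "account": ITF_ENTITY, "amount": -15}]
    print(itf_run(ledger, tests, 25), scarf_exceptions())
```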

Ans.3 (a) AKL should adopt the Business to Business (B2B) e-business model. The B2B model automates the
process of buying and selling among companies via the Internet. B2B transactions occur
between organizations (businesses) and not between individuals.

The following are the key characteristics of the B2B model:

(i) Adherence to common standards amongst business partners is a pre-requisite.
(ii) The systems and procedures of business partners are closely aligned.
(iii) There is a high level of co-ordination between the business partners.
(iv) Transactions are paperless.

(b) The benefits of the B2B model are as follows:

(i) Reducing inventory on hand / managing inventory more efficiently.
(ii) Enhancing just-in-time manufacturing.
(iii) Getting products to market faster.
(iv) Bringing sellers closer to their customers.


(c) The barriers to implementing the B2B model are as follows:

(i) Different cultures of the transacting organizations.
(ii) Interoperability between e-commerce applications.
(iii) International trade barriers.
(iv) Lack of user authentication and lack of public key infrastructure.
(v) Lack of qualified personnel.
(vi) Legal issues (different laws may be applicable to different partners / stakeholders).

Ans.4 (i) Password policy

• Check whether appropriate controls over the setting of passwords are in place to avoid the
use of weak passwords.
• Check whether password settings include maximum age and password history, e.g.,
passwords must be changed every 30 days and new passwords should not be
any of the last ten passwords.
• Check whether the password policy includes appropriate account lockout, e.g., user
accounts may be locked after a certain number of unsuccessful attempts and
unlocking is then only done by the administrator after investigation.

(ii) User access authorisation policy

• Check whether user accounts for new recruits (joiners) are set up only on appropriate
formal/documented authorization.
• Check whether user accounts of terminated (leavers) and/or transferred employees
have been disabled/removed from the network and all applications, as appropriate.
• Check whether a User Authorisation Matrix (UAM) exists and is kept updated.

(iii) Monitoring of logical access control procedures

• Check whether a system generated log is maintained for each logical access attempt, i.e.,
for both success and failure.
• Check whether logical access logs are reviewed at an appropriate level.
• Check whether logical access logs can be edited.

(iv) Information security incident handling procedures

• Assess the adequacy of procedures for timely reporting, resolution and containment of
security incidents.
• Interview relevant users and assess their understanding of the said procedures.
• Enquire about any past security incident and review its documentation to check how it
was handled.

Ans.5 (a) Comments on the current backup strategy

SF’s current backup strategy is useful in conjunction with retrieving records from the stock
exchange. However, recording a full backup on every alternate day leads to handling 36
tapes in three months, which seems inefficient and cumbersome. A better approach is stated
in the recommendation.

Comments on the strategy proposed by the former IT Manager

One of the key objectives of adopting a real-time backup or mirroring strategy is to establish a
‘failover’ mechanism. If the backup is taken on the same machine, it would defeat the
purpose of failover because if the server crashes, the backup will not be available to facilitate
the failover requirement, and the backups may also be lost.

The effectiveness of a monthly backup will diminish with each passing day of the following
month. It is only useful in conjunction with the backup retrieved from the local stock
exchange.

Comments on the CEO’s view

The CEO’s idea of retaining one year of backups is good, as it would enhance the company’s ability
to retrieve 12 months of data as compared to the present policy of maintaining 3 months of backups.
However, discontinuing the recording of its own backup set would create a strong dependency on the
local stock exchange.

(b) Recommended policy and justification

SF may have three sets of backups, i.e., daily, weekly and monthly. The daily backup tapes
are re-used (recycled) in the following week, and the weekly backup tapes are re-used in the
following month, while the re-usability of monthly backup tapes depends upon the backup
retention period. For example, if only three months of backups are to be retained then the
monthly backup tapes can be re-used after every three months. Similarly, if backups are to be
retained for a year, a tape should not be re-used before 12 months. At year-end, a full year backup
may be taken which could be retained on a permanent basis for reference and risk
avoidance.

For a three month backup retention, the above policy would require only 12 tapes, as follows:

• 5 tapes for daily backups;
• 4 tapes for weekly backups; and
• 3 tapes for monthly backups.

This shows that a third as many tapes would be used as compared to the current backup
strategy.

The daily backups are recorded on week days, in which at least one full backup is created
each week; the rest of that week's backups can be differential. Weekly and monthly backups
should always be taken as full backups of the week and month respectively.

Taking real-time backup on another server at another location would provide further
security against loss of data during a particular day.
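The rotation described in (b), as an added planner that is not part of the suggested answers: it assigns a tape to each business day for the daily, weekly and monthly sets and counts the distinct tapes a retention period needs (12 for three months). The tape labels, Monday as the week's full daily backup and Friday as the weekly backup day are assumptions made here.

```python
from datetime import date, timedelta

# Added example (not from the suggested answers): a planner for the three-set tape rotation
# recommended in Ans.5(b): five daily tapes reused the following week, four weekly tapes
# reused the following month, and one monthly tape per month of the retention period.
# Tape labels, Monday as the week's full daily backup and Friday as the weekly backup day
# are assumptions, not stated in the answer.

WEEKLY_TAPES = 4

def last_business_day(day: date) -> date:
    """Last weekday (Mon-Fri) of the month containing `day`."""
    first_of_next = date(day.year + (day.month == 12), day.month % 12 + 1, 1)
    last = first_of_next - timedelta(days=1)
    while last.weekday() >= 5:
        last -= timedelta(days=1)
    return last

def plan_backup(day: date, retention_months: int = 3) -> list:
    """Backup jobs due on `day`: which tape to mount and whether the backup is full or
    differential. Weekends get no jobs, since daily backups are recorded on week days."""
    if day.weekday() >= 5:
        return []
    # Daily set: one tape per weekday, overwritten the following week. Monday is the
    # week's guaranteed full backup; the rest of the week's daily backups are differential.
    kind = "full" if day.weekday() == 0 else "differential"
    jobs = [{"set": "daily", "tape": f"D{day.weekday() + 1}", "type": kind}]
    # Weekly set: full backup every Friday; the four tapes are reused the following month.
    if day.weekday() == 4:
        week_no = (day.day - 1) // 7
        jobs.append({"set": "weekly", "tape": f"W{week_no % WEEKLY_TAPES + 1}", "type": "full"})
    # Monthly set: full backup on the last business day; a tape is reused only after
    # `retention_months` months (3 for three-month retention, 12 for one year).
    if day == last_business_day(day):
        slot = (day.year * 12 + day.month) % retention_months + 1
        jobs.append({"set": "monthly", "tape": f"M{slot}", "type": "full"})
    return jobs

def tapes_needed(start: date, end: date, retention_months: int = 3) -> set:
    """Distinct tapes mounted between `start` and `end` inclusive."""
    tapes, day = set(), start
    while day <= end:
        tapes.update(job["tape"] for job in plan_backup(day, retention_months))
        day += timedelta(days=1)
    return tapes

if __name__ == "__main__":
    quarter = tapes_needed(date(2014, 1, 1), date(2014, 3, 31))
    print(len(quarter), sorted(quarter))   # 12 tapes for three-month retention
```

With a one-year retention the same planner needs 5 + 4 + 12 = 21 tapes, which is the CEO's one-year option costed in tapes.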

(c) Besides taking backups, SF should take the following steps to ensure that it is able to
restore the data whenever required:

(i) Specific duties should be assigned for recording and restoration of backup.
(ii) Physical Backup tapes should be checked periodically to ensure that all tapes are
available for completed years, months, weeks and days.
(iii) Any change in backup plan or in duties of the responsible persons or in the location
of the backup storage should be properly documented.
(iv) The backups should be restored periodically to ensure that system could be restored
from the available backups.
(v) Backups should be stored at a suitable distance from the main IT site so that they may
be available when required for disaster recovery. Preferably, backup storage location
shall not be subject to the same social and environmental threats as that of the
original site.
(vi) Necessary training should be provided to the staff responsible for recording and
restoration of data.


Ans.6 (a) WebTrust assurance could help Wola & Co. to improve sales and reduce the associated
risks in the following manner:

(i) Having WebTrust certification can help in removing customers’ reluctance to
make trades online.
(ii) Assessment of risks and controls by an independent competent authority reveals the
true strength of existing controls, highlights the deficiencies in the current system and
enables the company to deploy further controls whenever required.
(iii) WebTrust assurance requires regular compliance checks at least every six months.
Such periodic confirmation enables the company to monitor/control any new risks
that may have arisen.

(b) WebTrust principles include:

(i) Online Privacy
(ii) Confidentiality
(iii) Security
(iv) Business Practices/Transaction Integrity
(v) Availability.

A brief description of procedures to ensure compliance with three of the WebTrust principles is
as follows:

Online Privacy
• Prepare a policy for collecting private information, clearly specifying what information is
essentially required, how it will be used and to whom it could be distributed/disclosed
etc.
• Prepare a policy for the use of cookies, and display such policy to visitors.
Cookies should be stored on the visitor’s computer only after the visitor agrees to accept
cookies.

Confidentiality
• Deploy adequate controls over collection and transmission / distribution of confidential
information. For example, deploy Secure Socket Layer (SSL) on pages through
which confidential information is collected or transmitted.
• Store confidential information in encrypted form.
• Prepare appropriate procedures for handling confidentiality breaches and ensure
compliance thereof.
• Deploy appropriate safeguards against unauthorised access to the storage of backup media.

Availability
• Prepare an appropriate, functioning disaster recovery plan (DRP).
• Provide awareness and training to relevant users in the area of disaster recovery and business
continuity management.
• Periodically test and update the DRP.
• Develop appropriate policies to conform with legal, contractual and other requirements.

Ans.7 For effective control of the change management process, the following control measures are
recommended.

(i) Requisition
The request for change may be raised by users, or by IT department/personnel itself. While
making such a request, appropriate justification should be provided.


(ii) Authorization
The request should be assessed and authorized for development by a more senior level
person or a committee. The person responsible for making the changes should be identified
and duly authorised.

(iii) Development and programmer testing

The requested change should be developed and tested in a test environment to ensure that it
does not make any unwanted changes in the associated programs and routines.

(iv) User Acceptance Testing

Once the change has been developed, it should be tested adequately by the user to ensure
that it achieves the desired objective.

(v) Approval

After successful user acceptance testing, the change must be formally approved and
documented before being moved/implemented in the live/production environment
(transport approval).

(vi) Segregation of incompatible duties

The change should be implemented by someone other than the person requesting the
change. A developed change should be transported by someone other than the developer.
The developers should not have access to the live/production environment.
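The six measures above, as an added illustration that is not part of the suggested answers: a small workflow object that only lets a change move through requisition, authorization, development, UAT, approval and transport in that order, and rejects steps by incompatible persons. The stage names are constructed, and the check that the UAT tester is not the developer is an interpretation of (iv) added here.

```python
# Added example (not from the suggested answers): a small change-management workflow that
# enforces the stage order of Ans.7 and the segregation of duties in (vi). Stage names,
# role checks and the sample people are constructed for illustration.

STAGES = ["requested", "authorized", "developed", "uat_passed", "approved", "transported"]

class ChangeControlError(Exception):
    """Raised when a step is attempted out of order or by an incompatible person."""

class ChangeRequest:
    def __init__(self, change_id, requester, justification):
        if not justification.strip():   # (i) Requisition: justification is mandatory
            raise ChangeControlError("change request needs a justification")
        self.change_id, self.requester = change_id, requester
        self.stage = "requested"
        self.actors = {"requested": requester}    # who performed each stage

    def _advance(self, stage, actor):
        """Move to `stage`, which must be the next one in STAGES; record who did it."""
        if STAGES.index(stage) != STAGES.index(self.stage) + 1:
            raise ChangeControlError(f"{self.change_id}: cannot move from {self.stage} to {stage}")
        self.actors[stage] = actor
        self.stage = stage

    def authorize(self, approver):   # (ii) by a senior person/committee, not the requester
        if approver == self.requester:
            raise ChangeControlError("requester cannot authorize own change")
        self._advance("authorized", approver)

    def develop(self, developer, tested_in_test_env):   # (iii) programmer testing
        if not tested_in_test_env:
            raise ChangeControlError("change must be tested in the test environment first")
        self._advance("developed", developer)

    def user_accept(self, user):   # (iv) UAT by the user, not the developer (assumed check)
        if user == self.actors["developed"]:
            raise ChangeControlError("developer cannot perform user acceptance testing")
        self._advance("uat_passed", user)

    def approve(self, approver):   # (v) transport approval; stage order enforces "after UAT"
        self._advance("approved", approver)

    def transport(self, transporter):   # (vi) not the developer and not the requester
        if transporter in (self.actors["developed"], self.requester):
            raise ChangeControlError("developer/requester cannot transport to production")
        self._advance("transported", transporter)

def violates(action, *args):
    """True if `action(*args)` is rejected by change control (for audit walkthroughs)."""
    try:
        action(*args)
        return False
    except ChangeControlError:
        return True
```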

Ans.8 The committee should consider the following factors while evaluating the proposal of each vendor:

(i) Technical competence – whether the vendor has relevant technical competence in the desired field.
(ii) Proven track record – whether the vendor has successfully provided, or is providing, such
services to a similar organisation.
(iii) Available resources – manpower, machines etc.
(iv) Controls in place for disaster recovery and continuity of operations.
(v) Access controls and security administration at the vendor’s premises.
(vi) Financial soundness of the vendor – through its past annual reports and market feedback
etc.
(vii) Prices offered by the vendor for its deliverables in comparison with others.
(viii) Comprehensive insurance and commitment on the part of the vendor to compensate the
client’s loss.
(ix) Commitment to quality – through the vendor’s existing clients and market feedback etc.
(x) Location of the vendor’s business.

(THE END)
