AF302 Solutions


AF302: INFORMATION SYSTEMS

Faculty of Business and Economics / School of Accounting & Finance

Final Examination
Semester 2 2018

Online Mode
REVISION GUIDE
Duration of Exam: 3 hours + 10 minutes
Reading Time: 10 minutes
Writing Time: 3 hours

Instructions:
1. This exam has THREE (3) sections: Multiple Choice, Discussion Questions,
Case Studies
2. Questions start from Page TWO (2)
3. There is a total of 11 (1-11) pages including the cover page.
4. Section A has 40 MULTIPLE CHOICE Questions. ALL are Compulsory.
5. Answers for Section A should be marked by a circle (O) in the answer
sheet provided separately.
6. Submit Answer Sheet for SECTION A with the ANSWER Booklet (Page 12).
7. All questions in SECTION B and SECTION C are COMPULSORY.
8. Write answers for Section B and Section C on a fresh page in the answer
booklet provided.
10. The examination is worth (Total 100 marks) 50% of your overall mark.
SECTION A: MULTIPLE CHOICE (40 MARKS)
Circle the letter which corresponds to the best answer in the Multiple-Choice
Grid provided. Each question is worth 1 mark. [Suggested Time: 72
minutes]
There is a practice quiz on Moodle. Please refer to Week 15/16 tile or follow this link.
https://elearn.usp.ac.fj/mod/quiz/view.php?id=204173

SECTION B: DISCUSSION QUESTIONS (15 MARKS)


Answer all questions [Suggested Time: 27 minutes]
There will be 4 questions in this section

1. Some technologies can create privacy concerns. Explain two (2) privacy concerns that
might arise from the use of biometric authentication techniques.

Many people may view biometric authentication as invasive. That is, in order to gain access to
a work-related location or data, they must provide a very personal image of part of their body
such as their retina, finger or palm print, their voice, etc. Providing such personal information
may make some individuals fearful that the organisation collecting the information can use it to
covertly track or monitor the individual’s movements.

Biometric identifiers could also be stolen. It's easy to replace a swiped credit card, but good luck
changing the patterns on your iris.

In addition, some biometrics can reveal sensitive information. For example, retina scans may
detect hidden health problems – and employees may fear that such techniques will be used by
employers and insurance companies to discriminate against them.

2. Experts argue that RFID tags and barcodes can significantly improve the process of
receiving goods from suppliers for several reasons. Discuss four (4) business benefits of
electronically scanning goods received from suppliers.

Electronically capturing the unique number of a product not only provides identification and
quantity data about the product; it can also provide specific production information such as date
and time of manufacture, production run information, etc. Electronically encoding such
information into an integrated AIS provides up-to-the-minute inventory counts, as well as counts
of units sold, and returns for use in a perpetual inventory system. Also, both vendor and
customers can read tags and bar codes, and certain formats are universal in nature. This allows
goods to be sold virtually anywhere in the world, allowing for easier global marketing efforts to
be made by businesses. It also eliminates the need for human data entry (and errors associated)
and reduces the risk of stockouts.

3. Identify and explain how two (2) technologies (other than biometric authentication
techniques) might create privacy concerns.

Cell phones and social networking sites are some of the other technologies that might cause
privacy concerns. Most cell phones have GPS capabilities that can be used to track a person’s
movement – and such information is often collected by “apps” that then send it to advertisers.
GPS data is also stored by cell phone service providers. Social networking sites are another
technology that creates privacy concerns. The personal information that people post on social
networking sites may facilitate identity theft.

4. What are the four different implementation methodologies?

There are several different methodologies an organization can adopt to implement a new system.
Four of the most popular are listed below.
• Direct cutover. In the direct-cutover implementation methodology, the organization
selects a particular date after which the old system will no longer be used. On that
date, the users begin using the new system and the old system is unavailable. The
advantages to using this methodology are that it is very fast and the least expensive.
However, this method is the riskiest as well. If the new system has an operational problem
or if the users are not properly prepared, it could prove disastrous for the organization.
• Pilot implementation. In this methodology, a subset of the organization (called a pilot
group) starts using the new system before the rest of the organization. This has a smaller
impact on the company and allows the support team to focus on a smaller group of
individuals.
• Parallel operation. With parallel operation, the old and new systems are used
simultaneously for a limited period of time. This method is the least risky because the old
system is still being used while the new system is essentially being tested. However, this
is by far the most expensive methodology since work is duplicated and support is needed
for both systems in full.
• Phased implementation. In phased implementation, different functions of the new
application are used as functions from the old system are turned off. This approach
allows an organization to slowly move from one system to another.

5. What are the steps in the SDLC methodology?

Various definitions of the SDLC methodology exist, but most contain the following phases.
1. Preliminary Analysis. In this phase, a review is done of the request. Is creating a solution
possible? What alternatives exist? What is currently being done about it? Is this project
a good fit for our organization? A key part of this step is a feasibility analysis, which
includes an analysis of the technical feasibility (is it possible to create this?), the
economic feasibility (can we afford to do this?), and the legal feasibility (are we allowed
to do this?). This step is important in determining if the project should even get started.
2. System Analysis. In this phase, one or more system analysts work with different
stakeholder groups to determine the specific requirements for the new system. No
programming is done in this step. Instead, procedures are documented, key players are
interviewed, and data requirements are developed in order to get an overall picture of
exactly what the system is supposed to do. The result of this phase is a system-
requirements document.
3. System Design. In this phase, a designer takes the system-requirements document created
in the previous phase and develops the specific technical details required for the system.
It is in this phase that the business requirements are translated into specific technical
requirements. The design for the user interface, database, data inputs and outputs, and
reporting are developed here. The result of this phase is a system-design document. This
document will have everything a programmer will need to actually create the system.
4. Programming. The code finally gets written in the programming phase. Using the system
design document as a guide, a programmer (or team of programmers) develops the
program. The result of this phase is an initial working program that meets the
requirements laid out in the system-analysis phase and the design developed in the
system-design phase.
5. Testing. In the testing phase, the software program developed in the previous phase is
put through a series of structured tests. The first is a unit test, which tests individual parts
of the code for errors or bugs. Next is a system test, where the different components of
the system are tested to ensure that they work together properly. Finally, the user-
acceptance test allows those that will be using the software to test the system to ensure
that it meets their standards. Any bugs, errors, or problems found during testing are
addressed and then tested again.
6. Implementation. Once the new system is developed and tested, it has to be implemented
in the organization. This phase includes training the users, providing documentation, and
conversion from any previous system to the new system. Implementation can take many
forms, depending on the type of system, the number and type of users, and how urgent it
is that the system become operational.
7. Maintenance. This final phase takes place once the implementation phase is complete. In
this phase, the system has a structured support process in place: reported bugs are fixed
and requests for new features are evaluated and implemented; system updates and
backups are performed on a regular basis.

6. Security awareness training is necessary to teach employees “safe computing” practices.
The key to effectiveness, however, is that it changes employee behaviour. Make two (2)
recommendations so organisations can maximise the effectiveness of their security
awareness training programs.

Top management support is always essential for the success of any program an entity undertakes.
Thus, top management support and participation in security awareness training is essential to
maximize its impact on the employees and managers of the firm.

Effective instruction and hands-on active learning techniques help to maximise training. “Real
life” examples should be used throughout the training so that employees can view or at least
visualise the exposures and threats they face as well as the controls in place to address the
exposures and threats. Role-playing has been shown to be an effective method to maximise
security awareness training, especially with regard to social engineering attack training.

Training must also be repeated periodically, at least several times each year, to reinforce
concepts and update employees about new threats. It is also important to test the effectiveness
of such training. Including security practices and behaviours as part of an employee’s
performance evaluation is also helpful as it reinforces the importance of security.

7. Define data visualization

Data visualization is a general term that describes any effort to help people understand the
significance of data by placing it in a visual context. Patterns, trends and correlations that might
go undetected in text-based data can be exposed and recognized more easily with data visualization
software.

8. What is an Enterprise System?

An enterprise system is a packaged application that supports and automates business processes
and manages business data. Enterprise systems come with pre-implemented and customizable modules that
reflect best practice for common business operations. Business data from different functional
areas are integrated and kept consistent across the organization.

9. Identify and explain three (3) reasons why technology projects fail.

Projects rarely fail for just one reason. Project post-mortems often point to a combination of
technical, project management, and business decision blunders. The most common factors
include the following:
• Unrealistic or unclear project goals
• Poor project leadership and weak executive commitment
• Inaccurate estimates of needed resources
• Badly defined system requirements and allowing “feature creep” during development
• Poor reporting of the project’s status
• Poor communication among customers, developers, and users
• Use of immature technology
• Unmanaged risks
• Inability to handle the project’s complexity
• Sloppy development and testing practices
• Poor project management
• Stakeholder politics
• Commercial pressures (e.g., leaving inadequate time or encouraging corner-cutting)
Managers need to understand the complexity involved in their technology investments, and that
achieving success rarely lies with the strength of the technology alone.

10. Recommend one (1) internal control that would provide protection against the following
threats:
a. Making a credit sale to a customer who is already four months behind in making
payments on his account.
b. Authorising a credit memo for a sales return when the goods were never actually
returned.
c. Unauthorised disclosure of buying habits of several well-known customers.

a. Up-to-date credit records must be maintained to control this problem. During the credit
approval process, the credit manager should review the accounts receivable aging
report to identify customers with past-due balances to prevent additional sales to those
customers. Alternatively, the computer system could be programmed to determine if the
customer had any past due balances over a specified length of time (such as 60 days). If
not, the sale would be approved. If they had a past-due balance, a notice could be sent
to the credit manager who could review the sale and make a decision about extending
additional credit.

A credit limit check would not be sufficient, because a customer could have a balance
below the credit limit but be past due. A computer system could be programmed to
check both credit limit and past due accounts and authorise sales. Sales not passing
either the credit limit or the past due test would be sent to the credit manager for a
decision.

b. A receiving report should be required before a credit for sales returns is issued. The
system should be configured to block issuance of credit memos without the required
documentation that the goods have been returned.

c. Access to customer information should be restricted using User IDs, passwords, and an
access control matrix.

Employees given such access need to be trained to follow the organization’s privacy
policies. In addition, encryption of the data would prevent snooping by IT employees
who do not have direct access to the application system. Otherwise, such employees
may be able to use their access to the operating system to view data.
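
The combined credit-limit and past-due test from answer 10(a), shown next to the weaker limit-only check, as an added example that is not part of the original guide. The `Invoice` record, function names, amounts and dates are constructed for illustration; the 60-day threshold is the one the answer suggests.

```python
from dataclasses import dataclass
from datetime import date

PAST_DUE_LIMIT_DAYS = 60  # "such as 60 days" in answer 10(a)


@dataclass
class Invoice:
    amount: float   # unpaid amount (hypothetical record layout)
    due_date: date


def days_past_due(invoices, as_of):
    """Age in days of the oldest unpaid invoice past its due date (0 if none overdue)."""
    return max([(as_of - inv.due_date).days for inv in invoices] + [0])


def limit_only_check(invoices, credit_limit, order_amount):
    """Weak control: looks at the balance only and ignores how old it is."""
    balance = sum(inv.amount for inv in invoices)
    return balance + order_amount <= credit_limit


def evaluate_credit_sale(invoices, credit_limit, order_amount, as_of):
    """Combined control: both tests must pass, otherwise the sale is referred."""
    reasons = []
    if not limit_only_check(invoices, credit_limit, order_amount):
        reasons.append("credit limit exceeded")
    overdue = days_past_due(invoices, as_of)
    if overdue > PAST_DUE_LIMIT_DAYS:
        reasons.append(f"oldest invoice {overdue} days past due")
    decision = "REFER_TO_CREDIT_MANAGER" if reasons else "APPROVE"
    return decision, reasons


# Constructed sample data: both customers owe 400 against a 5000 limit.
AS_OF = date(2018, 11, 1)
LATE_PAYER = [Invoice(400.0, date(2018, 7, 1))]    # four months behind
GOOD_PAYER = [Invoice(400.0, date(2018, 10, 25))]  # one week behind

if __name__ == "__main__":
    for name, inv in (("late payer", LATE_PAYER), ("good payer", GOOD_PAYER)):
        print(name, limit_only_check(inv, 5000, 1000),
              evaluate_credit_sale(inv, 5000, 1000, AS_OF))
```

The late payer passes the limit-only check yet is referred by the combined test, which is the gap the answer describes.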

SECTION C: CASE STUDIES (45 MARKS)
There are 2 Case Studies. Answer all questions [Suggested Time: 81
minutes]
Please refer to FE Case Studies file on Moodle. See Week 15/16 tile. Read the case studies
and be ready to tackle the questions in the exam.

THE END
