Preface.doc.doc

The Institute of Chartered Accountants of Pakistan

Information Technology (IT) Management, Audit and Controls

PAPER F21

TEACHERS GUIDE

ICAP Information Technology Management, Security and Control

PrefaceThis material has been specifically written for the Information Technology Management, Security and Control Module (Paper F 21) of the Foundation Course for the Institute of Chartered Accountants of Pakistan (ICAP).

The authors gratefully acknowledge the support of the Institute of Chartered Accountants of Australia (ICAA) in the development of this material.

Written as a guide for teachers and assessment markers, rather than a prescriptive text, this book should be used in conjunction with the Student Guide. It provides references for reading, activities, information and self assessment and students are encouraged to supplement their workbook with other resources including:

access to a computer and the Internet for activities and research work

access to text books and journals as indicated within the introduction and throughout the Guide

Students have been advised that those who only work through this Study Guide will not be able to answer all the questions in the examinations and that teachers will provide additional information during the lessons. References and articles my supplement the work with Students. Guidance on assessment in the form of suggested solutions are provided in this document to enable the teacher to provide valuable feedback on the solutions to students.

Suggested solutions are also provided for the Student Revision Guide.

© Alexer Pty Ltd

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the written permission of Alexer Pty Ltd.

Alexer Pty Ltd113 Watkins Rd,Wangi Wangi NSW 2267AUSTRALIA

Email: [email protected]

Paper F21 Page i


Syllabus

Aims To provide:

Essential body of IT knowledge related to business systems

IT security, control and governance knowledge related to business systems

Application of knowledge to manage and evaluate IT

Indicative GridSYLLABUS CONTENT AREA WEIGHTAGE

1. IT Strategy and Management 30

2. Information Technology Security, Control and Management

40

3. Case Studies 30

TOTAL 100

Paper F21 Page ii


Table of Contents

Preface i

Syllabus ii

Aims ii

Indicative Grid ii

Table of Contents iii

Introduction 1

Overview of Student’s Guide 1

Resources 1

Essential Texts 1Other Textbooks 1

COURSE MATERIAL 4

1. IT Strategy and Management 4

1.1 IT Strategy 4

What is Strategy? 4The Strategic Plan 4The IT Strategic Plan 5Considerations for IT Strategic Planning 6Aligning the IT and Business Strategic Plans 8Components of Long Range Plans 8E-Business Models 9

1.2 Management of IT 13

Management of computer operations 14Management of inter-organisational computing 16Management of end-user computing 19Financial analysis and control 19IT Control Objectives 21

1.3 Software 22

Supply Chain Management (SCM) 22Enterprise Resources Planning (ERP) 22Customer Relationship Management (CRM) 25

Paper F21 Page iii


Sales Force Automation (SFA) 25eBusiness Products 26

1.4 IFAC Guidelines/Discussion papers 28

Managing Security of Information 28Managing Information Technology Planning for Business Impact 29Acquisition of Information Technology 29Implementation of Information Technology Solutions 29IT Service Delivery and Support 30IT Executive Checklist 31Other Papers and Guidelines 31

2. Information Technology Security, Control and Management 33

Control Frameworks 33

Introduction 33

Control frameworks 33

Risks and exposures in computer-based information systems 33IT control frameworks 34

Control objectives 34

Effectiveness, efficiency, economy of operations 35Reliability of financial reporting 37Effectiveness of design 37IT asset safeguarding 37Compliance with applicable laws and regulations 38System reliability 39Data integrity 40

Layer of control 40

Societal 40Organisational environment 40Technology infrastructure 41Software 41Business process 41

Responsibility for control 42

Role and responsibilities of key parties 42

Control environment 42

External regulatory controls 42Board/audit committee governance 42Management philosophy and operating style 42Plans/structure of organisation 43Method to communicate the assignment of authority and responsibility 43

Paper F21 Page iv


Management control methods 43Human resource policies and practices 44Financial policies and practices 44

Risk assessment 45

Risk categories 45Probability of loss 46Consequences 46

Control activities 46

Control design 46Control procedures 48Control over data integrity, privacy and security 49Availability / continuity of processing, disaster recovery planning and control 52IS processing /operations 54

Monitoring of control compliance 56

Roles of management, users, auditors 56Computer-assisted audit techniques 57

3. Case Studies 59

3.1 Join In Inc 59

Suggested Solution 60

3.2 Reedit Publications 62

Suggested Solution. 64

3.3 Veemax 66

Suggested Solution 67

3.4 Patak’s Fine Silks 68

Suggested Solution. 69

3.5 Controls 71

Required 71Suggested Solution 72

Revision Material 80

R1. IT Strategy and Management 80

R1.1 IT Strategy 80

Strategic Considerations in IT Development 80E-Business Models 80Questions 80

Paper F21 Page v


R1.2 Management of IT 83

Management of computer operations 83Management of inter-organisational computing 84Management of End-User Computing 84Financial analysis and control 84IT Control Objectives 85Questions 85

R1.3 Software 90

eBusiness Enabling Software 90Questions 90

R1.4 IFAC Guidelines/Discussion papers 90

Questions 91

R2 Information Technology Security Control and Management 93

R2.1 Control frameworks 93

Key Points 93Questions 93

R2.2 Control objectives 94


R2.3 Layer of control 96


R2.3 Responsibility for control 97


R2.5 Control environment 98


R2.6 Risk assessment 99

Key points 99Questions 99

R2.7 Control activities 100


R 2.8 Monitoring of control compliance 104

Key Points 104

Paper F21 Page vi


Questions 104

Summary 105

R3. Revision Case Studies 106

R3.1 Tarash Food 106

R3.2 Kavak Manufacturing 108

R3.3 KVT Insurances. 110

Glossary 114

Paper F21 Page vii


Introduction

Overview of Student’s GuideThis Student’s Guide is designed to assist the student study the Information Technology (IT) Module and prepare for the Institute of Chartered Accountants of Pakistan (ICAP) Foundation Examination (Paper F 21). It will form the basis of the teaching courses conducted by the ICAP and will direct students to supplementary materials and readings as well as other resources.

Structured according to the syllabus content areas, the Guide provides reading material, exercises and activities for the student. Teachers may provide additional exercises during class. When asked to prepare a summary or report, the students should be prepared to hand-in their response or to present their findings to the class. All activities may be used in class as a presentation topic.

Resources With the pace of developments in the IT industry accelerating, many textbooks have failed to keep up with developments and are now out-of-date. Much more relevant material is available in journals, magazines and through selected sites on the Internet. While some specific texts are recommended below, the student is encouraged to refer to other texts as a comparison and as a way of understanding the impacts that developments have had on the traditional methods and processes.

Essential Texts

Robson, W Strategic Management & Information Systems. Second Edition, Financial Times - Prentice Hall. McGraw-Hill

IFAC Handbook 2000 Technical Pronouncements New York (ISBN 1-887464-58-1)

IT Guideline 1: Managing Security of Information, Jan 1998

IT Guideline 2: Managing Information Technology Planning for Business Impact, Jan 1999

IT Guideline 3: Acquisition of Information Technology July 2000

IT Guideline 4: The Implementation of Information Technology Solutions July 2000

IT Guideline 5: IT Service Delivery and Support July 2000

The main textbook referred to in the Controls section is Information Systems Control and Audit, Ron Weber, ISBN 0-13-947870-1

Reference is also made to the COBIT Guidelines.

Other Textbooks

Title Author(s)

Accounting Information Systems Ulric J. Gelinas, Jr. and Steve G. Sutton

Paper F21 Page 1


Title Author(s)

Auditing: An integrated Approach Alvin A. Arenas and James K. Loebbecke

Auditing Information Systems: A comprehensive guide

Jack Champlain

Information Systems Management handbook

Jae Shim, Joel Siegel, Anique Qureshi and Robert Chi

Information Technology Control and Audit

Fredrick Gallegos, Daniel P. Manson and Sandra Allen-Senft

Risk Management: Best practices, case studies and related materials.

David McNamee, Joseph R. Pleier and Dr. John D. Tongren

Standards and Guidelines for Information Systems Audit and Control Professionals

Information Systems Audit and Control Association

Systems Audit M. Revathy Sriram

Corporate Information Systems Management

Lynda M. Applegate, F. Warren McFarlan and James L. McKenney

Electronic Commerce: business principles & strategies,

Technical Bulletin, Institute of Chartered Accountants in Australia - IT Chapter, 1999

URL Comments

http://www.aicpa.org/pubs/jofa/mar98/courtney.htm Reviews several accounting packages and discusses control and audit trail issues.

http://www.color1.com/3.htm “Five Online Business Models”

http://www2.bc.edu/~gallaugh/stratinnetage.html

"Strategy in the Internet Age"

http://www.computeruser.com/resources/dictionary/index.html

Computer User high Tech Dictionary

http://www.uwm.edu/People/ceil/audit/computerassignment.html

Page used for an auditing course at University of Milwaukee and provides useful links.

http://www.bcs-irma.org/ British Computer Society site on Risk Management and Audit.

http://favorites.powersearch.com/published/view.asp?DID=851570

Collection of information security and computer audit web resources

http://www.pcorp.u-net.com/risk.htm COBRA risk analysis information

http://www.idrc.ca/acacia/old/studies/ir-govern.html Information and Communications Technologies (ICTs) and Governance: Linkages and Challenges.

The Institute On Governance

http://www.isaca.org/ The Information Systems Audit and Control

Paper F21 Page 2

http://www.pcorp.u-net.com/risk.htm





http://www.color1.com/3.htm


URL Comments

Association & Foundation

http://www.intnews.com/isa.htm IS Audit newsletter

http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242&CFID=783071&CFTOKEN=41875938

English Institute’s Internal Control Guidance – the Turnbull Report.

http://www.nao.gov.uk/intosai/edp/pubindex.html INTOSAI EDP Audit Committee Publications

http://www.nao.gov.uk/intosai/edp/it_controls.html INTOSAI EDP Training

http://www.itgovernance.org/resources.htm IT Governance Portal

http://www.theiia.org/itaudit/index.cfm?fuseaction=catref&catid=5

Institute of Internal Auditors, Audit controls information

http://www.methodware.com/products/cobit/?idx-cobit.shtml

Information about Internal audit software.

http://lists.insecure.org/pen-test/2000/Sep/0457.html Audit discussion threads

Paper F21 Page 3

http://www.itgovernance.org/resources.htm

http://www.intnews.com/isa.htm


COURSE MATERIAL

1. IT Strategy and Management

1.1 IT Strategy

What is Strategy?

To introduce the topic it is important that students understand what a strategy is and the need for one. Ask students for examples from their own experience.

Strategy: The general direction set for the organisation with the aim to achieve a desired state in the future.

Read Section 1.1.1 on Definitions of Strategy. With reference to other articles and books, find two (2) other definitions of strategy. Choose the definition that you prefer and describe why you prefer it.

There is no one correct answer for this question. The aim is to get students thinking about Students

Discuss the differences between strategy and strategic planning.

The Strategic Plan

It is important for the students to understand the focus of the Strategic Plan and the level at which is pitched.

Read section 1.6 A Model of the Strategic Planning Process in the text Strategic Management and Information Systems.

There are various methodologies for strategic planning and various “templates’ for a Strategic Plan. Apart from the text, there are some interesting and simplistic articles on strategic planning on the Internet. You might like to use the following sites to draw out discussion about any of the topics covered:

http://www.mapnp.org/library/plan_dec/str_plan/str_plan.htm

You might like to invite some owners from local businesses into class for an open discussion on strategic planning.

Paper F21 Page 4

http://www.mapnp.org/library/plan_dec/str_plan/str_plan.htm


Prepare a case study of 2 local businesses (one large and one small) and how they approach the strategic planning exercise. While they might not want to provide you with a copy of their strategic plan, they may be willing to provide you with the Table of Contents for their Plans.

Compare and contrast the approaches taken by the businesses to that described in the text. What do you consider the main issues and challenges for businesses undertaking strategic planning?

Some students might find it difficult to find access to businesses and/or their strategic plans. In this case you might like to suggest that they review some sample strategic plans located on the web such as:

National Oceanic and Atmospheric Administration http://www.strategic.noaa.gov/

Bplans – the planning people site http://www.bplans.com/sp/?a=bc

Academic Departmental Strategic Plans http://www.montclair.edu/pages/Planning/DepartmentPlans.htm

The suggested solution should include discussion of the following points:

The approach to strategic planning differs according to the size of the company

The frequency of updating

The staff and management who are involved with the planning process (skills and decision-making responsibility)

The use of a standard methodology

The use of the Plan once it is produced

The nature of the marketplace

The IT Strategic Plan

More and more, today’s organisations rely on technology to support their business processes and to provide the information needed for decision-making. So what is the relationship between Strategic Planning and IT Strategic Planning? How do we go about developing the IT Strategy for a business? How do we go about planning for information systems?

Before thinking about planning for IT and for information systems we must understand what the terms “IT” and “management information systems” mean? As a refresher on the topic, read “Chapter 3: “What are management information systems?” in the recommended text.

When we talk about an IT Strategic Plan there are many views on the form of the Plan. You could use the example of many of the consulting firms have their own “methodology” and approach to strategic planning assignments.

Paper F21 Page 5

http://www.montclair.edu/pages/Planning/DepartmentPlans.htm

http://www.bplans.com/

http://www.strategic.noaa.gov/


Discuss the issues in the Student Guide.

Read “Chapter 4: Strategy planning for information systems” in recommended text.

IT planning occurs at a number of levels. It is important that the students understand the different levels and the reasons why each is important.

Why do companies develop IT Strategic Plans? In your own words describe at least 3 reasons why a company might develop an IT strategic plan.

Students need to have an understanding of the purpose behind an IT Strategic Plan. Suggested solution should include some of the following reasons:

Effective management of a costly but essential part of the organisation

Improving communication between the business and the IT departments in an organisation

Ensuring that the business direction can be supported and is linked with the IT direction

Planning the priorities of IT to work with those of the organisation

Provide a framework for effective resource management

Provide a focus on what IT does so that costs and benefits are recognised.

Considerations for IT Strategic Planning

Understanding the business

Lead a discussion on the effect that the following would have on IT Strategic Planning.

Size of the organisation – large, small

Structure of the organisation – roles and responsibilities

Type of organisation e.g. not-for-profit, community-owned, public, private, national, international

Maturity of an organisation e.g. start-up, conglomerate

Positioning the Business

In order to understand what direction the business should move in, it is important to understand the position of the business in the marketplace. What products are offered and what are still needed? What markets are served? Who and where are your competitors?

You may want to draw out some of the tools described in Section 5.4 for positioning the business and for understanding the context for the Strategy.

Paper F21 Page 6


Knowing the Business Environment

You might want to discuss the following in terms of how they impact on the business and the business environment. Remember that the students are asked to discuss C customers in detail so you might want to just concentrate on the other categories. Ask for other suggestions.

Customers

Suppliers

Regulatory agencies

Government

Identify at least 4 possible requirements from customers that might impact an IT Strategic Plan and describe the implications.

Answers will very for this question. There are many things that customers might require or need within the current business environment that would impact on the IT Strategic Plan. Students should be able to demonstrate an understanding of how customer needs might be reflected in the Plan. Answers could include:

Credit card processing. Customers wanting to use credit cards will mean that the organisation will have to look at online verification with credit card providers or alternate providers. Changes will need to be made for database access, new external partnerships and networking capabilities etc.

Improved lead times. This might necessitate a review of the current ordering systems and/or inventory systems and plans to upgrade systems, acquire or redevelop.

Ability to provide electronic documentation (e.g. CD-ROM). This might mean the purchasing of new equipment to provide CD-ROMs, and systems to control publishing and distribution.

Bar-coding. Introducing bar coding into a company needs careful planning. It can impact right across the organisation and supply chain – new printers, bar-code readers, systems to work with the codes etc.

Ability to handle special orders and requests. This sort of requirement (improvements to existing processes) could mean upgrades to systems, investigations into new systems or review of ordering process and resources.

Ability to interface with distributors of customers and affiliates. This could mean allowing for further investigation into the requirements to see how widespread the need is and assess the sort of changes that might need to be made to existing systems.

Understanding the Risks

Lead a discussion on the following categories of risk:

Economic

Paper F21 Page 7


Technical

Operational

Behavioural

Ask whether the students think that risks are increasing or decreasing and what they think poses the greatest risk.

Rate the following examples in terms of risk where L is Low, M is medium and H is high

i) a small manufacturer using a financial package to record their financial transactions from paper records

ii) a large but conservative bank using commercial packages that are readily available with minimal modification

iii) a medium sized bank with in-house developed system which are regularly changed to ensure that the bank stays ahead of the competition

Suggested solution is:

i) L

ii) M

iii) H

Aligning the IT and Business Strategic Plans

There is little debate that IS Strategic plan must be aligned with the Business Strategic Plan.

Read Chapter 6 “Frameworks for integrating IS Strategies with business strategy” (Strategic and Management Information Systems)

You might want to lead a debate on what the students think might happen when an IT plan is NOT aligned with the Business plan.

Discuss the IT trends identified in the Student Guide and open the discussion for other trends that might impact the alignment between the IT and the Business Strategic Plan.

Components of Long Range Plans

What is in an IT Strategic Plan? Each organisation will answer this question differently. Discuss any experience that the students might have with strategic planning.

You might want to invite an IT Manager into the class for discussion about the role and how the IT Strategic Planning process works in the company.

Paper F21 Page 8


“All organisations should prepare their IT Strategic Plans for a period of 3-5 years and review their long term plans regularly”.

In your opinion, should the horizon or period for a Strategic Plan be the same for all organisations? Should the review period be defined the same for all organisations? Would the IT Strategic Planning time frame differ for organisations in different industries?

Give examples to highlight your views.

The student’s answers will very a great deal. The question seeks to explore the student’s understanding of how the IT Strategic Planning process differs across organisations of different sizes and in different industries.

The answer should emphasise that IT Strategic Planning will differ across industries and that every organisations will need to determine what is an appropriate time frame for the planning and review process.

A small company will usually have a less formal process for IT Strategic Planning.

The position of IT within the company structure will impact on how IT is viewed and how it rates as a strategic consideration.

Young companies will usually be less structured in their planning and focus on short term issues as they struggle to survive.

Business planning is key to smaller companies as they seek to establish their business credentials.

Industries can affect the time frame for planning. An organisation in a more traditional sector such as agriculture may have a longer time frame for strategic planning than an industry in a more contemporary industry such as electronics.

Consider those companies in industries that have been spawned as a direct result of technology such as electronic commerce. With the rapid pace of change and new developments and trends almost daily, a company in this industry would need to almost constantly revise its IT Strategic Plan.

E-Business Models

It is timely for the students to revise the concept and meaning of e-business. You might wish to lead a discussion on what is e-business before commencing this section to ensure that the students have a sufficiently broad definition.

Revise material in Module D21 on e-business.

You might want to demonstrate some websites that demonstrate some of these models or ask the students to share their experiences.

Suggest leading a discussion to identify the business communication processes and ensure that the students understand this term.

Paper F21 Page 9


Business to Consumer (B2C)

You might want to demonstrate www.amazon.com as the most well known B2C site.

Through class discussion compare and contrast the physical shopping experience to the online experience. Ask if any students have bought anything online and ask them to share their experiences with the class.

Lead a discussion of the advantages and disadvantages of online shopping. Issues that might arise include:

Issue of consumer privacy, security and trust have become critical factors for the online store

Problems with intermediaries and long term relationships between seller and distribution channels.

Delivery and distribution challenges

Convenience factor for busy people

Differences in online goods e.g. clothes that people traditionally like to try one or feel compared to standard grocery items.

in remote areas of even overseas have caused logistics problems for those businesses without such processes in place.

Lead a discussion on electronic payment systems.

Choose 2 electronic payment systems prepare a comparison addressing issues such as:

* Description of system

* Target market

* Advantages

* Disadvantages

Students might choose 2 of the following to compare:

e-cash: Various products developed which attempted to provide the online equivalent of cash by utilising public key cryptography. The banking industry was the greatest barrier as there was no general acceptance of this as valid currency.

Smart card e-payments: Similar to phone cards where smart cards are built with a microchip as an online “purse” to store money. Suitable for smaller valued transactions, the “purse” is reloaded from banking machines or proprietary systems. Required the user to have card readers attached to PC.

Electronic Purse: developed by several online vendors. Consumer could purchase a large denomination using standard credit card details that was “held” by the online store for purchases within that store. As the consumer purchases smaller valued transactions the value was deducted from the purse value automatically. The consumer would “reload” the virtual “purse” with value as required. Great for

Paper F21 Page 10

http://www.amazon.com/


smaller transactions but restricted the consumer’s choice of where they could shop – if tied to one online store.

Credit Cards: Traditional credit cards such as MasterCard, Visa, and American Express have been accepted as the most common way of purchasing online goods. The main challenges are that these transactions are not suitable for smaller amounts and there have been 9oissues with authorisation and security of the cards.

Business to Business (B2B)

Lead discussion about the emergence of this model. Discuss some of the possible benefits that B2 B offers.

Review the article at http://b2b.ebizq.net/exchanges/kenjale_1.html

Choose an industry and describe a B2B example. Give your opinion about the future of the B2B model.

Do you agree with the authors that this term may soon become obsolete?

There is no ”correct” answer to this question. What we are looking for is demonstration that student understands the model and its position in the business environment. If there are no such models locally in Pakistan, you might like to lead a discussion on whether the students think that the local market will follow the same trends as the western world or if it will take shortcuts and learn from other experiences.

Business to Employee (B2E)

Lead discussion as to whether the students have any experience with this model. You might like to ask the question if the students to identify what model their current relationship with the Institute follows. I suggest that it is closest to this model.

Prepare a list of information that is shared in a normal business i.e. information to which everyone needs access.

Students might suggest the following information:

Spreadsheet and document templates which are corporate standards

Policy and procedures manuals

Quality document (e.g. ISO 9000)

Software and hardware manuals

Telephone directories (both internal and external)

Training manuals

Company newsletters

Forms required for administration e.g. annual leave forms. Absentee forms.

Paper F21 Page 11

http://b2b.ebizq.net/exchanges/kenjale_1.html


Research the emergence of the B2E model and describe the technologies that could be used by an organisation to support this model.

Describe 2 issues that might impact the success of such a model.

Suggested solution could cover technologies such as Intranet, Extranet, CUCMe, and bulletin boards.

Issues that might arise include:

the current technology infrastructure of the organisation and whether it is capable of supporting the technologies required.

the skills of the staff

the level of access to the technology by all staff

the willingness of staff to use the technology

the need to keep it up to date and ensure that the right people have responsibility.

Consumer to Consumer (C2C)

This is an interesting model to discuss as it has also introduced new business types

Research this model on the Internet and describe it in your own words. Provide some examples of this model.

Identify one product that could be used to create a C2C opportunity. Describe the scenario and the benefits that this would provide.

You will find all students will answer this differently. The most common answers will probably introduce technologies such as bulletin boards, Chat forums, and online auctions where consumers directly interact with other consumers.

Students might choose an online auction where consumers post what they want to sell and other consumers can purchase. Expected benefits from this type of model could include:

Cost savings – no expensive paper communications

Time savings – electronic communications are faster

Provides greater power to the consumer – greater choice and more control over the purchases

Greater power to the seller – can reach far greater audiences than ever before

Government to Citizen (G2C)

Many governments have a strategy to deliver online services and information. You might want to lead a discussion about the issues of inequity and access that this introduces into societies.

Paper F21 Page 12


Identify 3 common communication processes or transactions that a citizen must conduct with government. Describe the transactions and how technology could be used to improve the current processes.

Suggested solution could include:

Taxation

Notifying departments of change of addresses

Registering on the electoral role

Applying for a visa or passport

The students might identify the used of the following technologies as a way of improving access:

Internet,

WWW

Email

Public information kiosks

Video-conferencing

SMS – mobile solutions

Research the objectives of the Citizen Online Project of the Pakistan Government.

Give a list of at least 6 types of information that will be available.

Site is at http://www.itcommission.gov.pk/itnews/images/citizenproj.htm Students should identify some of the following:

organizational details,

rules and procedures,

contact persons

e-mails addresses,

downloadable forms and

data of interest to the general public.

1.2 Management of ITIT is still a relatively new industry and the most rapidly developing industry that the world has even known. You might want to lead a discussion about how the role of IT management has changed from the centralised operation of the Electronic Data Processing (EDP) department to the contemporary IT Department.

Many new technologies have had a profound impact on the organisation of IT.

Paper F21 Page 13

http://www.itcommission.gov.pk/itnews/images/citizenproj.htm


Survey 3 companies (one large, one medium and one small). Describe the organisation itself and describe the organisation structure in terms how IT is managed.

You might want to invite 3 IT managers into the class to discuss how IT is managed in their organisations in relation to the size of the organisation.

Students should identify the differences between centralised management and decentralised management. Also in some smaller companies, the IT management role might be incorporated into other roles whereas in larger companies, there may be several IT-related managers e.g. IT Operations, IT Development, IT Strategy.

Management of computer operations

This section has defined “Computer Operations” in a broad sense as everything concerned with ensuring that an organisation can access and use its information systems.

IT Operations Strategy

Ensure that the students understand the relationship of the IT Operations Strategy with the other Strategic Plans.

In your option would the IT Operations Strategy be a long-term plan or a short-term plan? Why?

Students should describe this Strategy as a tactical plan for implementing the IT Strategy. The Operations Strategy will cover a shorter term than the overall plan and will be a more detailed plan. It will address the priorities of IT acquisitions and installations to support the overall IT Strategic Plan and will guide the Operations Department in its activities.

Technology Planning

Supporting the organisations technology infrastructure for opportunities and protecting it from obsolescence are critical tasks of operations planning. Discuss the diagram included in the Student Guide.

Lead a discussion on who the students think should be included in this activity.

Measuring and Managing Capacity

You might want to draw out the differences in small organisations who make decisions about purchasing a more powerful, faster computer for a particular function when needed as opposed to larger organisations who need to consider and plan upgrades and purchase.

IS Operations Staffing

IS staffing issues are not just confined to the Operations area. However there are increasingly technical skills required to work in this complex area. You might want to discuss the issue of Operations staffing with the class.

Paper F21 Page 14


You might want to discuss the Computer Society of Pakistan and what the students’ understand about the organisation (http://www.csp.net.pk/) Ask the students how membership might impact staffing and what impact his might have on recruitment.

Production Planning and Control

While many organisations run online systems that are required for staff to service customers, there are many systems that run in batch mode and may require large amounts of processing power and time.

You might want to lead a discussion about what Production Planning and Control means in a small business. For example, it might mean that no one can use the accounts systems while the end of month accounts are processed.

Security

Security is a complex issue and the IT infrastructure of an organisation must be protected. While the costs of security can be significant, just what level of security the organisation needs is dependent on the risk to the organisation and needs to be a strategic decision.

Within a single site, describe some of the ways that the site security can be improved.

There are many answers to this questions and it really is a matter of appropriateness. Weighing up cost versus risk is critical. Some of the more common ways that the students might suggest include:

Limiting physical access to the computer room

Access codes for authorised personnel only

Monitoring access using remote TV cameras

Storing significant files and backup off site

Ensuring an uninterrupted power supply and fire protection is in place

Physical separation of development and operations staff

Privacy

You might want to direct students to this article titled Technology and concept - privacy and authentication at http://www.bcs.org/ereview/2001/html/p119.htm for a good discussion of some overall principles of privacy.

With respect to your personal and business life, identify what transactions that you participate in that may have resulted in personal data being held in a database.

List at least 6 instances.

Paper F21 Page 15

http://www.bcs.org/ereview/2001/html/p119.htm

http://www.csp.net.pk/


You might wish to discuss this question in terms of the diagram on P528 of the text “Strategic Management & Information Systems”. Students could nominate many instances here including:

Birth records

University records and exam results

Institute enrolment records and exam results

Driving records

Passport records

Bank records, Credit cards and/or debit cards

Management of inter-organisational computing

Early users of computer processing bureau services and early adopters of Electronic Data Interchange (EDI) were the first to deal with issues arising from inter-organisational computing.

Consider a company that produces fabrics for export and which is restricted in its IT resources.

Identify as many partners as you can with whom the IT Department might consider a partnership and describe the broad technology environment that might be adopted for each.

The students might identify many different partners for this example. Suggested solution might include:

Customers. Using a website for reaching out to global customers might be a desired outcome so the IT Department might consider using an outsource provider for their services such as web development and hosting or could consider and ASP service.

Suppliers. Adopting an online system with suppliers so that orders for raw materials, can be readily sourced when needed could help. This could be approaching suppliers to establish extranets with them or to develop an industry portal.

Government. The IT department should consider forming a relationship with Government so that export, customs documents can be simply used and more effective communications forged.

IT Vendors. Many IT vendors give partners direct access to their order systems which can be used without the need to develop costly systems.

Collaborative computing

Read Section “11.5 Group-Based User Computing” in Strategic Management & Information Systems pp 413 - 418

Paper F21 Page 16


You might want to discuss concepts and if any of the students have direct experience with collaborative computing.

Intranets have been heralded as a great new tool for organisations. Research information about Intranets. Describe at least 4 benefits that an organisation might realise by employing an Intranet. State any assumptions that you have made about the organisation.

There are many benefits that might accrue with an Intranet. Student’s answers may include:

Improved control over data. No replication and assigned responsibilities.

Improved responsiveness to customers. Information may be accessed by all staff and the customer given an answer to their query immediately.

Better staff efficiencies. Data is collected and entered only once and yet everyone can access the latest information. No need to run around trying to find out who has the latest information.

Able to capture improved information about operations and information access and thus improve what information is being captured and how it is being used.

Distributed Systems

Discuss the concepts raised in the material in the Student Guide.

There are many benefits of distributed data processing and many potential pitfalls. Describe at least 4 benefits and 4 potential weaknesses of using distributed systems.

Students may have widely varied answers. The following is a suggested solution:

Advantages:

User involvement. There is greater user involvement in distributed solutions.

Availability. Confines the effects of computer breakdown to smaller segments and thus reduces the reliance on one computer.

Flexibility and growth. Allows for phased approaches to upgrades and systems rollouts.

More cost effective solutions able to be developed and implemented because this is normally associated with PCs.

Responsiveness and productivity are increased. Smaller jobs, better understanding of the data.

Disadvantages.

Maintenance and hardware problems not as easily diagnosed. Networks are more complex and there are more points for failure introduced.

Paper F21 Page 17


Controls. There is much less control over distributed systems. Backup and security issues in particular can be a problem.

Integration of data and information is more complex. Data can become fragmented or not synchronised.

Possible for costs to escalate as there are many costs that are hidden.

For example, consider the Distributed Devices described above. Who is responsible for the planning associated with the devices? Who would be responsible for the maintenance of the devices? Who would be responsible for the training of the uses of the devices? Who would be responsible for managing the devices? Who is responsible for managing the risks?

Read Chapter 9 “IS Resource management” for some insights into the difficulties facing managers of a distributed systems site.

EDI and Electronic Commerce

Lead a discussion about EDI. There may be logical industry examples that you can quote.

EDI can be defined as: the direct computer-to-computer exchange of information”.

Ensure that the students understand the difference between EDI and other forms of ecommerce by discussing the example of a company who emails an order versus one who uses an EDI system for an order.

Summarise the benefits of EDI and provide examples of how the EDI benefits could be achieved if applied to the traditional order processing systems of a business.

EDI Benefits Order Processing Benefits

Save costs

High costs of resources for preparation, handling and data entry of orders can be eliminated.

Input orders directly from phone or use Internet-based forms to allow customers to enter orders themselves directly into your order processing system.

Increase Sales SEE 1998 PY Technical Guide P 237

Reduce time for fulfilment

Reduce Errors

Improve Security

Improve Integration

Reduce Inventory levels

Paper F21 Page 18


Outsourced Services

Outsourced is a term that has been widely used over recent years but is it anything new? Discuss the concept of the computer bureau and its relationship with some of the modern day outsourcing arrangements.

Read the article “Ins and Outs of Outsourcing”

One of the most crucial parts of outsourcing is maintaining the quality of services delivered through the third party. The SLA thus is the most important document in an outsourcing agreement. You might want to discuss what sort of things should be included in an SLA.

Outsourcing can involve a little of the organisation or the whole IT department. And there are various ways of outsourcing specific functions. Discuss the role of ISPs as outsource providers. Lead into a discussion of ASPs.

For an in-depth look at ASPs, read the 4 part article “All about ASPs”.

You might want to lead a discussion based on some of the issues raised in the article.

Management of end-user computing

“End-user” is a term that can have several different connotations and as a consequence different implications for management. You might wish to lead a discussion on the various levels of end-user computing.

Financial analysis and control

Managing the increasing risks and the costs of IT needs greater control today and is subject to more pressures. Implementing IT Strategies is a balance between the direct costs, indirect costs and benefits. While tangible costs and benefits are easier to manage, there are increasingly complex intangible costs and benefits.

Read Chapter 7: Information value and IS investment in the text Strategic Management and Information Systems.

Capital Costs

There are several choices to obtaining IT hardware and software including renting, leasing and buying outright. The choice of financing options is largely determined by the organisation policies, the availability of funds and the other spending choices. Outright purchase might involve consideration also of taxation and depreciation regulations and the impacts on the financial position of the company.

Consideration of rental and lease options may vary according to the marketplace, business environment, availability of these options and the time over which the organisation is looking to rent or lease.

Paper F21 Page 19


What do you think would be the benefits of rental or lease over outright purchase?

Student might suggest the following points:

Capital is not tied up in IT which allows greater investment in the company’s main business

Reduced risk of paying too much for IT. With costs decreasing for some technologies quite dramatically as it matures, there is a danger that the early adopters pay high prices and the late adopters pay far less.

Less obsolescence. Rented or leased equipment can be quickly disposed of and there are greater opportunities for upgrading the configuration

Improved performance. Depending on the performance clauses in the contracts, any hardware or software that is rented or leased can be disposed of or pressure put on the provider to improve service.

Taxation advantages might exist.

Capital costs can also incur other costs that are sometimes ignored. Also there are many flow-on costs associated with capital investments that are often hidden.

You are an IT manager. Your mainframe computer is from a supplier, Cant Computers, who has been providing service to you for several years. You have made a decision that implies you need to upgrade and have received notification from your supplier that the cost to upgrade will be in the vicinity of Rs100,000. You immediately think – I will change suppliers and get a quote from another supplier, Butt Computing, for Rs 90,000 for similar specification.

Which supplier would you choose and why?

Student answers should demonstrate an understanding of the associated costs with a capital purchase. Answers could be either depending on the arguments but suggested solution would be Cant Computers since a change to Butt Computing would involve not only the capital cost but also include many other flow-on costs such as:

Reskilling the IT support staff for the new computers

Changes to maintenance and support arrangements for computers

Potential changes to systems and programs

Potential changes for some users and training costs

Need to investigate the extent of changes necessary for integration of the new computer with existing equipment

Need for changes to disaster recovery plans

Paper F21 Page 20


Time and expense Tracking

Lead a discussion with the students about mechanisms they may have seen that allow the time and expense tracking.

Cost charge out and Monitoring

Lead a discussion on the different ways that an IT department might operate.

Desktop computing has introduced complexity and enormous hidden costs into the IT Manager’s budget in many companies. In your opinion, what which of the following do you think could offer the greatest cost benefits and why?

i) standardisation of desktop computers

ii) centralisation of purchasing

Students should demonstrate an understanding of desktop computing and the potential issues. Answers could include mention of the following:

Standardisation – if user departments purchase diverse computers in terms of specifications, operating systems and software then IT support becomes a major issue. In many organisations, these departments will still ring the IT department for support assuming that the skills and knowledge are there to support anything! Also software clashes can occur on different computers if the specifications are different and undermine any rollout of effective desktop tools. Standardisation means skills, tools and support can be managed more effectively.

Centralisation of purchasing. Many suppliers offer bulk discounts and discounts for their better customers. If each department buys from different suppliers, costs can be more overall. Also managing warranties acne support becomes easier if managed centrally.

IT Control Objectives

Currently there are 2 distinct classes of control models available – the business control model “COSO” and the more focused control models for IT “DTI”. A relatively new control

framework, COBIT has been developed by the Information Systems Audit and Control Association Foundation (ISACF).

Discuss the need for controls to assist IT Management meet their responsibilities.

CoBIT management guidelines identify a list of generic Key Goal Indicators. Define in your own words a “Key Goal Indicator” and list 6 that are applicable to all IT processes.

Students should be able to provide a definition based on the one supplied in the COBIT guidelines but not word for word

Students might identify any of the following list of KGIs:

• Achieving targeted return on investment or business value benefits

Paper F21 Page 21


• Enhanced performance management

• Reduced IT risks

• Productivity improvements

• Integrated supply chains

• Standardised processes

• Boost of service delivery (sales)

• Reaching new and satisfying existing customers

• Creation of new service delivery channels

• Availability of bandwidth, computing power and IT delivery mechanisms fitting the business, and their uptime

and downtime

• Meeting requirements and expectations of the customer of the process on budget and on time

• Number of customers and cost per customer served

• Adherence to industry standards.

1.3 Software Strategies for adopting eBusiness practices are supported by many products, technologies and types of systems. While this area is constantly changing there are some systems that are recognised by many companies as key strategies. We will look at some of those systems here but students are encouraged to research this topic further for new and emerging trends.

Supply Chain Management (SCM)

Trading involves a number of partners across the supply chain. You might want to take an industry and talk about the supply chain for that industry as an example.

Enterprise Resources Planning (ERP)

Ask the students if any of them have experience with the more common ERP packages e.g. SAP, PeopleSoft and Oracle applications. Discuss how these packages are used and if there were any issues arising from the implementation.

While the direct costs of an ERP project can be significant there are many indirect costs that also need to be considered.

Describe at least 4 cost categories, apart from the cost of the software that need to be considered in an ERP project.

Paper F21 Page 22


Students should recognise that many costs in an ERP project are hidden but can include:

Planning and project management

It takes time and effort to properly prepare for an ERP deployment. The company's IT staff and the appropriate business managers must be given the time and clear responsibility to conceive and evaluate the project's scope, costs, and timeline. It's important to assign the planning responsibilities to staff members who not only have a good grasp of the technology, but who also understand the company's business requirements and processes. Also make sure that whoever leads the planning sees the project through--from the initial deployment to some extended period after deployment to work out the inevitable kinks.

Integration

Companies almost always underestimate the time and cost necessary for enterprise software integration. ERP systems rarely exist in a vacuum and they usually need to be tied into software and complex business processes that predate the ERP system. In addition to software from a primary ERP vendor, the enterprise may also want to use applications provided by other software vendors. For example, a company may want to tie its core ERP suite from SAP into a CRM application from Siebel and global trading management software from Vastera. Mergers and acquisitions also create difficult integration challenges because the merged companies may use different ERP packages and other different applications with which they've already integrated. Dick Kuiper, a vice president with Meta Group, says that a large enterprise typically operates five or more ERP systems and some companies are known to have more than 20 ERP systems.

Dirty data

A number of problems and hidden costs crop up when handling real-world data. When an enterprise converts its legacy systems to ERP, it must convert large amounts of data for use in the new system. Much of the old data is difficult--if not impossible--to convert, which means a lot of time and money will be spent re-entering it into the system or putting it through complex conversion processes. Even after a system is fully deployed, you can't take the data for granted because it ages. For instance, every month some of the company's customers, employees, and business partners change their address or other parts of their profile. Gartner Group analyst Beth Eisenfeld estimates that 2 percent of a company's customer data goes bad every month. She recommends an ongoing effort to clean up obsolete data. Finally, when data is combined from multiple systems for analysis or as a result of integration projects, more work can be involved to clean it up and convert it.

Testing

Given the mission-critical nature of a company's ERP system, it should be thoroughly tested before it's fully deployed. Don't just test the system with dummy data. Use actual data from different real-world scenarios. For example, a manufacturing company should pull up historic orders from customers and route the orders through the entire process of creating the product, shipping it, and billing

Paper F21 Page 23

http://techupdate.cnet.com/enterprise/0-9500-721-7854251.html

http://techupdate.cnet.com/enterprise/0-9500-721-1594442.html


for it. Ideally, employees who actually operate the specific business processes on a day-to-day basis should perform these tests. Of course, all of this costs money, but the investment will significantly reduce other costs that result from the downtime and poor implementations that occur when systems aren't properly tested.

Documentation

ERP systems take a long time to deploy and are used for many years within a company. That means they usually outlast the IT employees and business-process managers who conceptualise, deploy, and modify the systems. Documenting the system is crucial so that future employees can make sense of the software and business-process logic the system encompasses. Documentation is also needed to help future workers deal with the inevitable updates, extensions, and integration projects that occur as a company evolves. In addition, documentation can save consultants time and help them map out the scope of projects properly to improve cost accountability.

Training

One of the biggest mistakes enterprises make is forgetting that employees must adapt to a new ERP system. Employees must be trained on how to operate the system and how to apply it to familiar business tasks such as looking up and entering data, Furthermore, a new ERP system almost always means changes to business processes. That requires change management to teach employees about new business practices and manage staff reorganization. Employees often resent change and resist it when it means they have to let go of established work habits and take up new reporting relationships. Despite all the money a company spends, an ERP deployment can fall flat on its face or simply operate at vastly reduced efficiency if the company fails to adequately train the staff and manage the change effectively.

Consulting fees

Since few IT departments are staffed to handle the extra work required to implement each phase of a big ERP project, many of the items mentioned earlier require consultants. Without proper management, though, consulting fees can eat through your budget faster than a pack of mice through a chunk of cheese. It's important to make sure that in-house staff is capable of managing consultants. Consulting contracts should carefully define key deliverables, schedules, skill levels of available staff, and objectives for training internal staff. The contract should also be accompanied by a detailed specification that clearly points out the desired business objective and technical requirements. Proper planning and project management (as mentioned earlier) are important for managing consultants and holding them accountable.

The bottom line on ERP

Although ERP projects are complex and expensive, properly implemented, they are nonetheless worthwhile. Meta Group found that once fully deployed, the median annual savings from a new ERP system was $1.6 million per year.

Paper F21 Page 24


But every ERP system must be continually maintained and upgraded to take advantage of new applications, technologies, and features. ERP software is hardly static, and there are major new developments as the software grows to embrace the Internet and as companies open up their data and business processes to partners

When you realize how much is involved with ERP, you quickly realize that it is this software and the business process it describes--not the computing hardware--that lies at the real centre corporate information technology

Customer Relationship Management (CRM)

Definitions of this category of software are wide and varied. Discuss the student’s understanding of the term. You might like to find some other examples of definitions and discuss those as well.

Sales Force Automation (SFA)

Sales teams carry out 3 important functions – finding, acquiring and maintaining customers. You might like to talk about various ways of supporting the sales force using technology. Foe example, introduce the laptop, the palm pilot and mobile phone as simple examples of how technology may be applied to “automate” a mobile work force and the benefits it might bring to the organisation. .

You are the IT Manager and have been asked to provide advice to the Sales Manager about SFA systems. They want to buy a package and have asked what might be available and what it might do for them.

Research the web and identify a product that might help them. Describe the product, its advantages and disadvantages.

There are many projects in the market. Most of the well-known CRM packages or ERP packages have a module for the Sales Force. If the students have difficulties with this point them to a product called Salesnet to use as the basis for their answer. The following is the sort of benefits claims from Salesnet that students might include in their answers.

You benefit from real-time access to critical sales team activities, sales reports, forecasts, and customer information, via the Web. Salesnet also offers wireless access to all preferred mobile devices (including RIM devices) at no additional cost.

Salesnet is an application service provider (ASP) that offers a robust Web-based Sales Process Management (SPM) and Sales Force Automation (SFA) service. Salesnet's online Sales Process Management (SPM) solution offers the fastest CRM/SFA deployment in the industry, with a 100 percent successful track record. Salesnet's Professional Services team guarantees that your best sales business practices will be automated within weeks, from pilot to rollout, and at one-fifth the cost of traditional client/server CRM/SFA deployments. Salesnet's ASP model eliminates the need for a huge up-front capital investment in software and hardware. And, sales professionals get real-time access to critical sales team activities, sales reports, forecasts, and customer information -- via their desktop computer, laptop, or preferred wireless device -- regardless of their geographic dispersement

Paper F21 Page 25


Advantages of this sort of product are improved quality of information, faster responses to customers, improved communication with workers who are mainly out of the office and greater efficiency in mobile workforce operations.

Disadvantages is increased security risks, need for improved controls over remote operations, greater investment in technology and more complex networks.

eBusiness Products

There are literally hundreds of software and hardware products that lay claim to be eBusiness Products. Many of the products address only one specific part of the business or one particular function. Since this is a relatively new area, products emerge onto the market almost daily so the best place to research what it available is via the Internet.

Visit the Computer Associates website at http://www.cai.com/products/ to find out how Computer Associates categorise and sell eBusiness Solutions. Download the white paper “The Software that manages eBusiness” for one view about the complexity of servicing organisations wanting to conduct eBusiness.

Some of the different types of products that you might find are described below.

Online Shopping Carts

There are many companies that have developed online shopping cart products. These products tend to service the needs of smaller businesses with little resources to develop their own solutions.

Once such product is Merchant Order Form (MOF). Visit their website at http://www.merchantorderform.com/ to find out more about their product. Search the web to find another shopping cart product and compare/contrast the features of the 2 products.

From the website – the student will find that MOF is a Perl based shopping cart program. Its features are:

It can be installed on any server

It is industry standard CGI program that is stand alone program

Web based shopping cart with flexible payment methods, design and layout options.

MOFcart can accept unlimited product input and options for size, colour, text, and price.

There are many others that the student can choose from to compare and contrast. If they are having problems locating some – you might suggest the following:

http://www.easycart.com/main.html

Paper F21 Page 26

http://www.easycart.com/main.html

http://www.merchantorderform.com/


http://www.cartit.com/

http://www.netconcepts.com/

http://www.pdgsoft.com/index.shtml

The features that will differentiate products and which the students should be aware of include:

Flexibility. Limitations and constraints in the number of products, categories, customer etc that can be handled by the product

Shipping options available

Management reporting options

Service and support arrangements and cost

Security features

Industry standard languages or databases

Location of data, information etc

Ability to integrate with other systems such as billing, debtors, stock control etc

Online Payments

Products for offering online secure payment systems also abound. These products vary from direct online verification of credit card details with either banks, or branded cards through to smart card developments to handle micro-payments for goods.

Consider options for online payments. Compare and contrast the following products in terms of what sort of businesses might be interested in each of the solutions.

i) Flexegate (http://www.ehost.com.au/ecommerce/index.htm)

ii) http://www.paypal.com/

iii) http://www.billpoint.com/

Describe what sort of features businesses should look for in online payments systems.

The 3 products featured would all appeal to small to medium businesses. The questions that the businesses would need to have asked are:

Do I want international currency?

How many products do I have and what is the average value of transactions?

How familiar are my customers with online payments and technology

What systems or other products will this need to interface with?

When looking at any online payments systems, businesses should look for:

International currency arrangements

Transaction fees and other monthly or annual charges

Paper F21 Page 27

http://www.billpoint.com/

http://www.paypal.com/

http://www.ehost.com.au/ecommerce/index.htm

http://www.pdgsoft.com/index.shtml

http://www.netconcepts.com/

http://www.cartit.com/


Security features

Liability issues

Integration features with other software products e.g. shopping carts, databases

Most online shoppers use credit cards to pay for their online purchases. But other options such as debit cards - which authorize merchants to debit your bank account electronically - are increasing in use. Other developments in recent years looked at systems to emulate money. "Electronic money" or "e-money" aim to make purchasing simpler. These sorts of products can include "stored-value" cards that let you transfer cash value to a card. Some cards can be "reloaded" with additional value at a cash machine while others are "disposable. The equivalent Internet-based payment systems called "e-wallets aim to allow "micropayments" - very small payments. Most e-wallets work by decreasing the sales amount from the online balance.

Online Forms

Online forms can then be used to capture information from visitors to the business’s website such as an order, a request or feedback that can be collated.

You might like to discuss some examples such as eFORMS or Dyno Forms http://www.dynoform.com/v3/dynoInfo.asp

Knowledge Management Systems

Lead a discussion to ensure that student’s understand what corporate knowledge is i.e. more than just corporate information.

Discuss some of the products mentioned in the Student Guide and ask for a discussion about other local products.

1.4 IFAC Guidelines/Discussion papersEnsure that these guidelines are available to the students either through the library or via downloads.

Managing Security of Information

You might want to lead a discussion about the core principles and relate it to the students’ experience.

If you were in a position to convince senior management about the need for information security, how would you go about it?

Describe the approach you would take, the risks that exist and what benefits they might receive.

Paper F21 Page 28

http://www.dynoform.com/v3/dynoInfo.asp


Managing Information Technology Planning for Business Impact

Discuss how this guidelines relates to the work the students’ have already done on IT planning.

In your own words, describe how the guideline achieves the principle alignment

The students’ answer should demonstrate an understanding of the Guideline. The Assessment phase established a baseline for the planning process. With an understanding of the scope, this phase pf the planning also confirms the ebusiness directions and drivers to ensure that the IT plan is synchronised with the Business plan.

Acquisition of Information Technology

Discuss the definitions of this guideline and how it might be adopted by a small business.

Kenthurst University is considering building versus buying its new procurement management information system. The Director of Procurement is strongly biased toward purchasing one of the many new web-based procurement software packages. He has stated that “purchasing will be faster and cheaper since we don’t have to do any design or programming”

Do you agree or disagree with the Director? Explain why.

Students should understand the need to establish and confirm requirements before making a decision to make or buy. Without doing the user requirements there is no support for this statement. It might be that there are more changes required to the package because it doesn’t suit the user’s needs. It may be that there is a better package out there. There is work to be done to prepare a RFP, issue it, evaluate responses and negotiate a contract. The package might not suit the internal IT architecture and as a results there would be enormous costs required to obtain and install new hardware so that the package might run. There is also work needed during the design phase to develop test plans.

Implementation of Information Technology Solutions

This guideline covers a lot of potential scenarios or routes. Lead a discussion to ensure that the students understand the options for implementation.

Describe in your own words at least 5 levels or types of testing that might be included in a contract negotiation associated with implementing IT solutions.

Testing can occur at many levels depending on the type of contract being negotiated and the scope of work to be covered by the contract. Student’s answers should include some of the following:

Unit testing – the first level of testing in any system designed to ensure that programs work according to the specifications.

Paper F21 Page 29


System Testing – testing that all program units operate together as a system in accordance with systems test plans.

Hardware and Component testing – designed to ensure that hardware and other equipment work in accordance with specifications.

Integration testing – ensures that the IT Solution delivered works in conjunction with other systems and equipments as required in a production environment.

Load and Stress testing – designed to test that the IT solution can perform with maximum volumes and loads.

User acceptance testing – designed to ensure that the IT solution delivered works as expected by the users.

Procedure testing – tests that the procedures that make up the IT Solution perform as expected

Pilot testing – tests that the IT Solution delivered works for a subset of real live circumstances and data.

IT Service Delivery and Support

You might like to lead a discussion to link the work done previously with IT Management and Operations Management to this guideline. Highlight that there are various approached adopted by organisations in terms of the methodologies and standards that they adopt.

Select 4 of the functions mentioned in the guideline and describe how a small organisation without an operations department might address each of them

Students can of course select any of the functions listed in the guideline. What we are looking for is that they understand the functions and can think through the objectives of each. Students should understand the options in a small organisation and might consider how a company with mainly packages might address each function For example:

Training and help desk functions might be outsourced in a small organisation to a training company and or to a consultant.

Version control might be something simple like the purchasing department keeping a register of the softer licenses and versions purchases.

There may be no way of formally addressing some of the functions e.g. Capacity Planning other then monitoring the usage of equipment and software and ensuring that money is put aside for upgrade and refreshing the equipment or that a policy exists for dealing with obsolete equipment.

IT Executive Checklist

Lead a discussion about the problems with IT Projects that have received a lot of press and how this checklist might be applied. .

Paper F21 Page 30


Other Papers and Guidelines

While the IFAC IT Committee was disbanded in 2001, there are several other publications that have been issued that deserve attention.

Managing IT Monitoring (Exposure Draft)

IT Monitoring is essential and has an impact on IT governance. This guideline emphasizes the main principles on which IT monitoring should be based as well as provides a generic approach for implementing effective monitoring. While IT monitoring activities will be unique to each organisation, the seven principles can guide development of the approach. These principles are:

Comprehensiveness – monitoring activities should be comprehensive

Relevance – Monitoring must be relevant to the mission, vision, goals and strategies of the enterprise.

Acceptability – monitoring approach must be acceptable to those being monitored

Timeliness – monitoring data must be available to detect deviations for immediate action if necessary

Verifiability – information should be verified by another means to ensure it is accurate and based on fact

Action-Oriented – monitoring results must enable expedient action to be taken.

Flexibility/Adaptability – monitoring system should be adaptable to a changing environment.

Outsourcing (Exposure Draft)

In recent years, many organisations have adopted outsourcing a strategy for either all or part of their IT systems or facilities.

Outsourcing is the act of contracting with an outside vendor to assume responsibility for one or more IT function or services.

While the original driver for outsourcing was cost reduction the trend today is to look more toward value added to the business then on straight cost reduction. This guideline provides an overview the different types of outsourcing contracts, the problems associated with outsourcing and resource issues.

Paper F21 Page 31


2. Information Technology Security, Control and Management

Control Frameworks

IntroductionThere was some information about controls and security in Module D. This module builds on the knowledge gained there and you may wish to ensure that all students have undertaken that module and see if there are any outstanding questions or issues.

You may want to find out if the students have any experiences or know of computer security issues such as

Loss of data.

Theft of data.

Computer abuse.

Computer fraud.

Privacy.

Describe major types of computer abuse that an organisation may experience.

Suggested solutions should include incidents of

Hacking.

Viruses.

Unauthorised access.

Denial of service.

Theft of assets.

Control frameworksDiscuss why controls are needed. Ensure that students do not start focusing on particular IT control procedures until they have identified the “big picture”, organisational requirements for control, which stem from the need to safeguard the business.

Risks and exposures in computer-based information systems

Organisations should start by determining the risks. Explain that Risk Analysis was discussed in module D and will also be revisited later.

You should discuss each of the events listed, that is error, fraud, vandalism/abuse, business interruption, competitive disadvantage, excessive cost, deficient revenues, statutory sanctions, social costs, etc

Paper F21 Page 32


Pay particular attention to error as this is not always seen as a risk but it is the most common. Ask for some more examples.

Describe how losses can occur through error, fraud and social costs.

Solutions to this question may be varied. Error and fraud should not pose much problem as these can be directly linked to money. Social costs can also occur if the government wastes money or an organisation wastes money. In the former it may result in higher taxes, with the latter there could be cost cutting and retrenchments.

Explain what “auditing around the computer” (that is, only auditing the input and output and ignoring what the computer does) means and why this may not be suitable in today’s environment. Today the systems are mainly real-time and on-line rather than batch systems. Traditionally systems carried out relatively simple processing on data and it was easy to match what went in with what came out. Today systems may generate transactions and there is not the same paper trail. What the computer does becomes very important to check and audit.

The Weber text has been used as the main reference and it covers controls in great detail. There are also good explanations of technologies.

IT control frameworks

You should discuss the importance of the associations mentioned and the reason why students may want to consider joining them after qualifying.

Visiting the relevant web sites is the best way to find out about the associations and the publications that they may have.

You may want to set groups of students the task of visiting a site and then giving a preparation to the rest of the group on a particular topic such as WebTrust or COBIT.

When would an organisation consider a WebTrust review?

The solution should refer to the fact that this basically provides assurance that a Website is credible and secure. It would be a useful review if an organisation wanted to have independent proof that it can conduct e-commerce or other network services.

Control objectivesThis section should explain why we have controls. It is important to stress that even controls should have objectives. The dot points list some of them, that is,

Effective, efficient and economical operations.

Reliable financial reporting.

Effective control of systems design.

Paper F21 Page 33


IT asset safeguarding.

Compliance with applicable laws and regulations.

System reliability and

Data integrity.

Most of these are discussed in the coming sections but students may be prompted to think of any other objectives of controls.

Effectiveness, efficiency, economy of operations

COBIT stresses the need for this. Not normally a direct concern of external auditors but it may be an objective of an internal audit review. Of course it is a basic principle of management custodianship and duty of care.

You may wish to discuss IT management structures and different approaches. Weber discusses this in his chapter on Top Management Controls (Chapter 3).

Explain how a planning process might operate and the need to set organisational goals.

How would you determine whether the IT strategic planning process was effective?

The solution should cover areas such as:

Obtain policies and procedures documents to identify the planning process.

Review the long-term goals and objectives of the organisation.

Check that the IT strategic plan supports the business.

Evaluate the long and short term plans to ensure that they are in accordance with the strategy.

Review minutes of meetings to understand how decisions may have been arrived at.

Consider the process to handle change and how this could impact the plans.

Examine how the plans have been turned into operation tasks and activities.

Explain how a top down approach may lead to more detailed plans or models of operation.

Since controls are normally applied to safeguard data and information, the organisation should have plans in place to develop their information models. The model can then link to the levels of control depending upon how critical the data is.

Paper F21 Page 34


Discuss the fact that organisations should have another plan to deal with emerging technologies. Some large organisations now have a specific role that examines changes in the IT industry and how these may be applied at the organisation.

How does having a clear IT strategy assist an organisation decide when (or whether) to adopt a new technology?

The solution should cover issues such as:

New technologies should not be adopted just because they are new.

There must always be a cost benefit analysed as part of a business case.

New technologies should be researched.

The technology should support the organisation’s strategic plan.

The organisation should have a policy regarding adoption of standards or new proprietary methods.

Stress that people and interpersonal skills are still important in the IT area. The quality, skill and experience of IT staff must not be overlooked as part of the overall control framework.

Network administrators will often be granted high level security privileges so they can administer the network. What security concerns does this raise and what can be done about this?

The solution should consider:

Network administrators will be in a position of trust.

They should be carefully recruited and references and security checked.

Parts of the job can be boring but require high-level security clearance. For example setting up a senior manager as a user and allocating this manger access to files, normally requires the administrator to have high security access.

Administrators will know much more about the network than managers and possibly auditors.

If administrators are to be restricted in their actions then someone will need to know the intricacies of the system to be able to shut them out.

There may be a need for levels of administration with appropriate restricted access rights.

All audit logs should be independently reviewed to monitor administrator accesses as necessary.

Paper F21 Page 35


Discuss the use of budgets as a control mechanism. Explain that once projects are started management will often continue to pour money into them. Find some local examples of failed IT projects that wasted funds.

Briefly discuss the need for adequate Project Management procedures as a control mechanism.

Reliability of financial reporting

Explain that external auditors are normally concerned with the reported financial figures. Obviously mangers will expect that any data that is produced from the IT system will be reliable even if it is not specifically a financial report.

Take the students through the examples and ask for other examples that they can think of.

Give other examples of different interpretation of data.

Examples include:

Timing of transaction, i.e. goods shipped on the 30th of a month but not processed until the 1st of the next month.

Different definitions of sales value, i.e. does it include transport costs or not?

Goods or services provided over a long period of time may be treated as a one off sale in one report but apportioned over time in another.

Are orders really sales?

If goods are returned should they reduce the sales amount?

Effectiveness of design

Briefly discuss the systems development design cycle and when auditors may be involved. Explain the need for auditors not to be an active, regular part of the control process.

As an auditor you may be called upon to review aspects of the design of the new system. Describe briefly how data flow diagrams and entity-relationship modelling are used to represent a system.

The solution should cover the fact that a DFD is a representation of the flow of data. ERM shows relationships between entities that are more attuned to the real world way a system operates.

Discuss how specialist auditors may need to be trained to read these and other types of diagrams in order to verify designs.

IT asset safeguarding

Everyone should be aware that computers are now much more portable than their mainframe ancestors. Discuss the ways that PCs in particular may be secured.

Paper F21 Page 36


Also students should be aware that technology is rapidly changing and equipment can quickly become obsolete. You can show them how important it is to have strategic plans that deal with this issue.

You may see how many of the students have a computer at home and what consumables they use. This could lead to a discussion of how to prevent pilferage of small items.

Stress that the “outer layer” of control here will be the physical security around the office area.

Prepare a set of procedures that could be handed to staff who are to be issued with notebooks that could help minimise theft or loss.

In the solution we would expect to see issues such as:

Make use of any built in password/security to use the computer.

Do not check in but carry on board when flying.

Do not hand to porters but carry always.

Lock away at night in a desk or storage area.

Do not leave in cars.

Do not place on back seat of a car.

You should discuss the use of an asset register as a control procedure.

Compliance with applicable laws and regulations

You should refer to any recent rulings or cases that have been in the press.

Distinguish between acts of employees and third parties.

Discuss any special frameworks that students may be familiar with. Are there differences between working for a government agency as regards a private company?

Identify other examples of actions that employees could take that would be illegal or fraudulent. You need to balance the user’s requirements to do their job and misuse of information.

What controls may be incorporated to ensure that users do not misuse data?

In the solution students should consider:

Logical and physical controls that may be used to identify the user.

Grouping of users to manage access.

Paper F21 Page 37


Identification of confidential data and categorisation of information.

Effective use of permissions to control access.

Log files and audit review to ensure appropriate access.

You may wish to refer to the Copyright laws and the need for organisations to carefully control their software as well as their data.

System reliability

Unreliable systems are a waste of time. This is a major control issue and one that is of great interest to external auditors. Obviously managers also want reliable systems.

In this section we focus on the availability of the system. In many organisations IT is mission critical.

Discuss the devices that may be utilised to ensure systems are operational. Stress that UPS only provide temporary power and some organisations may require standby generators.

Backup to removable media is essential if the system ever has to be rebuilt.

Controls do not work in isolation and even simple batch controls may pick up processing problems as shown in the example given.

How could you design controls to at least warn of the processing error that was described in the example?

The specific controls would depend upon the scheduling software that was used but in principle the solution should cover:

Batch controls could be used to calculate the new, expected totals and if these did not balance a warning issued.

If batch controls are not used other control totals or numbers of records could provide a similar warning.

As the process progresses files may be created and subsequent operations could check for the existence of a file.

File dates and times could be checked.

Error logs may be manually reviewed before users start operations.

Data integrity

Use the diagram to discuss in detail all the controls that are shown. Students should remember what they learnt from module D but this would be a good way of revising the controls.

Paper F21 Page 38


Summarise why we need controls. Compare with the COBIT guidelines.

Layer of control Earlier we discussed that physical access to the equipment was an outer layer of control. We now take the concept of controls as layers further.

Societal

Discuss the students’ view of how society accepts (or doesn’t) crime or criminal acts. Ideally discuss any recent cases that may have appeared in the press.

Give examples of socially accepted behaviour that may actually be illegal

The solution will vary but in most countries the general public accepts the following:

Speeding a little over the limit.

Recording television programs for later viewing or sharing with friends.

Copying software for use on more than one computer.

Recording music from a friend’s CD.

Taking office supplies.

You may want to discuss the following statement:

10% of the population will never cheat or steal, 10% will always cheat and steal, and 80% of the population may cheat and steal if they think that they will get away with it.

Organisational environment

Now you need to consider the impact of the organisations that students work in. Discuss both the culture that an organisation may try to promote and the way the managers behave and the example they set.

Assume that an organisation’s security policies state that passwords should not be revealed to others. You discover that a senior manager has told an administrative assistant what their user id and password is so that the assistant can log on as the manager and check the manager’s e-mail. Describe how you would handle this situation.


Risks faced but we could assume a senior manager has access to confidential data.

Whether the AA would normally be able to see the same information as the manager and do they have similar access.

Assuming the AA now has greater access than they should, this is a weakness.

Also manager is not setting a good example to others.

Paper F21 Page 39


Manager should be trained so they can get mail or if it is acceptable for AA to get mail, the AA should be given the appropriate access to get the manager’s mail.

Technology infrastructure

Discuss how controls can force someone to adhere to them but procedures can only suggest how they should behave. Use an example such as a road speed sign, which cannot make people slow down, but speed humps can.

Discuss physical access to the office and the computer and options available.

Discuss how networks are making it easier to bypass physical controls and what may be done about this. Ideally use any recent cases.

Software

Users should only be allowed to run appropriate software and this is normally controlled by logical controls.

Discuss what should happen in periods of holiday or sickness.

Business process

Compare the traditional way of operating with several people in the chain with today’s method.

One of the advantages of IT is to improve productivity by removing the separate operations and staff that were involved in data processing. This means that the control process afforded by segregation of duties also disappears. What can be put in its place?

The solution should discuss:

Should balance the need for productivity and security.

Logging of user actions can be an effective control.

Computer controls must be tighter such as over-ride controls.

Management review becomes more important.

Control over assets and recording of assets should be separated.

Responsibility for control

Role and responsibilities of key parties

Auditors are NOT the only people responsible for controls.

Discuss the fact that it starts at the top and works its way down. Stress the difference between responsibility and operational procedures.

Explain what the responsibilities are at the different levels.

Paper F21 Page 40


You are introducing a new financial system to users and will be running training sessions. One of the sections is on security; list the topics you would expect to see in this section.


How users will log on to the system.

Levels of authority.

What users can access and what will be restricted.

Any over-ride facilities.

Typical security messages that may occur.

Security indicators that users should look out for.

Control environment This section provides some more detail about the control framework/environment.

External regulatory controls

Identify what regulations the students think could impact controls. Some examples are given in the text.

Discuss the issues with the “global” corporation.

Board/audit committee governance

Discuss any current standards that may be in the pipeline or recently adopted that may relate to compliance and controls.

You can visit the web sites of the accounting bodies and consider the impact in Pakistan.

Management philosophy and operating style

You should discuss briefly leadership ideals and the impact on staff. Identify any ethical issues with students.

Describe how managers could use IT to act unethically or without integrity.

In the solution we would expect to see:

Using logs to check on how much staff have been working.

Obtaining data about friends and relatives that they should not have access to.

Finding personal information about colleagues.

Deleting incriminating evidence such as e-mails.

Falsifying figures by editing data directly.

Paper F21 Page 41


Plans/structure of organisation

You may wish to use COBIT guidelines in this section since they stress the need for adequate management and planning in the IT area.

Method to communicate the assignment of authority and responsibility

Discuss examples of good and bad communication within organisations that the student may be familiar with.

What would be an effective way to communicate?

1. a new e-mail policy

2. stricter control over password and user identifier sharing

In solution the student should:

Distinguish when face-to-face communication is preferred to written communication.

All policies should be written down but they need to be communicated effectively rather than just added to the procedures manual.

Policies may be sent out by e-mail or in meetings.

Some polices may require a signed response. For example an employee may be required to sign a document stating that they understand the policy and its impact on them.

Management control methods

We keep stressing the controls start at the top and this section continues the theme.

Appropriate high level plans need to be set for the organisation. You may wish to discuss how well this is done and how they should then flow down to more detailed plans.

An organisation is impacted by budget cuts and they decide not to install a fault tolerant system to save money. What should they have considered before making such a decision?

In this solution we should see:

Reference to the risk analysis (which is covered in more detail in the next section).

Why are there budget costs? Have the long-term plans been changed?

Was a FT system part of the IT plan originally? Were there strategic reasons for FT as part of improved services internally or to customers?

Management may decide to run the risk but should only do so once they have considered all issues.

Paper F21 Page 42


Human resource policies and practices

Students may not normally consider these to be part of control procedures. Discuss how HR procedures could impact controls before reviewing the material.

Why is a disgruntled employee a risk?

In the solution the student should consider:

Why the employee is disgruntled in the first place. If they feel cheated then they may cheat the organisation.

The employee may work to rule or even sabotage the system.

The employee may be planning to leave and may copy confidential files.

The employee may try to break into restricted areas.

The employee may no longer concentrate and so have a higher error rate.

In extreme cases, disgruntled employees have caused bodily harm to others.

Financial policies and practices

Discuss how budgeting may be used to control expenditure.

Examine the issues with IT projects and how these can be a drain on financial and human resources. Try to find cases of large project overruns.

Discuss why IT charge back is not as common as it used to be.

If a project has now exceeded its budget how should management decide whether to abandon it or continue funding it?


Is there still a good business case for the project? That is, does it show a cost benefit?

Why are there overruns? Have more requirements been added or was it poor estimating in the first place?

What are the estimates for the remainder of the project? How reliable are they?

What will be lost if project is abandoned now?

Where will the extra funds come from?

Risk assessmentControls combat risk so stress that one of the first activities to be performed is a risk analysis.

You should discuss the basic approach to a risk analysis and if possible may want to demonstrate or show specific risk methodologies.

Paper F21 Page 43


Risk categories

Some risk analysis material was discussed in Module D but we will go into greater depth here.

Get students to consider what can happen if IT systems fail and consider the various events described in the Student Guide. Identify any others that students can think about.

Can you think of any IT systems that would not be critical for an organisation?


Is it a trick question? If a system is not critical then should the organisation have wasted money on it! Systems must support the business goals and be needed.

All systems today are normally critical to the organisation.

Why do you think that we have so many virus and hacker problems today compared with the days of mainframes and mini computers?


The sheer number of PCs means that a virus can spread rapidly.

In the early days each system was proprietary and so a virus could not spread to incompatible systems. Now most people use a common operating system or standard protocols.

Many people have e-mail access and are not security conscious and so can inadvertently spread viruses.

There are detailed documentation and Internet sites that explain how things work and how to break into them.

Probability of loss

If you have access to a methodology they may use different ways to consider the possibility of loss. In the text we consider a simple approach.

Consequences

Explain that the controls may also be assessed on a cost benefit analysis. That is, what will we lose versus what it will cost us to prevent.

Consider the example in the text and explain that it can be difficult to identify cause and effect.

How can you place monetary and none monetary measures on a virus attack?

Students should consider:

Monetary (assuming time is money) None-monetary

Paper F21 Page 44


IT staff time to recover data and files Reputation of organisation if attack is made public.

Wasted user staff time while waiting for recovery

Staff moral if they suffer down time

Time taken to reconstruct any lost data Restricted activities may impact moral if, say, bans are now placed on using e-mail

Cost of new virus checking software

Time taken to virus check all data in the future.

Control activitiesThis is one of the biggest sections to cover. A lot of detail of controls and associated technologies will be found in the textbook.

You may find that students without a good IT background may not be aware of the technology issues that require a control. You may therefore need to discuss appropriate technology issues.

Control design

Explain that many controls can be implemented as polices and procedures. In some cases the control relies on an individual carrying out a process and this may be difficult to confirm.

It can be useful to summarise the top down approach to controls and responsibilities.

Even if the policy states that staff should behave ethically, how could you confirm that they are?


What does “behave ethically” mean?

Once specific instances have been identified then controls become easier to identify.

Log files may record what and when data was accessed and these may be checked to see that there were valid reasons for access.

User behaviour may be observed by managers and peers.

Other controls such as over-ride controls may identify users that over or under charge customers.

Each textbook may define and group controls differently. Discuss some of the options.

Categorise the following controls as preventative or detective:

Paper F21 Page 45


1. encryption

2. setting file permissions

3. help facilities

4. batch control

5. audit trails

6. check digits

7. log files

8. printing internal tables

Solution:

Encryption P

Setting file permissions P

Help facilities P

Batch control D

Audit trails D

Check digits D

Log files D

Printing internal tables D

There may be discussion as to whether some of these controls such as Batch Controls are Preventative or Detective. Strictly speaking a Preventative control stops an error getting into the computer. The objective of the exercise is to get students thinking about various controls not precisely categorising them.

Control procedures

Discuss the fact that control principles stay the same; it is just the technology that changes.

You can point out that with automatic approval systems, anyone who logs on as a manager can approve funds as if they were that manager. This is why safeguarding user ids and passwords are so important.

Discuss the different levels of access that various operating systems may allow and how a user authorisation matrix may be used to help plan access.

Users often complain about having to think about passwords and so will use easy to guess words. Describe ways of selecting an easy to remember but hard to guess password.

The solution could suggest:

A short statement about what the user likes, e.g. I like golf.

Paper F21 Page 46


This could be refined with special characters and upper and lower case, e.g. I/like/Golf.

Initials of a favourite film e.g. Gone with the Wind = GWTW.

A favourite saying, e.g. 2bornot2b.

It is essential that the user never discloses the method they have chosen.

You may want to discuss the new problems that organisations will now face with on-line transactions. These can be easily lost.

List the advantages of using batch controls over data entry.

The solution should cover:

Provides control totals for verification at end of batch run.

Controls completeness of entry.

Provides independent figures for balancing file.

Keeps like transactions together, which improve input process.

Errors can be restricted to a relatively small batch of transactions.

You should discuss the fact that real-time systems can still generate exceptions and errors and that there should be an adequate way of capturing these and following them through.

The example discussed in the text about over or undercharging is another demonstration of how individuals or organisations can deal un-ethically.

Control over data integrity, privacy and security

So far the controls have been related to getting data into the system. Once in, it becomes useful information that also needs to be protected.

You may wish to discuss any developments in privacy legislation and the importance of looking at legislation in other countries.

Students may want to consider what sort of information about themselves that they would not want to be made freely available. Ask if any have had un-solicited e-mails or other correspondence and questioned how organisations got their address.

Paper F21 Page 47


A manager may review the log of data access to check why employees have accessed data. This manager’s access will also be logged in this report so how can you control what the manager may have been up to?

Solution should cover:

This has been a problem with manual systems as well as IT systems.

One solution is for a higher manager to review but this is often impractical since these managers are normally too busy.

Managers are often controlled by budgets and overall performance. So long as they meet their target the organisation is happy with their performance and may even turn a blind eye to minor errors and security lapses.

The only time that this information is ever reviewed may be during an audit.

Exception reporting may be used but again this needs to be reviewed by a senior manager.

Discuss the need for data classification that can help develop the appropriate control techniques.

What classification scheme could be used in the Institute of Chartered Accountants?

The solution could suggest:

Public

Members only

Staff and Members

Staff only

Executive staff only

You should discuss the basic control principles and ask students what could happen if controls are too restrictive.

You should get examples of the physical controls that students may have experienced at various sites.

Describe security procedures that could apply to contractors working at a secure site.


Are contractors to be treated as employees or guests?

They need access rights such as badges and key cards.

Do they need to travel around to do their work?

Paper F21 Page 48


Security clearance may need to be checked.

Will they be allowed out-of-hours access?

Will they use their own PCs and what is the restriction on copying and removing data.

Do they need user accounts on the system?

Are they also working at competitive companies?

Is there a contract that they need to sign?

Who is to be held responsible for them?

Discuss why most organisations only use the User Id and password access method and have not embraced physical devices such as cards to restrict access to PCs.

Explain that even though operating system permissions can control access to files it is possible for database system to have other access controls.

Describe the database controls that you may want to use to control a payroll clerk’s access to employee information.

The solution should suggest:

The clerk may be restricted in the employees that they can view, i.e. not senior managers.

The clerk may not be able to see all information about employees but only that which they need to know.

There may be restrictions on peers that the clerk can access.

There may be restrictions on the data that can be printed out as opposed to being available on a screen.

Network security is a topic in its own right and some of the ways hackers break into systems is very sophisticated. There is a lot of information on the Internet that you can direct students to including:

http://security.ittoolbox.com/default2.asp

http://www.articsoft.com/whitepapers.htm

http://www.cisecurity.org/

http://www.isalliance.org/

http://www.loc.gov/global/internet/security.html

http://www.sans.org/top20.htm

Paper F21 Page 49


Increasingly networks are using open systems or popular protocols rather than proprietary systems. Why can this be a security weakness?


Open systems have to be very well documented and this may reveal security flaws.

Since so many organisations use the open system there is a great deal of knowledge about the system and statistically there will be more knowledgeable people with criminal intent.

The fact that so many organisations use the system makes it a worthwhile target.

While these are all weaknesses, one strength is the fact that should a weakness be discovered it is usually fixed very quickly.

Discuss the fact that we are now seeing increasing numbers of attacks against popular operating systems.

Visit the Microsoft site and identify any updates for the current operating system.

There is no solution for this question other than to see what are the current security issues at the time of presenting the course. But for example, at the time of writing there was a security fix for IE version 6 posted at:

http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp

See more security issues at

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp

Discuss the issues with application software. You could lead the students through the main security issues with typical financial systems and even get software for a demonstration.

An increasingly important control is the monitoring of activity. Discuss why this is required and how it should be implemented.

What are the issues with an organisation monitoring employee’s e-mail?

The main issues are:

Amount of privacy that an employee expects.

Have employees been told that the mail will be monitored?

Paper F21 Page 50

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp

http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp


Who will be doing it and what type of information is being sought?

How will the organisation verify that mail comes from an employee and not from someone posing as the employee?

What are the rules for e-mail and penalties?

What about mail that uses third party organisations such as hotmail?

Discuss the ethics of other forms of monitoring employees. How would students react if they were being monitored constantly?

Availability / continuity of processing, disaster recovery planning and control

Discuss the need for recovery in the event of a major disaster. Again this is a major topic and there are many textbooks and web sites for reference such as

Disaster Recovery Journal's Homepage at http://www.drj.com/

Disaster Recovery Planning at http://www.curtin.edu.au/curtin/audit/disaster/disaster.html

Resources for Security Risk Analysis, Security Policies, BS7799 (or ISO 17799) and Security Audit at http://www.securityauditor.net/

Ask students what might have happened when books were kept manually. Stress that manual systems would often have no backups and if there were a fire an organisation would have most likely lost all their records.

List other systems that would have no manual backup procedures.

Students may be able to come up with several examples such as airline seat allocation. If the computer goes down at check in then there is no way to allocate seats to passengers.

Discuss the need for hot or cold sites. You can even talk about “warm” sites.

Describe why a reciprocal arrangement may not be an effective recovery option.

The solutions should consider:

Most organisations only have limited spare capacity.

Usually when running to full capacity most computer systems slow down or start crashing.

Hardware and software may have been upgraded at one of the sites, not the other, and now they are incompatible.

There may be other conflicts between software that will not work together.

The owner of the system will always take priority.

Paper F21 Page 51


There may be confidentiality issues, especially if both companies are in the same industry.

Students should consider what would make up adequate DRP documentation. Discuss how an escalation process may operate.

The plans should be far reaching as the next question demonstrates.

What should an organisation consider when developing a continuity plan to recover from a major flood?


Floods can impact many square miles. Any offsite storage or hot/cold site will need to be many miles away from the primary site.

How will staff get to these distant sites and how long will it take?

The homes of staff may be affected and they will most likely not come to work but will be protecting their own buildings.

If customers are local then the flood will also impact them. They may not have such a good DRP and so will not be able to pay you even if you send them statements.

Ask students to consider effective ways of testing the DRP.

Discuss what can and can’t be covered by insurance.

IS processing /operations

IT is essential in most organisations. We have discussed the higher level planning of IT and now want to look in more detail at how the department should operate.

One of the COBIT control objectives is that the IT department runs effectively. This is not a primary area of review for external auditors but it may be for internal auditors.

Ask students to define “effectively” and then tie this in with the need for a SLA. Discuss the importance and content of SLAs.

Describe the benefits of an SLA.

The solution should cover:

Level of service is defined.

Responsibilities are defined.

Measurable performance should be identified and monitored.

Paper F21 Page 52


Forms basis for future cost benefit analysis if users want additional service.

Sets expectations.

Can link costs of service to service provided.

Discuss the hardware and software that may be supported by IT and what may need to be excluded.

Explain the link between IT operations and business processes.

How could you justify moving to the latest version of an operating system if the current one suits users fine?


Maybe you cannot!

What is the business strategy and the IT plans. Do they call for latest versions?

What are the benefits and has a business case been prepared?

What are the implications of staying with older versions especially with support?

Will future releases of applications require the latest version?

Reiterate that without the SLA it is difficult to determine if the IT department is effective. Also subsequent development and additions can be shown to improve the levels of service that the user requires.

Ask students to consider the types of organisation that will need to stay up to date and where IT is a major enabler of their business.

How does the move to e-commerce impact the IT department?


New skills required by IT staff.

New networks required.

Increase in volumes that need to be catered for.

Additional risk analysis to be undertaken to see how system will impact business.

Possible 24 by 7 operations that may impact staffing.

Partnerships may be needed with third parties such as ISP.

You may want to discuss the move to outsourcing and its benefits and disadvantages.

Paper F21 Page 53


Ask students who should own data. Distinguish between the job of custodian and owner. In many cases there is no clear owner, discuss the issues that this raises.

Just as batch controls are considered old fashion, so are the controls over input/output distribution. Stress that electronic data may be well protected but a report left on a desk is vulnerable.

Describe the process that could be followed when printing confidential documents in a general office.

Processes could include:

Have a separate, secure printer for confidential documents.

Put managers into appropriate groups so they can print to this printer.

Collect from the printer as soon as printed.

Stand by printer while printing to ensure no one else can see report.

Consider the possibility of printer administrators being able to manipulate the print queue.

Link IT operations back to the risk analysis and discuss how IT staff will be required to implement the DRP. On a day-to-day basis they will need to carry out backup and restore processes.

List three important pieces of information that IT staff should know about the recovery procedures after a major disaster.


Order of priority to recover applications.

Location of backup sites.

How to get backup data from remote site.

Where the Recovery Plan is.

Where to source hardware and software.

Who is required for recovery and their role?

Staff should have been trained and tested the recovery procedures.

Monitoring of control complianceControls must be seen to be effective and complied with.

Paper F21 Page 54


Roles of management, users, auditors

Ask students to consider the different roles and responsibilities. This ties back with earlier work.

You should refer students to the IT governance web sites.

If one of the objectives of the IT department is to provide improved customer services how could this be measured?


Ultimate objective is to sell more, so sales volume could be ultimate test.

Customers that repeat business could be tracked.

Customers could be surveyed to see if they believe service has improved.

Complaints could be monitored.

A reduction in returns could indicate satisfied customers.

A reduction in “churn” in some industries can indicate satisfied customers. Churn is used to describe customers that leave, say, a mobile phone carrier.

Organisations are now trying to use a balanced scorecard to indicate performance. Discuss how this can be applied to IT.

Describe how a balanced score card could be used to measure the performance of the IT department.

IT performance that could be represented includes:

Calls to help desk.

Outstanding faults.

Time to clear problems.

Types of problems.

Down time.

Up time.

Network traffic.

Numbers of users.

Storage used.

Amount of data input, processed, stored and output.

When discussing external monitoring in may be useful to refer back to WebTrust and SysTrust.

Paper F21 Page 55


Discuss what needs to be done if non-compliant. Basically will depend upon what the problem is.

Computer-assisted audit techniques

Ask students what applications and hardware they use regularly. How technically competent have some of them become? Can they write programs?

Discuss the need for IT audit specialists and also the need for all accountants to be computer literate. Are there any accountants that do not need a computer?

Discuss some of the systems development processes and what they will need to know.

Computers normally run a complied version of software. When checking source code how can the auditor be sure that they are looking at the right version of the software?


Dates of files and compilation.

Recompiling and running a program to compare the two compiled files.

Program version control procedures.

Processing controls to ensure correct version is used in production environment.

Testing is an essential control and the way testing is undertaken should be discussed with students. Stress the need for the levels of testing and the way different people, including users will be involved.

When would an organisation choose a parallel implementation instead of a direct change over?


Can systems be run in parallel?

Which one will be considered real?

Will there be enough time to do both and will staff be available?

What is the objective of the parallel run?

What will determine correct operation?

Is this to compensate for poor testing?

Will staff be trained as they go?

Paper F21 Page 56


Discuss the use of reporting tools and ask students if they have already used such tools. Generic tools may be more useful and could be used at different clients.

Lead into a discussion of other computer tools that students can use in an audit environment.

Look at the “Auditing” tools supplied in Microsoft Excel and summarise what they would do for you.

The student should identify:

You can trace dependent cells in the spreadsheet.

You can trace precedents and dependents.

You can track formulas with errors.

The auditing toolbar also allows you to trace cells with data that does not meet a data validation that is created with the data menu.

Should these tools be called auditing tools?

Computers should be effective tools in the hands of accountants.

Paper F21 Page 57


3. Case Studies

3.1 Join In IncYou are a consultant who has been appointed to assist the financial controller to implement a new personal Computer (PC) based financial accounting system selected by the Mr Khan, Managing Director of Joinin Inc (Joinin) and also owner of the company. You have also been asked to help the company develop a strategic plan.

Joinin was established 2 years ago as a computer distributor, specialising in the sale of notebook and laptop computers and a full range of accessories e.g. carrying cases, docking stations. At the time the company was set up, Mr. Khan believed there would be enormous growth in this area and the growth of his company has confirmed this. Joinin now consists of 5 retail branch offices in large regional towns and a warehouse and head office function in Karachi. During the last year, Mr. Kahn has begun to sell through dealers in smaller towns.

Mr. Khan has encouraged the branch stores to operate autonomously. Individual stores have local computer systems to handle customer orders, customer tracking, marketing etc. Sales are normally for cash or credit card, although there has been an increase in orders for specialty notebook computers that are then billed to corporate customers. Dealers place their orders with head office.

Head office keeps track of the dealer orders and fulfilment processes.

Summary financial data in provided below:

YEAR ENDED SALESRs

GROSS MARGINRs

STOKC HOLIDNGRs

31/12/1999 225,000 51,750 49,000

31/12/2000 4,650,000 930,000 850,000

31/12/2001 16,440,000 2,350,000 3,750,000

In your initial meeting with Mr. Khan and the Financial Controller, Mr. Addit, the provided an overview of the company. Here is an extract from the meeting notes:

As you can see from our figures, the past 3 years have been extremely successful for Joinin. In a highly competitive industry, we have been able to capture a high proportion of the market, largely due to our ability to deliver specialist notebooks to our customers without lengthy delays. With the current high demand, manufacturers have been unable to supply sufficient stocks to meet industry demands. However we have overcome this by ordering products from our suppliers based on expected demands of our customers and by close liaison with our suppliers to monitor delivery times.

The business has now grown to the extent that we need more computerised controls than those provided by our existing PC based cashbook system. With increasing sales volumes, we have a larger volume of outstanding customer accounts and higher stock

Paper F21 Page 58


levels. Also the risk of obsolescence in our industry means that we cannot afford to let our stock holdings get out of hand.

Another issue is that our competition is increasing. Other sellers of PCs are beginning to move into the notebook market and together with the improved production capabilities of manufacturers this is pressuring us to reduce our prices. We need to look at promoting IT more as a strategic weapon rather than an administrative tool.

As you know, we have purchased the Cashit Accounting software package at a cost of Rs 10,000. It is a multi-user system that comprises the following modules:

General Ledger

Account Receivable

Accounts Payable

Inventory Control

Cashbook

i) Identify 3 key critical success factors (CSFs) for the business and explain why each of these is critical.

ii) What sort of information is required to monitor the performance of Joinin against the CSFs.

iii) List 3 ways in which IT can play a more strategic role for Joinin and provide real or hypothetical examples from various industries. Identify how each way listed might relate to this company

iv) Describe how IT plans should be developed in relation to this organisation’s business plan.

v) Given the current situation in the organisations there is a need to centralise customer information for use in national marketing. Which areas would you want to investigate further to determine their impact on the IT strategic plan?

vi) You are invited to speak for approximately an hour at a meeting of the branch managers and major dealers to explain the IT Strategic Plan. Develop an agenda for the meeting and explain how you would run the meeting. Consider what issues you think the managers might raise and describe how you would handle these in the session.

Suggested Solution

i) CSFs should be directly related to the material in the question and could include:

Purchasing policy. The ability of the company to purchase notebook computes so that they can deliver them to customers more quickly than their competitors

Debtor Control. Cash flow is important especially given the high stock value. Mechanisms need to be in place to collect revenue as soon as possible.

Stock Control. In an industry with a sustained downward pricing pressure, it is critical that slow moving stock is quickly identified and converted to cash.

Paper F21 Page 59


Pricing control, the pricing pressure from competitors will results in decreased margins (evidenced by decreasing Gross Profit margin in the figures supplied). Margins on stock items need to closely monitored.

ii) The sort of information that should in place to monitor these would be:

Purchase order information including costs, outstanding orders, expected delivery dates and forecast sales.

Debtors information including g cash receipts, orders taken and projected sales.

Stock information including % turnover of items, stock items not sold for a certain period and holding times.

Detailed sales information would be required including sales by region, salesman and period, discounts given and difference between buy-in and selling price.

iii) There are man y ways in which IT could play a more strategic role for Joinin. These include:

As a competitive tool

Provide field staff with effective methods of gathering information e.g. using mobile technologies such as laptops and hand-held computers. Dealers with hand-held computers could provide almost instant access to obsolete or slow stock to negotiate deals with priority customers and move the stock.

Provide effective methods for tracking stock items and performing stock takes more easily e.g. introduce bar-coding and scanning technologies. Picking stock in the warehouse could be more timely with bar-codes and scanning technologies. More frequent stock control could move some of the potentially obsolete stock.

Provide a collaborative computing environment to help staff across all department share information e.g. e-mail, and other groupware. By allowing staff in the retail branches and warehouse and head office to communicate and have access to important stock and customer information for better services.

Investigate integrated systems that will provide more information for targeting customer types and special customers e.g. CRM systems. Brining all system together will overcome some inefficacies in each branch looking after its own systems and it will provide head office with better management information for decision-making.

To re-engineer business processes

Rationalise systems and allow staff to share facilities e.g. use the same order and customer management information systems and processes. AC RM or ERP system would necessitate a review of business processes and rationalisation of duplicated processes at remote branches and head office

Provide tools to re-engineer processes and determine effects e.g. CASE tools. By providing a selection of the tools available to management, Joinin will facilitate better analysis and design of information systems.

Paper F21 Page 60


Provide the ability to capture cost information about current processes to determine where there are inefficiencies e.g. investigate activity-based costing

Provide the facilities to automate current manual processes e.g. robotics for picking orders in warehouse

For inter-organisational linking

Provide direct access to supplier systems for ordering and tracking delivery of orders e.g. EDI systems. Many suppliers now use networks and communications software to enable direct access to suppliers systems. This would enable Joinin buyers access to better information and faster order fulfilment.

Provide timely information to partners e.g. extranet and collaborative tools.

c) The student should be able to relate the development of an IT Strategic Plan to Joinin in terms of the major players and issues to be covered. The key to being able to work with the business on the Strategic Planning is that the company has identified using “IT more as a strategic weapon than an administrative tool”.

The company will need to develop its business strategy first in consultation with IT. Once the business knows its goals and objectives, then it can begin to develop and look at the strategic use of IT.

IT Strategic planning should identify opportunities that can then be tested against the Business plan and revised until they are aligned.

Armed with the IT Strategic Plan, the IT Manager will then be able to address the IT planning issues, develop priorities for IT acquisitions and systems, and address the operation’s strategy.

3.2 Reedit PublicationsReedit is a publisher of children’s and educational textbooks. It is planning to upgrade its use of technology including greater automation of its head office and production facilities. Currently it operates production facilities at 3 of the regional centres focussing on children’s books while the remaining centres focus on educational textbooks.

In the past, the company’s technology has been developed in a somewhat ad-hoc manner. Fast growth has meant that systems have been developed in reaction to problems rather than in any planned manner.

The following briefly summarize the company’s information architecture:

Technology. The company runs 2 mid-range computers that have significant capacity and performance issues at present. The processing load on the hardware is very high and this is causing bottlenecks with memory and disk activity.

Network. Local Area Networks (LANS) are in place at the head office, each of the 5 regional distribution centres and in several other locations. Most of the factories have terminal connections with a few stand-alone desktop PCs. A WAN is in place connecting each of the major regional centres.

Paper F21 Page 61


Applications. Reedit purchased a software package for accounting some years ago. The software also provides some functions for sales, manufacturing and distribution areas. The applications have been heavily modified with a few specialized systems development for forecasting and analysis. Several projects are underway at present to improve the existing systems.

Data. A well-known database is being used as recommended by the software vendor.

IT Organization structure. Two teams are in place with separate IT managers. One team is in the production facilities and includes 10 staff to support the production plant as well as the regional distribution centres. The other team is in the Head office. This team, comprising 5 people, supports the WAN and desktop as well as the centralized systems.

The Executive management of Reedit recently announced it is going to change the business approach from a regional basis to offer products at a national level (i.e. all product lines available nationally) plus extend its range into educational games.

The company has been working on its business strategy and the overall approach includes setting its Corporate Mission Statement/Vision and then establishing the broad objectives and strategies by product line. Business Managers will determine specific plans to achieve the corporate mission. The IT managers have been asked to participate in the process.

You are a consultant assigned to help Reedit Publications (Reedit) prepare its Information Technology Strategic Plan.

i) Explain how the proposed restructuring could affect the current information architecture.

ii) The table below outlines some of the tasks in the overall Business Strategic Planning Framework. Using the table, identify and explain the IT Strategic Planning tasks that need to be considered within this framework. (NOTE that not every row of the table needs to be used.

iii) Identify the use of an IT Strategic Plan for Reedit. What information from the IT Strategy document could also be included as separate sections within the Business Strategy document? What sections from the IT Strategic Plan would you recommend are excluded from the Business Strategic Plan and form part of a separate IT document?

Stage Purpose Process Deliverables

Vision Set Business mission statement and vision

Strategy Set broad business objectives and strategies

Paper F21 Page 62


Implementation Set specific business strategies.

Suggested Solution.

i) The proposed restructuring could affect current IT architecture in many ways including:

Technology. Capacity and performance are already an issue. Adding to processing and expanding products lines will impact this and place heavy demands on the systems. The IT implications are to look for adding memory, and disk storage capacity or to evaluate an overall upgrade to the system. More strategically there might be better production control systems that will necessitate a move to client/server architecture.

Network. Local Area Networks must be standardised and able to connect all centres. Greater automation linking all centres might necessitate a review of the entire network. More strategically, an investigation into the Internet, intranets and other network solutions might prove fruitful and require more focus on security issues such as encryption and firewalls.

Applications. IT is unknown how the systems are currently structured but to move to a national product line will require a review of the systems. Can they handle the new expanded product line? Can they handle the new accounting controls and systems? Will they still be appropriate for a new architecture and will they be able to support the centres over a network?

Data. Although no details are given, this area must be reviewed as part of the overall architecture. How does the database relate to the other systems? What sorts of users require access? Should it be integrated across the organization and with all systems? Strategically it might be appropriate to look at an ERP system to integrate all system and provide improved information for management decision-making.

IT Organization structure. This is the area that will have the most impact. With 2 IT managers and various locations, the issue of staff skills and performance will be key. Identifying the location of the IT department and the roles of the 2 current managers will need to be handled carefully. Understanding the resources needed and the skills needed for the new architecture will be crucial.

ii) Typically IT strategic planning is done as a separate exercise however this is changing and the biggest issue today is how to align the business Strategic Plan with The IT Strategic Plan. Student’s answers will vary for this questions and there is no one correct solution.

What we are looking for is an understanding that the strategic business plan underpins and drives the IT strategy. IT is not a technical document and should be high level.


Stage Purpose Process Deliverables

Vision Set Business mission

Paper F21 Page 63


statement and vision

IT Purpose and Vision

To gain a shared understanding of the IT Direction within the business.

Describe the desired state of IT within the business – including the IT Dept and the rest of the organisation

Brief IT direction.

Strategy Set broad business objectives and strategies

Understand the current IT environment

Complete and inventory and assessment of all systems and infrastructure

Systems overview

Systems assessment

Identify technology trends that could impact the business

Review literature, attend trade shows, and contract consultant’s report about technologies that impact the broad business strategies.

List of key factors and key technologies

Establish IT objectives and Strategies

Identify key business areas that need to be supported and critical success factors

Summary of IT objectives

Implementation Set specific business strategies.

Specify IT strategies and evaluate key business areas

Determine priorities for business areas in terms of projects

Project summaries linked to specific business strategies

Indicative costs/benefits

Develop a high-level IT Architecture

Document standards, direction for each component of the Information Architecture

Application Architecture

Data Architecture

Technology Architecture

Network

Paper F21 Page 64


Architecture

IS Organization structure

iii) The IT Strategic Plan for Reedit should provide a framework that supports future IT decisions about projects, budgets, and resources. The document also provides a communication tool to IT staff and the rest of the organization about the direction, priorities and resources issues for IT.

Sections of the IT Strategic Plan that should be included in the Business Strategic Plan are:

Current IT assessment including overall assessment, status and issues relevant to Reedit

IT Strategy containing an outline of the proposed projects in terms of the business and product strategies that they support. This could also include a high-level information architecture and plan for IT projects.

IT Strategy Implementation Plan highlighting dependencies, transition issues and opportunity factors.

Sections that would not be included in the Business Plan are:

Project Descriptions giving brief scope, name, dependences, critical success factors

Information Architecture models that are more technical in nature e.g. network architecture and data architecture

3.3 VeemaxVeemax manufactures and distributes solar power systems for homes and are recognised overseas as being leaders in their field. The company deals directly with home builders and some residential architects but plan to develop larger systems for office buildings and hotels.

Veemax has separately managed data centres in 4 large towns across Pakistan. There are 3 types of hardware platforms in use by the company. Veemax recently acquired new hardware the head office based on an expected life of 5 years. Applications are mainly purchased, fairly old and undocumented, with some modifications made for the business requirements in each town. Each data centre is responsible for all local IT Functions, and involves systems analysts, business analysts, computer operations staff and user support representatives. Network communications is arranged in a coordinated manner across the data centres.

The proposed investigation needs to assess the cost, benefit and ability of two or three IT operating alternates. A management committee consisting of the business managers and IT managers for each town will approve the recommendation.

You have been asked by Veemax to propose consulting services to help assess the future operating alternatives for its data centres, based on outsourcing and centralisation options.

Paper F21 Page 65


i) Prepare a presentation to the Veemax management committee that outlines the alternatives you propose to investigate and your initial reasoning. Describe the areas/factors you will investigate to help Veemax assess each of the alternatives.

ii) Provide a list of the IT functions that Veemax could separately outsource.

Suggested Solution

This questions is designed to assess the student’s understanding of centralised processing versus distributed and the issues involved with each.

i) We would expect the students’ to identify 3 alternatives including:

Centralise data centres

Outsource data centres

Combination of outsourced and centralised data centres e.g. retaining the moist critical functions and outsourcing the less critical ones.

The factors that the student should assess includes:

Cost of each option.

Centralisation costs that need to be taken into consideration include environment and infrastructure costs, maintenance costs, administration, support costs, technology obsolescence costs, data communications costs, software license costs and data recovery/redundancy costs.

The outsourcing option will incur many of the above factors and will also depend on contracting arrangements. These must include support, location of work and support, ownership of applications that will be used and how the deal is structure.

Transition, conversion and long-term costs likely should also be investigated.

Infrastructure.

Requirements that need to be assessed include the space required for the data centres, the network and communications links, staffing and the IT organisation itself. These considerations all have important implications for Veemax. For example, consider the business continuity issues concerned with providing a satisfactory response time to the centres.

Applications.

Consider the impact on applications in each option if there are regional differences, or if there are licensing implications of choosing a centralised system and if all requirements are the same for each centre.

Considerations should also look at the longer-term requirements of Veemax and if the option chosen will impact on the strategy or future choices.

Hardware.

Paper F21 Page 66


Centralised and decentralised systems will mean different capacity and performance issues. Also need to consider life expectancy of equipment and whether it fits in with Veemax’ strategic direction.

Business

The impact on business service must be assessed. What is best to serve the customers? How will the business units be co-coordinated if the systems are outsourced? What impact will this have on budgets? How much training and re-training will be needed for each option?

ii) Outsourced Services

Almost all the current IT Services could be outsourced from planning to support. Recommendation to management should consider:

What systems and activities are strategic to the company’s business?

How much will outsourcing save the company?

Does the company have access to the necessary skills and knowledge?

Will outsourcing help support the company’s future directions?

While there isn’t a great deal of information available for making this decision, the student should have a sufficient understanding of outsourcing to be able to identify some of the more common outsourcing options that might suit Veemax including:

Centralised data centre

Operate the data centre

Maintain current applications

Develop future systems

Operate the network

Provide user support

Provide PC and system support

Handle systems administration functions.

3.4 Patak’s Fine SilksPatak’s Fine Silks manufactures silk for the fashion industry. Patak’s has been operating for over 15 years and it now commands a healthy 30 % of the local market. Its systems work well although the IT Manager has repeatedly requested additional funds to upgrade the equipment and systems that are running near capacity.

The company has just been sold and the new owner is looking to make the company more profitable and undertake an expansion program to raise its profile. Patak’s new owner is extremely interested in the opportunities that ecommerce could offer the company and wants the Board to support him in pursuing such a strategy. The Board comprises 12 members, 8 members who have served more than 3 years and 4 new members.

Paper F21 Page 67


You are the IT Manager and the new owner has asked you to prepare a presentation to the Board on the opportunities and risks of adopting an ecommerce strategy and what the company might do about it.

You may use PowerPoint but include the notes you might use to guide you through the presentation.

Would you provide any handout? Why or why not? If so include these in your answer.

Suggested Solution.

The questions seeks to test if the student can distil a lot of information into a meaningful, short presentation on a real IT issue with a specific audience in mind. Even though there is no provision for the students to present their answers, the answers submitted should demonstrate an understanding of the use of PowerPoint to present the facts and back that up with the written words.

Students’ answers will vary but the format and presentation should be well structured to suit the intended audience of senior management level. We would expect slides to contain no more than 6 – 8 dot points, be clear and follow a standard template.

Handouts would be advisable for this presentation as the new owner seeks to obtain support from the Board. Handouts will provide the Board members with material that they can refer to on an ongoing basis.

The student’s should assume no, or limited, knowledge at Board level about ecommerce and the latest technologies. A suggested outline for the presentation follows:

Agenda – tell them what you are going to cover in the presentation.

Current IT System – it would be a good idea to set the scene for the new Board members in terms of the current architecture and issues. This should be high level only but should highlight that something must be done even if the Board decides not to proceed with an ecommerce strategy.

What is ecommerce? Introduce the topic and explain what it means. Use examples where possible.

Terms and technologies. Provide a high level introduction of some of the new terms they might not have heard about e.g. website, extranet. A handout of definitions might prove useful to the Board members.

What are the advantages?

What are the risks?

Next Steps – present some alternatives for taking the next step for example it would be necessary to undertake a Strategic Planning exercise to establish the framework for an ecommerce strategy. .

Questions

The answer on benefits and risks should include some of the following considerations.

Paper F21 Page 68


Advantages

Competition. New markets are available through ecommerce technologies such as website which has global reach and it also permits targeted marketing.

Wider audiences. Traditional marketing for Patak’s is confined to the local market. Ecommerce technologies will allow Patak’s to expand its customer base regionally, nationally and globally. A Website will extend its reach to a potentially broad audience.

Cost effective marketing channels. Extranets will allow Patak’s to form closer relationships with manufacturers and designers and thus establish multiple marketing channels quite cheaply.

Innovative marketing. New technologies allow more meaningful material to be produced e.g. streaming videos to demonstrate the product or detailed catalogues complete with pictures and price lists.

Cost Reduction. Many ecommerce technologies allow streamlining of the supply chain, new cost-effective alliances and more effective warehousing and delivery modes. Consider the cost reduction effect of technologies enabling virtual warehousing – producing goods only when orders are received and avoiding costly inventory collections.

Risks

There are many risks associated with ecommerce and the IT risks may be categorised into 3 areas.

IT Infrastructure risks. These risks relate to the hardware and infrastructure that is required to keep systems accessible and operational to support the business. Risks can arise from unauthorised access, physical loss of equipment, inadequate emergency plans, improper disclosure of information or inadequate encryption.

IT application risk. Most of these risks are the same as the traditional risks of IT applications including bugs and errors, inadequate testing, inadequate integration of systems, inadequate reconciliation, lack of audit trails and lack of version control of programs.

IT Business process risks include transaction date not transmitted efficiently or completely to accounting systems, backup systems only addressing the ebusiness processes, design and implementation of interfaces not appropriate, and controls applied to one process without regard to the entire process.

Other risks include legal risks e.g. privacy, confidentiality and regulatory issues that may differ from one country to another e.g. textile standards.

3.5 ControlsYou are the Computer Audit Manager of GGG Limited (GGG). The company manufactures and distributes ceramic tiles throughout Asia. The company is in the processes of restructuring its operations and implementing a new financial system called BIGSYS. The new system

Paper F21 Page 69


includes modules for sales orders, accounts receivable, purchase orders, accounts payable, fixed assets, general ledger and financial statements as well as a report writer.

In the past, a lot of company time and money was spent on non-value added reporting. Extensive reporting requirements have been imposed by head office and the branch sites have also tailored some of their accounting systems to fit their own internal and external reporting needs. The changes are typically made by one of the in-house programmers very quickly as part of their daily support duties. This has led to information that is not used and information that is not comparable between the different branches. Further, there is a lack of confidence in the accuracy of information from the current systems unless double-checked or additional manual controls are established. The external auditors have chosen not to rely on system controls in a few areas such as inventory and accounts receivable.

Users are provided access to all the current system modules and are cross-trained in different areas to allow for extra help during busy periods or when key staff are away due to illness or annual leave. There continues to be pressure to better leverage employees including extensive empowerment of management and staff at all levels.

The new financial system is being used to help establish more cost-effective and consistent financial processes across the business. The system will provide for a more distributed computing environment and additional features will be available such as remote access, Internet access and integrated system controls.

A project team has been formed to:

set-up and configure the system parameters to satisfy GGG’s requirements based on the business needs and industry best practices;

tailor, where critical, the new system primarily in the sales order and reporting areas; and

complete data conversions and establish interfaces with a few other systems such as the payroll and manufacturing systems.

Required

a) Prepare a brief overview to management outlining internal audit’s proposed involvement in the security, audit and control design and implementation work for the new financial system. The overview should include explanations about the:

i) current control environment and business plans that could give rise to added control risks;

ii) key outcomes and benefits from internal audit’s involvement in the control work; and

iii) control work approach including scope and key steps.

b) Outline the topics that need to be addressed in an information security policy for GGG. This should not be just a list of security mechanisms but rather a structure for preparing a security policy document for GGG. Describe in more detail the key security policy matters that need to be addressed regarding GGG’s future use of the Internet including topics related to scope, requirements and responsibilities.

Paper F21 Page 70


Suggested Solution

The following lists key issues and principles associated with this question:

As with any consultant or resource’s involvement in a system project, management need to understand the value of involving audit staff to proactively assist in the control design and implementation work for new systems. Early involvement of control specialists will help ensure that the new systems will be implemented with an integrated set of controls, avoiding a subsequent “band aid” approach.

An Information Security Policy is provided to confirm the company’s security goal, clarify rights and responsibilities, provide guidance / requirements and rely on employees’ common sense and good judgement.

Potential Problem Areas

The following lists possible problems candidates may encounter with this case study:

Many candidates should be comfortable with this question if they have an audit background and this may result in solutions focusing more on control techniques (e.g., input, process and output control methods) rather than the control design risks, benefits and approach.

Some candidates may focus on audit’s role being more of an adviser, quality assurance or monitor. This is considered less effective than active involvement although such roles can also be included.

Information security topics may be focused on particular security mechanisms (e.g., password control, user access validation) and exclude key matters related to purpose, scope and enforcement processes. Candidates were specifically instructed that the solution “should not be just a list of security mechanisms but rather a structure for preparing a Security Policy document for GGG”.

a) Solution Summary - Control Design

It is well established that appropriate (internal) audit involvement in system development can contribute significantly to a successful system development or implementation project.

The following is a brief overview outlining Internal Audit’s proposed involvement in the security, audit and control design work for the new system.

i) BACKGROUND – CURRENT CONTROL ENVIRONMENT

The following summarises the current control environment of GGG:

Security - need to strengthen security regarding system access, segregation of duties, remote access and Internet access. Users are multi-skilled and that can be a good thing. However, it is important to maintain reasonable segregation of duties. The fact that controls are poor, users can get changes made and there are and will be extensive report writing features which could give cause for concern.

System Development and Maintenance - need to establish more rigorous / standardised approaches for program changes including testing. GGG has allowed

Paper F21 Page 71


an autonomous method of working that may have advantages in ensuring that staff and managers feel that they have control of their domains but this can cause problems when trying to tailor packages. The definition of user requirements will have to embrace multiple and diverse needs and there could be disagreement between what Head Office (HO) wants and what the branches need. If the user requirements are allowed to evolve the project will never end. Requests for changes need to be evaluated in the light of a cost benefit.

System Controls - need to enhance system controls to ensure information accuracy and reduce need for double-checking or additional manual controls. However, this needs to be balanced with the need for automated controls and reports to have a clear purpose. As a general rule controls and information that cannot be acted on or used to help achieve the business goals are not required. As well, users may not design sufficient controls themselves due to lack of experience thus leading to inaccurate or incomplete data.

Audit Controls - need to enhance controls in systems to allow for greater audit reliance such as for inventory and accounts receivable. External auditors have not relied on controls and this would indicate that they are non-existent or not functioning. While there is no evidence that the systems are producing inaccurate data, such as a qualified audit report, it is not an acceptable situation. It may be that external audit costs are higher because of the additional work performed.

The following business plans of GGG that could give rise to added control risks:

Greater distributed computing - e.g., possibly lack of data synchronisation between branches, loss of traditional audit trails and significant increase in number of users

Reorganisation of business - e.g., possibly employee roles will be unclear

Pressure to leverage employees and staff empowerment - e.g. possibly lack of duties segregation

Interfaces - e.g., possibly poor data integrity between systems

ii) OUTCOMES AND BENEFITS

Controls - help ensure that the processes and systems being established are well controlled, auditable and secure rather than an “add-on”. This includes:

completeness

accuracy

authorisation/confidentiality

timeliness

validity

pertinence

consistency

Paper F21 Page 72


presentation / disclosure

availability/continuity

Practical - strive for an appropriate balance between satisfying control objectives and users’ needs. Internal audit staff should have greater external experience in control design to help apply best practices.

Integrated - early involvement of control specialists will help ensure that the new systems will be implemented with an integrated set of controls, avoiding a subsequent “band aid” approach. This allows for simplified and more precise efficient controls as well as greater technology flexibility that is not restricted by burdensome “add-on” controls.

Assurance - provide audit assurance and the implementation of reliable functionality, controls, audit trails and security will help save audit and operation time and costs (e.g., by automating controls). Internal Audit should be able to consider the “big picture” and have a more independent corporate interest to help ensure realistic expectations and benefits realisation.

Other - general benefits not directly associated with the controls design could include Internal Audit’s more direct access to management, ability to act as an arbitrator, help ensure adequate documentation and ability to carry out quality assurance if necessary.

(iii) APPROACH

Scope - The scope of Internal Audit’s involvement is as follows:

Activities - the controls, audit trails and security work cover both the business processes and computer systems excluding the interface system such as payroll and manufacturing.

Teamwork - the Internal Audit representatives will work closely with representatives from the project team to define, document and implement the controls and will keep management well informed on the work status.

Best Practices - controls will be established based on researched best practices. Sources of the best practices will be confirmed early in the project.

System Reviews - excludes post-implementation audit reviews of the processes, interfaces and controls (both manual and automated) in the live environment that would be performed as part of separate audit assignments, as appropriate.

Steps - the controls design work will include the following steps (candidates may provide other approaches and further details):

Plan the Assignment - to assess the best design approach and support needs. This includes identifying the required resources from Internal Audit.

Paper F21 Page 73


Conduct Controls Workshop (or meetings) - to gain understanding and support of the project team.

Define Control Objectives, Integrity Requirements and Integrity Techniques - for high and medium risk areas within each business process. This will include evaluating inherent risk and control risk of the project by carrying out a risk assessment exercise. As well, a review of the systems development and program maintenance policies and procedures is required with improvements to be proposed.

Support Process Teams in the Configuration of Security, Controls and Audit Trails - including interfaces and data conversion.

Support Testing of Controls and Security - as part of planned systems test activities.

Additional Discussion Questions

What types of controls could be considered early that would be less likely to be considered after the system is implemented?

Why could management resist audit’s involvement in the project, opting just for the post-implementation review approach?

b) Solution Summary - Security Policy

Security policies will primarily focus on the security characteristics of the company’s principal computer platforms or the perceived security risks which if not managed could cause significant loss or inconvenience to the business. The following outline suggests topics that need to be addressed in the Information Security Policy for GGG. The actual format would be dependent on the company’s current format for policies.

SCOPE AND RESPONSIBILITIES

Purpose - state overall purpose such as to help protect company information assets including systems that are to be used for business purposes only. Overall, the policy is provided to confirm the security goal, clarify rights and responsibilities, provide guidance / requirements and rely on employees’ common sense and good judgement.

Staff Covered - state the policy applies to all employees (full-time and part-time), contractors, suppliers, customers, service providers and other parties with approved access to company information assets.

Information Sources - state information sources covered under the policy such as intellectual, electronic and hard copy (written and printed).

Information Assets - state company information asset covered under the policy such as hardware and applications.

Staff Responsibilities - state overall responsibilities of staff such as protecting company data and personal computers, keeping passwords confidential and reporting any security risks or possible breaches.

Paper F21 Page 74


Security Roles and Responsibilities - state key responsibilities for enforcing the security policy such as security function, information and system owners, departmental responsibilities (e.g., audit, human resources, media relations).

Related Regulations and Terms - reference related regulations and employment terms that are applicable in conjunction with the security policy such as ethics, data protection, privacy, and confidentiality agreement.

Compliance - state ramifications of security breach such as failure to comply will result in disciplinary action, including possible termination and legal actions.

REQUIREMENTS / GUIDANCE

Base Security - state the security policies such as those related to access, data protection, and asset protection. The policies should:

not be fixed to hardware or software currently in use.

be a balance between excessive coverage and being too generic.

focus on security risks rather than listing the type of security techniques and tools used.

state the reason for a security requirement and examples of inappropriate use to help clarify each security requirement.

Base security areas to be considered in addressing the risks include:

firewalls;

anti-virus tools;

access control;

enhanced user authentication;

encryption;

physical security: and

disaster recovery plans.

Security Risk Management - state process for assessing and managing security risk such as identifying information assets, assessing threats, and defining actions (e.g., accept risk levels, transfer risks, mitigate risks with controls, or avoid risks).

Feedback/Escalation Procedures - outline incident reporting approach, as well as follow-up requirements and resolution criteria.

Note - Candidates may provide more details on the types of base security topics to be covered for GGG such as remote access, new user accounts, password protection, firewall protection, etc.

Paper F21 Page 75


INTERNET USE

The following describe the key security policy matters that relate to GGG’s future use of the Internet:

Data Security Procedures - policies need to be established regarding the protection of data from GGG’s systems that could be accessed through the Internet. For example:

Establish firewall protection over modem or LAN access;

Encrypt sensitive information being transmitted over the Internet;

Require use of virus protection software (set company standard) and keep employees aware of the virus risks associated with downloading data or systems from the Internet;

Prevent or restrict use of trusted network relationships (i.e., require unique passwords);

Limit or control powerful network management features;

Prevent access ability using command line instructions ;

Disabling system-default accounts;

Require use of passwords that are not easily guessed (e.g., 6-8 alphanumeric characters);

Restrict number of in-valid log-in attempts to help prevent the password guessing;

Restrict display of company information or system help until a user is authenticated;

Record security violations for subsequent review and follow-up; and

Monitor security and immediately correct any weaknesses that become known.

System Access and Use Protection - policies need to be established regarding who and how access will be provided to the company systems through the Internet. For example:

Qualifications and/or approval process for employee user access to/from the Internet. Who should have access? Is all staff to be allowed access or just a few?

Qualifications and/or approval process for external user access to GGG’s financial systems from the Internet. GGG may provide customers with access to systems such as order entry, inventory and accounts receivable. The extent of information they are given access to must be restricted and the prior data security procedures must be adhered to.

Paper F21 Page 76


When is access allowed? Is access restricted to business hours? Can staff access the Internet through the company system from home?

Types of remote access allowed.

External facilities to be allowed access internally.

Which software is to be used? Will GGG standardise on one product only?

What is Internet access to be used for? Can orders be placed to suppliers or from customers?

What is it not to be used for?

Secure E-mail Use - policies need to be established regarding the use of e-mail. A separate e-mail policy may exist for GGG and should be referred to and extended to cover Internet e-mail. For example:

E-mail is to be used for business use although incidental personal use is acceptable bearing in mind the company owns the e-mail account. Incidental personal use could be further defined to exclude advertising, chain letters and offensive material including humour and images.

Business judgement and ethics need to be applied regarding what information is e-mailed over the Internet. The company may wish to further define what sensitive information cannot be sent over the Internet or must be encrypted.

Classes of e-mail may be established with related security requirements (e.g., casual, official, sensitive, graphics and audio, copyright material, non-business related).

Some company representation in e-mail or user groups may need to include disclaimer notices to say that comments are those of the individual.

Additional Discussion Questions

How much of security protection is common sense and does this need to be stated in a policy?

How long should a Security Policy be?

Paper F21 Page 77


Revision Material

R1. IT Strategy and Management

R1.1 IT Strategy

Strategic Considerations in IT Development

Key Points

IT planning occurs at many levels including strategic, tactical and operational

Planning must consider the position of the business in the broader market place and be based on an understanding of the business environment.

IT Strategic planning must be aligned with the Business strategic plan and gain the support of senior management

The time frame for IT strategic planning is constantly being challenged. Originally a long-term plan would have served 3-5 years, but current best practice suggests that plans are reviewed and revised more frequently.

E-Business Models

Key Points

ecommerce has evolved from its original meaning related to transacting electronically with business partners to a broader term embracing all business communications and transactions that are completed electronically commonly called ebusiness

ebusiness has introduced many new business models into the corporate world

These new business models provide significant opportunities but also represent significant threats. They rely on new technologies and must be integrated with business processes for success.

The current models include B2B, B2C, C2C G2C, B2E

Questions

1. What is an IT Strategic Plan?

a. An IT plan that takes longer than 5 years to complete

b. An IT plan that support the corporate business plan

c. An IT Plan that introduces new technologies and methodologies

d. An IT plan that shows what the IT department will be doing in 5 years time.

Suggested solution is b.

2. Who should be involved in developing the IT Strategic Plan?

Paper F21 Page 78


a. IT Manager, IT Auditor, CEO, Chief programmer

b. IT Manager, CEO, all departmental managers

c. IT Manager IT Auditor, Project Managers, all IT senior staff

d. IT Auditor, Sales Manager, Operations Manager


3. Identify in which sort of plan you would expect to find the following (i.e. S- strategic, T – tactical or O – Operational)?

a. Corporate IT architecture

b. Principles behind acquisition of applications

c. Schedule of all projects

d. Resources plan

e. Performance Management Plans

f. Data management policies and procedures

Suggested answer is as follows:

a. S

b. T

c. O

d. S

e. T

f. O

4. Which of the following documents would be most useful when performing an IT strategic planning project?

a. Annual reports from last 2 years, Sales forecasts, investment analysis

b. Sales reports for last 12 months, systems performance results, network management reports for last 6 months

c. Systems performance results for last 6 months, sales forecasts for next 12 months, current project status reports

d. Database management reports, sales forecasts, annual report

Suggested solution is c. Students should be able to demonstrate an understanding of the nature of strategic planning in their answers to Why. While there are many documents that are necessary as input to a Strategic Plan, the documents listed in C, would provide information about demands on the systems in the past and in the future plus an idea of

Paper F21 Page 79


the workload of new systems being developed that might have an impact on the IT architecture, resources needed etc.

5. Which of the following statements are TRUE:

e. A group of vendors in a particular industry who get together to exchange information electronically have produced a B2B exchange

f. An individual who withdraws money from their own bank accounts at an Automated Teller Machine (ATM) is conducting a B2E transaction

g. Customers selecting goods from an online store and entering their credit card details are conducting a C2B transaction

h. A business lodging a corporate tax return electronically is conducting a transaction under the G2C model

Suggested solution is a, and c are True.

6. In your opinion, what impact would the following scenarios have for an organisation wishing to participate in a B2B exchange and why?

i. Company with many legacy systems.

j. A company that is part of a strong industry association

k. A company that has not participated in any online transactions before.

Suggested solution:

a) An exchange must be able to accept and process orders quickly and transmit it onto the supplying organisation. Typically, in an organisation with legacy systems, the order would pass though several systems from order sentry, to inventory, to warehouse picking, to shipping and invoicing. Many of these systems would be running on mainframe systems or mid-range and rely on systems that were developed many years earlier. The format of the order information will usually not match that required by the B2B Exchange.

Such organisations will need to adopt a different strategy necessitating either a rewrite of legacy systems or investment in a new range of Enterprise Application Integration (EAI) tools to interface the older systems with the newer ones of the exchange.

b) Part of the most difficult part of developing or running a B2B exchange is of getting a common and agreed format for the transactions. If the company belongs to a strong industry association this association can take on much of the work on behalf of its members thus allowing the business to focus on its current operations. The industry organisation would be in a position to manage the development and rollout of the exchange and pull parties together. The association would also be in a position to “broker” opportunities for its member companies and have a better understanding of industry issues.

Paper F21 Page 80


c) A company that has not participated in online transactions before will probably have none of the high level of security required to open their systems and processes beyond the organisation. A B2B exchange will necessitate the company looking at investing technologies and process to secure their systems and data. Security measures such as firewalls, access controls, Encryption, and contingency plans will need to be addressed as part of an ebusiness strategy.

7. Describe four (4) features that an organisation should incorporate into a B2E solution and the benefits they would provide.

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

There are many features that a student could include into this answer. Suggested solutions include:

Shared access to documents. Employees would always have the latest version on hand and save time and money from trying to find a copy and maybe have to photocopy it.

Controlled access. Passwords and responsibility levels can ensure employees can only see selected information and forms based on their level of responsibility.

Events, calendar and scheduler. A centralised scheduling system offering these features can save time and money as employees can easily schedule meetings and events across department and teams without numerous phone calls or visits

Address book. A corporate address book can save time and money as the information will be maintained only once and everyone has access to the same information.

Task Management. Providing centralised project or task lists can save time and money and allow supervisors to keep better control over project work.

Corporate-wide search engine. New staff will find enormous benefits from being able to enter keywords and find the information they want rather than having to go or phone around and ask other people where to find the information.

R1.2 Management of IT

Management of computer operations

Key Points

With increasingly reliance on computers systems for normal business transactions, the management and controls of technology is a critical success factor for organisations.

Planning is essential to ensure that the computer operations serve the organisation and support the business in meeting its goals.

Paper F21 Page 81


There are many functions associated with Operations management including infrastructure issues such as capacity management, production planning, and production control; staffing issues including IT staffing, systems training, and user support; and corporate issues such as security and privacy.

Management of inter-organisational computing

Key Points

Improvements in networks and telecommunications have introduced another layer of complexity for IT managers in terms of supporting inter-organisational processes and systems.

Collaborative computing facilitates workers working in teams whether across departments or across organisations.

Distributed systems allow organisations to disperse the processing or storage of data among different departments or company units.

EDI is the direct exchange of data and information between 2 companies. EDI requires agreements between the organisations as to the format and nature of the information to be exchanged plus agreement on the nature of the exchange mechanism.

While outsourced services offer another way for organisations to manage their business processes and staffing across a number of areas, it brings with it a number of issues including performance, security and costs.

Management of End-User Computing

Key Points

End-user computing is a type of distributed computing that needs careful management

Key issues include planning, managing and controlling the acquisition of technology and software in end-user environments

Financial analysis and control

Key Points

Various costing models are available for the acquisition and management of capital items.

Return on investment has long been an issue for IT management.

Monitoring and managing the costs of computing are more difficult as organisations move to outsourcing, end-user computing and inter-organisational models.

Charge back for IT services supplied to other departments within an organisation raises many issues including planning, corporate architecture, research and development etc

Paper F21 Page 82


IT Control Objectives

Key Points

Management must understand the risks and threats to the organisation before developing their controls framework.

Policies, practices, and procedures must be relevant and appropriate to the level of risk faced by and organisation.

CobIT provides a framework that can be used as a guide.

Questions

8. Describe the differences between an operations strategy and an IT strategy

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

Students might choose to describe the differences in terms of the table of contents but the main differences that should be included in any answer should demonstrate an understanding of the difference in scope of the strategy and in timing. The IT Strategy is a high level document that is aligned with the Strategic Plan of the business and describes a framework for evaluating all IT decisions. The Operations strategy is a document at the operational level that describes the overall approach to the technology itself and how it will be managed

9. Are the following statements TRUE or FALSE?

a. The purpose of a Business Continuity Plan is to ensure that steps are taken in advance to maintain continuity of essential business functions should a crisis occur.

b. Logging systems resource usage and monitoring results is essential to ensure that IT Resources are available to meet the demands of the organisation’s business units.

c. Operations management must work 24 hours x 7 days to support the business

d. Problem management involves logging and analysing problems in applications or infrastructure to ensure that problems can be quickly fixed.

e. Configuration management is concerned with identifying, managing, and tracking the components of information system applications.


Paper F21 Page 83


a. The purpose of a Business Continuity Plan is to ensure that steps are taken in advance to maintain continuity of essential business functions should a crisis occur. TRUE

b. Logging systems resource usage and monitoring results is essential to ensure that IT Resources are available to meet the demands of the organisation’s business units. TRUE

c. Operations management must work 24 hours x 7 days to support the business. FALSE

d. Problem management involves logging and analysing problems in applications or infrastructure to ensure that problems can be quickly fixed. TRUE

e. Configuration management is concerned with identifying, managing, and tracking the components of information system applications. FALSE

10. Which is the most important aspect of EDI?

a. The ability of computer applications to communicate automatically

b. The ability to transact using computer links

c. The use of a third party value added network to assist trade electronically

d. Use of agreed industry-wide standards for data interchange

Suggested solution is d.

11. What is the most important element of entering into an ASP agreement?

e. Obtaining a copy of the Annual report of the ASP

f. Developing a mutually agreed Service Level Agreement

g. Checking references of current clients

h. Ensuring that costs of the agreement are less than currently expended


12. List 4 types of software that can be used to provide a collaborative work environment.

There are many answers that the student could provide. Suggested answer includes:

Email

Groupware

Shared Calendar applications

Meeting software

Intranets

Paper F21 Page 84


13. Are the following statements TRUE or FALSE?

Suggested solutions is:

a. Distributed systems are easier to manage than other system architectures FALSE

b. Distributed systems can be defined as systems where corporate data is managed by a number of different user departments. FALSE

c. The trend to distributed data processing has occurred as a result of the decrease in the cost of computer hardware and the increase in functionality and availability of software. TRUE

14. Identify 3 applications that could be well suited to end-user computing.

Suggested solution should identify applications that do not have a corporate-wide impact and which are conducted in functionally separate units. This includes:

Ad-hoc inquiries relying on stored data

Simple reports relying on stored data

What if analysis tools for business

Applications that can be generated using high-level tools

15. Identify and describe 2 methods that are used for financial justification of an IS project.

Students can select from several methods including:

Return on Investment (ROI). This method compares the development and operating costs of a system to the anticipated business cost reduction and revenue increasing activities for the proposed IT investment.

Discounted Cash Flow (DCF). This method acknowledges the time dependent nature of value and looks at when the investment is required and when the benefits will be realised.

Net Present Value (NPV). This methods calculates the difference between the sum of values of cash in-flows, discounted at an appropriate cost of capital, and the present value of the investment.

Internal Rate of Return (IRR). This method is based on NPV but calculated using an interest rate that will cause the NPV to be zero, and aims to make comparisons of projects more realistic.

Payback Period. The method determines the amount of time, usually in years and months that are required to the break-even point.

Paper F21 Page 85


16. From the standard control model and from the IT Governance Framework, a number of Critical Success Factors can be deduced that apply to most IT processes. Are the following TRUE or FALSE?

a. IT processes are defined and aligned with the IT strategy and the business goals

b. IT performance is measured in lines of code written and tested

c. People are focused on processes

d. Cross-divisional co-operation and teamwork should be discouraged in organisations

e. Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and scalability, and avoid breakdowns in internal control and oversight

f. IT governance focuses on how well the organization understands IT.

g. IT governance provides a clear direction for IT strategy, a risk management framework, a system of controls and a security policy

Suggested answers are:

a. TRUE

b. FALSE. Correct answer is IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability. IT management is rewarded based on these measures.

c. FALSE. Correct answer is People are goal-focussed and have the right information on customers, on internal processes and on the consequences of their decisions

d. FALSE

e. TRUE

f. FALSE Correct answer is IT governance focuses on major IT projects, change initiatives and quality efforts, with awareness of major IT processes, the responsibilities and the required resources and capabilities

g. TRUE

17. COBIT Management Guidelines suggests the use of a Maturity Model. What is the purpose of a Maturity Model and what is it based on?

Students answers should demonstrate an understanding of Maturity Models and an understanding of their use. Their description could include the following:

The Maturity Model is a way of measuring how well developed management processes are.

Refer to business requirements and the enabling aspects that are at different maturity levels

Paper F21 Page 86


Provide a scale that lends itself to pragmatic comparison

Provide a scale where the difference can be made measurable in an easy manner

Provide a ready “profile” of the organsiation as it relates to IT governance

Provide a baseline “As-Is” and set the target baseline “To-Be” positions

Provide the basis for a gap analysis to determine what needs to be done to achieve a chosen level

The Model is based on a scale for measurement. Scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable.. Athe scale as described by COBIT includes the following:

0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.

2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

18. COBIT management guidelines is based on 4 management activities. These are:

h. plan, perform, correct, review

i. plan, do, check, act

j. Plan, develop, budget, review

k. Plan, do, budget, review


Paper F21 Page 87


R1.3 Software

eBusiness Enabling Software

Key Points

As eBusiness becomes more common, there are an increasing number of software packages available to organisations.

Corporate-wide systems such as ERP and CRM are modular systems that enable the organisation to implement all or selected modules as part of their strategy.

There are many software packages available to small businesses that enable them to move toward and electronic commerce platform. These include shopping carts, electronic catalogues, online payment processing etc.

Questions

19. What is the best description of an ERP system from the following:

a. Provides and integrated approach for accounting and human resource management

b. Provides a corporate-wide system for managing the supply chain

c. Provides an enterprise approach to managing business information

d. Provides a system for managing the manufacturing and inventory control processes

Suggested answer is b

R1.4 IFAC Guidelines/Discussion papers

Key Points

IFAC IT Committee has produced a series of IT Guidelines promoting a global perspective on best practice.

IT Guidelines are available for the IFAC website and include Information security management, business planning, acquisition, Implementation, IT service delivery and monitoring.

These IT Guidelines provide comprehensive best practice. They will need to be tailored so they are appropriate to organisations no matter what size.

Other publications are available that provide a broader understanding of IT issues for management including Outsourcing, eBusiness and the Accountant and Project checklists.

Paper F21 Page 88


Questions

20. Which of the following are the key principles in developing an IT plan?

a. Alignment, Integration, Achievability?

b. Aligned scope, Awareness, Transparency?

c. Alignment, Accountability, Commitment?

d. Accountability, Evaluation, Integration?

c. is correct.

21. Identify and describe at least 2 factors that are important to implementing a successful information security.

Students could identify any of the following factors as described in the IFAC Guideline:

Policy development. A framework that supports and complements existing corporate policies and recognises the important role theta Information has in the organisation is necessary.

Roles and responsibilities. For effective security, roles and responsibilities, which will be unique for each organisation, must be clearly stated and well understood by all.

Design. Once the policy has been accepted by senior management, the more detailed standards, measures, practices and procedures must be developed and maintained.

Implementation. The standards, practices, procedures and measures should cover a number of areas including accountability controls, Systems development life cycle, authentication controls, business continuity planning.

Monitoring, Measures and procedures for monitoring systems, processes and environment are required to ensure adherence to the information security policy.

Awareness, Training and Education. All staff must be aware of the need for an information security policy and be trained in the standards and procedures required. Staff responsible for the information and security policy should receive more in-depth education.

22. Are the following statements TRUE or FASLE?

The following is a suggested solution.

a. The people who must be included in the acquisition process includes IT, users, IT Audit, senior management, a consultant. FALSE

b. Acquisition requires a concise statement of the business expectations. TRUE

c. The objective of information security is “the protection of the interests of those relying on information and the information systems and communications that

Paper F21 Page 89


deliver the information, from harm resulting from failures of availability, confidentiality, and integrity”. TRUE

d. Rapid Application Development (RAD), Structured Analysis (SA) and Object-Oriented Systems Development (OOSD) are examples of systems implementation methodologies. TRUE

Paper F21 Page 90


R2 Information Technology Security Control and Management

R2.1 Control frameworks

Key Points

You must know what impacts the controls required in an organisation.

Controls must be cost effective and meet an objective.

Organisation risks must be analysed and appropriate controls implanted.

Auditors will now be reviewing IT systems and looking for appropriate controls.

There are IT standards and audit review processes that may need to be adhered to such as – COBIT, SysTrust, WebTrust, SAS70, ITGI

Questions

1 Are these statements true or false?

a. Most IT data theft is carried out by copying the data so the organisation still has the original. This means data theft is not so important. FALSE

b. As the data is stored electronically you automatically get privacy of information. FALSE

c. Unless you sell things on the Internet you are unlikely to be impacted by the loss of a server FALSE.

d. All auditors need to consider computer system issues. TRUE

e. Any organisation operating on the Internet will need a WebTrust certification. FALSE

2 Auditors should –

a. Carry out regular control checks such as looking at logs every week.

b. Ignore the computer system as computers do not make mistakes

c. Examine controls and recommend changes

d. Always employ a specialist IT auditor

3 What would be the three most common IT problems that an organisation will have to deal with?

1 Errors

2 Viruses

3 Disruption

4 Why should an organisation always consider risks before deciding on the controls to implement?

Paper F21 Page 91


The level of control to be implemented will be dependent on the amount the organisation may lose in the event of the system being compromised.

5 A SysTrust review will report on:

a. Security and efficiency

b. Maintainability and response time

c. Management and ethics

d. Availability and integrity

R2.2 Control objectives

Key Points

Management are responsible for controls.

Controls have to support business objectives and safeguard resources and assets.

IT must be efficient and use its resources effectively.

IT must therefore support the business goals and strategic plan. Other plans then flow from this.

Technical and information plans will also be required.

These plans are part of the overall control process and also feed information as to what detailed level of control will be required.

In spite of the use of technology, interpersonal skills are still essential for the IT manager and many IT staff members.

Setting the IT budget is an important control process to manage the funds that are used by IT and to help use them effectively.

IT projects can waste funds and so need to be effectively controlled.

Managers must be able to rely on the data and information provided by IT especially in the financial area.

Systems design must also be carefully controlled.

It is at the design stage that system controls need to be considered and included as user requirements.

Different design approaches will require different control processes but the principles stay the same.

IT department and user workstations may represent a large value asset that needs to be safeguarded.

The right equipment needs to be selected in the first place based upon the strategic plan.

IT equipment is now very portable and so a target for theft and abuse. This needs to be controlled.

Paper F21 Page 92


All organisations should be following the law and this applies to all aspect of IT development and operations. Most importantly copyright rules must be adhered to.

Attempts to thwart controls may come from an employee or external person. The former is the most common but is usually hushed up; the latter gets the largest press.

Users may not be able to do without their systems anymore and so reliability and recovery are big issues.

Data integrity is paramount and there are several control techniques that may be used including – quality processes, change processes, security processes, education of users, completeness, accuracy, currency, timeliness, consistency, comparability, authorisation and auditability.

Questions

1 How do controls link in with the IT strategic plan?

Controls are not just about preventing fraud or errors. They should also be applied to help the organisation operate in an effective and efficient way and to maximise the return on investments. The IT strategic plan should also be about maximising ROI and efficiency. There needs to be controls in place to ensure that effective planning and strategies are implemented.

2 True or False?

a. As technology changes so quickly the IT department’s budget should allow for the latest equipment and versions of software to be installed as soon as they are released. FALSE

b. While budgeting is part of a control mechanism, just setting a budget does not guarantee that only that amount of money will be spent. TRUE

c. If an IT project is fully funded by a user department then it does not need to be controlled. FALSE

d. Just because data is input accurately does not mean that it cannot later be corrupted. TRUE

3 Describe why auditors are interested in the design approach and standards used.

The best time to implement controls is in the design phase before anything has been built. Auditors need to check the design to see that controls are in the requirements. Also the IT department must be efficient and not waste resources. The development process should follow standards to help ensure that the system comes in on time and on budget and does what is required.

4 To help prevent equipment theft you can

a. Put all the equipment into an asset register

b. Use steel cables to fix equipment to desks

Paper F21 Page 93


c. Put a bar code label on the front of the computer

d. Lock all notebook computers away when not in use.

5 Copying software is not theft. True False

6 The most common perpetrator of a fraud is

a. An employee

b. A hacker

c. An Internet user

d. A thief

7 Comment on the following statement – “Software is so easy to use these days that users do not need any training.”

Users still need training in topics such as – control procedures around the system, how to use the non-intuitive options, how to handle errors, how to make corrections, where to store data, how to secure the system, etc.

R2.3 Layer of control

Key Points

Security and control act in layers to protect the resource in the centre.

Society’s view of the law, ethics and business practices will have an influence on what people will try to do to circumvent security and controls.

The same concept applies to the culture of a particular organisation or the way managers operate.

IT security and control processes can be used to protect against behaviour.

Operating system and application software will usually restrict access to users or groups of users but it has to be implemented appropriately.

Management supervision and checking of data by more than one person are still effective controls.

It is ideal to separate the control of assets from the recording of the asset.

Questions

1 If there is poor physical control around an office what impact does that have for other control procedures?

It will be easier for a thief or fraudster to get physical access to the computers. This then requires improved logical controls such as passwords and encryption to safeguard the data in the computer.

Paper F21 Page 94


2 Give examples of how attitudes to security and control may vary between organisations.

Organisations such as banks will be very security conscious as they handle cash. They will have a security culture and staff will probably accept the need for security. Small businesses may not see any need for security and all users may share data and computer access.

3 Hackers will

a. Only attack banks to defraud them

b. Attack anyone for fun

c. Only attack servers running UNIX

d. Always get caught

4 You should always try to separate the recording of assets from the control of assets.True False

R2.3 Responsibility for control

Key Points

Many people at all levels in the organisation are responsible for aspects of control.

The board and senior management have the overall responsibility but are unlikely to undertake any detailed work themselves.

They do need to be involved in planning and approving procedures.

IT staff will implement the procedures and undertake many day-to-day control activities.

Users will also be required to carry out parts of the control process and be on the look out for problems and anomalies.

Auditors will then be reviewing and checking controls and security.

Questions

1 The board of directors will usually know very little about IT security and controls therefore they have no role to play. True False

2 Describe the IT manager’s role as regards security and control.

They will need to provide support and guidance on security and controls to managers when the policies are being developed. They will then need to implement the procedures. They will need to monitor certain aspects of the security such as log files. They will need to set an example to their staff and adhere to all security procedures.

3 If a user sees a peculiar transaction they should

a. Do nothing it is probably a test entry

b. Report it to their manager and the IT manager

Paper F21 Page 95


c. Just ignore it

d. Put in a reversing entry to correct it.

4 Audit trails are special reports used just by the auditors.

True False

R2.5 Control environment

Key Points

What are the external regulatory controls that an organisation has to adhere to?

Accurate books and records must be kept and now these will be computerised.

Other specific legislation relating to IT is now often enacted such as Privacy legislation.

Accountants will often adopt international standards where there are no local standards.

Management of IT is seen by COBIT as a high-level control objective.

Polices and procedures must be communicated to staff and adhered to by managers.

HR policies should ensure that when selecting staff they will adhere to control policies and fit in with the security culture.

COBIT also expects that the funding and management of the IT investment is appropriate.

Questions

1 Why do organisations have to keep proper books of account?

Normally there is a requirement in a Company Act that requires proper books to be kept. In addition the tax department will want to be able to see accounts to assess how much tax has to be paid.

2 If a company operates in multiple countries it could be a good principle to adopt:

a. No privacy standards at all since they are all different.

b. The least difficult to implement as this will cost less

c. The most stringent

d. The privacy standards in the holding company country

3 Why is the management of IT considered a control objective?

A control objective is the effective management of an organisation’s resources. This is often a statutory requirement imposed on directors. IT can consume large amounts of resources and so it must be effectively managed.

4 When recruiting new employees it is important to

a. Explain any special security requirements that are required

b. Check references

Paper F21 Page 96


c. Ensure that they will adhere to the security culture of the organisation

d. All of the above.

5 What are the advantages of adopting a “user pays” approach to charging for IT services.

Users will be keen to keep costs down and so will not waste the resources on offer. They will be more receptive to projects that will help reduce costs. If they are paying for a project then they are more likely not to make flippant requests for ineffective requirements.

R2.6 Risk assessment

Key points

Level of control should depend upon risks faced.

Organisation needs to evaluate the risk it faces.

It then determines the impact and possible financial loss of an event.

It looks at the controls that could reduce or recover from the event.

Cost effective controls can then be put in place.

There are major and minor disasters that can impact an organisation.

Loss of IT systems will now normally have a major impact.

Errors are a common event that must be prevented by appropriate controls.

Attacks can come from within the organisation (employees) or externally.

Investment in IT has to be safeguarded.

Controls may prevent an event, minimise the impact of an event or be used to recover from an event.

Questions

1 The greatest risk facing IT systems is a hacker attack.

True False

2 Describe three common risk events that will need to be controlled.

Virus attackErrorsService disruption

Hacker penetration

Disasters

Hardware failures

Changes in environment that impact systems

Paper F21 Page 97


Power failures

3 If during a risk analysis activity you decide that a particular event is likely to occur, how would you decide on the controls to implement?

You would estimate the likely cost to the organisation of the event. Then consider the controls that could be used to prevent or recover from the incident. Apply a cost benefit analysis and implement if management feel that it is beneficial.

4 Describe why employees pose a risk to an organisation.

They will have some access to data and may misuse it. They are the ones that will input data and may be prone to errors. They will need to adhere to the security procedures and may not want to.

5 When considering theft you should:

a. Only worry about notebook computers as they are portable

b. Consider all IT equipment as being a target

c. Not worry if there are security guards on reception

d. Use logon passwords to deter theft.

R2.7 Control activities

Key Points

You should be aware of possible risks before identifying the controls to incorporate.

Many controls are procedural in nature and are implemented as policies and procedures.

Controls must also fit within the framework of the organisation.

Managers and staff must be aware of their roles and responsibilities.

Controls may prevent an event, detect an event and provide correction to an event.

IT controls can be used to control the user or for the user to control the system.

Contingency plans and the ability to recover from a disaster is an important element of control.

Insurance may be able to cover some of the financial losses suffered.

Authorisation of transactions and segregation of duties are still important controls in IT systems.

User access is often controlled by user identifiers and passwords.

Log files should be reviewed by an independent person.

Controls such as batch control are required to ensure complete processing of transactions.

Errors must be satisfactorily followed up and resolved.

Paper F21 Page 98


Today IT systems must also control data privacy and security.

Many countries have privacy legislation in place that may impact organisations trading over the Internet.

Information and files may be categorised so that appropriate control may be applied.

Access controls may be classed as physical and logical.

Networks will need their own types of physical and logical controls such as firewalls and encryption.

Operating systems may have security weaknesses and so all latest patches must be installed.

An important control is the regular monitoring of the system to examine performance and security issues.

Controls are required to be able to recover quickly from minor problems and backup and recovery procedures are essential.

For major disasters a hot or cold site may be required.

Any DRP needs to be tested and kept up to date to reflect changes in operation.

IT management and the smooth operation of the IT department will be critical to the organisation so control polices and procedures are appropriate.

A SLA may be considered an element of control to determine the levels of service that are to be delivered.

SLA performance will need to be monitored and reported on.

New technologies should be adopted only if they can be shown to provide benefits to the organisation, not just for the fact that they are new.

Specific controls are required to control access to software and database files.

Controls need to embrace all elements of the data life cycle including input and output processes.

Questions

1 Why do IT staff pose a security threat?

IT staff normally have high levels of security clearance to be able to do their job. They will be responsible for many security procedures and if these are not carried out correctly may prevent the organisation recovering. If IT staff make a mistake such as deleting files it can have a major impact.

2 A problem with allowing users to pick their own passwords is:

a. They may share them with other staff

b. They may pick easy to guess passwords

c. They may forget the password

Paper F21 Page 99


d. The administrator will then not know what the password is

3 Describe three techniques that minimise the likelihood of input errors:

Check Digits, Batch Control, Record checking, Exception reporting, reviews.

4 What is a transposition error?

One that occurs when one of more numbers (or letters) are swapped during data entry.

5 Why should batch control processes still be used with an on-line, real-time system?

Errors can still be made with these systems including errors of omission, duplication and incorrect data. Batch controls help detect these errors.

6 How can a manager or auditor verify that an audit log file has not been changed to hide a fraudulent transaction?

The file should have appropriate permissions so that only the auditor or other trusted person can access it. File modification dates may be examined. The file may also have control totals or record counts that will indicate modification.

7 How often should data be backed up and taken off site?

Theoretically this will be determined by the risk analysis and the possible loss that can be suffered. In practice most organisations operate a daily backup cycle.

8 A SLA is:

a. Only used with outsourcing organisations

b. Used as a basis for checking IT department performance

c. Not necessary if you are not charging for IT services.

d. Created the first time the system is implemented and then is no longer required.

9 Describe why an organisation that has all its equipment fully ensured should still develop a DRP.

Insurance may not cover all aspects such as data recreation, loss of goodwill, etc. In addition, while waiting for the insurance to come through the organisation still has to operate.

10 Describe process controls that may operate in a payroll system.

Paper F21 Page 100


Overflow errors in case of a division by zero error, reasonableness checks to ensure that calculated salary is within the normal levels, calculated control totals and run-to-run controls, handling rounding correctly,

11 A user puts their password on a post-it note and sticks this on their monitor. How can you persuade them that this is not good security and to try to remember the password?

Look at policy document and see if there are any penalties for such action. Explain that anyone could log on as them and carry out malicious acts for which they will be blamed. They could log on and send e-mails purporting to be from the user.

12 Wherever possible give one person total responsibility for all aspects of an activity since this gives them greater job satisfaction.

True False

13 Describe why you may want to restrict users to printing only on particular printers.

The printer may be being monitored or observed to identify the printing of confidential data. Consumables on other printers may be costly and so they are restricted to special print jobs. The printer may be close to the user and so the most practical to use. The printer may have special stationery.

14 Managers must:

a. Authorise control procedures

b. Adhere to control procedures

c. Regularly check that control procedures are adhered to

d. All of the above

15 IT controls are only those activities that are performed by the computer.

True False

R 2.8 Monitoring of control compliance

Key Points

Controls must be complied with and be seen to be complied with.

Responsibility lies with senior management and the board.

We need to set objects against which we can compare actual.

Performance monitoring should be an integral management function.

Paper F21 Page 101


Balanced scorecards may be used to show IT performance.

External parties may be used to monitor.

If not meeting targets then appropriate action needs to be taken.

The computer can be used as an audit tool. Either with specialist software or more generic applications.

All accountants need to be computer literate, some more than others.

Auditors may be involved in reviewing design process so need to be able to read diagrams used in modelling.

Testing is an important control and the procedures need to be reviewed.

Auditors may use software to check the data in files and verify totals and reports.

General software such as spreadsheets and word processors may also be used in the audit.

Questions

1 How could an auditor use parallel simulation to verify warranty claims?

The auditor could examine the logic behind the calculation of warranty claims and develop a piece of code to carry out this calculation. This code could then access the same source data and it should arrive at the same figure.

2 Describe three audit tests that could be applied to data using a specialist reporting tool

Verification of control totals

Random selection of data for further checking

Checking for data that falls outside certain ranges

Identification of repetitive transactions

Large value transactions

3 Describe three types of tests that may be performed during the testing phase of systems development.

Unit test

String test

Application test

Module test

Program test

Full system test

Paper F21 Page 102


4 Why should all auditors be familiar with IT audit techniques.

Computers are used in all types and sizes of organisation. They can no longer be ignored when conducting an audit. All auditors should be able to carry out basic IT audit routines.

5 List topics that may be included in the compliance report.

Objectives/controls being tested, method of undertaking review, findings, impact on performance and compliance, recommendations, costings and cost benefit analysis of findings.

SummaryInformation technology is always changing and so will the need for auditors and accountants to keep abreast of the technology and its impact on audit, finance and accounting.

Uncontrolled use of computers can result in erroneous data and misuse of funds. Control principles change slowly but the control processes must continue to evolve to meet the challenges presented by the latest technology.

Paper F21 Page 103


R3. Revision Case Studies

R3.1 Tarash FoodTarash Food is medium sized restaurant franchise with an annual IT operating budget of RS 3 million. Management are concerned that the computer systems currently being used are out-dated when compared to what their competition might be using. Their current systems are unable to be modified, to provide the improved restaurant efficiency that is required, without high cost. Two head office Managers and the IT Manager started to look at new software packages to replace the current financial and restaurant systems. However after several demonstrations, they concluded that none of the packages provided all the functions that they are seeking.

Recently the IT Manager met with Managers at several of the restaurant franchises to gain their views on what they needed from a new computer system. Some of the Managers indicated that they are happy with the current system and do not want to change. Others have indicated that they urgently need new systems to support improved inventory and sales controls. Two of the restaurants have taken steps to identify systems they wish to implement based on their own contacts and market information.

Senior Management has agreed that a system is imperative and wants a new computer system to be selected within the next few months.

You are IT consultant contracted by Tarash Food to help in the selection process. The IT Department support has been good in the past and appears adequately skilled to complete the implementation.

i) Identify problems in the approach taken to date by the IT manager in selecting Tarash’ new systems.

ii) Outline a better process to select the new systems in a 3-4 month time frame.

iii) Indicate how you would involve the restaurant managers and head office management in each sage of the process and what your role would be.

iv) Identify and explain areas for assessing the vendors and their proposed software solutions. Suggest Tarash’s weighting factors for each area (e.g. 0-100%) and explain your rationale for the weightings.

This question seeks to demonstrate an understanding by the student of the management decisions needed in acquiring software through the package route.

i) Student’s should identify that the biggest problem with the approach so far is that they have failed to establish their requirements before beginning to look at packages. Other problems that might be highlighted include:

Time allowed for project is too short for wide consultation needed

There has been a lack of structured processes to collecting and establishing the requirements

Lack of senior management direction in the overall objectives of the process.

Paper F21 Page 104


Criteria to evaluate the potential vendors have not been established.

Lack of involvement of key stakeholders involved in the process – it is essential that the major stakeholders are involved in the process from the beginning. The fact that several franchise owners are already looking at identifying the systems that they wish to use highlights the extent of the problem.

Lack of proper cost-benefit evaluation and scoping

ii) A better process to follow in the allocated time would be to establish a formal project with the following milestones:

Prepare Project scoping and timeline

Prepare application requirements and identify potential vendors or solutions providers. Obtain approval from major stakeholders for the requirements.

Prepare a RFP or RFT and send to vendors with an invitation to respond. This step may involve further briefings for the vendors and must involve identifying the criteria for evaluation.

Evaluate responses from vendors and prepare a shortlist

Agree on what is required from each vendor. Schedule a demonstration of the solution and prepare a list of questions for the assessment. Complete reference checks for the vendors and select.

Negotiate on final conditions for contract and prepare contract.

Next steps will be implementation and planning.

iii) The best way of engaging the restaurant managers would be to continually consult with them and keep them informed of progress. This could be achieved in several ways:

Establish a collaborative working environment so that the group can all contribute and actively debate issues about the requirements etc

Arrange workshops and presentations to keep major stakeholders informed.

Create a subgroup of restaurant managers to act as representatives of the franchise owners. This group would be involved with setting the criteria, attending the demonstrations and undertaking the evaluations.

Constant communication though emails or phone calls would be needed to ensure the rest of the group were kept informed of progress.

iv) Students could identify many criteria but whatever they nominate should be relevant to Tarash. While a difficult question due to the lack of information given, students should emphasis that weightings must reflect the business and its priorities and also the cost of not having a feature included in the package. They should identify some formal approach to establishing criteria for evaluating the responses such as establishing a list of criteria and for apply a ranking say on a scale of 1-10 in importance (meaning 0=Low, 40=Medium, 70=High, 100= Essential)

In terms of the assessment areas the student could include the following:

Paper F21 Page 105


Market Position. The student might want to evaluate the position of the vendor in the marketplace. Vendor credential, years in business, company background could all be considered as well as industry reports

Financial Standing. Businesses looking to establish a relationship with a company selling packages will want to ensure that the company remains in business. Shareholders reports, annual reports and financial statements will all provide information on the company’s financial position.

Customer base. What sort of customers does the company have and how widely are they distributed?

Customer support. A company will normally want good customer support when buying a package. Documentation, training and help desk support should all be considered for customer support. Consider undertaking company reference checks with existing customers.

Product Architecture. Open system and standards in a package will establish a good base for the future and make it easier for integration of other packages and system.

User Interface. Usability of the system interface, navigation around the system, and outputs can make a system easy to use or difficult. This requirement can be quite important to businesses and in Tarash’ case with a large number of users of differing skills this requirement may be crucial for acceptance of the system.

Cost. Costs quoted can vary as to what they actually contain e.g. warranties, annual maintenance charges, training and implementation may or may not be included. Discounts and payments terms may also be important to the business when evaluating response.

Functionality. How well the package meets the requirements without modifications must be considered but also how easy the vendor makes it for the business to make changes or tailor it for the business requirements can be an important consideration for many companies.

R3.2 Kavak ManufacturingKavak Manufacturing (Kavak) has decided to replace its aging accounting and production systems. These systems are absorbing many resources to maintain them and keep the systems running. They run on equipment that is old and which needs regular maintenance. In particular, Kavak needs a new General Ledger system that will provide cost centre information, automate accruals and be able to process foreign currency as its export trade increases. Currently the IT Department has undergone several staff changes and are experiencing difficulties hiring staff with the skills to maintain these old but critical systems.

The Managing Director recently attended a luncheon when a colleague told him that he should invest in an ERP system for the business.

You are the new IT Manager, having been employed only 6 weeks ago. In your previous job, the company you worked for also tried to implement an ERP system with disastrous

Paper F21 Page 106


results. You mentioned this to the Managing Director and cautioned him against rushing into a decision to adopt and ERP system.

The Managing Director has asked you prepare a report for him to help him understand what an ERP is and what some of the challenges might be for Kavak if the decision is made to progress the acquisition of an ERP.

Prepare a report including the following points:

a) a description of what an ERP is and how it might help Kavak.

b) your comments about what the major challenges might be for Kavak to proceed with an ERP implementation

c) your suggested approach to the problem.

The suggested solution for this case study is looking for an understanding of the strategic issues associated with IT Planning as well as an understanding of ERP systems and the students ability as a manager to communicate with senior management on complex IT issues.

Layout, presentation and clarity are key skills for IT Managers to communicate with senior manager. The student’s solution should demonstrate an understanding of these issues with the use of graphs, pictures and references that could help non-IT mangers understand the complex issues. The suggested solution should incorporate the following items:

a) The definition that the student supplies should highlight and understanding of the topic and the complexity of ERP systems. The fact that an ERP system now means many things to many people must be understood and the scoping for such an exercise would be critical. Students should not just use the definition supplied in the Student Guide but expand and recognise who the audience for the definition and explanation is.

The key issues that could help Kavak if they were to implement and ERP would be:

Timely replacement of old and costly systems with modern technology

Integration of data into a single interface for improved management information, compared to the many separate systems they currently have

An accounting system that is capable of supporting global commerce and eBusiness,

Up-to-date manufacturing and integrated inventory systems that manage the whole process

b) The major challenges with implementing an ERP system focus around areas that bring hidden costs to the project such as:

Planning and project management. IT Staff and business staff need to be involved to ensure the success of the project and time must be available from normal duties to ensure no delays to the project.

Integration. ERP systems need to be tied into existing systems and business processes. In companies where there are older systems that staff are used to and

Paper F21 Page 107


which the business relies on, integration of the old data with new processes can impose enormous problems.

Conversion. Many legacy systems have enormous stores of data, both historical and current – some of which is inaccurate, missing or corrupted. Conversion of this data to the new ERP system must take the cleaning and mapping of data into consideration and may even warrant its own project.

Testing. As ERP systems replace core corporate systems, they must be thoroughly tested before being moved into production. Live or real test cases should be available to ensure that testing mirrors the production environment as close as possible.

Documentation. ERPs may have documentation on the system but many companies will need to document how their current practices work with the new ERP system. Consideration must be also given as to how the ERP system impacts current roles and responsibilities.

Training. Training for staff involved with en ERP implementation will normally be a corporate-wide requirement. Timing of the training is of the essence. Training can cost time and money as staff are taken away from current jobs to train on a system that they may not actually use immediately.

Consulting fees. As ERP projects normally require many more resources and skills that an organisation has, consultants are brought in to assist with the project. Management of these resources must pay attention to deliverables, schedules, and skills of the consultants or costly overruns will occur.

Ongoing costs. Many companies ignore the ongoing costs of an ERP system and this can be costly. This needs to be highlighted up front so that careful planning and budgeting will allow these expenses to be managed.

c) The next step should be to review the company’s Strategic Plan and the IT Strategic Plan. This will ensure that a technology is not just acquired without specific goals and objectives. Aligning the plans and reviewing the current IT plans may highlight other less costly solutions that will enable the company to reach its goals. If the decision of the senior management is to proceed with an ERP acquisition then the scope and requirements must be documented.

R3.3 KVT Insurances.KVT currently has systems for developing a CRM system to provide fully integrated information on existing financial, policy, premium and claims systems. They are investigating a fully integrated CRM system to provide decision-making support to their 70 branches across Pakistan.

The security access for the current systems is considered adequate, however over the past few years, enhancements have been continually made to address control and audit improvements.

Management recognises the need for strong controls in the company’s processes and systems without requiring duplicated systems and manual controls. There is increasing pressure from branches to have access to systems that will reduce the amount of manual reconciliation and authorisation checks that they must do. However currently, these checks do uncover input

Paper F21 Page 108


errors or unusual items that are difficult to investigate due to time between data entry and when the exception is identified.

You have been assigned to the development team for the new system as a business analyst. One of your roles it to help in the design of improved security, audit and control features.

You have been asked to present an overview to the business and Project Managers of how the design of the security, audit and controls fits in with the overall design work.

a) Describe the purpose of the security, audit and control design work.

b) Comment on KVT’s approach to complete the control design work during system design.

c) Identify at least 10 types of transaction controls that could be used when designing the system controls for KVT’s new system and outline key considerations when considering the appropriateness of a control.

Suggested Solution.

a) The purpose of the security, audit and control design work is to help ensure that the new processes and system being developed are well controlled, Auditable and secure. The system s should be able to provide KVT Management with reasonable assurance that the business processes and controls achieve the following:

Support the business objectives and operations in a flexible way that will be easily adaptable if the business changes

Reliably execute the business transactions i.e. give confidence in the availability, integrity, and confidentiality of business transactions.

Support staff in improving the efficiency and effectiveness of business processes to deliver improved service to customers.

Identify exceptions and anomalies in a timely way to allow follow-up and correction.

b) Students may choose to answer this in a list form or a comparison with performing the work during another time. The answer must identify that this is the ideal time to address these issues as part of the business requirements phase – reasons might include:

Cost savings. Early identification will allow design to proceed faster and more completely rather than have to come back later and change the design to incorporate controls.

Fewer errors. Helps to remove or prevent past problems when controls were either missed, duplicated or ignored.

Improved integration. Controls are not added on creating another layer of work but can be integrated to improve the flow of business processes.

Best Practices. Helps create best practice by incorporating controls when and where they are needed.

Paper F21 Page 109


Improves profile of audit and controls. These are recognised by management ad being important and helps develop a culture of best practice in the organisation. Audit is seen as a tool and important part of the business.

Methodologies and standards. Design of controls becomes a standards part of a project and will lead to improved systems.

c) Students may provide different answers but should at least identify some of the following:

Access Controls:

Access and authorisation verification and checks

User view restrictions

Input Controls

Data entry validation

Input tolerance levels and parameter checks

Value limit checks

Check digits

Mandatory fields

Sequence checks

Batch input control totals

Error or warning messages highlight anomalies

Processing Controls

New policy holder checks

Automatic premium postings

Controls of reconciliation and suspense accounts

Logging changes to key fields

Standard recurring entries

Automatic collection notices.

Output

Premium notice distribution

Error and exception reporting

Unusual transactions reporting

Audit trails

The appropriateness of controls should consider the following:

Cost/benefit. Is the cost of establishing and maintaining the control justified by the benefit?

Paper F21 Page 110


Does the control provide a balance between the risks and enabling users to make informed decisions and provide effective service to customers?

Does the control require user intervention and other manual support procedures?

Does the control allow flexibility?

Is the control best suited as a preventive or detective control?

Can the results of the control be measured and traced to ensure it is relevant and timely?

Paper F21 Page 111


GlossaryFor more computer definitions please refer to Internet references listed in References section.

Add-ins

Programs that can provide additional functionality to the primary application.

Application

A program used by an individual or an organisation to assist in their operation or work.

Arcnet

A network protocol or standard that used a token to allow network access.

ASP

Applications Service Provider. An organisation that will provide a complete set of services to organisations based around one or more applications that the organisation requires.

Batch Processing

A method of entering transaction data in batches, usually to ensure control of data by the use of batch totals that may be verified before data is updated.

Bridges

A device to connect two networks.

Browser

A program that provides the facilities to access Internet sites and use Internet protocols.

Business Intelligence (BI)

BI applications provide the functionality to analyse business data to identify trends and relationships so as to make better business decisions.

Coaxial cable

A type of cable used in networks. It consists of a pair of conductors, which include a core and outer sheath.

Data

Basic, raw information such as numbers and text.

Data Dictionary

A means of storing details about data items.

Database

Paper F21 Page 112


A structured store of data, usually stored in files.

Database Management System (DBMS)

Software used to create and maintain databases.

Distributed processing

A method by which the processing of an application or other program is split and performed on different computers.

Document Management

A means to control and manage paper based or electronic documents.

Domain Name System

A process by which numerical addresses can be associated with more meaningful names.

EDI

Electronic Data Interchange. The ability to transfer structured commercial transactions and documents vie computer networks or systems.

EFT

Electronic Funds Transfer. The ability to transfer funds between accounts using computer networks or systems.

EFTPOS

Electronic Funds Transfer Point of Sale. The ability to transfer funds between accounts at a point of sale such as a supermarket checkout.

Electronic commerce

Electronic commerce is conducting business transactions and communications electronically.

E-mail

Messages that can be sent electronically using computer networks or systems.

ERP

Enterprise Resource Planning systems provide applications for all aspects of an organisation to allow them to have an integrated view of data.

Ethernet

A networking standard or protocol to manage and control packets of data on a network. It uses a method of collision detection to determine if packets reached their destination.

FAQ

Frequently Asked Questions. FAQs are a list of commonly asked questions and their answers.

Paper F21 Page 113


Field

A collection of data that conveys meaningful information. For example Product code and product description are two fields.

File

A file is an organised collection of data that acts as the basic unit of storage.

File Server

A file server is a computer that provides services to others in a network. It allows files to be shared along with other devices such as printers, disks, etc.

Flat File

A structured file that contains one type of record only. Will have several records that consist of the same fields.

Gateways

Network devices that allow communication to take place between networks using different standards or protocols.

Hard Disk

A storage medium that uses rigid recording surfaces.

HTML

Hyper Text Mark-up Language. A standard for allowing items of information to be associated and pages of information can be linked and referenced.

Hub

A central device used in networking to which all cables are connected.

Index

A reference table that point to records in a file.

Internet

World-wide interconnected network.

ISP

Internet Service Provider. An organisation that is linked to the Internet and can provide subscribers with access to the Internet.

Join

The link between two tables in a database system.

Key

Paper F21 Page 114


A field used to identify a record in a file. For example Product Code.

Knowledge Management

Systems that support the sharing and maintenance of the knowledge accumulated by the staff of the organisation.

LAN

Local Area Network. A network of computers that are within a limited distance of each other. Normally restricted to an office or campus.

Master Data

A file of data such as names and addresses that change infrequently.

Media Access Control Address

Address used by network cards to identify components in a network.

Metadata

Data that describes the relationships and association of other data.

Methodology

An organised, documented set of procedures and guidelines for one or more phases of the software life cycle, such as analysis or design. Many methodologies include a diagramming notation for documenting the results of the procedure; a step-by-step "cookbook" approach for carrying out the procedure; and an objective (ideally quantified) set of criteria for determining whether the results of the procedure are of acceptable quality.

MIS

Management Information Systems. Applications used to provide information to the organisation.

Modem

A device for sending digital signals across the analogue telephone network and named after its function i.e. modulator – demodulator.

Multi-processing

May be used instead of multi-programming or could indicate a computer with more than one processor.

Multi-programming

The ability of a computer to run two or more programs at the same time.

Multi-tasking

Multi-tasking is the ability to split a program into multiple tasks that can be run in parallel.

Paper F21 Page 115


Network

A collection of devices that can operate together and share devices, resources and data.

Network Interface Card

A Network Interface Card (NIC) is a hardware component that is installed in a computer to allow it to connect to a network.

Normalisation

A technique used in data analysis to break down data structures so as to minimise repeated data.

OLAP

On-line Analytical Processing is a technique whereby end users of data can analyse the data to get the information that they require.

OLE

Object Linking and Embedding. A linked object is developed in a source application such as Excel and then inserted in another file such as a Word document. The Excel data does not become part of the Word document but can be seen whenever the document is opened. Any changes made in Excel will be reflected in the Word document. If the same Excel data was embedded in Word then it does become part of the Word document and will be saved with the document. If the Excel data is selected then the Excel application will be invoked and the data can be changed.

On-line processing

Processing that is connected to the central computer.

Object-oriented Design ((OOD)

OOD is a design method in which a system is modelled as a collection of co-operating objects and individual objects are treated as instances of a class within a class hierarchy. Four stages can be identified: identify the classes and objects, identify their semantics, identify their relationships and specify class and object interfaces and implementation. Object-oriented design is one of the stages of object-oriented programming.

Open Systems

Standards that are designed so that products from different vendors can be interchanged and operate together.

Packet

A unit of data sent across a network

PC

Paper F21 Page 116


Personal Computer. A computer based on a microprocessor that is normally used by an individual.

Peer to Peer Network

A network that does not have a file server but rather each computer may share its resources with other users.

Processor

The computer component that undertakes the processing and controls other computer components.

Program

A set of instructions that tell the computer what to do.

Programmer

A person who develops programs.

Query

A request for information from a database.

RAM

Random Access Memory. The component in the computer that stores the programs and data that the processor needs to access.

Real-time processing

The updating of data as and when the event occurs.

Record

A collection of fields that relate to one unit of data. For example each product will be a record.

Relational Database

A way of describing the relationship between tables of data so as to build a more complex data representation of an organisation.

Repeaters

Devices that can amplify a signal and so extend the length of a cable.

Report

A summary of information stored in the computer.

Report Writer

An application that can develop reports.

Paper F21 Page 117


Routers

A network device for sending data to various parts of a large network.

Schema

A description of items of data and their relationships.

Systems Development Life Cycle (SDLC)

The systems development life cycle (SDLC) model is an approach to developing an information system or software product that is characterised by a linear sequence of steps that progress from start to finish without revisiting any previous step. The SDLC model is one of the oldest systems development models and is still probably the most commonly used.

Sequential Access

Accessing data according to some predefined sequence such as alphabetical order.

SNA

Systems Network Architecture. A networking standard developed by IBM.

Software Life Cycle

The phases a software product goes through between when it is conceived and when it is no longer available for use. The software life-cycle typically includes the following: requirements analysis, design, construction, testing (validation), installation, operation, maintenance, and retirement.

Spreadsheet

An application that is primarily used for storing and calculating numeric data.

SQL

Structured Query Language. A standard language for accessing and maintaining data in databases,

Standing Data

A file of data such as names and addresses that change infrequently.

Subschema

A subset of a schema to allow reduced access for a user.

System

A collection if interrelated objects working together.

Table

A collection of rows and columns such that the rows represent records and the columns fields in a data structure.

Paper F21 Page 118


TCP/IP

Transmission Control Protocol/Internet Protocol. A standard for data transmission across networks.

Template

A file that contains formatting information, text and other reusable information. Often used in Word for Letter and Memo layouts.

Token Ring

A standard for data transmission across networks that uses a token to indicate the ability to transmit data.

Transaction Tracking System (TTS)

A method to ensure that all database updates complete successfully and the ability to recover in the event of a failure.

Transactional Data

Data that is based on transactions that will change frequently.

UNIX

An operating system

Unshielded Twisted Pair

A type of cable that consists of one or more pair of wires that are twisted to reduce cross talk interference.

Upgrades

New versions of an application or operating system.

WAN

Wide Area Network. A network that connects geographically separated systems,

Web sites

A collection of information developed by an organisation or individual that is available on the Internet.

Windows

An operating system that used multiple screens of data, a mouse and pull down menus.

Wizard

A feature of an application that takes the user through the steps of a complicated procedure to ensure that no steps are missed and appropriate responses are obtained.

Paper F21 Page 119


Word Processing

An application used to enter and maintain text based information.

WWW

World Wide Web. A standard use mainly to set-up web sites.

XML

Extensible Mark-up Language. A standard for developing hyperlinked pages that can also access variable data.

Goals Goals are specific accomplishments that must be accomplished in total, or in some combination, in order to achieve some larger, overall result preferred from the system, for example, the mission of an organization. (Going back to our reference to systems, goals are outputs from the system.)

Strategies or ActivitiesThese are the methods or processes required in total, or in some combination, to achieve the goals. (Going back to our reference to systems, strategies are processes in the system.)

ObjectivesObjectives are specific accomplishments that must be accomplished in total, or in some combination, to achieve the goals in the plan. Objectives are usually "milestones" along the way when implementing the strategies.

TasksParticularly in small organizations, people are assigned various tasks required to implement the plan. If the scope of the plan is very small, tasks and activities are often essentially the same.

Resources (and Budgets)Resources include the people, materials, technologies, money, etc., required to implement the strategies or processes. The costs of these resources are often depicted in the form of a budget. (Going back to our reference to systems, resources are input to the system.)

Paper F21 Page 120

Preface.doc.doc

Business

Transcript of Preface.doc.doc