
Information Technology Knowledge - 100 Marks

Module aim
To introduce students to the reasons for the use of IT in enterprises, the link between the strategy of a business and the IT that it uses in practice, and methods for managing IT, and to outline the types and systems of internal control used in computer-based business systems.

On completion of this module, students will be able to:
- explain the importance of information within an organization in decision making and financial reporting and describe the features of information systems that organizations use
- explain general systems concepts and describe and state the characteristics of the components of IT processing and communication systems
- describe how transactions are processed, how data is organized and stored and the roles and responsibilities within the IT function
- outline the organization and management required relating to IT within organizations
- describe the types of software used by individuals within organizations and by accounting professionals
- describe how organizations manage electronic communication and explain the risks and benefits in relation to electronic communication
- identify and explain the components of internal control within computer-based business systems

Specification Grid
This grid shows the relative weightings of subjects within this module and should guide the relative study time spent on each. Over time the marks available in the assessment will equate to the weightings below, while slight variations may occur in individual assessments to enable suitable questions to be set.

Weighting (indicative %) 15 25 30 30

1 Information within organizations
2 Information Technology architecture
3 Management of IT
4 Communication and IT
5 Internal control in computer-based business systems

5 Internal control in computer-based business systems
Candidates should be able to identify and explain the components of internal control within computer-based business systems. In the examination, candidates may be required to:
a. describe the general internal control environment for information technology within organizations
b. explain how and why IT control objectives are set by organizations
c. describe and explain the treatment of risk in design and operating systems of internal control in computer-based business systems
d. describe how IT internal control activities are conducted within organizations
e. identify the information and communication needs of internal controls over information technology
f. explain the IT monitoring activities that organizations undertake.

Information Technology Chapter # 5: Management of IT

Q-1) What is internal control?
Q-2) What are the purposes of internal control?
Q-3) What are the phases of evaluating internal control?
Q-4) What are the components of internal control?
Q-5) Describe the control activities for Information Technology. [ND10]
Q-6) What are the components of internal control activity?
Q-7) What are the internal control limitations?
Q-8) What are the elements of a good system?
Q-9) What are the needs for control?
Q-10) What is the IT General Control (ITGC)?
Q-11) How do certain IT areas and IT general controls (ITGC) affect almost all financial audits? [MQ10]
Q-12) What are the IT Application Controls?
Q-13) What is COBIT?
Q-14) What are the elements of the complete package of COBIT?
Q-15) What is the COBIT structure?
Q-16) What is COSO?
Q-17) What are the effects of IT on internal audit?
Q-18) What are the main types of IT audit?
Q-19) Suppose you have to audit IT investment and activities of an organization. Name at least 8 (eight) components of your IT audit. [ND10]
Q-20) Briefly describe Computer Aided Audit Techniques (CAAT). [MQ10]
Q-21) What are the advantages of CAAT? [MQ10]
Q-22) What are the objectives of systematic and proactive measures?
Q-23) What are the purposes of information system control?
Q-24) What are the information system control techniques?
Q-25) What are the auditor categorizations of control?
Q-26) What are preventive controls?
Q-27) What are the detective controls?
Q-28) What are the corrective controls?
Q-29) What is audit trail?
Q-30) What are the objectives of audit trail?
Q-31) What are the key elements of system development and acquisition control?
Q-32) Classification of information [ST]
Q-33) Define data integrity. [MQ10]
Q-34) What factors affect the importance of data integrity to an entity? [MQ10]
Q-35) What are the integrity controls?
Q-36) What is risk?
Q-37) What is threat?
Q-38) What is top threat to privacy? [MQ10]
Q-39) What are the threats to computerized environment? [ST]
Q-40) What are the threats due to cyber crime?
Q-41) What is vulnerability?
Q-42) How to minimize the risk of internal security vulnerabilities? [MQ10]
Q-43) What is exposure?
Q-44) What is attack?
Q-45) What is risk assessment?
Q-46) What are the stages of risk assessment process?
Q-47) What do you mean by risk management process? [ND10]
Q-48) What is the process of risk management?
Q-49) Show the risk management cycle. [ST, ND10]
Q-50) What are the responsibilities of control?
Q-51) What are the Control Objectives for Information and related Technology?
Q-52) Why is there a need for control and audit of computer system? [MQ10]
Q-53) Why is information system security important? Explain it. [ND10]
Q-54) What is information system security?

- Ujjal Das ujjalhfc@gmail.com

Q-55) What information is sensitive?

What is Enterprise Resource Planning (ERP)? [ST, ND08]
What do you understand by ERP and MRP system? [MJ08]
Name two products as examples for an ERP system. [MJ08]
What are the benefits of ERP solutions?
List some of the advantages and disadvantages of ERP. [ND08]
How do you implement ERP system? [ST]
What issues pop up in the integration and implementation of ERP?
What is SAP?
What are the three layers of ERP?
What are the areas of involvement of an accountant in implementing and operating ERP system? [MJ08]
Differentiate the individual application software package for payroll, accounting, tax, management etc. from the same modules of an ERP system. [MJ08]
What is MIS?
What are the differences between MIS and ERP? [ND08]
What is acceptance testing? [ST]
What should be addressed in performance testing? [ST]
Describe post implementation review. [ST]
What are the change management control policy and procedures? [ST]
Which area should follow to create a disaster recovery plan? [ST]
How do you develop a business continuity plan? [ST]
What information is sensitive in an organization? [ST]
What is the single largest risk for business today? [MQ10]
How can inadequate controls in a computer system lead to incorrect decision making? [MQ10]
Define (i) Encryption, (ii) SQL injection, (iii) XSS, (iv) Phishing. [MQ10]
How do IT systems of an entity cause risk of material misstatement? [MQ10]
How does assessment of the level of IT sophistication in the entity help to determine the nature, extent and scope of IT procedure in the financial audits? [MQ10]
What is a generalized audit software package? [MQ10]
What is system and program change control? [ND10]
How can you apply management control over system and program changes? [ND10]
How do you implement internal controls in IT systems? [ND08]
How to design internal controls over financial reporting, when financial reporting is performed totally from the software application? Explain briefly the major points. [ND08]
What are the additional controls needed, when the software interfaces are web based? [ND08]
Explain the materiality of the payroll processing functions to be performed by web interfaces from the control perspective. [ND08]
Relate the terms identification, authentication and authorization with the terms access control, user name and password.
What are social engineering and shoulder surfing? [MJ08]
Briefly describe internal control environment.
Explain, with reasons, two levels of access that could be given to different categories of users of an online stock control system. [MJ09]
The manager of the company feels that some of his employees are misusing the network facilities as he has noticed an increase in the use of printer consumables. Explain two methods the manager can use to monitor and control the usage of the printers on the network. [MJ09]
Give two ways by which data can be transferred between different computer systems. [MJ09]
Who defines the users' access to data? In a large computing environment, where data ownership is shared among departments, who may take the charge of this function?
What is the backup inventory control and security? [MJ08]
Whilst planning to install a network accounting system, a company has become concerned about the security of its local computer network. [MJ09] Explain three procedures that the company could adopt to discourage breaches of security. [MJ09]
What are the various security aspects that an operating system normally needs to deal with as part of the internal security of a computer system?
What is cryptography? How does it help in improving the security of a computer system? [ND09]
What are the security concerns of the backed-up data? [ND08]
How do you depreciate a software asset?
Should the expenditure for enhancing (not procuring) IT security be recognized as asset, or expense in the accounting process? Explain your opinion. [ND08]
What are the various security aspects that an OS normally needs to deal with as part of the internal security of a computer system? [ND08]
What is security policy? To protect an organization's information what security policy need to follow according to you. [ND08]
What are the reasons for increase in security problem?
Differentiate between authentication and authorization. [ND08]
Information systems need to be protected from both internal and external threats. Explain, using examples, the differences between an internal and an external threat to an Information. [MJ09]
Write down types of information system threat.

Q-1) What is internal control?
Internal controls are the processes that auditors develop to administer a unit effectively. They generally include rules and procedures.

Q-2) What are the purposes of internal control?
The overall purpose of internal control is to help an organization to achieve its mission. Internal control also helps an organization to:
(i) Promote orderly, economical, efficient and effective operations and produce quality products and services consistent with the organization's mission.
(ii) Safeguard resources against loss due to waste, abuse, mismanagement, errors and frauds.
(iii) Promote adherence to laws, regulations, contracts and management directions.
(iv) Develop and maintain reliable financial and management data and accurately present that data in timely reports.

Q-3) What are the phases of evaluating internal control?
(i) Define internal control
(ii) Organize project team and plan
(iii) Evaluate control at the entity level
(iv) Evaluate control at the process, transactions or application level
(v) Evaluate, improve and monitor

Q-4) What are the components of internal control?
(i) Control environment
(ii) Risk assessment
(iii) Control activities
(iv) Information and communication
(v) Monitoring

Q-5) Describe the control activities for Information Technology. [ND10]
Some of the control activities relating to information technology are the responsibility of specialized IT personnel; other IT control activities are the responsibility of all employees who use computers in their work. Any employee may use:
(i) Encryption tools, protocols or similar features of software applications that protect confidential or sensitive information from unauthorized individuals.
(ii) Back-up and restore features of software that reduce the risk of lost data.
(iii) Virus protection software.
(iv) Passwords that restrict users' access to network, data and application.
Control activity: Approvals, Authorization, Verifications, Reconciliations, Review of operating performance, Security of assets, Segregation of duties

Q-6) What are the components of internal control activity?
(i) Personnel
(ii) Authorization procedure
(iii) Segregation of duties
(iv) Physical restriction
(v) Documentation and record retention
(vi) Monitoring operations

Q-7) What are the internal control limitations?
(i) Resource constraint
(ii) Inadequate skill, knowledge or skill
(iii) Degree of motivation by management and employees
(iv) Faulty judgment
(v) Unintentional error

Q-8) What are the elements of a good system?
(i) Separation of duties
(ii) Authorization
(iii) Documentation
(iv) Reconciliation

Q-9) What are the needs for control?

Q-10) What is the IT General Control (ITGC)?

Q-11) How do certain IT areas and IT general controls (ITGC) affect almost all financial audits? [MQ10]

Q-12) What are the IT Application Controls?

Q-13) What is COBIT?
The Control Objectives Benefits for Information related Technology (COBIT) is a set of best practices (framework) for Information Technology (IT) management created by Information System Audit and Control Association (ISACA) and the IT Governance Institute (ITGC) in 1996. COBIT provides managers, auditors, and IT users a set of generally accepted measures to assist them in maximizing benefit derived through the use of IT and developing appropriate IT governance and control in a company.

Q-14) What are the elements of the complete package of COBIT?
The complete COBIT package consists of:
(i) Executive summary
(ii) Governance and control framework
(iii) Control activities
(iv) Management guidelines
(v) Implementation guides
(vi) IT assurance guides

Q-15) What is the COBIT structure?
COBIT covers four domains:
(i) Plan and organize
(ii) Acquire and implement
(iii) Deliver and support
(iv) Monitor and evaluate

Q-16) What is COSO?

Q-17) What are the effects of IT on internal audit?
(i) Change in the audit trail and audit evidence
(ii) Change in the internal control environment
(iii) New opportunities and mechanism for fraud and errors
(iv) New audit procedure

Q-18) What are the main types of IT audit?

Q-19) Suppose you have to audit IT investment and activities of an organization. Name at least 8 (eight) components of your IT audit. [ND10]

Q-20) Briefly describe Computer Aided Audit Techniques (CAAT). [MQ10]
Computer Aided Audit Techniques (CAATs) are tools/utilities to help auditors select, gather, analyze and report audit findings. Starting with basics, many computer applications have useful built-in data analysis/audit facilities. CAATs is a growing field within the financial audit profession. CAAT is the practice of using computers to automate or simplify the audit process. Using CAAT, the auditor can test the whole population rather than a sample.

Q-21) What are the advantages of CAAT? [MQ10]
(i) Reduced level of audit risk
(ii) Greater independence from auditee
(iii) Broader and more consistent audit coverage
(iv) Faster availability of information
(v) Greater opportunity to quantify internal control weakness
(vi) Enhanced sampling

Q-22) What are the objectives of systematic and proactive measures?

Q-23) What are the purposes of information system control?
(i) To ensure that the business objectives are achieved
(ii) To ensure that undesired risk events are prevented or detected, and corrected.

Q-24) What are the information system control techniques?
The information system auditor will be more familiar with accounting control. Other two types of control: operational control, administrative control

Q-25) What are the auditor categorizations of control?
(i) Preventive control
(ii) Detective control
(iii) Corrective control
(iv) Compensatory control

Q-26) What are preventive controls?

Q-27) What are the detective controls?

Q-28) What are the corrective controls?

Q-29) What is audit trail?
Audit trails are logs that can be designed to record activity at the system, application and user level. It provides an important detective control to help accomplish security policy objectives.

Q-30) What are the objectives of audit trail?
Audit trail can be used to support security objective in three ways:
(i) Detecting unauthorized access to the system
(ii) Facilitating the reconstructions of events
(iii) Promoting personal accountability

Q-31) What are the key elements of system development and acquisition control?
System development and acquisition control include the following key elements:
(i) Strategic master plan
(ii) Project control
(iii) Data processing schedule
(iv) System performance measurement
(v) Post implementation review

Q-32) Classification of information
(i) Top secret
(ii) Highly confidential
(iii) Proprietary
(iv) Public document

Q-33) Define data integrity. [MQ10]
Data integrity is the quality of correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data.

Q-34) What factors affect the importance of data integrity to an entity? [MQ10]
Three major factors affect the importance of data integrity to an entity:
(i) The value of the information content of the data item for individual decision makers
(ii) The extent to which the data item is shared among decision makers
(iii) The value of data item to competition

Q-35) What are the integrity controls?
There are six categories of integrity control:
(i) Source data control
(ii) Input validation routines
(iii) On-line data entry controls
(iv) Data processing and storage control
(v) Output control
(vi) Data transmission control

Q-36) What is risk?
Risk is the likelihood that an organization would face a vulnerability being exploited or a threat becoming harmful.

Q-37) What is threat?
A threat is an action, event or condition where there is compromise in the system, its quality and ability to inflict harm to the organization. Threat is any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data and denial of services.

Q-38) What is top threat to privacy? [MQ10]

Q-39) What are the threats to computerized environment?
Common threats to the computerized environment can be:
(i) Power loss
(ii) Disgruntled employees
(iii) Errors
(iv) Malicious code
(v) Abuse of access privileges by employees
(vi) Natural disasters
(vii) Theft or destruction of computing resources
(viii) Downtime due to technology failure
(ix) Fire

Q-40) What are the threats due to cyber crime?
(i) Embezzlement
(ii) Fraud
(iii) Theft of proprietary information
(iv) Denial of services
(v) Vandalism or sabotage
(vi) Computer virus
(vii) Other

Q-41) What is vulnerability?
Vulnerability is the weakness in the system safeguards that exposes the to threats

Q-42) How to minimize the risk of internal security vulnerabilities? [MQ10]

Q-43) What is exposure?
An exposure is the extent of loss the organization has to face when a risk materializes.

Q-44) What is attack?
Attack is a set of actions designed to compromise confidentiality, integrity, availability or any other desired feature of an information system. Simply, it is the action of trying to defeat IS safeguard.

Q-45) What is risk assessment?
Risk assessment is the analysis of threats to resources (assets) and determination of the amount of protection necessary to adequately safeguard resources, so that vital systems, operations and services can be resumed to normal status in the minimum time in case of a disaster.

Q-46) What are the stages of risk assessment process?

Q-47) What do you mean by risk management process? [ND10]

Q-48) What is the process of risk management?
(i) Identify the technology related risk
(ii) Assess the identified risks
(iii) Classify the risks
(iv) Identify various managerial actions
(v) Look out for technological solutions
(vi) Identify the contribution of the technology
(vii) Evaluate the technology risk premium
(viii) Match the analysis

Q-49) Show the risk management cycle. [ND10]

Q-50) What are the responsibilities of control?

Q-51) What are the Control Objectives for Information and related Technology?

Q-52) What is business continuity planning?

Q-53) What are the objectives of business continuity planning?

Q-54) What are the phases of developing business continuity planning?

Q-55) Types of plan.

Q-56) Why is information system security important? Explain it. [ND10]

Q-57) What are the causes of gap of information protection?

Q-58) What is information system security?

Q-59) When is the security objective met?

Q-60) What information is sensitive?

Q-61) What steps do they need to take to keep all of their critical information protected?

Q-62) Why is there a need for control and audit of computer system? [MQ10]

Q-63) What is Enterprise Resource Planning (ERP)? [ND08]
An enterprise resource planning system is a fully integrated business system covering functional areas of an enterprise like logistics, production, finance, accounting and human resource management. It organizes and integrates operation processes and information flows to make optimum use of resources such as men, materials, money and machines. A modern ERP system enhances a manufacturer's ability to accurately schedule production, fully utilize capacity, reduce inventory, and meet promised shipping dates.

Q-64) What do you understand by ERP and MRP system? [MJ08]

Q-65) What are the benefits of ERP solutions?
ERP solutions provide the following benefits:
(i) Integrated Financial Standard: A fully integrated ERP system captures the information needed to prepare financial statements from the source, making it easier to report on real-time transactions with fewer errors.
(ii) Standardized process: An ERP system provides standard methods for automating processes.
(iii) Shared real-time information: An ERP system enables information from sale to production, increasing the accuracy of demand-forecasting models.
(iv) An ERP system can create financial statements on a daily basis. Drilldown capabilities allow for faster analysis to find exceptional items that may impact trends and forecasting.

Q-66) List some of the advantages and disadvantages of ERP. [ND08]

Q-67) What issues pop up in the integration and implementation of ERP?

Q-68) Name two products as examples for an ERP system. [MJ08]

Q-69) What is SAP?

Q-70) What are the three layers of ERP?

Q-71) What are the areas of involvement of an accountant in implementing and operating ERP system? [MJ08]

Q-72) Differentiate the individual application software package for payroll, accounting, tax, management etc. from the same modules of an ERP system. [MJ08]

Q-73) What is MIS?

Q-74) What are the differences between MIS and ERP? [ND08]
