IT Management Audit & Control (ICAP Booklet)

The Institute of Chartered Accountants of Pakistan
Information Technology (IT) Management, Audit and

Controls
PAPER F21
TEACHERS GUIDE
ICAP Information Technology Management, Security and Control
Preface
This material has been specifically written for the Information Technology Management,
Security and Control Module (Paper F 21) of the Foundation Course for the Institute of
Chartered Accountants of Pakistan (ICAP).
The authors gratefully acknowledge the support of the Institute of Chartered Accountants of
Australia (ICAA) in the development of this material.
Written as a guide for teachers and assessment markers, rather than a prescriptive text, this
book should be used in conjunction with the Student Guide. It provides references for
reading, activities, information and self assessment and students are encouraged to
supplement their workbook with other resources including:
• access to a computer and the Internet for activities and research work
• access to text books and journals as indicated within the introduction and throughout
the Guide
Students have been advised that those who only work through this Study Guide will not be
able to answer all the questions in the examinations and that teachers will provide
additional information during the lessons. References and articles my supplement the work
with Students. Guidance on assessment in the form of suggested solutions are provided in
this document to enable the teacher to provide valuable feedback on the solutions to
students.
Suggested solutions are also provided for the Student Revision Guide.
© Alexer Pty Ltd

All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system or transmitted in any form or by any means, electronic, mechanical, photocopying,
recording or otherwise, without the written permission of Alexer Pty Ltd.
Alexer Pty Ltd
113 Watkins Rd,
Wangi Wangi NSW 2267
AUSTRALIA
Email: alexer@hunterlink.net.au
Paper F21 Page i

Syllabus
Aims
To provide:
• Essential body of IT knowledge related to business systems
• IT security, control and governance knowledge related to business systems
• Application of knowledge to manage and evaluate IT
Indicative Grid
SYLLABUS CONTENT AREA WEIGHTAGE
1. IT Strategy and Management 30
2. Information Technology Security, 40
Control and Management
3. Case Studies 30
TOTAL 100
Paper F21 Page ii

ICAP Information Technology Management, Security and
Control
Table of Contents
Preface..................................................................................................................................i
Syllabus ..............................................................................................................................ii
Aims ................................................................................................................................ii
Indicative Grid.................................................................................................................ii
Table of Contents..............................................................................................................iii
Introduction........................................................................................................................1
Overview of Student’s Guide...........................................................................................1
Resources ........................................................................................................................1
Essential Texts.............................................................................................................1
Other Textbooks..........................................................................................................1
COURSE MATERIAL .....................................................................................................4
1. IT Strategy and Management ......................................................................................4
1.1 IT Strategy.................................................................................................................4
What is Strategy? ........................................................................................................4
The Strategic Plan........................................................................................................4
The IT Strategic Plan...................................................................................................5
Considerations for IT Strategic Planning.....................................................................6
Aligning the IT and Business Strategic Plans .............................................................8
Components of Long Range Plans...............................................................................8
E-Business Models......................................................................................................9
1.2 Management of IT....................................................................................................13
Management of computer operations........................................................................14
Management of inter-organisational computing........................................................16
Management of end-user computing.........................................................................19
Financial analysis and control....................................................................................19
IT Control Objectives................................................................................................21
1.3 Software ..................................................................................................................22
Supply Chain Management (SCM)............................................................................22
Enterprise Resources Planning (ERP) ......................................................................22
Customer Relationship Management (CRM)............................................................25
Paper F21 Page iii

Control
Sales Force Automation (SFA)..................................................................................25
eBusiness Products....................................................................................................26
1.4 IFAC Guidelines/Discussion papers........................................................................28
Managing Security of Information ...........................................................................28
Managing Information Technology Planning for Business Impact...........................29
Acquisition of Information Technology....................................................................29
Implementation of Information Technology Solutions.............................................29
IT Service Delivery and Support...............................................................................30
IT Executive Checklist...............................................................................................31
Other Papers and Guidelines......................................................................................31
2. Information Technology Security, Control and Management................................33
Control Frameworks......................................................................................................33
Introduction....................................................................................................................33
Control frameworks.......................................................................................................33
Risks and exposures in computer-based information systems...................................33
IT control frameworks...............................................................................................34
Control objectives..........................................................................................................34
Effectiveness, efficiency, economy of operations.....................................................35
Reliability of financial reporting................................................................................37
Effectiveness of design..............................................................................................37
IT asset safeguarding.................................................................................................38
Compliance with applicable laws and regulations.....................................................38
System reliability.......................................................................................................39
Data integrity ............................................................................................................40
Layer of control .............................................................................................................40
Societal ......................................................................................................................40
Organisational environment.......................................................................................40
Technology infrastructure..........................................................................................41
Software ....................................................................................................................41
Business process........................................................................................................41
Responsibility for control .............................................................................................42
Role and responsibilities of key parties.....................................................................42
Control environment .....................................................................................................42
External regulatory controls.......................................................................................42
Board/audit committee governance...........................................................................42
Management philosophy and operating style............................................................42
Plans/structure of organisation...................................................................................43
Method to communicate the assignment of authority and responsibility..................43
Paper F21 Page iv

Control
Management control methods....................................................................................43
Human resource policies and practices......................................................................44
Financial policies and practices.................................................................................44
Risk assessment.............................................................................................................45
Risk categories...........................................................................................................45
Probability of loss......................................................................................................46
Consequences.............................................................................................................46
Control activities............................................................................................................46
Control design............................................................................................................46
Control procedures.....................................................................................................48
Control over data integrity, privacy and security......................................................49
Availability / continuity of processing, disaster recovery planning and control.......52
IS processing /operations...........................................................................................54
Monitoring of control compliance.................................................................................56
Roles of management, users, auditors.......................................................................56
Computer-assisted audit techniques...........................................................................57
3. Case Studies..................................................................................................................59
3.1 Join In Inc................................................................................................................59

Suggested Solution....................................................................................................60
3.2 Reedit Publications..................................................................................................62
3.3 Veemax....................................................................................................................66
3.4 Patak’s Fine Silks.....................................................................................................68
3.5 Controls....................................................................................................................71
Required.....................................................................................................................71
Revision Material.............................................................................................................80
R1. IT Strategy and Management .................................................................................80
R1.1 IT Strategy.............................................................................................................80
Strategic Considerations in IT Development ............................................................80
E-Business Models....................................................................................................80
Questions...................................................................................................................80
Paper F21 Page v

Control
R1.2 Management of IT.................................................................................................83
Management of computer operations........................................................................83
Management of inter-organisational computing........................................................84
Management of End-User Computing.......................................................................84
Financial analysis and control....................................................................................84
IT Control Objectives................................................................................................85
Questions...................................................................................................................85
R1.3 Software ...............................................................................................................90
eBusiness Enabling Software.....................................................................................90
Questions...................................................................................................................90
R1.4 IFAC Guidelines/Discussion papers.....................................................................90
Questions...................................................................................................................91
R2 Information Technology Security Control and Management................................93
R2.1 Control frameworks...............................................................................................93

Key Points..................................................................................................................93
Questions...................................................................................................................93
R2.2 Control objectives.................................................................................................94
Key Points..................................................................................................................94
Questions...................................................................................................................95
R2.3 Layer of control ....................................................................................................96
Key Points..................................................................................................................96
Questions...................................................................................................................97
R2.3 Responsibility for control......................................................................................97
Key Points..................................................................................................................97
Questions...................................................................................................................97
R2.5 Control environment.............................................................................................98
Key Points..................................................................................................................98
Questions...................................................................................................................98
R2.6 Risk assessment.....................................................................................................99
Key points..................................................................................................................99
Questions...................................................................................................................99
R2.7 Control activities.................................................................................................100
Key Points................................................................................................................100
Questions.................................................................................................................102
R 2.8 Monitoring of control compliance......................................................................104
Key Points................................................................................................................104
Paper F21 Page vi

Control
Questions.................................................................................................................104
Summary......................................................................................................................105
R3. Revision Case Studies............................................................................................106
R3.1 Tarash Food.........................................................................................................106
R3.2 Kavak Manufacturing..........................................................................................108
R3.3 KVT Insurances...................................................................................................110
Glossary..........................................................................................................................114
Paper F21 Page vii

Introduction
Overview of Student’s Guide
This Student’s Guide is designed to assist the student study the Information Technology (IT)
Module and prepare for the Institute of Chartered Accountants of Pakistan (ICAP) Foundation
Examination (Paper F 21). It will form the basis of the teaching courses conducted by the ICAP
and will direct students to supplementary materials and readings as well as other resources.
Structured according to the syllabus content areas, the Guide provides reading material,
exercises and activities for the student. Teachers may provide additional exercises during
class. When asked to prepare a summary or report, the students should be prepared to hand-in
their response or to present their findings to the class. All activities may be used in class as a
presentation topic.
Resources
With the pace of developments in the IT industry accelerating, many textbooks have failed to
keep up with developments and are now out-of-date. Much more relevant material is available
in journals, magazines and through selected sites on the Internet. While some specific texts are
recommended below, the student is encouraged to refer to other texts as a comparison and as a
way of understanding the impacts that developments have had on the traditional methods and
processes.
Essential Texts
Robson, W Strategic Management & Information Systems. Second Edition, Financial Times -
Prentice Hall. McGraw-Hill
IFAC Handbook 2000 Technical Pronouncements New York (ISBN 1-887464-58-1)
• IT Guideline 1: Managing Security of Information, Jan 1998
• IT Guideline 2: Managing Information Technology Planning for Business Impact, Jan
1999
• IT Guideline 3: Acquisition of Information Technology July 2000
• IT Guideline 4: The Implementation of Information Technology Solutions July 2000
• IT Guideline 5: IT Service Delivery and Support July 2000
The main textbook referred to in the Controls section is Information Systems Control and
Audit, Ron Weber, ISBN 0-13-947870-1
Reference is also made to the COBIT Guidelines.
Other Textbooks
Title Author(s)
Accounting Information Systems Ulric J. Gelinas, Jr. and Steve G. Sutton
Paper F21 Page 1

Title Author(s)
Auditing: An integrated Approach Alvin A. Arenas and James K. Loebbecke
Auditing Information Systems: A Jack Champlain
comprehensive guide
Information Systems Management Jae Shim, Joel Siegel, Anique Qureshi
handbook and Robert Chi
Information Technology Control and Fredrick Gallegos, Daniel P. Manson and
Audit Sandra Allen-Senft
Risk Management: Best practices, case David McNamee, Joseph R. Pleier and
studies and related materials. Dr. John D. Tongren
Standards and Guidelines for Information Information Systems Audit and Control
Systems Audit and Control Professionals Association
Systems Audit M. Revathy Sriram
Corporate Information Systems Lynda M. Applegate, F. Warren
Management McFarlan and James L. McKenney
Electronic Commerce: business Technical Bulletin, Institute of Chartered
principles & strategies, Accountants in Australia - IT Chapter,
1999
URL Comments
http://www.aicpa.org/pubs/jofa/mar98/courtney.htm Reviews several accounting packages and discusses
control and audit trail issues.
http://www.color1.com/3.htm “Five Online Business Models”
http://www2.bc.edu/~gallaugh/stratinnetage. "Strategy in the Internet Age"
html
http://www.computeruser.com/resources/dic Computer User high Tech Dictionary
tionary/index.html
http://www.uwm.edu/People/ceil/audit/computerassi Page used for an auditing course at University of
gnment.html Milwaukee and provides useful links.
http://www.bcs-irma.org/ British Computer Society site on Risk Management and
Audit.
http://favorites.powersearch.com/published/view.asp Collection of information security and computer audit web
?DID=851570 resources
http://www.pcorp.u-net.com/risk.htm COBRA risk analysis information
http://www.idrc.ca/acacia/old/studies/ir-govern.html Information and Communications Technologies (ICTs)
and Governance: Linkages and Challenges.
The Institute On Governance
http://www.isaca.org/ The Information Systems Audit and Control
Paper F21 Page 2

URL Comments
Association & Foundation
http://www.intnews.com/isa.htm IS Audit newsletter
http://www.icaew.co.uk/index.cfm? English Institute’s Internal Control Guidance – the
AUB=TB2I_6242&CFID=783071&CFTOKEN=418 Turnbull Report.
75938
http://www.nao.gov.uk/intosai/edp/pubindex.html INTOSAI EDP Audit Committee Publications
http://www.nao.gov.uk/intosai/edp/it_controls.html INTOSAI EDP Training
http://www.itgovernance.org/resources.htm IT Governance Portal
http://www.theiia.org/itaudit/index.cfm? Institute of Internal Auditors, Audit controls information
fuseaction=catref&catid=5
http://www.methodware.com/products/cobit/?idx- Information about Internal audit software.
cobit.shtml
http://lists.insecure.org/pen-test/2000/Sep/0457.html Audit discussion threads
Paper F21 Page 3

COURSE MATERIAL
1. IT Strategy and Management

1.1 IT Strategy
What is Strategy?
To introduce the topic it is important that students understand what a strategy is and the need
for one. Ask students for examples from their own experience.
Strategy: The general direction set for the organisation with the aim to achieve a desired
state in the future.
Read Section 1.1.1 on Definitions of Strategy. With reference to other articles and books,
find two (2) other definitions of strategy. Choose the definition that you prefer and
describe why you prefer it.
There is no one correct answer for this question. The aim is to get students thinking
about Students
Discuss the differences between strategy and strategic planning.
The Strategic Plan

It is important for the students to understand the focus of the Strategic Plan and the level at
which is pitched.
Read section 1.6 A Model of the Strategic Planning Process in the text Strategic
Management and Information Systems.
There are various methodologies for strategic planning and various “templates’
for a Strategic Plan. Apart from the text, there are some interesting and simplistic
articles on strategic planning on the Internet. You might like to use the following
sites to draw out discussion about any of the topics covered:
http://www.mapnp.org/library/plan_dec/str_plan/str_plan.htm
You might like to invite some owners from local businesses into class for an open discussion
on strategic planning.
Paper F21 Page 4

Prepare a case study of 2 local businesses (one large and one small) and how they
approach the strategic planning exercise. While they might not want to provide you with
a copy of their strategic plan, they may be willing to provide you with the Table of
Contents for their Plans.
Compare and contrast the approaches taken by the businesses to that described in the
text. What do you consider the main issues and challenges for businesses undertaking
strategic planning?
Some students might find it difficult to find access to businesses and/or their strategic
plans. In this case you might like to suggest that they review some sample strategic
plans located on the web such as:
• National Oceanic and Atmospheric Administration
http://www.strategic.noaa.gov/
• Bplans – the planning people site http://www.bplans.com/sp/?a=bc
• Academic Departmental Strategic Plans
http://www.montclair.edu/pages/Planning/DepartmentPlans.htm
The suggested solution should include discussion of the following points:
• The approach to strategic planning differs according to the size of the company
• The frequency of updating
• The staff and management who are involved with the planning process (skills and
decision-making responsibility)
• The use of a standard methodology
• The use of the Plan once it is produced
• The nature of the marketplace
The IT Strategic Plan

More and more, today’s organisations rely on technology to support their business processes
and to provide the information needed for decision-making. So what is the relationship
between Strategic Planning and IT Strategic Planning? How do we go about developing the IT
Strategy for a business? How do we go about planning for information systems?
Before thinking about planning for IT and for information systems we must understand
what the terms “IT” and “management information systems” mean? As a refresher on
the topic, read “Chapter 3: “What are management information systems?” in the
recommended text.
When we talk about an IT Strategic Plan there are many views on the form of the Plan. You
could use the example of many of the consulting firms have their own “methodology” and
approach to strategic planning assignments.
Paper F21 Page 5

Discuss the issues in the Student Guide.
Read “Chapter 4: Strategy planning for information systems” in recommended text.
IT planning occurs at a number of levels. It is important that the students understand the
different levels and the reasons why each is important.
Why do companies develop IT Strategic Plans? In your own words describe at least 3
reasons why a company might develop an IT strategic plan.
Students need to have an understanding of the purpose behind an IT Strategic Plan.
Suggested solution should include some of the following reasons:
• Effective management of a costly but essential part of the organisation
• Improving communication between the business and the IT departments in an
organisation
• Ensuring that the business direction can be supported and is linked with the IT
direction
• Planning the priorities of IT to work with those of the organisation
• Provide a framework for effective resource management
• Provide a focus on what IT does so that costs and benefits are recognised.
Considerations for IT Strategic Planning
Understanding the business

Lead a discussion on the effect that the following would have on IT Strategic Planning.
• Size of the organisation – large, small
• Structure of the organisation – roles and responsibilities
• Type of organisation e.g. not-for-profit, community-owned, public, private, national,
international
• Maturity of an organisation e.g. start-up, conglomerate
Positioning the Business

In order to understand what direction the business should move in, it is important to understand
the position of the business in the marketplace. What products are offered and what are still
needed? What markets are served? Who and where are your competitors?
You may want to draw out some of the tools described in Section 5.4 for positioning the
business and for understanding the context for the Strategy.
Paper F21 Page 6

Knowing the Business Environment

You might want to discuss the following in terms of how they impact on the business and the
business environment. Remember that the students are asked to discuss C customers in detail
so you might want to just concentrate on the other categories. Ask for other suggestions.
• Customers
• Suppliers
• Regulatory agencies
• Government
Identify at least 4 possible requirements from customers that might impact an IT

Strategic Plan and describe the implications.
Answers will very for this question. There are many things that customers might
require or need within the current business environment that would impact on the IT
Strategic Plan. Students should be able to demonstrate an understanding of how
customer needs might be reflected in the Plan. Answers could include:
• Credit card processing. Customers wanting to use credit cards will mean that the
organisation will have to look at online verification with credit card providers or
alternate providers. Changes will need to be made for database access, new
external partnerships and networking capabilities etc.
• Improved lead times. This might necessitate a review of the current ordering
systems and/or inventory systems and plans to upgrade systems, acquire or
redevelop.
• Ability to provide electronic documentation (e.g. CD-ROM). This might mean the
purchasing of new equipment to provide CD-ROMs, and systems to control
publishing and distribution.
• Bar-coding. Introducing bar coding into a company needs careful planning. It can
impact right across the organisation and supply chain – new printers, bar-code
readers, systems to work with the codes etc.
• Ability to handle special orders and requests. This sort of requirement
(improvements to existing processes) could mean upgrades to systems,
investigations into new systems or review of ordering process and resources.
• Ability to interface with distributors of customers and affiliates. This could mean
allowing for further investigation into the requirements to see how widespread the
need is and assess the sort of changes that might need to be made to existing
systems.
Understanding the Risks

Lead a discussion on the following categories of risk:
Paper F21 Page 7

• Economic
• Technical
• Operational
• Behavioural
Ask whether the students think that risks are increasing or decreasing and what they think
poses the greatest risk.
Rate the following examples in terms of risk where L is Low, M is medium and H is high
i) a small manufacturer using a financial package to record their financial transactions
from paper records
ii) a large but conservative bank using commercial packages that are readily available
with minimal modification
iii) a medium sized bank with in-house developed system which are regularly changed to
ensure that the bank stays ahead of the competition
Suggested solution is:
i) L
ii) M
iii) H
Aligning the IT and Business Strategic Plans

There is little debate that IS Strategic plan must be aligned with the Business Strategic Plan.
Read Chapter 6 “Frameworks for integrating IS Strategies with business strategy”

(Strategic and Management Information Systems)
You might want to lead a debate on what the students think might happen when an IT plan is
NOT aligned with the Business plan.
Discuss the IT trends identified in the Student Guide and open the discussion for other trends
that might impact the alignment between the IT and the Business Strategic Plan.
Components of Long Range Plans

What is in an IT Strategic Plan? Each organisation will answer this question differently.
Discuss any experience that the students might have with strategic planning.
You might want to invite an IT Manager into the class for discussion about the role and how
the IT Strategic Planning process works in the company.
Paper F21 Page 8

“All organisations should prepare their IT Strategic Plans for a period of 3-5 years and
review their long term plans regularly”.
In your opinion, should the horizon or period for a Strategic Plan be the same for all
organisations? Should the review period be defined the same for all organisations?
Would the IT Strategic Planning time frame differ for organisations in different
industries?
Give examples to highlight your views.
The student’s answers will very a great deal. The question seeks to explore the
student’s understanding of how the IT Strategic Planning process differs across
organisations of different sizes and in different industries.
The answer should emphasise that IT Strategic Planning will differ across industries
and that every organisations will need to determine what is an appropriate time frame
for the planning and review process.
• A small company will usually have a less formal process for IT Strategic
Planning.
• The position of IT within the company structure will impact on how IT is viewed
and how it rates as a strategic consideration.
• Young companies will usually be less structured in their planning and focus on
short term issues as they struggle to survive.
• Business planning is key to smaller companies as they seek to establish their
business credentials.
• Industries can affect the time frame for planning. An organisation in a more
traditional sector such as agriculture may have a longer time frame for strategic
planning than an industry in a more contemporary industry such as electronics.
• Consider those companies in industries that have been spawned as a direct result
of technology such as electronic commerce. With the rapid pace of change and
new developments and trends almost daily, a company in this industry would need
to almost constantly revise its IT Strategic Plan.
E-Business Models
It is timely for the students to revise the concept and meaning of e-business. You might wish to
lead a discussion on what is e-business before commencing this section to ensure that the
students have a sufficiently broad definition.
Revise material in Module D21 on e-business.

You might want to demonstrate some websites that demonstrate some of these models or ask
the students to share their experiences.
Suggest leading a discussion to identify the business communication processes and ensure that
the students understand this term.
Paper F21 Page 9

Business to Consumer (B2C)

You might want to demonstrate www.amazon.com as the most well known B2C site.
Through class discussion compare and contrast the physical shopping experience to the online
experience. Ask if any students have bought anything online and ask them to share their
experiences with the class.
Lead a discussion of the advantages and disadvantages of online shopping. Issues that might
arise include:
• Issue of consumer privacy, security and trust have become critical factors for the online
store
• Problems with intermediaries and long term relationships between seller and distribution
channels.
• Delivery and distribution challenges
• Convenience factor for busy people
• Differences in online goods e.g. clothes that people traditionally like to try one or feel
compared to standard grocery items.
• in remote areas of even overseas have caused logistics problems for those businesses
without such processes in place.
Lead a discussion on electronic payment systems.
Choose 2 electronic payment systems prepare a comparison addressing issues such as:
* Description of system
* Target market
* Advantages
* Disadvantages
Students might choose 2 of the following to compare:
• e-cash: Various products developed which attempted to provide the online
equivalent of cash by utilising public key cryptography. The banking industry was
the greatest barrier as there was no general acceptance of this as valid currency.
• Smart card e-payments: Similar to phone cards where smart cards are built with a
microchip as an online “purse” to store money. Suitable for smaller valued
transactions, the “purse” is reloaded from banking machines or proprietary
systems. Required the user to have card readers attached to PC.
• Electronic Purse: developed by several online vendors. Consumer could purchase
a large denomination using standard credit card details that was “held” by the
online store for purchases within that store. As the consumer purchases smaller
valued transactions the value was deducted from the purse value automatically.
The consumer would “reload” the virtual “purse” with value as required. Great for
Paper F21 Page 10

smaller transactions but restricted the consumer’s choice of where they could shop
– if tied to one online store.
• Credit Cards: Traditional credit cards such as MasterCard, Visa, and American
Express have been accepted as the most common way of purchasing online goods.
The main challenges are that these transactions are not suitable for smaller
amounts and there have been 9oissues with authorisation and security of the cards.
Business to Business (B2B)

Lead discussion about the emergence of this model. Discuss some of the possible benefits that
B2 B offers.
Review the article at http://b2b.ebizq.net/exchanges/kenjale_1.html

Choose an industry and describe a B2B example. Give your opinion about the future of
the B2B model.
Do you agree with the authors that this term may soon become obsolete?
There is no ”correct” answer to this question. What we are looking for is demonstration
that student understands the model and its position in the business environment. If there
are no such models locally in Pakistan, you might like to lead a discussion on whether
the students think that the local market will follow the same trends as the western world
or if it will take shortcuts and learn from other experiences.
Business to Employee (B2E)

Lead discussion as to whether the students have any experience with this model. You might
like to ask the question if the students to identify what model their current relationship with the
Institute follows. I suggest that it is closest to this model.
Prepare a list of information that is shared in a normal business i.e. information to

which everyone needs access.
Students might suggest the following information:
• Spreadsheet and document templates which are corporate standards
• Policy and procedures manuals
• Quality document (e.g. ISO 9000)
• Software and hardware manuals
• Telephone directories (both internal and external)
• Training manuals
• Company newsletters
• Forms required for administration e.g. annual leave forms. Absentee forms.
Paper F21 Page 11

Research the emergence of the B2E model and describe the technologies that could be
used by an organisation to support this model.
Describe 2 issues that might impact the success of such a model.
Suggested solution could cover technologies such as Intranet, Extranet, CUCMe, and
bulletin boards.
Issues that might arise include:
• the current technology infrastructure of the organisation and whether it is capable
of supporting the technologies required.
• the skills of the staff
• the level of access to the technology by all staff
• the willingness of staff to use the technology
• the need to keep it up to date and ensure that the right people have responsibility.
Consumer to Consumer (C2C)

This is an interesting model to discuss as it has also introduced new business types
Research this model on the Internet and describe it in your own words. Provide some
examples of this model.
Identify one product that could be used to create a C2C opportunity. Describe the
scenario and the benefits that this would provide.
You will find all students will answer this differently. The most common answers will
probably introduce technologies such as bulletin boards, Chat forums, and online
auctions where consumers directly interact with other consumers.
Students might choose an online auction where consumers post what they want to sell
and other consumers can purchase. Expected benefits from this type of model could
include:
• Cost savings – no expensive paper communications
• Time savings – electronic communications are faster
• Provides greater power to the consumer – greater choice and more control over the
purchases
• Greater power to the seller – can reach far greater audiences than ever before
Government to Citizen (G2C)

Many governments have a strategy to deliver online services and information. You might want
to lead a discussion about the issues of inequity and access that this introduces into societies.
Paper F21 Page 12

Identify 3 common communication processes or transactions that a citizen must conduct

with government. Describe the transactions and how technology could be used to
improve the current processes.
Suggested solution could include:
• Taxation
• Notifying departments of change of addresses
• Registering on the electoral role
• Applying for a visa or passport
The students might identify the used of the following technologies as a way of
improving access:
• Internet,
• WWW
• Email
• Public information kiosks
• Video-conferencing
• SMS – mobile solutions
Research the objectives of the Citizen Online Project of the Pakistan Government.
Give a list of at least 6 types of information that will be available.
Site is at http://www.itcommission.gov.pk/itnews/images/citizenproj.htm Students
should identify some of the following:
• organizational details,
• rules and procedures,
• contact persons
• e-mails addresses,
• downloadable forms and
• data of interest to the general public.
1.2 Management of IT
IT is still a relatively new industry and the most rapidly developing industry that the world has
even known. You might want to lead a discussion about how the role of IT management has
changed from the centralised operation of the Electronic Data Processing (EDP) department to
the contemporary IT Department.
Many new technologies have had a profound impact on the organisation of IT.
Paper F21 Page 13

Survey 3 companies (one large, one medium and one small). Describe the organisation
itself and describe the organisation structure in terms how IT is managed.
You might want to invite 3 IT managers into the class to discuss how IT is managed in
their organisations in relation to the size of the organisation.
Students should identify the differences between centralised management and
decentralised management. Also in some smaller companies, the IT management role
might be incorporated into other roles whereas in larger companies, there may be
several IT-related managers e.g. IT Operations, IT Development, IT Strategy.
Management of computer operations

This section has defined “Computer Operations” in a broad sense as everything concerned with
ensuring that an organisation can access and use its information systems.
IT Operations Strategy
Ensure that the students understand the relationship of the IT Operations Strategy with the
other Strategic Plans.
In your option would the IT Operations Strategy be a long-term plan or a short-term

plan? Why?
Students should describe this Strategy as a tactical plan for implementing the IT
Strategy. The Operations Strategy will cover a shorter term than the overall plan and
will be a more detailed plan. It will address the priorities of IT acquisitions and
installations to support the overall IT Strategic Plan and will guide the Operations
Department in its activities.
Technology Planning
Supporting the organisations technology infrastructure for opportunities and protecting it from
obsolescence are critical tasks of operations planning. Discuss the diagram included in the
Student Guide.
Lead a discussion on who the students think should be included in this activity.
Measuring and Managing Capacity

You might want to draw out the differences in small organisations who make decisions about
purchasing a more powerful, faster computer for a particular function when needed as opposed
to larger organisations who need to consider and plan upgrades and purchase.
Paper F21 Page 14

IS Operations Staffing
IS staffing issues are not just confined to the Operations area. However there are increasingly
technical skills required to work in this complex area. You might want to discuss the issue of
Operations staffing with the class.
You might want to discuss the Computer Society of Pakistan and what the students’ understand
about the organisation (http://www.csp.net.pk/) Ask the students how membership might
impact staffing and what impact his might have on recruitment.
Production Planning and Control

While many organisations run online systems that are required for staff to service customers,
there are many systems that run in batch mode and may require large amounts of processing
power and time.
You might want to lead a discussion about what Production Planning and Control means in a
small business. For example, it might mean that no one can use the accounts systems while the
end of month accounts are processed.
Security
Security is a complex issue and the IT infrastructure of an organisation must be protected.
While the costs of security can be significant, just what level of security the organisation needs
is dependent on the risk to the organisation and needs to be a strategic decision.
Within a single site, describe some of the ways that the site security can be improved.
There are many answers to this questions and it really is a matter of appropriateness.
Weighing up cost versus risk is critical. Some of the more common ways that the
students might suggest include:
• Limiting physical access to the computer room
• Access codes for authorised personnel only
• Monitoring access using remote TV cameras
• Storing significant files and backup off site
• Ensuring an uninterrupted power supply and fire protection is in place
• Physical separation of development and operations staff
Privacy
You might want to direct students to this article titled Technology and concept - privacy and
authentication at http://www.bcs.org/ereview/2001/html/p119.htm for a good discussion of
some overall principles of privacy.
Paper F21 Page 15

With respect to your personal and business life, identify what transactions that you
participate in that may have resulted in personal data being held in a database.
List at least 6 instances.
You might wish to discuss this question in terms of the diagram on P528 of the text
“Strategic Management & Information Systems”. Students could nominate many
instances here including:
• Birth records
• University records and exam results
• Institute enrolment records and exam results
• Driving records
• Passport records
• Bank records, Credit cards and/or debit cards
Management of inter-organisational computing

Early users of computer processing bureau services and early adopters of Electronic Data
Interchange (EDI) were the first to deal with issues arising from inter-organisational
computing.
Consider a company that produces fabrics for export and which is restricted in its IT
resources.
Identify as many partners as you can with whom the IT Department might consider a
partnership and describe the broad technology environment that might be adopted for
each.
The students might identify many different partners for this example. Suggested
solution might include:
• Customers. Using a website for reaching out to global customers might be a
desired outcome so the IT Department might consider using an outsource provider
for their services such as web development and hosting or could consider and ASP
service.
• Suppliers. Adopting an online system with suppliers so that orders for raw
materials, can be readily sourced when needed could help. This could be
approaching suppliers to establish extranets with them or to develop an industry
portal.
• Government. The IT department should consider forming a relationship with
Government so that export, customs documents can be simply used and more
effective communications forged.
• IT Vendors. Many IT vendors give partners direct access to their order systems
which can be used without the need to develop costly systems.
Paper F21 Page 16

Collaborative computing
Read Section “11.5 Group-Based User Computing” in Strategic Management &
Information Systems pp 413 - 418
You might want to discuss concepts and if any of the students have direct experience with
collaborative computing.
Intranets have been heralded as a great new tool for organisations. Research
information about Intranets. Describe at least 4 benefits that an organisation might
realise by employing an Intranet. State any assumptions that you have made about the
organisation.
There are many benefits that might accrue with an Intranet. Student’s answers may
include:
• Improved control over data. No replication and assigned responsibilities.
• Improved responsiveness to customers. Information may be accessed by all staff
and the customer given an answer to their query immediately.
• Better staff efficiencies. Data is collected and entered only once and yet everyone
can access the latest information. No need to run around trying to find out who has
the latest information.
• Able to capture improved information about operations and information access
and thus improve what information is being captured and how it is being used.
Distributed Systems
Discuss the concepts raised in the material in the Student Guide.
There are many benefits of distributed data processing and many potential pitfalls.
Describe at least 4 benefits and 4 potential weaknesses of using distributed systems.
Students may have widely varied answers. The following is a suggested solution:
Advantages:
• User involvement. There is greater user involvement in distributed solutions.
• Availability. Confines the effects of computer breakdown to smaller segments and
thus reduces the reliance on one computer.
• Flexibility and growth. Allows for phased approaches to upgrades and systems
rollouts.
• More cost effective solutions able to be developed and implemented because this
is normally associated with PCs.
• Responsiveness and productivity are increased. Smaller jobs, better understanding
of the data.
Paper F21 Page 17

Disadvantages.
• Maintenance and hardware problems not as easily diagnosed. Networks are more
complex and there are more points for failure introduced.
• Controls. There is much less control over distributed systems. Backup and security
issues in particular can be a problem.
• Integration of data and information is more complex. Data can become fragmented
or not synchronised.
• Possible for costs to escalate as there are many costs that are hidden.
For example, consider the Distributed Devices described above. Who is responsible for the
planning associated with the devices? Who would be responsible for the maintenance of the
devices? Who would be responsible for the training of the uses of the devices? Who would be
responsible for managing the devices? Who is responsible for managing the risks?
Read Chapter 9 “IS Resource management” for some insights into the difficulties facing
managers of a distributed systems site.
EDI and Electronic Commerce

Lead a discussion about EDI. There may be logical industry examples that you can quote.
EDI can be defined as: the direct computer-to-computer exchange of information”.
Ensure that the students understand the difference between EDI and other forms of ecommerce
by discussing the example of a company who emails an order versus one who uses an EDI
system for an order.
Summarise the benefits of EDI and provide examples of how the EDI benefits could be
achieved if applied to the traditional order processing systems of a business.
EDI Benefits Order Processing Benefits
Save costs Input orders directly from phone or use
Internet-based forms to allow customers to
High costs of resources for preparation,
enter orders themselves directly into your
handling and data entry of orders can be
order processing system.
eliminated.
Increase Sales SEE 1998 PY Technical Guide P 237

Reduce time for fulfilment
Reduce Errors
Improve Security
Improve Integration
Paper F21 Page 18

Reduce Inventory levels
Outsourced Services
Outsourced is a term that has been widely used over recent years but is it anything new?
Discuss the concept of the computer bureau and its relationship with some of the modern day
outsourcing arrangements.
Read the article “Ins and Outs of Outsourcing”

One of the most crucial parts of outsourcing is maintaining the quality of services delivered
through the third party. The SLA thus is the most important document in an outsourcing
agreement. You might want to discuss what sort of things should be included in an SLA.
Outsourcing can involve a little of the organisation or the whole IT department. And there are
various ways of outsourcing specific functions. Discuss the role of ISPs as outsource providers.
Lead into a discussion of ASPs.
For an in-depth look at ASPs, read the 4 part article “All about ASPs”.
You might want to lead a discussion based on some of the issues raised in the article.
Management of end-user computing

“End-user” is a term that can have several different connotations and as a consequence
different implications for management. You might wish to lead a discussion on the various
levels of end-user computing.
Financial analysis and control

Managing the increasing risks and the costs of IT needs greater control today and is subject to
more pressures. Implementing IT Strategies is a balance between the direct costs, indirect costs
and benefits. While tangible costs and benefits are easier to manage, there are increasingly
complex intangible costs and benefits.
Read Chapter 7: Information value and IS investment in the text Strategic Management
and Information Systems.
Capital Costs
There are several choices to obtaining IT hardware and software including renting, leasing and
buying outright. The choice of financing options is largely determined by the organisation
policies, the availability of funds and the other spending choices. Outright purchase might
involve consideration also of taxation and depreciation regulations and the impacts on the
financial position of the company.
Paper F21 Page 19

Consideration of rental and lease options may vary according to the marketplace, business
environment, availability of these options and the time over which the organisation is looking
to rent or lease.
What do you think would be the benefits of rental or lease over outright purchase?
Student might suggest the following points:
• Capital is not tied up in IT which allows greater investment in the company’s main
business
• Reduced risk of paying too much for IT. With costs decreasing for some
technologies quite dramatically as it matures, there is a danger that the early
adopters pay high prices and the late adopters pay far less.
• Less obsolescence. Rented or leased equipment can be quickly disposed of and
there are greater opportunities for upgrading the configuration
• Improved performance. Depending on the performance clauses in the contracts,
any hardware or software that is rented or leased can be disposed of or pressure
put on the provider to improve service.
• Taxation advantages might exist.
Capital costs can also incur other costs that are sometimes ignored. Also there are many flow-
on costs associated with capital investments that are often hidden.
You are an IT manager. Your mainframe computer is from a supplier, Cant Computers,
who has been providing service to you for several years. You have made a decision that
implies you need to upgrade and have received notification from your supplier that the
cost to upgrade will be in the vicinity of Rs100,000. You immediately think – I will
change suppliers and get a quote from another supplier, Butt Computing, for Rs 90,000
for similar specification.
Which supplier would you choose and why?
Student answers should demonstrate an understanding of the associated costs with a
capital purchase. Answers could be either depending on the arguments but suggested
solution would be Cant Computers since a change to Butt Computing would involve
not only the capital cost but also include many other flow-on costs such as:
• Reskilling the IT support staff for the new computers
• Changes to maintenance and support arrangements for computers
• Potential changes to systems and programs
• Potential changes for some users and training costs
• Need to investigate the extent of changes necessary for integration of the new
computer with existing equipment
Paper F21 Page 20

• Need for changes to disaster recovery plans
Time and expense Tracking

Lead a discussion with the students about mechanisms they may have seen that allow the time
and expense tracking.
Cost charge out and Monitoring

Lead a discussion on the different ways that an IT department might operate.
Desktop computing has introduced complexity and enormous hidden costs into the IT
Manager’s budget in many companies. In your opinion, what which of the following do
you think could offer the greatest cost benefits and why?
i) standardisation of desktop computers
ii) centralisation of purchasing
Students should demonstrate an understanding of desktop computing and the potential
issues. Answers could include mention of the following:
• Standardisation – if user departments purchase diverse computers in terms of
specifications, operating systems and software then IT support becomes a major
issue. In many organisations, these departments will still ring the IT department
for support assuming that the skills and knowledge are there to support anything!
Also software clashes can occur on different computers if the specifications are
different and undermine any rollout of effective desktop tools. Standardisation
means skills, tools and support can be managed more effectively.
• Centralisation of purchasing. Many suppliers offer bulk discounts and discounts
for their better customers. If each department buys from different suppliers, costs
can be more overall. Also managing warranties acne support becomes easier if
managed centrally.
IT Control Objectives
Currently there are 2 distinct classes of control models available – the business control model
“COSO” and the more focused control models for IT “DTI”. A relatively new control
framework, COBIT has been developed by the Information Systems Audit and Control
Association Foundation (ISACF).
Discuss the need for controls to assist IT Management meet their responsibilities.
CoBIT management guidelines identify a list of generic Key Goal Indicators. Define in
your own words a “Key Goal Indicator” and list 6 that are applicable to all IT
processes.
Students should be able to provide a definition based on the one supplied in the COBIT
guidelines but not word for word
Paper F21 Page 21

Students might identify any of the following list of KGIs:

• • Achieving targeted return on investment or business value benefits
• • Enhanced performance management
• • Reduced IT risks
• • Productivity improvements
• • Integrated supply chains
• • Standardised processes
• • Boost of service delivery (sales)
• • Reaching new and satisfying existing customers
• • Creation of new service delivery channels
• • Availability of bandwidth, computing power and IT delivery mechanisms fitting
the business, and their uptime
• and downtime
• • Meeting requirements and expectations of the customer of the process on budget
and on time
• • Number of customers and cost per customer served
• • Adherence to industry standards.
1.3 Software
Strategies for adopting eBusiness practices are supported by many products, technologies and
types of systems. While this area is constantly changing there are some systems that are
recognised by many companies as key strategies. We will look at some of those systems here
but students are encouraged to research this topic further for new and emerging trends.
Supply Chain Management (SCM)

Trading involves a number of partners across the supply chain. You might want to take an
industry and talk about the supply chain for that industry as an example.
Enterprise Resources Planning (ERP)

Ask the students if any of them have experience with the more common ERP packages e.g.
SAP, PeopleSoft and Oracle applications. Discuss how these packages are used and if there
were any issues arising from the implementation.
While the direct costs of an ERP project can be significant there are many indirect costs
that also need to be considered.
Paper F21 Page 22

Describe at least 4 cost categories, apart from the cost of the software that need to be
considered in an ERP project.
Students should recognise that many costs in an ERP project are hidden but can
include:
• Planning and project management
It takes time and effort to properly prepare for an ERP deployment. The company's
IT staff and the appropriate business managers must be given the time and clear
responsibility to conceive and evaluate the project's scope, costs, and timeline. It's
important to assign the planning responsibilities to staff members who not only
have a good grasp of the technology, but who also understand the company's
business requirements and processes. Also make sure that whoever leads the
planning sees the project through--from the initial deployment to some extended
period after deployment to work out the inevitable kinks.
• Integration
Companies almost always underestimate the time and cost necessary for enterprise
software integration. ERP systems rarely exist in a vacuum and they usually need
to be tied into software and complex business processes that predate the ERP
system. In addition to software from a primary ERP vendor, the enterprise may also
want to use applications provided by other software vendors. For example, a
company may want to tie its core ERP suite from SAP into a CRM application
from Siebel and global trading management software from Vastera. Mergers and
acquisitions also create difficult integration challenges because the merged
companies may use different ERP packages and other different applications with
which they've already integrated. Dick Kuiper, a vice president with Meta Group,
says that a large enterprise typically operates five or more ERP systems and some
companies are known to have more than 20 ERP systems.
• Dirty data
A number of problems and hidden costs crop up when handling real-world data.
When an enterprise converts its legacy systems to ERP, it must convert large
amounts of data for use in the new system. Much of the old data is difficult--if not
impossible--to convert, which means a lot of time and money will be spent re-
entering it into the system or putting it through complex conversion processes.
Even after a system is fully deployed, you can't take the data for granted because it
ages. For instance, every month some of the company's customers, employees, and
business partners change their address or other parts of their profile. Gartner Group
analyst Beth Eisenfeld estimates that 2 percent of a company's customer data goes
bad every month. She recommends an ongoing effort to clean up obsolete data.
Finally, when data is combined from multiple systems for analysis or as a result of
integration projects, more work can be involved to clean it up and convert it.
• Testing
Given the mission-critical nature of a company's ERP system, it should be
thoroughly tested before it's fully deployed. Don't just test the system with dummy
Paper F21 Page 23

data. Use actual data from different real-world scenarios. For example, a
manufacturing company should pull up historic orders from customers and route
the orders through the entire process of creating the product, shipping it, and billing
for it. Ideally, employees who actually operate the specific business processes on a
day-to-day basis should perform these tests. Of course, all of this costs money, but
the investment will significantly reduce other costs that result from the downtime
and poor implementations that occur when systems aren't properly tested.
• Documentation
ERP systems take a long time to deploy and are used for many years within a
company. That means they usually outlast the IT employees and business-process
managers who conceptualise, deploy, and modify the systems. Documenting the
system is crucial so that future employees can make sense of the software and
business-process logic the system encompasses. Documentation is also needed to
help future workers deal with the inevitable updates, extensions, and integration
projects that occur as a company evolves. In addition, documentation can save
consultants time and help them map out the scope of projects properly to improve
cost accountability.
• Training
One of the biggest mistakes enterprises make is forgetting that employees must
adapt to a new ERP system. Employees must be trained on how to operate the
system and how to apply it to familiar business tasks such as looking up and
entering data, Furthermore, a new ERP system almost always means changes to
business processes. That requires change management to teach employees about
new business practices and manage staff reorganization. Employees often resent
change and resist it when it means they have to let go of established work habits
and take up new reporting relationships. Despite all the money a company spends,
an ERP deployment can fall flat on its face or simply operate at vastly reduced
efficiency if the company fails to adequately train the staff and manage the change
effectively.
• Consulting fees
Since few IT departments are staffed to handle the extra work required to
implement each phase of a big ERP project, many of the items mentioned earlier
require consultants. Without proper management, though, consulting fees can eat
through your budget faster than a pack of mice through a chunk of cheese. It's
important to make sure that in-house staff is capable of managing consultants.
Consulting contracts should carefully define key deliverables, schedules, skill
levels of available staff, and objectives for training internal staff. The contract
should also be accompanied by a detailed specification that clearly points out the
desired business objective and technical requirements. Proper planning and project
management (as mentioned earlier) are important for managing consultants and
holding them accountable.
• The bottom line on ERP
Paper F21 Page 24

Although ERP projects are complex and expensive, properly implemented, they are
nonetheless worthwhile. Meta Group found that once fully deployed, the median
annual savings from a new ERP system was $1.6 million per year.
But every ERP system must be continually maintained and upgraded to take
advantage of new applications, technologies, and features. ERP software is hardly
static, and there are major new developments as the software grows to embrace the
Internet and as companies open up their data and business processes to partners
When you realize how much is involved with ERP, you quickly realize that it is
this software and the business process it describes--not the computing hardware--
that lies at the real centre corporate information technology
Customer Relationship Management (CRM)

Definitions of this category of software are wide and varied. Discuss the student’s
understanding of the term. You might like to find some other examples of definitions and
discuss those as well.
Sales Force Automation (SFA)

Sales teams carry out 3 important functions – finding, acquiring and maintaining customers.
You might like to talk about various ways of supporting the sales force using technology. Foe
example, introduce the laptop, the palm pilot and mobile phone as simple examples of how
technology may be applied to “automate” a mobile work force and the benefits it might bring
to the organisation. .
You are the IT Manager and have been asked to provide advice to the Sales Manager
about SFA systems. They want to buy a package and have asked what might be available
and what it might do for them.
Research the web and identify a product that might help them. Describe the product, its
advantages and disadvantages.
There are many projects in the market. Most of the well-known CRM packages or ERP
packages have a module for the Sales Force. If the students have difficulties with this
point them to a product called Salesnet to use as the basis for their answer. The
following is the sort of benefits claims from Salesnet that students might include in
their answers.
You benefit from real-time access to critical sales team activities, sales reports,
forecasts, and customer information, via the Web. Salesnet also offers wireless access
to all preferred mobile devices (including RIM devices) at no additional cost.
Salesnet is an application service provider (ASP) that offers a robust Web-based Sales
Process Management (SPM) and Sales Force Automation (SFA) service. Salesnet's
online Sales Process Management (SPM) solution offers the fastest CRM/SFA
deployment in the industry, with a 100 percent successful track record. Salesnet's
Professional Services team guarantees that your best sales business practices will be
automated within weeks, from pilot to rollout, and at one-fifth the cost of traditional
client/server CRM/SFA deployments. Salesnet's ASP model eliminates the need for a
Paper F21 Page 25

huge up-front capital investment in software and hardware. And, sales professionals get
real-time access to critical sales team activities, sales reports, forecasts, and customer
information -- via their desktop computer, laptop, or preferred wireless device --
regardless of their geographic dispersement
Advantages of this sort of product are improved quality of information, faster responses
to customers, improved communication with workers who are mainly out of the office
and greater efficiency in mobile workforce operations.
Disadvantages is increased security risks, need for improved controls over remote
operations, greater investment in technology and more complex networks.
eBusiness Products
There are literally hundreds of software and hardware products that lay claim to be eBusiness
Products. Many of the products address only one specific part of the business or one particular
function. Since this is a relatively new area, products emerge onto the market almost daily so
the best place to research what it available is via the Internet.
Visit the Computer Associates website at http://www.cai.com/products/ to find out how

Computer Associates categorise and sell eBusiness Solutions. Download the white paper
“The Software that manages eBusiness” for one view about the complexity of servicing
organisations wanting to conduct eBusiness.
Some of the different types of products that you might find are described below.
Online Shopping Carts

There are many companies that have developed online shopping cart products. These products
tend to service the needs of smaller businesses with little resources to develop their own
solutions.
Once such product is Merchant Order Form (MOF). Visit their website at
http://www.merchantorderform.com/ to find out more about their product. Search the
web to find another shopping cart product and compare/contrast the features of the 2
products.
From the website – the student will find that MOF is a Perl based shopping cart
program. Its features are:
• It can be installed on any server
• It is industry standard CGI program that is stand alone program
• Web based shopping cart with flexible payment methods, design and layout
options.
Paper F21 Page 26

• MOFcart can accept unlimited product input and options for size, colour, text, and
price.
There are many others that the student can choose from to compare and contrast. If they
are having problems locating some – you might suggest the following:
• http://www.easycart.com/main.html
• http://www.cartit.com/
• http://www.netconcepts.com/
• http://www.pdgsoft.com/index.shtml
The features that will differentiate products and which the students should be aware of
include:
• Flexibility. Limitations and constraints in the number of products, categories,
customer etc that can be handled by the product
• Shipping options available
• Management reporting options
• Service and support arrangements and cost
• Security features
• Industry standard languages or databases
• Location of data, information etc
• Ability to integrate with other systems such as billing, debtors, stock control etc
Online Payments
Products for offering online secure payment systems also abound. These products vary from
direct online verification of credit card details with either banks, or branded cards through to
smart card developments to handle micro-payments for goods.
Consider options for online payments. Compare and contrast the following products in
terms of what sort of businesses might be interested in each of the solutions.
i) Flexegate (http://www.ehost.com.au/ecommerce/index.htm)
ii) http://www.paypal.com/
iii) http://www.billpoint.com/
Describe what sort of features businesses should look for in online payments systems.
The 3 products featured would all appeal to small to medium businesses. The questions
that the businesses would need to have asked are:
• Do I want international currency?
Paper F21 Page 27

• How many products do I have and what is the average value of transactions?
• How familiar are my customers with online payments and technology
• What systems or other products will this need to interface with?
When looking at any online payments systems, businesses should look for:
• International currency arrangements
• Transaction fees and other monthly or annual charges
• Security features
• Liability issues
• Integration features with other software products e.g. shopping carts, databases
Most online shoppers use credit cards to pay for their online purchases. But other options such
as debit cards - which authorize merchants to debit your bank account electronically - are
increasing in use. Other developments in recent years looked at systems to emulate money.
"Electronic money" or "e-money" aim to make purchasing simpler. These sorts of products can
include "stored-value" cards that let you transfer cash value to a card. Some cards can be
"reloaded" with additional value at a cash machine while others are "disposable. The
equivalent Internet-based payment systems called "e-wallets aim to allow "micropayments" -
very small payments. Most e-wallets work by decreasing the sales amount from the online
balance.
Online Forms
Online forms can then be used to capture information from visitors to the business’s website
such as an order, a request or feedback that can be collated.
You might like to discuss some examples such as eFORMS or Dyno Forms
http://www.dynoform.com/v3/dynoInfo.asp
Knowledge Management Systems

Lead a discussion to ensure that student’s understand what corporate knowledge is i.e. more
than just corporate information.
Discuss some of the products mentioned in the Student Guide and ask for a discussion about
other local products.
1.4 IFAC Guidelines/Discussion papers

Ensure that these guidelines are available to the students either through the library or via
downloads.
Managing Security of Information

You might want to lead a discussion about the core principles and relate it to the students’
experience.
Paper F21 Page 28

If you were in a position to convince senior management about the need for information
security, how would you go about it?
Describe the approach you would take, the risks that exist and what benefits they might
receive.
Managing Information Technology Planning for Business Impact

Discuss how this guidelines relates to the work the students’ have already done on IT planning.
In your own words, describe how the guideline achieves the principle alignment
The students’ answer should demonstrate an understanding of the Guideline. The
Assessment phase established a baseline for the planning process. With an
understanding of the scope, this phase pf the planning also confirms the ebusiness
directions and drivers to ensure that the IT plan is synchronised with the Business plan.
Acquisition of Information Technology

Discuss the definitions of this guideline and how it might be adopted by a small business.
Kenthurst University is considering building versus buying its new procurement

management information system. The Director of Procurement is strongly biased toward
purchasing one of the many new web-based procurement software packages. He has
stated that “purchasing will be faster and cheaper since we don’t have to do any design
or programming”
Do you agree or disagree with the Director? Explain why.
Students should understand the need to establish and confirm requirements before
making a decision to make or buy. Without doing the user requirements there is no
support for this statement. It might be that there are more changes required to the
package because it doesn’t suit the user’s needs. It may be that there is a better package
out there. There is work to be done to prepare a RFP, issue it, evaluate responses and
negotiate a contract. The package might not suit the internal IT architecture and as a
results there would be enormous costs required to obtain and install new hardware so
that the package might run. There is also work needed during the design phase to
develop test plans.
Implementation of Information Technology Solutions

This guideline covers a lot of potential scenarios or routes. Lead a discussion to ensure that the
students understand the options for implementation.
Paper F21 Page 29

Describe in your own words at least 5 levels or types of testing that might be included in
a contract negotiation associated with implementing IT solutions.
Testing can occur at many levels depending on the type of contract being negotiated
and the scope of work to be covered by the contract. Student’s answers should include
some of the following:
• Unit testing – the first level of testing in any system designed to ensure that
programs work according to the specifications.
• System Testing – testing that all program units operate together as a system in
accordance with systems test plans.
• Hardware and Component testing – designed to ensure that hardware and other
equipment work in accordance with specifications.
• Integration testing – ensures that the IT Solution delivered works in conjunction
with other systems and equipments as required in a production environment.
• Load and Stress testing – designed to test that the IT solution can perform with
maximum volumes and loads.
• User acceptance testing – designed to ensure that the IT solution delivered works
as expected by the users.
• Procedure testing – tests that the procedures that make up the IT Solution perform
as expected
• Pilot testing – tests that the IT Solution delivered works for a subset of real live
circumstances and data.
IT Service Delivery and Support

You might like to lead a discussion to link the work done previously with IT Management and
Operations Management to this guideline. Highlight that there are various approached adopted
by organisations in terms of the methodologies and standards that they adopt.
Select 4 of the functions mentioned in the guideline and describe how a small
organisation without an operations department might address each of them
Students can of course select any of the functions listed in the guideline. What we are
looking for is that they understand the functions and can think through the objectives of
each. Students should understand the options in a small organisation and might consider
how a company with mainly packages might address each function For example:
• Training and help desk functions might be outsourced in a small organisation to a
training company and or to a consultant.
• Version control might be something simple like the purchasing department
keeping a register of the softer licenses and versions purchases.
Paper F21 Page 30

• There may be no way of formally addressing some of the functions e.g. Capacity
Planning other then monitoring the usage of equipment and software and ensuring
that money is put aside for upgrade and refreshing the equipment or that a policy
exists for dealing with obsolete equipment.
IT Executive Checklist
Lead a discussion about the problems with IT Projects that have received a lot of press and
how this checklist might be applied. .
Other Papers and Guidelines

While the IFAC IT Committee was disbanded in 2001, there are several other publications that
have been issued that deserve attention.
Managing IT Monitoring (Exposure Draft)

IT Monitoring is essential and has an impact on IT governance. This guideline emphasizes the
main principles on which IT monitoring should be based as well as provides a generic
approach for implementing effective monitoring. While IT monitoring activities will be unique
to each organisation, the seven principles can guide development of the approach. These
principles are:
• Comprehensiveness – monitoring activities should be comprehensive
• Relevance – Monitoring must be relevant to the mission, vision, goals and strategies of
the enterprise.
• Acceptability – monitoring approach must be acceptable to those being monitored
• Timeliness – monitoring data must be available to detect deviations for immediate
action if necessary
• Verifiability – information should be verified by another means to ensure it is accurate
and based on fact
• Action-Oriented – monitoring results must enable expedient action to be taken.
• Flexibility/Adaptability – monitoring system should be adaptable to a changing
environment.
Outsourcing (Exposure Draft)

In recent years, many organisations have adopted outsourcing a strategy for either all or part of
their IT systems or facilities.
Outsourcing is the act of contracting with an outside vendor to assume responsibility for one or
more IT function or services.
While the original driver for outsourcing was cost reduction the trend today is to look more
toward value added to the business then on straight cost reduction. This guideline provides an
overview the different types of outsourcing contracts, the problems associated with outsourcing
and resource issues.
Paper F21 Page 31

Paper F21 Page 32

2. Information Technology Security, Control and

Management
Control Frameworks
Introduction
There was some information about controls and security in Module D. This module builds on
the knowledge gained there and you may wish to ensure that all students have undertaken that
module and see if there are any outstanding questions or issues.
You may want to find out if the students have any experiences or know of computer security
issues such as
• Loss of data.
• Theft of data.
• Computer abuse.
• Computer fraud.
• Privacy.
Describe major types of computer abuse that an organisation may experience.

Suggested solutions should include incidents of
• Hacking.
• Viruses.
• Unauthorised access.
• Denial of service.
• Theft of assets.
Control frameworks
Discuss why controls are needed. Ensure that students do not start focusing on particular IT
control procedures until they have identified the “big picture”, organisational requirements for
control, which stem from the need to safeguard the business.
Risks and exposures in computer-based information systems

Organisations should start by determining the risks. Explain that Risk Analysis was discussed
in module D and will also be revisited later.
Paper F21 Page 33

You should discuss each of the events listed, that is error, fraud, vandalism/abuse, business
interruption, competitive disadvantage, excessive cost, deficient revenues, statutory sanctions,
social costs, etc
Pay particular attention to error as this is not always seen as a risk but it is the most common.
Ask for some more examples.
Describe how losses can occur through error, fraud and social costs.
Solutions to this question may be varied. Error and fraud should not pose much
problem as these can be directly linked to money. Social costs can also occur if the
government wastes money or an organisation wastes money. In the former it may result
in higher taxes, with the latter there could be cost cutting and retrenchments.
Explain what “auditing around the computer” (that is, only auditing the input and output and
ignoring what the computer does) means and why this may not be suitable in today’s
environment. Today the systems are mainly real-time and on-line rather than batch systems.
Traditionally systems carried out relatively simple processing on data and it was easy to match
what went in with what came out. Today systems may generate transactions and there is not the
same paper trail. What the computer does becomes very important to check and audit.
The Weber text has been used as the main reference and it covers controls in great detail. There
are also good explanations of technologies.
IT control frameworks
You should discuss the importance of the associations mentioned and the reason why students
may want to consider joining them after qualifying.
Visiting the relevant web sites is the best way to find out about the associations and the
publications that they may have.
You may want to set groups of students the task of visiting a site and then giving a preparation
to the rest of the group on a particular topic such as WebTrust or COBIT.
When would an organisation consider a WebTrust review?

The solution should refer to the fact that this basically provides assurance that a
Website is credible and secure. It would be a useful review if an organisation wanted to
have independent proof that it can conduct e-commerce or other network services.
Control objectives
This section should explain why we have controls. It is important to stress that even controls
should have objectives. The dot points list some of them, that is,
• Effective, efficient and economical operations.
Paper F21 Page 34

• Reliable financial reporting.

• Effective control of systems design.
• IT asset safeguarding.
• Compliance with applicable laws and regulations.
• System reliability and
• Data integrity.
Most of these are discussed in the coming sections but students may be prompted to think of
any other objectives of controls.
Effectiveness, efficiency, economy of operations

COBIT stresses the need for this. Not normally a direct concern of external auditors but it may
be an objective of an internal audit review. Of course it is a basic principle of management
custodianship and duty of care.
You may wish to discuss IT management structures and different approaches. Weber discusses
this in his chapter on Top Management Controls (Chapter 3).
Explain how a planning process might operate and the need to set organisational goals.
How would you determine whether the IT strategic planning process was effective?
The solution should cover areas such as:
• Obtain policies and procedures documents to identify the planning process.
• Review the long-term goals and objectives of the organisation.
• Check that the IT strategic plan supports the business.
• Evaluate the long and short term plans to ensure that they are in accordance with
the strategy.
• Review minutes of meetings to understand how decisions may have been arrived
at.
• Consider the process to handle change and how this could impact the plans.
• Examine how the plans have been turned into operation tasks and activities.
Explain how a top down approach may lead to more detailed plans or models of operation.
Paper F21 Page 35

Since controls are normally applied to safeguard data and information, the organisation should
have plans in place to develop their information models. The model can then link to the levels
of control depending upon how critical the data is.
Discuss the fact that organisations should have another plan to deal with emerging
technologies. Some large organisations now have a specific role that examines changes in the
IT industry and how these may be applied at the organisation.
How does having a clear IT strategy assist an organisation decide when (or whether) to
adopt a new technology?
The solution should cover issues such as:
• New technologies should not be adopted just because they are new.
• There must always be a cost benefit analysed as part of a business case.
• New technologies should be researched.
• The technology should support the organisation’s strategic plan.
• The organisation should have a policy regarding adoption of standards or new
proprietary methods.
Stress that people and interpersonal skills are still important in the IT area. The quality, skill
and experience of IT staff must not be overlooked as part of the overall control framework.
Network administrators will often be granted high level security privileges so they can
administer the network. What security concerns does this raise and what can be done
about this?
The solution should consider:
• Network administrators will be in a position of trust.
• They should be carefully recruited and references and security checked.
• Parts of the job can be boring but require high-level security clearance. For
example setting up a senior manager as a user and allocating this manger access to
files, normally requires the administrator to have high security access.
• Administrators will know much more about the network than managers and
possibly auditors.
• If administrators are to be restricted in their actions then someone will need to
know the intricacies of the system to be able to shut them out.
• There may be a need for levels of administration with appropriate restricted access
rights.
Paper F21 Page 36

• All audit logs should be independently reviewed to monitor administrator accesses

as necessary.
Discuss the use of budgets as a control mechanism. Explain that once projects are started
management will often continue to pour money into them. Find some local examples of failed
IT projects that wasted funds.
Briefly discuss the need for adequate Project Management procedures as a control mechanism.
Reliability of financial reporting

Explain that external auditors are normally concerned with the reported financial figures.
Obviously mangers will expect that any data that is produced from the IT system will be
reliable even if it is not specifically a financial report.
Take the students through the examples and ask for other examples that they can think of.
Give other examples of different interpretation of data.

Examples include:
• Timing of transaction, i.e. goods shipped on the 30th of a month but not processed
until the 1st of the next month.
• Different definitions of sales value, i.e. does it include transport costs or not?
• Goods or services provided over a long period of time may be treated as a one off
sale in one report but apportioned over time in another.
• Are orders really sales?
• If goods are returned should they reduce the sales amount?
Effectiveness of design
Briefly discuss the systems development design cycle and when auditors may be involved.
Explain the need for auditors not to be an active, regular part of the control process.
As an auditor you may be called upon to review aspects of the design of the new system.
Describe briefly how data flow diagrams and entity-relationship modelling are used to
represent a system.
The solution should cover the fact that a DFD is a representation of the flow of data.
ERM shows relationships between entities that are more attuned to the real world way a
system operates.
Discuss how specialist auditors may need to be trained to read these and other types of
diagrams in order to verify designs.
Paper F21 Page 37

IT asset safeguarding
Everyone should be aware that computers are now much more portable than their mainframe
ancestors. Discuss the ways that PCs in particular may be secured.
Also students should be aware that technology is rapidly changing and equipment can quickly
become obsolete. You can show them how important it is to have strategic plans that deal with
this issue.
You may see how many of the students have a computer at home and what consumables they
use. This could lead to a discussion of how to prevent pilferage of small items.
Stress that the “outer layer” of control here will be the physical security around the office area.
Prepare a set of procedures that could be handed to staff who are to be issued with
notebooks that could help minimise theft or loss.
In the solution we would expect to see issues such as:
• Make use of any built in password/security to use the computer.
• Do not check in but carry on board when flying.
• Do not hand to porters but carry always.
• Lock away at night in a desk or storage area.
• Do not leave in cars.
• Do not place on back seat of a car.
You should discuss the use of an asset register as a control procedure.
Compliance with applicable laws and regulations

You should refer to any recent rulings or cases that have been in the press.
Distinguish between acts of employees and third parties.
Discuss any special frameworks that students may be familiar with. Are there differences
between working for a government agency as regards a private company?
Identify other examples of actions that employees could take that would be illegal or
fraudulent. You need to balance the user’s requirements to do their job and misuse of
information.
What controls may be incorporated to ensure that users do not misuse data?
Paper F21 Page 38

In the solution students should consider:

• Logical and physical controls that may be used to identify the user.
• Grouping of users to manage access.
• Identification of confidential data and categorisation of information.
• Effective use of permissions to control access.
• Log files and audit review to ensure appropriate access.
You may wish to refer to the Copyright laws and the need for organisations to carefully control
their software as well as their data.
System reliability
Unreliable systems are a waste of time. This is a major control issue and one that is of great
interest to external auditors. Obviously managers also want reliable systems.
In this section we focus on the availability of the system. In many organisations IT is mission
critical.
Discuss the devices that may be utilised to ensure systems are operational. Stress that UPS only
provide temporary power and some organisations may require standby generators.
Backup to removable media is essential if the system ever has to be rebuilt.
Controls do not work in isolation and even simple batch controls may pick up processing
problems as shown in the example given.
How could you design controls to at least warn of the processing error that was
described in the example?
The specific controls would depend upon the scheduling software that was used but in
principle the solution should cover:
• Batch controls could be used to calculate the new, expected totals and if these did
not balance a warning issued.
• If batch controls are not used other control totals or numbers of records could
provide a similar warning.
• As the process progresses files may be created and subsequent operations could
check for the existence of a file.
• File dates and times could be checked.
Paper F21 Page 39

• Error logs may be manually reviewed before users start operations.
Data integrity
Use the diagram to discuss in detail all the controls that are shown. Students should remember
what they learnt from module D but this would be a good way of revising the controls.
Summarise why we need controls. Compare with the COBIT guidelines.
Layer of control
Earlier we discussed that physical access to the equipment was an outer layer of control. We
now take the concept of controls as layers further.
Societal
Discuss the students’ view of how society accepts (or doesn’t) crime or criminal acts. Ideally
discuss any recent cases that may have appeared in the press.
Give examples of socially accepted behaviour that may actually be illegal

The solution will vary but in most countries the general public accepts the following:
• Speeding a little over the limit.
• Recording television programs for later viewing or sharing with friends.
• Copying software for use on more than one computer.
• Recording music from a friend’s CD.
• Taking office supplies.
You may want to discuss the following statement:

10% of the population will never cheat or steal, 10% will always cheat and steal, and 80% of
the population may cheat and steal if they think that they will get away with it.
Organisational environment
Now you need to consider the impact of the organisations that students work in. Discuss both
the culture that an organisation may try to promote and the way the managers behave and the
example they set.
Assume that an organisation’s security policies state that passwords should not be
revealed to others. You discover that a senior manager has told an administrative
assistant what their user id and password is so that the assistant can log on as the
manager and check the manager’s e-mail. Describe how you would handle this situation.
Paper F21 Page 40

• Risks faced but we could assume a senior manager has access to confidential data.
• Whether the AA would normally be able to see the same information as the
manager and do they have similar access.
• Assuming the AA now has greater access than they should, this is a weakness.
• Also manager is not setting a good example to others.
• Manager should be trained so they can get mail or if it is acceptable for AA to get
mail, the AA should be given the appropriate access to get the manager’s mail.
Technology infrastructure
Discuss how controls can force someone to adhere to them but procedures can only suggest
how they should behave. Use an example such as a road speed sign, which cannot make people
slow down, but speed humps can.
Discuss physical access to the office and the computer and options available.
Discuss how networks are making it easier to bypass physical controls and what may be done
about this. Ideally use any recent cases.
Software
Users should only be allowed to run appropriate software and this is normally controlled by
logical controls.
Discuss what should happen in periods of holiday or sickness.
Business process
Compare the traditional way of operating with several people in the chain with today’s method.
One of the advantages of IT is to improve productivity by removing the separate

operations and staff that were involved in data processing. This means that the control
process afforded by segregation of duties also disappears. What can be put in its place?
The solution should discuss:
• Should balance the need for productivity and security.
• Logging of user actions can be an effective control.
• Computer controls must be tighter such as over-ride controls.
• Management review becomes more important.
• Control over assets and recording of assets should be separated.
Paper F21 Page 41

Responsibility for control
Role and responsibilities of key parties

Auditors are NOT the only people responsible for controls.
Discuss the fact that it starts at the top and works its way down. Stress the difference between
responsibility and operational procedures.
Explain what the responsibilities are at the different levels.
You are introducing a new financial system to users and will be running training
sessions. One of the sections is on security; list the topics you would expect to see in this
section.
• How users will log on to the system.
• Levels of authority.
• What users can access and what will be restricted.
• Any over-ride facilities.
• Typical security messages that may occur.
• Security indicators that users should look out for.
Control environment
This section provides some more detail about the control framework/environment.
External regulatory controls

Identify what regulations the students think could impact controls. Some examples are given in
the text.
Discuss the issues with the “global” corporation.
Board/audit committee governance

Discuss any current standards that may be in the pipeline or recently adopted that may relate to
compliance and controls.
You can visit the web sites of the accounting bodies and consider the impact in Pakistan.
Management philosophy and operating style

You should discuss briefly leadership ideals and the impact on staff. Identify any ethical issues
with students.
Paper F21 Page 42

Describe how managers could use IT to act unethically or without integrity.

In the solution we would expect to see:
• Using logs to check on how much staff have been working.
• Obtaining data about friends and relatives that they should not have access to.
• Finding personal information about colleagues.
• Deleting incriminating evidence such as e-mails.
• Falsifying figures by editing data directly.
Plans/structure of organisation
You may wish to use COBIT guidelines in this section since they stress the need for adequate
management and planning in the IT area.
Method to communicate the assignment of authority and responsibility

Discuss examples of good and bad communication within organisations that the student may be
familiar with.
What would be an effective way to communicate?

1. a new e-mail policy
2. stricter control over password and user identifier sharing
In solution the student should:
• Distinguish when face-to-face communication is preferred to written
communication.
• All policies should be written down but they need to be communicated effectively
rather than just added to the procedures manual.
• Policies may be sent out by e-mail or in meetings.
• Some polices may require a signed response. For example an employee may be
required to sign a document stating that they understand the policy and its impact
on them.
Management control methods

We keep stressing the controls start at the top and this section continues the theme.
Appropriate high level plans need to be set for the organisation. You may wish to discuss how
well this is done and how they should then flow down to more detailed plans.
An organisation is impacted by budget cuts and they decide not to install a fault tolerant
system to save money. What should they have considered before making such a decision?
Paper F21 Page 43

In this solution we should see:

• Reference to the risk analysis (which is covered in more detail in the next section).
• Why are there budget costs? Have the long-term plans been changed?
• Was a FT system part of the IT plan originally? Were there strategic reasons for
FT as part of improved services internally or to customers?
• Management may decide to run the risk but should only do so once they have
considered all issues.
Human resource policies and practices

Students may not normally consider these to be part of control procedures. Discuss how HR
procedures could impact controls before reviewing the material.
Why is a disgruntled employee a risk?

In the solution the student should consider:
• Why the employee is disgruntled in the first place. If they feel cheated then they
may cheat the organisation.
• The employee may work to rule or even sabotage the system.
• The employee may be planning to leave and may copy confidential files.
• The employee may try to break into restricted areas.
• The employee may no longer concentrate and so have a higher error rate.
• In extreme cases, disgruntled employees have caused bodily harm to others.
Financial policies and practices

Discuss how budgeting may be used to control expenditure.
Examine the issues with IT projects and how these can be a drain on financial and human
resources. Try to find cases of large project overruns.
Discuss why IT charge back is not as common as it used to be.
If a project has now exceeded its budget how should management decide whether to
abandon it or continue funding it?
• Is there still a good business case for the project? That is, does it show a cost
benefit?
Paper F21 Page 44

• Why are there overruns? Have more requirements been added or was it poor
estimating in the first place?
• What are the estimates for the remainder of the project? How reliable are they?
• What will be lost if project is abandoned now?
• Where will the extra funds come from?
Risk assessment
Controls combat risk so stress that one of the first activities to be performed is a risk analysis.
You should discuss the basic approach to a risk analysis and if possible may want to
demonstrate or show specific risk methodologies.
Risk categories
Some risk analysis material was discussed in Module D but we will go into greater depth here.
Get students to consider what can happen if IT systems fail and consider the various events
described in the Student Guide. Identify any others that students can think about.
Can you think of any IT systems that would not be critical for an organisation?
• Is it a trick question? If a system is not critical then should the organisation have
wasted money on it! Systems must support the business goals and be needed.
• All systems today are normally critical to the organisation.
Why do you think that we have so many virus and hacker problems today compared with
the days of mainframes and mini computers?
• The sheer number of PCs means that a virus can spread rapidly.
• In the early days each system was proprietary and so a virus could not spread to
incompatible systems. Now most people use a common operating system or
standard protocols.
• Many people have e-mail access and are not security conscious and so can
inadvertently spread viruses.
• There are detailed documentation and Internet sites that explain how things work
and how to break into them.
Paper F21 Page 45

Probability of loss
If you have access to a methodology they may use different ways to consider the possibility of
loss. In the text we consider a simple approach.
Consequences
Explain that the controls may also be assessed on a cost benefit analysis. That is, what will we
lose versus what it will cost us to prevent.
Consider the example in the text and explain that it can be difficult to identify cause and effect.
How can you place monetary and none monetary measures on a virus attack?
Students should consider:
Monetary (assuming time is money) None-monetary
IT staff time to recover data and files Reputation of organisation if attack
is made public.
Wasted user staff time while waiting Staff moral if they suffer down time
for recovery
Time taken to reconstruct any lost data Restricted activities may impact
moral if, say, bans are now placed
on using e-mail
Cost of new virus checking software
Time taken to virus check all data in
the future.
Control activities
This is one of the biggest sections to cover. A lot of detail of controls and associated
technologies will be found in the textbook.
You may find that students without a good IT background may not be aware of the technology
issues that require a control. You may therefore need to discuss appropriate technology issues.
Control design
Explain that many controls can be implemented as polices and procedures. In some cases the
control relies on an individual carrying out a process and this may be difficult to confirm.
It can be useful to summarise the top down approach to controls and responsibilities.
Even if the policy states that staff should behave ethically, how could you confirm that
they are?
Paper F21 Page 46


• What does “behave ethically” mean?
• Once specific instances have been identified then controls become easier to
identify.
• Log files may record what and when data was accessed and these may be checked
to see that there were valid reasons for access.
• User behaviour may be observed by managers and peers.
• Other controls such as over-ride controls may identify users that over or under
charge customers.
Each textbook may define and group controls differently. Discuss some of the options.
Categorise the following controls as preventative or detective:

1. encryption
2. setting file permissions
3. help facilities
4. batch control
5. audit trails
6. check digits
7. log files
8. printing internal tables
Solution:
Encryption P
Setting file permissions P
Help facilities P
Batch control D
Audit trails D
Check digits D
Log files D
Printing internal tables D
There may be discussion as to whether some of these controls such as Batch Controls
are Preventative or Detective. Strictly speaking a Preventative control stops an error
getting into the computer. The objective of the exercise is to get students thinking about
various controls not precisely categorising them.
Paper F21 Page 47

Control procedures
Discuss the fact that control principles stay the same; it is just the technology that changes.
You can point out that with automatic approval systems, anyone who logs on as a manager can
approve funds as if they were that manager. This is why safeguarding user ids and passwords
are so important.
Discuss the different levels of access that various operating systems may allow and how a user
authorisation matrix may be used to help plan access.
Users often complain about having to think about passwords and so will use easy to
guess words. Describe ways of selecting an easy to remember but hard to guess
password.
The solution could suggest:
• A short statement about what the user likes, e.g. I like golf.
• This could be refined with special characters and upper and lower case, e.g.
I/like/Golf.
• Initials of a favourite film e.g. Gone with the Wind = GWTW.
• A favourite saying, e.g. 2bornot2b.
• It is essential that the user never discloses the method they have chosen.
You may want to discuss the new problems that organisations will now face with on-line
transactions. These can be easily lost.
List the advantages of using batch controls over data entry.

The solution should cover:
• Provides control totals for verification at end of batch run.
• Controls completeness of entry.
• Provides independent figures for balancing file.
• Keeps like transactions together, which improve input process.
• Errors can be restricted to a relatively small batch of transactions.
You should discuss the fact that real-time systems can still generate exceptions and errors and
that there should be an adequate way of capturing these and following them through.
The example discussed in the text about over or undercharging is another demonstration of
how individuals or organisations can deal un-ethically.
Paper F21 Page 48

Control over data integrity, privacy and security

So far the controls have been related to getting data into the system. Once in, it becomes useful
information that also needs to be protected.
You may wish to discuss any developments in privacy legislation and the importance of
looking at legislation in other countries.
Students may want to consider what sort of information about themselves that they would not
want to be made freely available. Ask if any have had un-solicited e-mails or other
correspondence and questioned how organisations got their address.
A manager may review the log of data access to check why employees have accessed
data. This manager’s access will also be logged in this report so how can you control
what the manager may have been up to?
Solution should cover:
• This has been a problem with manual systems as well as IT systems.
• One solution is for a higher manager to review but this is often impractical since
these managers are normally too busy.
• Managers are often controlled by budgets and overall performance. So long as
they meet their target the organisation is happy with their performance and may
even turn a blind eye to minor errors and security lapses.
• The only time that this information is ever reviewed may be during an audit.
• Exception reporting may be used but again this needs to be reviewed by a senior
manager.
Discuss the need for data classification that can help develop the appropriate control
techniques.
What classification scheme could be used in the Institute of Chartered Accountants?

The solution could suggest:
• Public
• Members only
• Staff and Members
• Staff only
• Executive staff only
Paper F21 Page 49

You should discuss the basic control principles and ask students what could happen if controls
are too restrictive.
You should get examples of the physical controls that students may have experienced at
various sites.
Describe security procedures that could apply to contractors working at a secure site.
• Are contractors to be treated as employees or guests?
• They need access rights such as badges and key cards.
• Do they need to travel around to do their work?
• Security clearance may need to be checked.
• Will they be allowed out-of-hours access?
• Will they use their own PCs and what is the restriction on copying and removing
data.
• Do they need user accounts on the system?
• Are they also working at competitive companies?
• Is there a contract that they need to sign?
• Who is to be held responsible for them?
Discuss why most organisations only use the User Id and password access method and have
not embraced physical devices such as cards to restrict access to PCs.
Explain that even though operating system permissions can control access to files it is possible
for database system to have other access controls.
Describe the database controls that you may want to use to control a payroll clerk’s
access to employee information.
The solution should suggest:
• The clerk may be restricted in the employees that they can view, i.e. not senior
managers.
• The clerk may not be able to see all information about employees but only that
which they need to know.
• There may be restrictions on peers that the clerk can access.
Paper F21 Page 50

• There may be restrictions on the data that can be printed out as opposed to being
available on a screen.
Network security is a topic in its own right and some of the ways hackers break into systems is
very sophisticated. There is a lot of information on the Internet that you can direct students to
including:
• http://security.ittoolbox.com/default2.asp
• http://www.articsoft.com/whitepapers.htm
• http://www.cisecurity.org/
• http://www.isalliance.org/
• http://www.loc.gov/global/internet/security.html
• http://www.sans.org/top20.htm
Increasingly networks are using open systems or popular protocols rather than
proprietary systems. Why can this be a security weakness?
• Open systems have to be very well documented and this may reveal security
flaws.
• Since so many organisations use the open system there is a great deal of
knowledge about the system and statistically there will be more knowledgeable
people with criminal intent.
• The fact that so many organisations use the system makes it a worthwhile target.
• While these are all weaknesses, one strength is the fact that should a weakness be
discovered it is usually fixed very quickly.
Discuss the fact that we are now seeing increasing numbers of attacks against popular
operating systems.
Visit the Microsoft site and identify any updates for the current operating system.
There is no solution for this question other than to see what are the current security
issues at the time of presenting the course. But for example, at the time of writing there
was a security fix for IE version 6 posted at:
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp
See more security issues at
Paper F21 Page 51

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
Discuss the issues with application software. You could lead the students through the main
security issues with typical financial systems and even get software for a demonstration.
An increasingly important control is the monitoring of activity. Discuss why this is required
and how it should be implemented.
What are the issues with an organisation monitoring employee’s e-mail?

The main issues are:
• Amount of privacy that an employee expects.
• Have employees been told that the mail will be monitored?
• Who will be doing it and what type of information is being sought?
• How will the organisation verify that mail comes from an employee and not from
someone posing as the employee?
• What are the rules for e-mail and penalties?
• What about mail that uses third party organisations such as hotmail?
Discuss the ethics of other forms of monitoring employees. How would students react if they
were being monitored constantly?
Availability / continuity of processing, disaster recovery planning and control

Discuss the need for recovery in the event of a major disaster. Again this is a major topic and
there are many textbooks and web sites for reference such as
• Disaster Recovery Journal's Homepage at http://www.drj.com/
• Disaster Recovery Planning at
http://www.curtin.edu.au/curtin/audit/disaster/disaster.html
• Resources for Security Risk Analysis, Security Policies, BS7799 (or ISO 17799) and
Security Audit at http://www.securityauditor.net/
Ask students what might have happened when books were kept manually. Stress that manual
systems would often have no backups and if there were a fire an organisation would have most
likely lost all their records.
List other systems that would have no manual backup procedures.
Paper F21 Page 52

Students may be able to come up with several examples such as airline seat allocation.
If the computer goes down at check in then there is no way to allocate seats to
passengers.
Discuss the need for hot or cold sites. You can even talk about “warm” sites.
Describe why a reciprocal arrangement may not be an effective recovery option.

The solutions should consider:
• Most organisations only have limited spare capacity.
• Usually when running to full capacity most computer systems slow down or start
crashing.
• Hardware and software may have been upgraded at one of the sites, not the other,
and now they are incompatible.
• There may be other conflicts between software that will not work together.
• The owner of the system will always take priority.
• There may be confidentiality issues, especially if both companies are in the same
industry.
Students should consider what would make up adequate DRP documentation. Discuss how an
escalation process may operate.
The plans should be far reaching as the next question demonstrates.
What should an organisation consider when developing a continuity plan to recover

from a major flood?
• Floods can impact many square miles. Any offsite storage or hot/cold site will
need to be many miles away from the primary site.
• How will staff get to these distant sites and how long will it take?
• The homes of staff may be affected and they will most likely not come to work but
will be protecting their own buildings.
• If customers are local then the flood will also impact them. They may not have
such a good DRP and so will not be able to pay you even if you send them
statements.
Ask students to consider effective ways of testing the DRP.
Discuss what can and can’t be covered by insurance.
Paper F21 Page 53

IS processing /operations
IT is essential in most organisations. We have discussed the higher level planning of IT and
now want to look in more detail at how the department should operate.
One of the COBIT control objectives is that the IT department runs effectively. This is not a
primary area of review for external auditors but it may be for internal auditors.
Ask students to define “effectively” and then tie this in with the need for a SLA. Discuss the
importance and content of SLAs.
Describe the benefits of an SLA.

The solution should cover:
• Level of service is defined.
• Responsibilities are defined.
• Measurable performance should be identified and monitored.
• Forms basis for future cost benefit analysis if users want additional service.
• Sets expectations.
• Can link costs of service to service provided.
Discuss the hardware and software that may be supported by IT and what may need to be
excluded.
Explain the link between IT operations and business processes.
How could you justify moving to the latest version of an operating system if the current
one suits users fine?
• Maybe you cannot!
• What is the business strategy and the IT plans. Do they call for latest versions?
• What are the benefits and has a business case been prepared?
• What are the implications of staying with older versions especially with support?
• Will future releases of applications require the latest version?
Paper F21 Page 54

Reiterate that without the SLA it is difficult to determine if the IT department is effective. Also
subsequent development and additions can be shown to improve the levels of service that the
user requires.
Ask students to consider the types of organisation that will need to stay up to date and where
IT is a major enabler of their business.
How does the move to e-commerce impact the IT department?

• New skills required by IT staff.
• New networks required.
• Increase in volumes that need to be catered for.
• Additional risk analysis to be undertaken to see how system will impact business.
• Possible 24 by 7 operations that may impact staffing.
• Partnerships may be needed with third parties such as ISP.
You may want to discuss the move to outsourcing and its benefits and disadvantages.
Ask students who should own data. Distinguish between the job of custodian and owner. In
many cases there is no clear owner, discuss the issues that this raises.
Just as batch controls are considered old fashion, so are the controls over input/output
distribution. Stress that electronic data may be well protected but a report left on a desk is
vulnerable.
Describe the process that could be followed when printing confidential documents in a
general office.
Processes could include:
• Have a separate, secure printer for confidential documents.
• Put managers into appropriate groups so they can print to this printer.
• Collect from the printer as soon as printed.
• Stand by printer while printing to ensure no one else can see report.
• Consider the possibility of printer administrators being able to manipulate the print
queue.
Paper F21 Page 55

Link IT operations back to the risk analysis and discuss how IT staff will be required to
implement the DRP. On a day-to-day basis they will need to carry out backup and restore
processes.
List three important pieces of information that IT staff should know about the recovery
procedures after a major disaster.
• Order of priority to recover applications.
• Location of backup sites.
• How to get backup data from remote site.
• Where the Recovery Plan is.
• Where to source hardware and software.
• Who is required for recovery and their role?
• Staff should have been trained and tested the recovery procedures.
Monitoring of control compliance

Controls must be seen to be effective and complied with.
Roles of management, users, auditors

Ask students to consider the different roles and responsibilities. This ties back with earlier
work.
You should refer students to the IT governance web sites.
If one of the objectives of the IT department is to provide improved customer services

how could this be measured?
• Ultimate objective is to sell more, so sales volume could be ultimate test.
• Customers that repeat business could be tracked.
• Customers could be surveyed to see if they believe service has improved.
• Complaints could be monitored.
• A reduction in returns could indicate satisfied customers.
• A reduction in “churn” in some industries can indicate satisfied customers. Churn
is used to describe customers that leave, say, a mobile phone carrier.
Organisations are now trying to use a balanced scorecard to indicate performance. Discuss how
this can be applied to IT.
Paper F21 Page 56

Describe how a balanced score card could be used to measure the performance of the IT
department.
IT performance that could be represented includes:
• Calls to help desk.
• Outstanding faults.
• Time to clear problems.
• Types of problems.
• Down time.
• Up time.
• Network traffic.
• Numbers of users.
• Storage used.
• Amount of data input, processed, stored and output.
When discussing external monitoring in may be useful to refer back to WebTrust and SysTrust.
Discuss what needs to be done if non-compliant. Basically will depend upon what the problem
is.
Computer-assisted audit techniques

Ask students what applications and hardware they use regularly. How technically competent
have some of them become? Can they write programs?
Discuss the need for IT audit specialists and also the need for all accountants to be computer
literate. Are there any accountants that do not need a computer?
Discuss some of the systems development processes and what they will need to know.
Computers normally run a complied version of software. When checking source code
how can the auditor be sure that they are looking at the right version of the software?
• Dates of files and compilation.
• Recompiling and running a program to compare the two compiled files.
• Program version control procedures.
Paper F21 Page 57

• Processing controls to ensure correct version is used in production environment.
Testing is an essential control and the way testing is undertaken should be discussed with
students. Stress the need for the levels of testing and the way different people, including users
will be involved.
When would an organisation choose a parallel implementation instead of a direct

change over?
• Can systems be run in parallel?
• Which one will be considered real?
• Will there be enough time to do both and will staff be available?
• What is the objective of the parallel run?
• What will determine correct operation?
• Is this to compensate for poor testing?
• Will staff be trained as they go?
Discuss the use of reporting tools and ask students if they have already used such tools.
Generic tools may be more useful and could be used at different clients.
Lead into a discussion of other computer tools that students can use in an audit environment.
Look at the “Auditing” tools supplied in Microsoft Excel and summarise what they
would do for you.
The student should identify:
• You can trace dependent cells in the spreadsheet.
• You can trace precedents and dependents.
• You can track formulas with errors.
• The auditing toolbar also allows you to trace cells with data that does not meet a
data validation that is created with the data menu.
• Should these tools be called auditing tools?
Computers should be effective tools in the hands of accountants.
Paper F21 Page 58

3. Case Studies
3.1 Join In Inc
You are a consultant who has been appointed to assist the financial controller to implement a
new personal Computer (PC) based financial accounting system selected by the Mr Khan,
Managing Director of Joinin Inc (Joinin) and also owner of the company. You have also been
asked to help the company develop a strategic plan.
Joinin was established 2 years ago as a computer distributor, specialising in the sale of
notebook and laptop computers and a full range of accessories e.g. carrying cases, docking
stations. At the time the company was set up, Mr. Khan believed there would be enormous
growth in this area and the growth of his company has confirmed this. Joinin now consists of 5
retail branch offices in large regional towns and a warehouse and head office function in
Karachi. During the last year, Mr. Kahn has begun to sell through dealers in smaller towns.
Mr. Khan has encouraged the branch stores to operate autonomously. Individual stores have
local computer systems to handle customer orders, customer tracking, marketing etc. Sales are
normally for cash or credit card, although there has been an increase in orders for specialty
notebook computers that are then billed to corporate customers. Dealers place their orders with
head office.
Head office keeps track of the dealer orders and fulfilment processes.
Summary financial data in provided below:
YEAR ENDED SALES GROSS MARGIN STOKC HOLIDNG

Rs Rs Rs
31/12/1999 225,000 51,750 49,000
31/12/2000 4,650,000 930,000 850,000
31/12/2001 16,440,000 2,350,000 3,750,000
In your initial meeting with Mr. Khan and the Financial Controller, Mr. Addit, the provided an
overview of the company. Here is an extract from the meeting notes:
As you can see from our figures, the past 3 years have been extremely successful for
Joinin. In a highly competitive industry, we have been able to capture a high proportion
of the market, largely due to our ability to deliver specialist notebooks to our customers
without lengthy delays. With the current high demand, manufacturers have been unable
to supply sufficient stocks to meet industry demands. However we have overcome this
by ordering products from our suppliers based on expected demands of our customers
and by close liaison with our suppliers to monitor delivery times.
The business has now grown to the extent that we need more computerised controls
than those provided by our existing PC based cashbook system. With increasing sales
volumes, we have a larger volume of outstanding customer accounts and higher stock
Paper F21 Page 59

levels. Also the risk of obsolescence in our industry means that we cannot afford to let
our stock holdings get out of hand.
Another issue is that our competition is increasing. Other sellers of PCs are beginning
to move into the notebook market and together with the improved production
capabilities of manufacturers this is pressuring us to reduce our prices. We need to look
at promoting IT more as a strategic weapon rather than an administrative tool.
As you know, we have purchased the Cashit Accounting software package at a cost of
Rs 10,000. It is a multi-user system that comprises the following modules:
• General Ledger
• Account Receivable
• Accounts Payable
• Inventory Control
• Cashbook
i) Identify 3 key critical success factors (CSFs) for the business and explain why
each of these is critical.
ii) What sort of information is required to monitor the performance of Joinin against
the CSFs.
iii) List 3 ways in which IT can play a more strategic role for Joinin and provide real
or hypothetical examples from various industries. Identify how each way listed
might relate to this company
iv) Describe how IT plans should be developed in relation to this organisation’s
business plan.
v) Given the current situation in the organisations there is a need to centralise
customer information for use in national marketing. Which areas would you want
to investigate further to determine their impact on the IT strategic plan?
vi) You are invited to speak for approximately an hour at a meeting of the branch
managers and major dealers to explain the IT Strategic Plan. Develop an agenda
for the meeting and explain how you would run the meeting. Consider what
issues you think the managers might raise and describe how you would handle
these in the session.
Suggested Solution
i) CSFs should be directly related to the material in the question and could include:
• Purchasing policy. The ability of the company to purchase notebook computes so
that they can deliver them to customers more quickly than their competitors
• Debtor Control. Cash flow is important especially given the high stock value.
Mechanisms need to be in place to collect revenue as soon as possible.
Paper F21 Page 60

• Stock Control. In an industry with a sustained downward pricing pressure, it is

critical that slow moving stock is quickly identified and converted to cash.
• Pricing control, the pricing pressure from competitors will results in decreased
margins (evidenced by decreasing Gross Profit margin in the figures supplied).
Margins on stock items need to closely monitored.
ii) The sort of information that should in place to monitor these would be:
• Purchase order information including costs, outstanding orders, expected delivery
dates and forecast sales.
• Debtors information including g cash receipts, orders taken and projected sales.
• Stock information including % turnover of items, stock items not sold for a certain
period and holding times.
• Detailed sales information would be required including sales by region, salesman
and period, discounts given and difference between buy-in and selling price.
iii) There are man y ways in which IT could play a more strategic role for Joinin. These
include:
As a competitive tool
• Provide field staff with effective methods of gathering information e.g. using
mobile technologies such as laptops and hand-held computers. Dealers with
hand-held computers could provide almost instant access to obsolete or slow
stock to negotiate deals with priority customers and move the stock.
• Provide effective methods for tracking stock items and performing stock takes
more easily e.g. introduce bar-coding and scanning technologies. Picking stock
in the warehouse could be more timely with bar-codes and scanning
technologies. More frequent stock control could move some of the potentially
obsolete stock.
• Provide a collaborative computing environment to help staff across all
department share information e.g. e-mail, and other groupware. By allowing
staff in the retail branches and warehouse and head office to communicate and
have access to important stock and customer information for better services.
• Investigate integrated systems that will provide more information for targeting
customer types and special customers e.g. CRM systems. Brining all system
together will overcome some inefficacies in each branch looking after its own
systems and it will provide head office with better management information for
decision-making.
To re-engineer business processes
• Rationalise systems and allow staff to share facilities e.g. use the same order
and customer management information systems and processes. AC RM or ERP
system would necessitate a review of business processes and rationalisation of
duplicated processes at remote branches and head office
Paper F21 Page 61

• Provide tools to re-engineer processes and determine effects e.g. CASE tools.
By providing a selection of the tools available to management, Joinin will
facilitate better analysis and design of information systems.
• Provide the ability to capture cost information about current processes to
determine where there are inefficiencies e.g. investigate activity-based costing
• Provide the facilities to automate current manual processes e.g. robotics for
picking orders in warehouse
For inter-organisational linking
• Provide direct access to supplier systems for ordering and tracking delivery of
orders e.g. EDI systems. Many suppliers now use networks and
communications software to enable direct access to suppliers systems. This
would enable Joinin buyers access to better information and faster order
fulfilment.
• Provide timely information to partners e.g. extranet and collaborative tools.
c) The student should be able to relate the development of an IT Strategic Plan to Joinin
in terms of the major players and issues to be covered. The key to being able to work
with the business on the Strategic Planning is that the company has identified using “IT
more as a strategic weapon than an administrative tool”.
The company will need to develop its business strategy first in consultation with IT.
Once the business knows its goals and objectives, then it can begin to develop and look
at the strategic use of IT.
IT Strategic planning should identify opportunities that can then be tested against the
Business plan and revised until they are aligned.
Armed with the IT Strategic Plan, the IT Manager will then be able to address the IT
planning issues, develop priorities for IT acquisitions and systems, and address the
operation’s strategy.
3.2 Reedit Publications

Reedit is a publisher of children’s and educational textbooks. It is planning to upgrade its use
of technology including greater automation of its head office and production facilities.
Currently it operates production facilities at 3 of the regional centres focussing on children’s
books while the remaining centres focus on educational textbooks.
In the past, the company’s technology has been developed in a somewhat ad-hoc manner. Fast
growth has meant that systems have been developed in reaction to problems rather than in any
planned manner.
The following briefly summarize the company’s information architecture:
• Technology. The company runs 2 mid-range computers that have significant capacity
and performance issues at present. The processing load on the hardware is very high and
this is causing bottlenecks with memory and disk activity.
Paper F21 Page 62

• Network. Local Area Networks (LANS) are in place at the head office, each of the 5
regional distribution centres and in several other locations. Most of the factories have
terminal connections with a few stand-alone desktop PCs. A WAN is in place
connecting each of the major regional centres.
• Applications. Reedit purchased a software package for accounting some years ago. The
software also provides some functions for sales, manufacturing and distribution areas.
The applications have been heavily modified with a few specialized systems
development for forecasting and analysis. Several projects are underway at present to
improve the existing systems.
• Data. A well-known database is being used as recommended by the software vendor.
• IT Organization structure. Two teams are in place with separate IT managers. One team
is in the production facilities and includes 10 staff to support the production plant as
well as the regional distribution centres. The other team is in the Head office. This team,
comprising 5 people, supports the WAN and desktop as well as the centralized systems.
The Executive management of Reedit recently announced it is going to change the business
approach from a regional basis to offer products at a national level (i.e. all product lines
available nationally) plus extend its range into educational games.
The company has been working on its business strategy and the overall approach includes
setting its Corporate Mission Statement/Vision and then establishing the broad objectives and
strategies by product line. Business Managers will determine specific plans to achieve the
corporate mission. The IT managers have been asked to participate in the process.
You are a consultant assigned to help Reedit Publications (Reedit) prepare its
Information Technology Strategic Plan.
i) Explain how the proposed restructuring could affect the current information
architecture.
ii) The table below outlines some of the tasks in the overall Business Strategic
Planning Framework. Using the table, identify and explain the IT Strategic
Planning tasks that need to be considered within this framework. (NOTE that not
every row of the table needs to be used.
iii) Identify the use of an IT Strategic Plan for Reedit. What information from the IT
Strategy document could also be included as separate sections within the
Business Strategy document? What sections from the IT Strategic Plan would you
recommend are excluded from the Business Strategic Plan and form part of a
separate IT document?
Stage Purpose Process Deliverables

Vision Set Business mission
statement and vision
Paper F21 Page 63

Strategy Set broad business

objectives and
strategies
Implementatio Set specific business

n strategies.
Suggested Solution.
i) The proposed restructuring could affect current IT architecture in many ways including:
• Technology. Capacity and performance are already an issue. Adding to processing and
expanding products lines will impact this and place heavy demands on the systems. The
IT implications are to look for adding memory, and disk storage capacity or to evaluate
an overall upgrade to the system. More strategically there might be better production
control systems that will necessitate a move to client/server architecture.
• Network. Local Area Networks must be standardised and able to connect all centres.
Greater automation linking all centres might necessitate a review of the entire network.
More strategically, an investigation into the Internet, intranets and other network
solutions might prove fruitful and require more focus on security issues such as
encryption and firewalls.
• Applications. IT is unknown how the systems are currently structured but to move to a
national product line will require a review of the systems. Can they handle the new
expanded product line? Can they handle the new accounting controls and systems? Will
they still be appropriate for a new architecture and will they be able to support the
centres over a network?
• Data. Although no details are given, this area must be reviewed as part of the overall
architecture. How does the database relate to the other systems? What sorts of users
require access? Should it be integrated across the organization and with all systems?
Strategically it might be appropriate to look at an ERP system to integrate all system and
provide improved information for management decision-making.
• IT Organization structure. This is the area that will have the most impact. With 2 IT
managers and various locations, the issue of staff skills and performance will be key.
Identifying the location of the IT department and the roles of the 2 current managers will
need to be handled carefully. Understanding the resources needed and the skills needed
for the new architecture will be crucial.
ii) Typically IT strategic planning is done as a separate exercise however this is changing and
the biggest issue today is how to align the business Strategic Plan with The IT Strategic Plan.
Student’s answers will vary for this questions and there is no one correct solution.
What we are looking for is an understanding that the strategic business plan underpins and
drives the IT strategy. IT is not a technical document and should be high level.
Paper F21 Page 64


Stage Purpose Process Deliverables
Vision Set Business mission
statement and vision
IT Purpose and To gain a shared Describe the desired Brief IT direction.
Vision understanding of the state of IT within the
IT Direction within the business – including
business. the IT Dept and the
rest of the
organisation
Strategy Set broad business
objectives and
strategies
Understand the Complete and Systems overview
current IT inventory and Systems
environment assessment of all assessment
systems and
infrastructure
Identify technology Review literature, List of key factors
trends that could attend trade shows, and key
impact the business and contract technologies
consultant’s report
about technologies
that impact the
broad business
strategies.
Establish IT objectives Identify key business Summary of IT
and Strategies areas that need to objectives
be supported and
critical success
factors
Implementatio Set specific business
n strategies.
Specify IT strategies Determine priorities Project summaries
and evaluate key for business areas in linked to specific
business areas terms of projects business strategies
Indicative
costs/benefits
Develop a high-level Document Application
IT Architecture standards, direction Architecture
for each component
Paper F21 Page 65

of the Information Data Architecture

Architecture Technology
Architecture
Network
Architecture
IS Organization
structure
iii) The IT Strategic Plan for Reedit should provide a framework that supports future IT
decisions about projects, budgets, and resources. The document also provides a communication
tool to IT staff and the rest of the organization about the direction, priorities and resources
issues for IT.
Sections of the IT Strategic Plan that should be included in the Business Strategic Plan are:
• Current IT assessment including overall assessment, status and issues relevant to
Reedit
• IT Strategy containing an outline of the proposed projects in terms of the business
and product strategies that they support. This could also include a high-level
information architecture and plan for IT projects.
• IT Strategy Implementation Plan highlighting dependencies, transition issues and
opportunity factors.
Sections that would not be included in the Business Plan are:
• Project Descriptions giving brief scope, name, dependences, critical success
factors
• Information Architecture models that are more technical in nature e.g. network
architecture and data architecture
3.3 Veemax
Veemax manufactures and distributes solar power systems for homes and are recognised
overseas as being leaders in their field. The company deals directly with home builders and
some residential architects but plan to develop larger systems for office buildings and hotels.
Veemax has separately managed data centres in 4 large towns across Pakistan. There are 3
types of hardware platforms in use by the company. Veemax recently acquired new hardware
the head office based on an expected life of 5 years. Applications are mainly purchased, fairly
old and undocumented, with some modifications made for the business requirements in each
town. Each data centre is responsible for all local IT Functions, and involves systems analysts,
business analysts, computer operations staff and user support representatives. Network
communications is arranged in a coordinated manner across the data centres.
Paper F21 Page 66

The proposed investigation needs to assess the cost, benefit and ability of two or three IT
operating alternates. A management committee consisting of the business managers and IT
managers for each town will approve the recommendation.
You have been asked by Veemax to propose consulting services to help assess the future
operating alternatives for its data centres, based on outsourcing and centralisation options.
i) Prepare a presentation to the Veemax management committee that outlines the
alternatives you propose to investigate and your initial reasoning. Describe the
areas/factors you will investigate to help Veemax assess each of the alternatives.
ii) Provide a list of the IT functions that Veemax could separately outsource.
Suggested Solution
This questions is designed to assess the student’s understanding of centralised
processing versus distributed and the issues involved with each.
i) We would expect the students’ to identify 3 alternatives including:
• Centralise data centres
• Outsource data centres
• Combination of outsourced and centralised data centres e.g. retaining the moist
critical functions and outsourcing the less critical ones.
The factors that the student should assess includes:
• Cost of each option.
Centralisation costs that need to be taken into consideration include environment
and infrastructure costs, maintenance costs, administration, support costs,
technology obsolescence costs, data communications costs, software license costs
and data recovery/redundancy costs.
The outsourcing option will incur many of the above factors and will also depend
on contracting arrangements. These must include support, location of work and
support, ownership of applications that will be used and how the deal is structure.
Transition, conversion and long-term costs likely should also be investigated.
• Infrastructure.
Requirements that need to be assessed include the space required for the data
centres, the network and communications links, staffing and the IT organisation
itself. These considerations all have important implications for Veemax. For
example, consider the business continuity issues concerned with providing a
satisfactory response time to the centres.
• Applications.
Consider the impact on applications in each option if there are regional
differences, or if there are licensing implications of choosing a centralised system
and if all requirements are the same for each centre.
Paper F21 Page 67

Considerations should also look at the longer-term requirements of Veemax and if

the option chosen will impact on the strategy or future choices.
• Hardware.
Centralised and decentralised systems will mean different capacity and
performance issues. Also need to consider life expectancy of equipment and
whether it fits in with Veemax’ strategic direction.
• Business
The impact on business service must be assessed. What is best to serve the
customers? How will the business units be co-coordinated if the systems are
outsourced? What impact will this have on budgets? How much training and re-
training will be needed for each option?
ii) Outsourced Services
Almost all the current IT Services could be outsourced from planning to support.
Recommendation to management should consider:
• What systems and activities are strategic to the company’s business?
• How much will outsourcing save the company?
• Does the company have access to the necessary skills and knowledge?
• Will outsourcing help support the company’s future directions?
While there isn’t a great deal of information available for making this decision, the
student should have a sufficient understanding of outsourcing to be able to identify
some of the more common outsourcing options that might suit Veemax including:
• Centralised data centre
• Operate the data centre
• Maintain current applications
• Develop future systems
• Operate the network
• Provide user support
• Provide PC and system support
• Handle systems administration functions.
3.4 Patak’s Fine Silks

Patak’s Fine Silks manufactures silk for the fashion industry. Patak’s has been operating for
over 15 years and it now commands a healthy 30 % of the local market. Its systems work well
although the IT Manager has repeatedly requested additional funds to upgrade the equipment
and systems that are running near capacity.
Paper F21 Page 68

The company has just been sold and the new owner is looking to make the company more
profitable and undertake an expansion program to raise its profile. Patak’s new owner is
extremely interested in the opportunities that ecommerce could offer the company and wants
the Board to support him in pursuing such a strategy. The Board comprises 12 members, 8
members who have served more than 3 years and 4 new members.
You are the IT Manager and the new owner has asked you to prepare a presentation to
the Board on the opportunities and risks of adopting an ecommerce strategy and what
the company might do about it.
You may use PowerPoint but include the notes you might use to guide you through the
presentation.
Would you provide any handout? Why or why not? If so include these in your answer.
Suggested Solution.
The questions seeks to test if the student can distil a lot of information into a
meaningful, short presentation on a real IT issue with a specific audience in mind.
Even though there is no provision for the students to present their answers, the answers
submitted should demonstrate an understanding of the use of PowerPoint to present the
facts and back that up with the written words.
Students’ answers will vary but the format and presentation should be well structured to
suit the intended audience of senior management level. We would expect slides to
contain no more than 6 – 8 dot points, be clear and follow a standard template.
Handouts would be advisable for this presentation as the new owner seeks to obtain
support from the Board. Handouts will provide the Board members with material that
they can refer to on an ongoing basis.
The student’s should assume no, or limited, knowledge at Board level about
ecommerce and the latest technologies. A suggested outline for the presentation
follows:
• Agenda – tell them what you are going to cover in the presentation.
• Current IT System – it would be a good idea to set the scene for the new Board
members in terms of the current architecture and issues. This should be high level
only but should highlight that something must be done even if the Board decides
not to proceed with an ecommerce strategy.
• What is ecommerce? Introduce the topic and explain what it means. Use examples
where possible.
• Terms and technologies. Provide a high level introduction of some of the new
terms they might not have heard about e.g. website, extranet. A handout of
definitions might prove useful to the Board members.
• What are the advantages?
• What are the risks?
Paper F21 Page 69

• Next Steps – present some alternatives for taking the next step for example it
would be necessary to undertake a Strategic Planning exercise to establish the
framework for an ecommerce strategy. .
• Questions
The answer on benefits and risks should include some of the following considerations.
Advantages
• Competition. New markets are available through ecommerce technologies such
as website which has global reach and it also permits targeted marketing.
• Wider audiences. Traditional marketing for Patak’s is confined to the local
market. Ecommerce technologies will allow Patak’s to expand its customer
base regionally, nationally and globally. A Website will extend its reach to a
potentially broad audience.
• Cost effective marketing channels. Extranets will allow Patak’s to form closer
relationships with manufacturers and designers and thus establish multiple
marketing channels quite cheaply.
• Innovative marketing. New technologies allow more meaningful material to be
produced e.g. streaming videos to demonstrate the product or detailed
catalogues complete with pictures and price lists.
• Cost Reduction. Many ecommerce technologies allow streamlining of the
supply chain, new cost-effective alliances and more effective warehousing and
delivery modes. Consider the cost reduction effect of technologies enabling
virtual warehousing – producing goods only when orders are received and
avoiding costly inventory collections.
Risks
There are many risks associated with ecommerce and the IT risks may be categorised
into 3 areas.
• IT Infrastructure risks. These risks relate to the hardware and infrastructure that
is required to keep systems accessible and operational to support the business.
Risks can arise from unauthorised access, physical loss of equipment,
inadequate emergency plans, improper disclosure of information or inadequate
encryption.
• IT application risk. Most of these risks are the same as the traditional risks of
IT applications including bugs and errors, inadequate testing, inadequate
integration of systems, inadequate reconciliation, lack of audit trails and lack of
version control of programs.
• IT Business process risks include transaction date not transmitted efficiently or
completely to accounting systems, backup systems only addressing the
ebusiness processes, design and implementation of interfaces not appropriate,
and controls applied to one process without regard to the entire process.
Paper F21 Page 70

Other risks include legal risks e.g. privacy, confidentiality and regulatory issues that
may differ from one country to another e.g. textile standards.
3.5 Controls
You are the Computer Audit Manager of GGG Limited (GGG). The company manufactures
and distributes ceramic tiles throughout Asia. The company is in the processes of restructuring
its operations and implementing a new financial system called BIGSYS. The new system
includes modules for sales orders, accounts receivable, purchase orders, accounts payable,
fixed assets, general ledger and financial statements as well as a report writer.
In the past, a lot of company time and money was spent on non-value added reporting.
Extensive reporting requirements have been imposed by head office and the branch sites have
also tailored some of their accounting systems to fit their own internal and external reporting
needs. The changes are typically made by one of the in-house programmers very quickly as
part of their daily support duties. This has led to information that is not used and information
that is not comparable between the different branches. Further, there is a lack of confidence in
the accuracy of information from the current systems unless double-checked or additional
manual controls are established. The external auditors have chosen not to rely on system
controls in a few areas such as inventory and accounts receivable.
Users are provided access to all the current system modules and are cross-trained in different
areas to allow for extra help during busy periods or when key staff are away due to illness or
annual leave. There continues to be pressure to better leverage employees including extensive
empowerment of management and staff at all levels.
The new financial system is being used to help establish more cost-effective and consistent
financial processes across the business. The system will provide for a more distributed
computing environment and additional features will be available such as remote access,
Internet access and integrated system controls.
A project team has been formed to:
• set-up and configure the system parameters to satisfy GGG’s requirements based on the
business needs and industry best practices;
• tailor, where critical, the new system primarily in the sales order and reporting areas; and
• complete data conversions and establish interfaces with a few other systems such as the
payroll and manufacturing systems.
Required
a) Prepare a brief overview to management outlining internal audit’s proposed
involvement in the security, audit and control design and implementation work for the
new financial system. The overview should include explanations about the:
i) current control environment and business plans that could give rise to added control
risks;
ii) key outcomes and benefits from internal audit’s involvement in the control work; and
Paper F21 Page 71

iii) control work approach including scope and key steps.

b) Outline the topics that need to be addressed in an information security policy for
GGG. This should not be just a list of security mechanisms but rather a structure for
preparing a security policy document for GGG. Describe in more detail the key security
policy matters that need to be addressed regarding GGG’s future use of the Internet
including topics related to scope, requirements and responsibilities.
Suggested Solution
The following lists key issues and principles associated with this question:
• As with any consultant or resource’s involvement in a system project, management
need to understand the value of involving audit staff to proactively assist in the
control design and implementation work for new systems. Early involvement of
control specialists will help ensure that the new systems will be implemented with an
integrated set of controls, avoiding a subsequent “band aid” approach.
• An Information Security Policy is provided to confirm the company’s security goal,
clarify rights and responsibilities, provide guidance / requirements and rely on
employees’ common sense and good judgement.
Potential Problem Areas

The following lists possible problems candidates may encounter with this case study:
• Many candidates should be comfortable with this question if they have an audit
background and this may result in solutions focusing more on control techniques
(e.g., input, process and output control methods) rather than the control design risks,
benefits and approach.
• Some candidates may focus on audit’s role being more of an adviser, quality
assurance or monitor. This is considered less effective than active involvement
although such roles can also be included.
• Information security topics may be focused on particular security mechanisms (e.g.,
password control, user access validation) and exclude key matters related to purpose,
scope and enforcement processes. Candidates were specifically instructed that the
solution “should not be just a list of security mechanisms but rather a structure for
preparing a Security Policy document for GGG”.
a) Solution Summary - Control Design
It is well established that appropriate (internal) audit involvement in system
development can contribute significantly to a successful system development or
implementation project.
The following is a brief overview outlining Internal Audit’s proposed involvement in
the security, audit and control design work for the new system.
i) BACKGROUND – CURRENT CONTROL ENVIRONMENT
Paper F21 Page 72

The following summarises the current control environment of GGG:

• Security - need to strengthen security regarding system access, segregation of
duties, remote access and Internet access. Users are multi-skilled and that can be a
good thing. However, it is important to maintain reasonable segregation of duties.
The fact that controls are poor, users can get changes made and there are and will
be extensive report writing features which could give cause for concern.
• System Development and Maintenance - need to establish more rigorous /
standardised approaches for program changes including testing. GGG has allowed
an autonomous method of working that may have advantages in ensuring that staff
and managers feel that they have control of their domains but this can cause
problems when trying to tailor packages. The definition of user requirements will
have to embrace multiple and diverse needs and there could be disagreement
between what Head Office (HO) wants and what the branches need. If the user
requirements are allowed to evolve the project will never end. Requests for
changes need to be evaluated in the light of a cost benefit.
• System Controls - need to enhance system controls to ensure information
accuracy and reduce need for double-checking or additional manual controls.
However, this needs to be balanced with the need for automated controls and
reports to have a clear purpose. As a general rule controls and information that
cannot be acted on or used to help achieve the business goals are not required. As
well, users may not design sufficient controls themselves due to lack of experience
thus leading to inaccurate or incomplete data.
• Audit Controls - need to enhance controls in systems to allow for greater audit
reliance such as for inventory and accounts receivable. External auditors have not
relied on controls and this would indicate that they are non-existent or not
functioning. While there is no evidence that the systems are producing inaccurate
data, such as a qualified audit report, it is not an acceptable situation. It may be
that external audit costs are higher because of the additional work performed.
The following business plans of GGG that could give rise to added control risks:
• Greater distributed computing - e.g., possibly lack of data synchronisation
between branches, loss of traditional audit trails and significant increase in number
of users
• Reorganisation of business - e.g., possibly employee roles will be unclear
• Pressure to leverage employees and staff empowerment - e.g. possibly lack of
duties segregation
• Interfaces - e.g., possibly poor data integrity between systems
ii) OUTCOMES AND BENEFITS
• Controls - help ensure that the processes and systems being established are
well controlled, auditable and secure rather than an “add-on”. This includes:
Paper F21 Page 73

 completeness
 accuracy
 authorisation/confidentiality
 timeliness
 validity
 pertinence
 consistency
 presentation / disclosure
 availability/continuity
• Practical - strive for an appropriate balance between satisfying control
objectives and users’ needs. Internal audit staff should have greater external
experience in control design to help apply best practices.
• Integrated - early involvement of control specialists will help ensure that the
new systems will be implemented with an integrated set of controls, avoiding a
subsequent “band aid” approach. This allows for simplified and more precise
efficient controls as well as greater technology flexibility that is not restricted
by burdensome “add-on” controls.
• Assurance - provide audit assurance and the implementation of reliable
functionality, controls, audit trails and security will help save audit and
operation time and costs (e.g., by automating controls). Internal Audit should
be able to consider the “big picture” and have a more independent corporate
interest to help ensure realistic expectations and benefits realisation.
• Other - general benefits not directly associated with the controls design could
include Internal Audit’s more direct access to management, ability to act as an
arbitrator, help ensure adequate documentation and ability to carry out quality
assurance if necessary.
(iii) APPROACH
• Scope - The scope of Internal Audit’s involvement is as follows:
 Activities - the controls, audit trails and security work cover both the
business processes and computer systems excluding the interface
system such as payroll and manufacturing.
 Teamwork - the Internal Audit representatives will work closely with
representatives from the project team to define, document and
implement the controls and will keep management well informed on
the work status.
 Best Practices - controls will be established based on researched best
practices. Sources of the best practices will be confirmed early in the
project.
Paper F21 Page 74

 System Reviews - excludes post-implementation audit reviews of the

processes, interfaces and controls (both manual and automated) in the
live environment that would be performed as part of separate audit
assignments, as appropriate.
• Steps - the controls design work will include the following steps (candidates
may provide other approaches and further details):
 Plan the Assignment - to assess the best design approach and support
needs. This includes identifying the required resources from Internal
Audit.
 Conduct Controls Workshop (or meetings) - to gain understanding
and support of the project team.
 Define Control Objectives, Integrity Requirements and Integrity
Techniques - for high and medium risk areas within each business
process. This will include evaluating inherent risk and control risk of
the project by carrying out a risk assessment exercise. As well, a
review of the systems development and program maintenance policies
and procedures is required with improvements to be proposed.
 Support Process Teams in the Configuration of Security, Controls
and Audit Trails - including interfaces and data conversion.
 Support Testing of Controls and Security - as part of planned
systems test activities.
Additional Discussion Questions
• What types of controls could be considered early that would be less likely to be considered
after the system is implemented?
• Why could management resist audit’s involvement in the project, opting just for the post-
implementation review approach?
b) Solution Summary - Security Policy

Security policies will primarily focus on the security characteristics of the company’s
principal computer platforms or the perceived security risks which if not managed
could cause significant loss or inconvenience to the business. The following outline
suggests topics that need to be addressed in the Information Security Policy for GGG.
The actual format would be dependent on the company’s current format for policies.
SCOPE AND RESPONSIBILITIES
• Purpose - state overall purpose such as to help protect company information
assets including systems that are to be used for business purposes only. Overall,
the policy is provided to confirm the security goal, clarify rights and
responsibilities, provide guidance / requirements and rely on employees’
common sense and good judgement.
Paper F21 Page 75

• Staff Covered - state the policy applies to all employees (full-time and part-
time), contractors, suppliers, customers, service providers and other parties with
approved access to company information assets.
• Information Sources - state information sources covered under the policy such
as intellectual, electronic and hard copy (written and printed).
• Information Assets - state company information asset covered under the
policy such as hardware and applications.
• Staff Responsibilities - state overall responsibilities of staff such as protecting
company data and personal computers, keeping passwords confidential and
reporting any security risks or possible breaches.
• Security Roles and Responsibilities - state key responsibilities for enforcing
the security policy such as security function, information and system owners,
departmental responsibilities (e.g., audit, human resources, media relations).
• Related Regulations and Terms - reference related regulations and
employment terms that are applicable in conjunction with the security policy
such as ethics, data protection, privacy, and confidentiality agreement.
• Compliance - state ramifications of security breach such as failure to comply
will result in disciplinary action, including possible termination and legal
actions.
REQUIREMENTS / GUIDANCE
• Base Security - state the security policies such as those related to access, data
protection, and asset protection. The policies should:
 not be fixed to hardware or software currently in use.
 be a balance between excessive coverage and being too generic.
 focus on security risks rather than listing the type of security
techniques and tools used.
 state the reason for a security requirement and examples of
inappropriate use to help clarify each security requirement.
Base security areas to be considered in addressing the risks include:
 firewalls;
 anti-virus tools;
 access control;
 enhanced user authentication;
 encryption;
 physical security: and
 disaster recovery plans.
Paper F21 Page 76

• Security Risk Management - state process for assessing and managing

security risk such as identifying information assets, assessing threats, and
defining actions (e.g., accept risk levels, transfer risks, mitigate risks with
controls, or avoid risks).
• Feedback/Escalation Procedures - outline incident reporting approach, as
well as follow-up requirements and resolution criteria.
Note - Candidates may provide more details on the types of base security topics to be
covered for GGG such as remote access, new user accounts, password protection,
firewall protection, etc.
INTERNET USE
The following describe the key security policy matters that relate to GGG’s future use
of the Internet:
• Data Security Procedures - policies need to be established regarding the
protection of data from GGG’s systems that could be accessed through the
Internet. For example:
 Establish firewall protection over modem or LAN access;
 Encrypt sensitive information being transmitted over the Internet;
 Require use of virus protection software (set company standard) and
keep employees aware of the virus risks associated with downloading
data or systems from the Internet;
 Prevent or restrict use of trusted network relationships (i.e., require
unique passwords);
 Limit or control powerful network management features;
 Prevent access ability using command line instructions ;
 Disabling system-default accounts;
 Require use of passwords that are not easily guessed (e.g., 6-8
alphanumeric characters);
 Restrict number of in-valid log-in attempts to help prevent the
password guessing;
 Restrict display of company information or system help until a user is
authenticated;
 Record security violations for subsequent review and follow-up; and
 Monitor security and immediately correct any weaknesses that
become known.
Paper F21 Page 77

• System Access and Use Protection - policies need to be established regarding

who and how access will be provided to the company systems through the
Internet. For example:
 Qualifications and/or approval process for employee user access
to/from the Internet. Who should have access? Is all staff to be
allowed access or just a few?
 Qualifications and/or approval process for external user access to
GGG’s financial systems from the Internet. GGG may provide
customers with access to systems such as order entry, inventory and
accounts receivable. The extent of information they are given access
to must be restricted and the prior data security procedures must be
adhered to.
 When is access allowed? Is access restricted to business hours? Can
staff access the Internet through the company system from home?
 Types of remote access allowed.
 External facilities to be allowed access internally.
 Which software is to be used? Will GGG standardise on one product
only?
 What is Internet access to be used for? Can orders be placed to
suppliers or from customers?
 What is it not to be used for?
• Secure E-mail Use - policies need to be established regarding the use of e-
mail. A separate e-mail policy may exist for GGG and should be referred to
and extended to cover Internet e-mail. For example:
 E-mail is to be used for business use although incidental personal use
is acceptable bearing in mind the company owns the e-mail account.
Incidental personal use could be further defined to exclude
advertising, chain letters and offensive material including humour and
images.
 Business judgement and ethics need to be applied regarding what
information is e-mailed over the Internet. The company may wish to
further define what sensitive information cannot be sent over the
Internet or must be encrypted.
 Classes of e-mail may be established with related security
requirements (e.g., casual, official, sensitive, graphics and audio,
copyright material, non-business related).
 Some company representation in e-mail or user groups may need to
include disclaimer notices to say that comments are those of the
individual.
Paper F21 Page 78

Additional Discussion Questions
• How much of security protection is common sense and does this need to be stated in a
policy?
• How long should a Security Policy be?
Paper F21 Page 79

Revision Material
R1. IT Strategy and Management

R1.1 IT Strategy
Strategic Considerations in IT Development
Key Points
• IT planning occurs at many levels including strategic, tactical and operational
• Planning must consider the position of the business in the broader market place and be
based on an understanding of the business environment.
• IT Strategic planning must be aligned with the Business strategic plan and gain the support
of senior management
• The time frame for IT strategic planning is constantly being challenged. Originally a long-
term plan would have served 3-5 years, but current best practice suggests that plans are
reviewed and revised more frequently.
E-Business Models
Key Points
• ecommerce has evolved from its original meaning related to transacting electronically with
business partners to a broader term embracing all business communications and
transactions that are completed electronically commonly called ebusiness
• ebusiness has introduced many new business models into the corporate world
• These new business models provide significant opportunities but also represent significant
threats. They rely on new technologies and must be integrated with business processes for
success.
• The current models include B2B, B2C, C2C G2C, B2E
Questions
1. What is an IT Strategic Plan?
a. An IT plan that takes longer than 5 years to complete
b. An IT plan that support the corporate business plan
c. An IT Plan that introduces new technologies and methodologies
d. An IT plan that shows what the IT department will be doing in 5 years time.
Suggested solution is b.
Paper F21 Page 80

2. Who should be involved in developing the IT Strategic Plan?

a. IT Manager, IT Auditor, CEO, Chief programmer
b. IT Manager, CEO, all departmental managers
c. IT Manager IT Auditor, Project Managers, all IT senior staff
d. IT Auditor, Sales Manager, Operations Manager
3. Identify in which sort of plan you would expect to find the following (i.e. S-
strategic, T – tactical or O – Operational)?
a. Corporate IT architecture
b. Principles behind acquisition of applications
c. Schedule of all projects
d. Resources plan
e. Performance Management Plans
f. Data management policies and procedures
Suggested answer is as follows:
a. S
b. T
c. O
d. S
e. T
f. O
4. Which of the following documents would be most useful when performing an

IT strategic planning project?
a. Annual reports from last 2 years, Sales forecasts, investment analysis
b. Sales reports for last 12 months, systems performance results, network
management reports for last 6 months
c. Systems performance results for last 6 months, sales forecasts for next 12 months,
current project status reports
d. Database management reports, sales forecasts, annual report
Suggested solution is c. Students should be able to demonstrate an understanding of the
nature of strategic planning in their answers to Why. While there are many documents
that are necessary as input to a Strategic Plan, the documents listed in C, would provide
information about demands on the systems in the past and in the future plus an idea of
Paper F21 Page 81

the workload of new systems being developed that might have an impact on the IT
architecture, resources needed etc.
5. Which of the following statements are TRUE:

e. A group of vendors in a particular industry who get together to exchange
information electronically have produced a B2B exchange
f. An individual who withdraws money from their own bank accounts at an
Automated Teller Machine (ATM) is conducting a B2E transaction
g. Customers selecting goods from an online store and entering their credit card
details are conducting a C2B transaction
h. A business lodging a corporate tax return electronically is conducting a transaction
under the G2C model
Suggested solution is a, and c are True.
6. In your opinion, what impact would the following scenarios have for an
organisation wishing to participate in a B2B exchange and why?
i. Company with many legacy systems.
j. A company that is part of a strong industry association
k. A company that has not participated in any online transactions before.
Suggested solution:
a) An exchange must be able to accept and process orders quickly and transmit it onto
the supplying organisation. Typically, in an organisation with legacy systems, the order
would pass though several systems from order sentry, to inventory, to warehouse
picking, to shipping and invoicing. Many of these systems would be running on
mainframe systems or mid-range and rely on systems that were developed many years
earlier. The format of the order information will usually not match that required by the
B2B Exchange.
Such organisations will need to adopt a different strategy necessitating either a rewrite
of legacy systems or investment in a new range of Enterprise Application Integration
(EAI) tools to interface the older systems with the newer ones of the exchange.
b) Part of the most difficult part of developing or running a B2B exchange is of getting
a common and agreed format for the transactions. If the company belongs to a strong
industry association this association can take on much of the work on behalf of its
members thus allowing the business to focus on its current operations. The industry
organisation would be in a position to manage the development and rollout of the
exchange and pull parties together. The association would also be in a position to
“broker” opportunities for its member companies and have a better understanding of
industry issues.
Paper F21 Page 82

c) A company that has not participated in online transactions before will probably have
none of the high level of security required to open their systems and processes beyond
the organisation. A B2B exchange will necessitate the company looking at investing
technologies and process to secure their systems and data. Security measures such as
firewalls, access controls, Encryption, and contingency plans will need to be addressed
as part of an ebusiness strategy.
7. Describe four (4) features that an organisation should incorporate into a B2E
solution and the benefits they would provide.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
There are many features that a student could include into this answer. Suggested
solutions include:
• Shared access to documents. Employees would always have the latest version on
hand and save time and money from trying to find a copy and maybe have to
photocopy it.
• Controlled access. Passwords and responsibility levels can ensure employees can
only see selected information and forms based on their level of responsibility.
• Events, calendar and scheduler. A centralised scheduling system offering these
features can save time and money as employees can easily schedule meetings and
events across department and teams without numerous phone calls or visits
• Address book. A corporate address book can save time and money as the
information will be maintained only once and everyone has access to the same
information.
• Task Management. Providing centralised project or task lists can save time and
money and allow supervisors to keep better control over project work.
• Corporate-wide search engine. New staff will find enormous benefits from being
able to enter keywords and find the information they want rather than having to go
or phone around and ask other people where to find the information.
R1.2 Management of IT
Management of computer operations
Key Points
• With increasingly reliance on computers systems for normal business transactions, the
management and controls of technology is a critical success factor for organisations.
Paper F21 Page 83

• Planning is essential to ensure that the computer operations serve the organisation and
support the business in meeting its goals.
• There are many functions associated with Operations management including infrastructure
issues such as capacity management, production planning, and production control; staffing
issues including IT staffing, systems training, and user support; and corporate issues such
as security and privacy.
Management of inter-organisational computing
Key Points
• Improvements in networks and telecommunications have introduced another layer of
complexity for IT managers in terms of supporting inter-organisational processes and
systems.
• Collaborative computing facilitates workers working in teams whether across departments
or across organisations.
• Distributed systems allow organisations to disperse the processing or storage of data among
different departments or company units.
• EDI is the direct exchange of data and information between 2 companies. EDI requires
agreements between the organisations as to the format and nature of the information to be
exchanged plus agreement on the nature of the exchange mechanism.
• While outsourced services offer another way for organisations to manage their business
processes and staffing across a number of areas, it brings with it a number of issues
including performance, security and costs.
Management of End-User Computing
Key Points
• End-user computing is a type of distributed computing that needs careful management
• Key issues include planning, managing and controlling the acquisition of technology and
software in end-user environments
Financial analysis and control
Key Points
• Various costing models are available for the acquisition and management of capital items.
• Return on investment has long been an issue for IT management.
• Monitoring and managing the costs of computing are more difficult as organisations move
to outsourcing, end-user computing and inter-organisational models.
• Charge back for IT services supplied to other departments within an organisation raises
many issues including planning, corporate architecture, research and development etc
Paper F21 Page 84

IT Control Objectives
Key Points
• Management must understand the risks and threats to the organisation before
developing their controls framework.
• Policies, practices, and procedures must be relevant and appropriate to the level of
risk faced by and organisation.
• CobIT provides a framework that can be used as a guide.
Questions
8. Describe the differences between an operations strategy and an IT strategy
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Students might choose to describe the differences in terms of the table of contents but
the main differences that should be included in any answer should demonstrate an
understanding of the difference in scope of the strategy and in timing. The IT Strategy
is a high level document that is aligned with the Strategic Plan of the business and
describes a framework for evaluating all IT decisions. The Operations strategy is a
document at the operational level that describes the overall approach to the technology
itself and how it will be managed
9. Are the following statements TRUE or FALSE?

a. The purpose of a Business Continuity Plan is to ensure that steps are taken in
advance to maintain continuity of essential business functions should a crisis
occur.
b. Logging systems resource usage and monitoring results is essential to ensure that
IT Resources are available to meet the demands of the organisation’s business
units.
c. Operations management must work 24 hours x 7 days to support the business
d. Problem management involves logging and analysing problems in applications or
infrastructure to ensure that problems can be quickly fixed.
e. Configuration management is concerned with identifying, managing, and tracking
the components of information system applications.
Paper F21 Page 85

a. The purpose of a Business Continuity Plan is to ensure that steps are taken in
advance to maintain continuity of essential business functions should a crisis
occur. TRUE
b. Logging systems resource usage and monitoring results is essential to ensure that
IT Resources are available to meet the demands of the organisation’s business
units. TRUE
c. Operations management must work 24 hours x 7 days to support the business.
FALSE
d. Problem management involves logging and analysing problems in applications or
infrastructure to ensure that problems can be quickly fixed. TRUE
e. Configuration management is concerned with identifying, managing, and tracking
the components of information system applications. FALSE
10. Which is the most important aspect of EDI?

a. The ability of computer applications to communicate automatically
b. The ability to transact using computer links
c. The use of a third party value added network to assist trade electronically
d. Use of agreed industry-wide standards for data interchange
Suggested solution is d.
11. What is the most important element of entering into an ASP agreement?
e. Obtaining a copy of the Annual report of the ASP
f. Developing a mutually agreed Service Level Agreement
g. Checking references of current clients
h. Ensuring that costs of the agreement are less than currently expended
12. List 4 types of software that can be used to provide a collaborative work
environment.
There are many answers that the student could provide. Suggested answer includes:
• Email
• Groupware
• Shared Calendar applications
• Meeting software
• Intranets
Paper F21 Page 86

13. Are the following statements TRUE or FALSE?

Suggested solutions is:
a. Distributed systems are easier to manage than other system architectures FALSE
b. Distributed systems can be defined as systems where corporate data is managed by
a number of different user departments. FALSE
c. The trend to distributed data processing has occurred as a result of the decrease in
the cost of computer hardware and the increase in functionality and availability of
software. TRUE
14. Identify 3 applications that could be well suited to end-user computing.

Suggested solution should identify applications that do not have a corporate-wide
impact and which are conducted in functionally separate units. This includes:
• Ad-hoc inquiries relying on stored data
• Simple reports relying on stored data
• What if analysis tools for business
• Applications that can be generated using high-level tools
15. Identify and describe 2 methods that are used for financial justification of an IS
project.
Students can select from several methods including:
• Return on Investment (ROI). This method compares the development and
operating costs of a system to the anticipated business cost reduction and revenue
increasing activities for the proposed IT investment.
• Discounted Cash Flow (DCF). This method acknowledges the time dependent
nature of value and looks at when the investment is required and when the benefits
will be realised.
• Net Present Value (NPV). This methods calculates the difference between the sum
of values of cash in-flows, discounted at an appropriate cost of capital, and the
present value of the investment.
• Internal Rate of Return (IRR). This method is based on NPV but calculated using
an interest rate that will cause the NPV to be zero, and aims to make comparisons
of projects more realistic.
• Payback Period. The method determines the amount of time, usually in years and
months that are required to the break-even point.
Paper F21 Page 87

16. From the standard control model and from the IT Governance Framework, a
number of Critical Success Factors can be deduced that apply to most IT processes. Are
the following TRUE or FALSE?
a. IT processes are defined and aligned with the IT strategy and the business goals
b. IT performance is measured in lines of code written and tested
c. People are focused on processes
d. Cross-divisional co-operation and teamwork should be discouraged in
organisations
e. Control practices are applied to increase transparency, reduce complexity, promote
learning, provide flexibility and scalability, and avoid breakdowns in internal
control and oversight
f. IT governance focuses on how well the organization understands IT.
g. IT governance provides a clear direction for IT strategy, a risk management
framework, a system of controls and a security policy
Suggested answers are:
a. TRUE
b. FALSE. Correct answer is IT performance is measured in financial terms, in
relation to customer satisfaction, for process effectiveness and for future
capability. IT management is rewarded based on these measures.
c. FALSE. Correct answer is People are goal-focussed and have the right
information on customers, on internal processes and on the consequences of their
decisions
d. FALSE
e. TRUE
f. FALSE Correct answer is IT governance focuses on major IT projects, change
initiatives and quality efforts, with awareness of major IT processes, the
responsibilities and the required resources and capabilities
g. TRUE
17. COBIT Management Guidelines suggests the use of a Maturity Model. What is
the purpose of a Maturity Model and what is it based on?
Students answers should demonstrate an understanding of Maturity Models and an
understanding of their use. Their description could include the following:
• The Maturity Model is a way of measuring how well developed management
processes are.
• Refer to business requirements and the enabling aspects that are at different
maturity levels
Paper F21 Page 88

• Provide a scale that lends itself to pragmatic comparison

• Provide a scale where the difference can be made measurable in an easy manner
• Provide a ready “profile” of the organsiation as it relates to IT governance
• Provide a baseline “As-Is” and set the target baseline “To-Be” positions
• Provide the basis for a gap analysis to determine what needs to be done to achieve
a chosen level
The Model is based on a scale for measurement. Scales should not be too granular, as
that would render the system difficult to use and suggest a precision that is not
justifiable.. Athe scale as described by COBIT includes the following:
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not
even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and
need to be addressed. There are however no standardised processes but instead there are
ad hoc approaches that tend to be applied on an individual or case by case basis. The
overall approach to management is disorganised.
2 Repeatable. Processes have developed to the stage where similar procedures are
followed by different people undertaking the same task. There is no formal training or
communication of standard procedures and responsibility is left to the individual. There
is a high degree of reliance on the knowledge of individuals and therefore errors are
likely.
3 Defined. Procedures have been standardised and documented, and communicated
through training. It is however left to the individual to follow these processes, and it is
unlikely that deviations will be detected. The procedures themselves are not
sophisticated but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to
take action where processes appear not to be working effectively. Processes are under
constant improvement and provide good practice. Automation and tools are used in a
limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the
results of continuous improvement and maturity modelling with other organisations. IT
is used in an integrated way to automate the workflow, providing tools to improve
quality and effectiveness, making the enterprise quick to adapt.
18. COBIT management guidelines is based on 4 management activities. These are:
h. plan, perform, correct, review
i. plan, do, check, act
j. Plan, develop, budget, review
k. Plan, do, budget, review
Paper F21 Page 89

R1.3 Software
eBusiness Enabling Software
Key Points
• As eBusiness becomes more common, there are an increasing number of software packages
available to organisations.
• Corporate-wide systems such as ERP and CRM are modular systems that enable the
organisation to implement all or selected modules as part of their strategy.
• There are many software packages available to small businesses that enable them to move
toward and electronic commerce platform. These include shopping carts, electronic
catalogues, online payment processing etc.
Questions
19. What is the best description of an ERP system from the following:
a. Provides and integrated approach for accounting and human resource management
b. Provides a corporate-wide system for managing the supply chain
c. Provides an enterprise approach to managing business information
d. Provides a system for managing the manufacturing and inventory control
processes
Suggested answer is b
R1.4 IFAC Guidelines/Discussion papers
Key Points
• IFAC IT Committee has produced a series of IT Guidelines promoting a global perspective
on best practice.
• IT Guidelines are available for the IFAC website and include Information security
management, business planning, acquisition, Implementation, IT service delivery and
monitoring.
• These IT Guidelines provide comprehensive best practice. They will need to be tailored so
they are appropriate to organisations no matter what size.
• Other publications are available that provide a broader understanding of IT issues for
management including Outsourcing, eBusiness and the Accountant and Project checklists.
Paper F21 Page 90

Questions
20. Which of the following are the key principles in developing an IT plan?
a. Alignment, Integration, Achievability?
b. Aligned scope, Awareness, Transparency?
c. Alignment, Accountability, Commitment?
d. Accountability, Evaluation, Integration?
c. is correct.
21. Identify and describe at least 2 factors that are important to implementing a
successful information security.
Students could identify any of the following factors as described in the IFAC
Guideline:
• Policy development. A framework that supports and complements existing
corporate policies and recognises the important role theta Information has in the
organisation is necessary.
• Roles and responsibilities. For effective security, roles and responsibilities, which
will be unique for each organisation, must be clearly stated and well understood
by all.
• Design. Once the policy has been accepted by senior management, the more
detailed standards, measures, practices and procedures must be developed and
maintained.
• Implementation. The standards, practices, procedures and measures should cover a
number of areas including accountability controls, Systems development life
cycle, authentication controls, business continuity planning.
• Monitoring, Measures and procedures for monitoring systems, processes and
environment are required to ensure adherence to the information security policy.
• Awareness, Training and Education. All staff must be aware of the need for an
information security policy and be trained in the standards and procedures
required. Staff responsible for the information and security policy should receive
more in-depth education.
22. Are the following statements TRUE or FASLE?

The following is a suggested solution.
a. The people who must be included in the acquisition process includes IT, users, IT
Audit, senior management, a consultant. FALSE
b. Acquisition requires a concise statement of the business expectations. TRUE
Paper F21 Page 91

c. The objective of information security is “the protection of the interests of those

relying on information and the information systems and communications that
deliver the information, from harm resulting from failures of availability,
confidentiality, and integrity”. TRUE
d. Rapid Application Development (RAD), Structured Analysis (SA) and Object-
Oriented Systems Development (OOSD) are examples of systems implementation
methodologies. TRUE
Paper F21 Page 92

R2 Information Technology Security Control and

Management
R2.1 Control frameworks
Key Points
• You must know what impacts the controls required in an organisation.
• Controls must be cost effective and meet an objective.
• Organisation risks must be analysed and appropriate controls implanted.
• Auditors will now be reviewing IT systems and looking for appropriate controls.
• There are IT standards and audit review processes that may need to be adhered to such
as – COBIT, SysTrust, WebTrust, SAS70, ITGI
Questions
1 Are these statements true or false?
a. Most IT data theft is carried out by copying the data so the organisation still has
the original. This means data theft is not so important. FALSE
b. As the data is stored electronically you automatically get privacy of
information. FALSE
c. Unless you sell things on the Internet you are unlikely to be impacted by the
loss of a server FALSE.
d. All auditors need to consider computer system issues. TRUE
e. Any organisation operating on the Internet will need a WebTrust certification.
FALSE
2 Auditors should –
a. Carry out regular control checks such as looking at logs every week.
b. Ignore the computer system as computers do not make mistakes
c. Examine controls and recommend changes
d. Always employ a specialist IT auditor
3 What would be the three most common IT problems that an organisation will have
to deal with?
1 Errors
2 Viruses
3 Disruption
Paper F21 Page 93

4 Why should an organisation always consider risks before deciding on the controls
to implement?
The level of control to be implemented will be dependent on the amount the
organisation may lose in the event of the system being compromised.
5 A SysTrust review will report on:

a. Security and efficiency
b. Maintainability and response time
c. Management and ethics
d. Availability and integrity
R2.2 Control objectives
Key Points
• Management are responsible for controls.
• Controls have to support business objectives and safeguard resources and assets.
• IT must be efficient and use its resources effectively.
• IT must therefore support the business goals and strategic plan. Other plans then flow
from this.
• Technical and information plans will also be required.
• These plans are part of the overall control process and also feed information as to what
detailed level of control will be required.
• In spite of the use of technology, interpersonal skills are still essential for the IT
manager and many IT staff members.
• Setting the IT budget is an important control process to manage the funds that are used
by IT and to help use them effectively.
• IT projects can waste funds and so need to be effectively controlled.
• Managers must be able to rely on the data and information provided by IT especially in
the financial area.
• Systems design must also be carefully controlled.
• It is at the design stage that system controls need to be considered and included as user
requirements.
• Different design approaches will require different control processes but the principles
stay the same.
• IT department and user workstations may represent a large value asset that needs to be
safeguarded.
Paper F21 Page 94

• The right equipment needs to be selected in the first place based upon the strategic plan.
• IT equipment is now very portable and so a target for theft and abuse. This needs to be
controlled.
• All organisations should be following the law and this applies to all aspect of IT
development and operations. Most importantly copyright rules must be adhered to.
• Attempts to thwart controls may come from an employee or external person. The
former is the most common but is usually hushed up; the latter gets the largest press.
• Users may not be able to do without their systems anymore and so reliability and
recovery are big issues.
• Data integrity is paramount and there are several control techniques that may be used
including – quality processes, change processes, security processes, education of users,
completeness, accuracy, currency, timeliness, consistency, comparability, authorisation
and auditability.
Questions
1 How do controls link in with the IT strategic plan?
Controls are not just about preventing fraud or errors. They should also be
applied to help the organisation operate in an effective and efficient way and to
maximise the return on investments.
The IT strategic plan should also be about maximising ROI and efficiency.
There needs to be controls in place to ensure that effective planning and
strategies are implemented.
2 True or False?
a. As technology changes so quickly the IT department’s budget should allow for
the latest equipment and versions of software to be installed as soon as they are
released. FALSE
b. While budgeting is part of a control mechanism, just setting a budget does not
guarantee that only that amount of money will be spent. TRUE
c. If an IT project is fully funded by a user department then it does not need to be
controlled. FALSE
d. Just because data is input accurately does not mean that it cannot later be
corrupted. TRUE
3 Describe why auditors are interested in the design approach and standards used.
The best time to implement controls is in the design phase before anything has
been built. Auditors need to check the design to see that controls are in the
requirements. Also the IT department must be efficient and not waste resources.
The development process should follow standards to help ensure that the system
Paper F21 Page 95

comes in on time and on budget and does what is required.
4 To help prevent equipment theft you can

a. Put all the equipment into an asset register
b. Use steel cables to fix equipment to desks
c. Put a bar code label on the front of the computer
d. Lock all notebook computers away when not in use.
5 Copying software is not theft. True False
6 The most common perpetrator of a fraud is

a. An employee
b. A hacker
c. An Internet user
d. A thief
7 Comment on the following statement – “Software is so easy to use these days that users
do not need any training.”
Users still need training in topics such as – control procedures around the system,
how to use the non-intuitive options, how to handle errors, how to make
corrections, where to store data, how to secure the system, etc.
R2.3 Layer of control
Key Points
• Security and control act in layers to protect the resource in the centre.
• Society’s view of the law, ethics and business practices will have an influence on what
people will try to do to circumvent security and controls.
• The same concept applies to the culture of a particular organisation or the way
managers operate.
• IT security and control processes can be used to protect against behaviour.
• Operating system and application software will usually restrict access to users or
groups of users but it has to be implemented appropriately.
• Management supervision and checking of data by more than one person are still
effective controls.
• It is ideal to separate the control of assets from the recording of the asset.
Paper F21 Page 96

Questions
1 If there is poor physical control around an office what impact does that have for other
control procedures?
It will be easier for a thief or fraudster to get physical access to the computers. This
then requires improved logical controls such as passwords and encryption to
safeguard the data in the computer.
2 Give examples of how attitudes to security and control may vary between
organisations.
Organisations such as banks will be very security conscious as they handle cash.
They will have a security culture and staff will probably accept the need for
security. Small businesses may not see any need for security and all users may
share data and computer access.
3 Hackers will
a. Only attack banks to defraud them
b. Attack anyone for fun
c. Only attack servers running UNIX
d. Always get caught
4 You should always try to separate the recording of assets from the control of assets.
True False
R2.3 Responsibility for control
Key Points
• Many people at all levels in the organisation are responsible for aspects of control.
• The board and senior management have the overall responsibility but are unlikely to
undertake any detailed work themselves.
• They do need to be involved in planning and approving procedures.
• IT staff will implement the procedures and undertake many day-to-day control
activities.
• Users will also be required to carry out parts of the control process and be on the look
out for problems and anomalies.
• Auditors will then be reviewing and checking controls and security.
Questions
1 The board of directors will usually know very little about IT security and controls therefore
they have no role to play. True False
2 Describe the IT manager’s role as regards security and control.
Paper F21 Page 97

They will need to provide support and guidance on security and controls to managers
when the policies are being developed. They will then need to implement the
procedures. They will need to monitor certain aspects of the security such as log files.
They will need to set an example to their staff and adhere to all security procedures.
3 If a user sees a peculiar transaction they should

a. Do nothing it is probably a test entry
b. Report it to their manager and the IT manager
c. Just ignore it
d. Put in a reversing entry to correct it.
4 Audit trails are special reports used just by the auditors.
True False
R2.5 Control environment
Key Points
• What are the external regulatory controls that an organisation has to adhere to?
• Accurate books and records must be kept and now these will be computerised.
• Other specific legislation relating to IT is now often enacted such as Privacy legislation.
• Accountants will often adopt international standards where there are no local standards.
• Management of IT is seen by COBIT as a high-level control objective.
• Polices and procedures must be communicated to staff and adhered to by managers.
• HR policies should ensure that when selecting staff they will adhere to control policies
and fit in with the security culture.
• COBIT also expects that the funding and management of the IT investment is
appropriate.
Questions
1 Why do organisations have to keep proper books of account?
Normally there is a requirement in a Company Act that requires proper books to
be kept. In addition the tax department will want to be able to see accounts to
assess how much tax has to be paid.
2 If a company operates in multiple countries it could be a good principle to adopt:
a. No privacy standards at all since they are all different.
b. The least difficult to implement as this will cost less
c. The most stringent
Paper F21 Page 98

d. The privacy standards in the holding company country

3 Why is the management of IT considered a control objective?
A control objective is the effective management of an organisation’s resources.
This is often a statutory requirement imposed on directors. IT can consume
large amounts of resources and so it must be effectively managed.
4 When recruiting new employees it is important to
a. Explain any special security requirements that are required
b. Check references
c. Ensure that they will adhere to the security culture of the organisation
d. All of the above.
5 What are the advantages of adopting a “user pays” approach to charging for IT
services.
Users will be keen to keep costs down and so will not waste the resources on
offer. They will be more receptive to projects that will help reduce costs. If they
are paying for a project then they are more likely not to make flippant requests
for ineffective requirements.
R2.6 Risk assessment
Key points
• Level of control should depend upon risks faced.
• Organisation needs to evaluate the risk it faces.
• It then determines the impact and possible financial loss of an event.
• It looks at the controls that could reduce or recover from the event.
• Cost effective controls can then be put in place.
• There are major and minor disasters that can impact an organisation.
• Loss of IT systems will now normally have a major impact.
• Errors are a common event that must be prevented by appropriate controls.
• Attacks can come from within the organisation (employees) or externally.
• Investment in IT has to be safeguarded.
• Controls may prevent an event, minimise the impact of an event or be used to recover
from an event.
Questions
1 The greatest risk facing IT systems is a hacker attack.
Paper F21 Page 99

True False
2 Describe three common risk events that will need to be controlled.

Virus attack
Errors
Service disruption
Hacker penetration
Disasters
Hardware failures
Changes in environment that impact systems
Power failures
3 If during a risk analysis activity you decide that a particular event is likely to occur,
how would you decide on the controls to implement?
You would estimate the likely cost to the organisation of the event. Then
consider the controls that could be used to prevent or recover from the incident.
Apply a cost benefit analysis and implement if management feel that it is
beneficial.
4 Describe why employees pose a risk to an organisation.
They will have some access to data and may misuse it. They are the ones that
will input data and may be prone to errors. They will need to adhere to the
security procedures and may not want to.
5 When considering theft you should:
a. Only worry about notebook computers as they are portable
b. Consider all IT equipment as being a target
c. Not worry if there are security guards on reception
d. Use logon passwords to deter theft.
R2.7 Control activities
Key Points
• You should be aware of possible risks before identifying the controls to incorporate.
• Many controls are procedural in nature and are implemented as policies and procedures.
• Controls must also fit within the framework of the organisation.
• Managers and staff must be aware of their roles and responsibilities.
• Controls may prevent an event, detect an event and provide correction to an event.
• IT controls can be used to control the user or for the user to control the system.
Paper F21 Page 100

• Contingency plans and the ability to recover from a disaster is an important element of
control.
• Insurance may be able to cover some of the financial losses suffered.
• Authorisation of transactions and segregation of duties are still important controls in IT
systems.
• User access is often controlled by user identifiers and passwords.
• Log files should be reviewed by an independent person.
• Controls such as batch control are required to ensure complete processing of
transactions.
• Errors must be satisfactorily followed up and resolved.
• Today IT systems must also control data privacy and security.
• Many countries have privacy legislation in place that may impact organisations trading
over the Internet.
• Information and files may be categorised so that appropriate control may be applied.
• Access controls may be classed as physical and logical.
• Networks will need their own types of physical and logical controls such as firewalls
and encryption.
• Operating systems may have security weaknesses and so all latest patches must be
installed.
• An important control is the regular monitoring of the system to examine performance
and security issues.
• Controls are required to be able to recover quickly from minor problems and backup
and recovery procedures are essential.
• For major disasters a hot or cold site may be required.
• Any DRP needs to be tested and kept up to date to reflect changes in operation.
• IT management and the smooth operation of the IT department will be critical to the
organisation so control polices and procedures are appropriate.
• A SLA may be considered an element of control to determine the levels of service that
are to be delivered.
• SLA performance will need to be monitored and reported on.
• New technologies should be adopted only if they can be shown to provide benefits to
the organisation, not just for the fact that they are new.
• Specific controls are required to control access to software and database files.
• Controls need to embrace all elements of the data life cycle including input and output
processes.
Paper F21 Page 101

Questions
1 Why do IT staff pose a security threat?
IT staff normally have high levels of security clearance to be able to do their
job. They will be responsible for many security procedures and if these are not
carried out correctly may prevent the organisation recovering. If IT staff make a
mistake such as deleting files it can have a major impact.
2 A problem with allowing users to pick their own passwords is:
a. They may share them with other staff
b. They may pick easy to guess passwords
c. They may forget the password
d. The administrator will then not know what the password is
3 Describe three techniques that minimise the likelihood of input errors:

Check Digits, Batch Control, Record checking, Exception reporting, reviews.
4 What is a transposition error?

One that occurs when one of more numbers (or letters) are swapped during data
entry.
5 Why should batch control processes still be used with an on-line, real-time system?
Errors can still be made with these systems including errors of omission,
duplication and incorrect data. Batch controls help detect these errors.
6 How can a manager or auditor verify that an audit log file has not been changed to
hide a fraudulent transaction?
The file should have appropriate permissions so that only the auditor or other
trusted person can access it. File modification dates may be examined. The file
may also have control totals or record counts that will indicate modification.
7 How often should data be backed up and taken off site?
Theoretically this will be determined by the risk analysis and the possible loss
that can be suffered. In practice most organisations operate a daily backup
cycle.
8 A SLA is:
a. Only used with outsourcing organisations
b. Used as a basis for checking IT department performance
c. Not necessary if you are not charging for IT services.
Paper F21 Page 102

d. Created the first time the system is implemented and then is no longer required.
9 Describe why an organisation that has all its equipment fully ensured should still
develop a DRP.
Insurance may not cover all aspects such as data recreation, loss of goodwill,
etc. In addition, while waiting for the insurance to come through the
organisation still has to operate.
10 Describe process controls that may operate in a payroll system.

Overflow errors in case of a division by zero error, reasonableness checks to
ensure that calculated salary is within the normal levels, calculated control totals
and run-to-run controls, handling rounding correctly,
11 A user puts their password on a post-it note and sticks this on their monitor. How
can you persuade them that this is not good security and to try to remember the
password?
Look at policy document and see if there are any penalties for such action.
Explain that anyone could log on as them and carry out malicious acts for which
they will be blamed. They could log on and send e-mails purporting to be from
the user.
12 Wherever possible give one person total responsibility for all aspects of an activity
since this gives them greater job satisfaction.
True False
13 Describe why you may want to restrict users to printing only on particular printers.
The printer may be being monitored or observed to identify the printing of
confidential data. Consumables on other printers may be costly and so they are
restricted to special print jobs. The printer may be close to the user and so the
most practical to use. The printer may have special stationery.
14 Managers must:
a. Authorise control procedures
b. Adhere to control procedures
c. Regularly check that control procedures are adhered to
d. All of the above
15 IT controls are only those activities that are performed by the computer.
True False
Paper F21 Page 103

R 2.8 Monitoring of control compliance
Key Points
• Controls must be complied with and be seen to be complied with.
• Responsibility lies with senior management and the board.
• We need to set objects against which we can compare actual.
• Performance monitoring should be an integral management function.
• Balanced scorecards may be used to show IT performance.
• External parties may be used to monitor.
• If not meeting targets then appropriate action needs to be taken.
• The computer can be used as an audit tool. Either with specialist software or more
generic applications.
• All accountants need to be computer literate, some more than others.
• Auditors may be involved in reviewing design process so need to be able to read
diagrams used in modelling.
• Testing is an important control and the procedures need to be reviewed.
• Auditors may use software to check the data in files and verify totals and reports.
• General software such as spreadsheets and word processors may also be used in the
audit.
Questions
1 How could an auditor use parallel simulation to verify warranty claims?
The auditor could examine the logic behind the calculation of warranty claims
and develop a piece of code to carry out this calculation. This code could then
access the same source data and it should arrive at the same figure.
2 Describe three audit tests that could be applied to data using a specialist reporting
tool
Verification of control totals
Random selection of data for further checking
Checking for data that falls outside certain ranges
Identification of repetitive transactions
Large value transactions
3 Describe three types of tests that may be performed during the testing phase of
systems development.
Paper F21 Page 104

Unit test
String test
Application test
Module test
Program test
Full system test
4 Why should all auditors be familiar with IT audit techniques.

Computers are used in all types and sizes of organisation. They can no longer be
ignored when conducting an audit. All auditors should be able to carry out basic
IT audit routines.
5 List topics that may be included in the compliance report.

Objectives/controls being tested, method of undertaking review, findings,
impact on performance and compliance, recommendations, costings and cost
benefit analysis of findings.
Summary
Information technology is always changing and so will the need for auditors and accountants to
keep abreast of the technology and its impact on audit, finance and accounting.
Uncontrolled use of computers can result in erroneous data and misuse of funds. Control
principles change slowly but the control processes must continue to evolve to meet the
challenges presented by the latest technology.
Paper F21 Page 105

R3. Revision Case Studies

R3.1 Tarash Food
Tarash Food is medium sized restaurant franchise with an annual IT operating budget of RS 3
million. Management are concerned that the computer systems currently being used are out-
dated when compared to what their competition might be using. Their current systems are
unable to be modified, to provide the improved restaurant efficiency that is required, without
high cost. Two head office Managers and the IT Manager started to look at new software
packages to replace the current financial and restaurant systems. However after several
demonstrations, they concluded that none of the packages provided all the functions that they
are seeking.
Recently the IT Manager met with Managers at several of the restaurant franchises to gain their
views on what they needed from a new computer system. Some of the Managers indicated that
they are happy with the current system and do not want to change. Others have indicated that
they urgently need new systems to support improved inventory and sales controls. Two of the
restaurants have taken steps to identify systems they wish to implement based on their own
contacts and market information.
Senior Management has agreed that a system is imperative and wants a new computer system
to be selected within the next few months.
You are IT consultant contracted by Tarash Food to help in the selection process. The IT
Department support has been good in the past and appears adequately skilled to
complete the implementation.
i) Identify problems in the approach taken to date by the IT manager in selecting
Tarash’ new systems.
ii) Outline a better process to select the new systems in a 3-4 month time frame.
iii) Indicate how you would involve the restaurant managers and head office
management in each sage of the process and what your role would be.
iv) Identify and explain areas for assessing the vendors and their proposed software
solutions. Suggest Tarash’s weighting factors for each area (e.g. 0-100%) and
explain your rationale for the weightings.
This question seeks to demonstrate an understanding by the student of the management
decisions needed in acquiring software through the package route.
i) Student’s should identify that the biggest problem with the approach so far is that
they have failed to establish their requirements before beginning to look at packages.
Other problems that might be highlighted include:
• Time allowed for project is too short for wide consultation needed
• There has been a lack of structured processes to collecting and establishing the
requirements
• Lack of senior management direction in the overall objectives of the process.
Paper F21 Page 106

• Criteria to evaluate the potential vendors have not been established.

• Lack of involvement of key stakeholders involved in the process – it is essential
that the major stakeholders are involved in the process from the beginning. The
fact that several franchise owners are already looking at identifying the systems
that they wish to use highlights the extent of the problem.
• Lack of proper cost-benefit evaluation and scoping
ii) A better process to follow in the allocated time would be to establish a formal
project with the following milestones:
• Prepare Project scoping and timeline
• Prepare application requirements and identify potential vendors or solutions
providers. Obtain approval from major stakeholders for the requirements.
• Prepare a RFP or RFT and send to vendors with an invitation to respond. This step
may involve further briefings for the vendors and must involve identifying the
criteria for evaluation.
• Evaluate responses from vendors and prepare a shortlist
• Agree on what is required from each vendor. Schedule a demonstration of the
solution and prepare a list of questions for the assessment. Complete reference
checks for the vendors and select.
• Negotiate on final conditions for contract and prepare contract.
Next steps will be implementation and planning.
iii) The best way of engaging the restaurant managers would be to continually consult
with them and keep them informed of progress. This could be achieved in several ways:
• Establish a collaborative working environment so that the group can all contribute
and actively debate issues about the requirements etc
• Arrange workshops and presentations to keep major stakeholders informed.
• Create a subgroup of restaurant managers to act as representatives of the franchise
owners. This group would be involved with setting the criteria, attending the
demonstrations and undertaking the evaluations.
• Constant communication though emails or phone calls would be needed to ensure
the rest of the group were kept informed of progress.
iv) Students could identify many criteria but whatever they nominate should be relevant
to Tarash. While a difficult question due to the lack of information given, students
should emphasis that weightings must reflect the business and its priorities and also the
cost of not having a feature included in the package. They should identify some formal
approach to establishing criteria for evaluating the responses such as establishing a list
of criteria and for apply a ranking say on a scale of 1-10 in importance (meaning
0=Low, 40=Medium, 70=High, 100= Essential)
In terms of the assessment areas the student could include the following:
Paper F21 Page 107

• Market Position. The student might want to evaluate the position of the vendor in
the marketplace. Vendor credential, years in business, company background could
all be considered as well as industry reports
• Financial Standing. Businesses looking to establish a relationship with a company
selling packages will want to ensure that the company remains in business.
Shareholders reports, annual reports and financial statements will all provide
information on the company’s financial position.
• Customer base. What sort of customers does the company have and how widely
are they distributed?
• Customer support. A company will normally want good customer support when
buying a package. Documentation, training and help desk support should all be
considered for customer support. Consider undertaking company reference checks
with existing customers.
• Product Architecture. Open system and standards in a package will establish a
good base for the future and make it easier for integration of other packages and
system.
• User Interface. Usability of the system interface, navigation around the system,
and outputs can make a system easy to use or difficult. This requirement can be
quite important to businesses and in Tarash’ case with a large number of users of
differing skills this requirement may be crucial for acceptance of the system.
• Cost. Costs quoted can vary as to what they actually contain e.g. warranties,
annual maintenance charges, training and implementation may or may not be
included. Discounts and payments terms may also be important to the business
when evaluating response.
• Functionality. How well the package meets the requirements without
modifications must be considered but also how easy the vendor makes it for the
business to make changes or tailor it for the business requirements can be an
important consideration for many companies.
R3.2 Kavak Manufacturing

Kavak Manufacturing (Kavak) has decided to replace its aging accounting and production
systems. These systems are absorbing many resources to maintain them and keep the systems
running. They run on equipment that is old and which needs regular maintenance. In
particular, Kavak needs a new General Ledger system that will provide cost centre information,
automate accruals and be able to process foreign currency as its export trade increases.
Currently the IT Department has undergone several staff changes and are experiencing
difficulties hiring staff with the skills to maintain these old but critical systems.
The Managing Director recently attended a luncheon when a colleague told him that he should
invest in an ERP system for the business.
You are the new IT Manager, having been employed only 6 weeks ago. In your previous
job, the company you worked for also tried to implement an ERP system with disastrous
Paper F21 Page 108

results. You mentioned this to the Managing Director and cautioned him against rushing
into a decision to adopt and ERP system.
The Managing Director has asked you prepare a report for him to help him understand
what an ERP is and what some of the challenges might be for Kavak if the decision is
made to progress the acquisition of an ERP.
Prepare a report including the following points:
a) a description of what an ERP is and how it might help Kavak.
b) your comments about what the major challenges might be for Kavak to proceed with
an ERP implementation
c) your suggested approach to the problem.
The suggested solution for this case study is looking for an understanding of the
strategic issues associated with IT Planning as well as an understanding of ERP systems
and the students ability as a manager to communicate with senior management on
complex IT issues.
Layout, presentation and clarity are key skills for IT Managers to communicate with
senior manager. The student’s solution should demonstrate an understanding of these
issues with the use of graphs, pictures and references that could help non-IT mangers
understand the complex issues. The suggested solution should incorporate the following
items:
a) The definition that the student supplies should highlight and understanding of the topic and
the complexity of ERP systems. The fact that an ERP system now means many things to many
people must be understood and the scoping for such an exercise would be critical. Students
should not just use the definition supplied in the Student Guide but expand and recognise who
the audience for the definition and explanation is.
The key issues that could help Kavak if they were to implement and ERP would be:
• Timely replacement of old and costly systems with modern technology
• Integration of data into a single interface for improved management information,
compared to the many separate systems they currently have
• An accounting system that is capable of supporting global commerce and eBusiness,
• Up-to-date manufacturing and integrated inventory systems that manage the whole
process
b) The major challenges with implementing an ERP system focus around areas that bring
hidden costs to the project such as:
• Planning and project management. IT Staff and business staff need to be involved to
ensure the success of the project and time must be available from normal duties to
ensure no delays to the project.
• Integration. ERP systems need to be tied into existing systems and business
processes. In companies where there are older systems that staff are used to and
Paper F21 Page 109

which the business relies on, integration of the old data with new processes can
impose enormous problems.
• Conversion. Many legacy systems have enormous stores of data, both historical and
current – some of which is inaccurate, missing or corrupted. Conversion of this data
to the new ERP system must take the cleaning and mapping of data into consideration
and may even warrant its own project.
• Testing. As ERP systems replace core corporate systems, they must be thoroughly
tested before being moved into production. Live or real test cases should be available
to ensure that testing mirrors the production environment as close as possible.
• Documentation. ERPs may have documentation on the system but many companies
will need to document how their current practices work with the new ERP system.
Consideration must be also given as to how the ERP system impacts current roles and
responsibilities.
• Training. Training for staff involved with en ERP implementation will normally be a
corporate-wide requirement. Timing of the training is of the essence. Training can
cost time and money as staff are taken away from current jobs to train on a system
that they may not actually use immediately.
• Consulting fees. As ERP projects normally require many more resources and skills
that an organisation has, consultants are brought in to assist with the project.
Management of these resources must pay attention to deliverables, schedules, and
skills of the consultants or costly overruns will occur.
• Ongoing costs. Many companies ignore the ongoing costs of an ERP system and this
can be costly. This needs to be highlighted up front so that careful planning and
budgeting will allow these expenses to be managed.
c) The next step should be to review the company’s Strategic Plan and the IT Strategic Plan.
This will ensure that a technology is not just acquired without specific goals and objectives.
Aligning the plans and reviewing the current IT plans may highlight other less costly solutions
that will enable the company to reach its goals. If the decision of the senior management is to
proceed with an ERP acquisition then the scope and requirements must be documented.
R3.3 KVT Insurances.

KVT currently has systems for developing a CRM system to provide fully integrated
information on existing financial, policy, premium and claims systems. They are investigating
a fully integrated CRM system to provide decision-making support to their 70 branches across
Pakistan.
The security access for the current systems is considered adequate, however over the past few
years, enhancements have been continually made to address control and audit improvements.
Management recognises the need for strong controls in the company’s processes and systems
without requiring duplicated systems and manual controls. There is increasing pressure from
branches to have access to systems that will reduce the amount of manual reconciliation and
authorisation checks that they must do. However currently, these checks do uncover input
Paper F21 Page 110

errors or unusual items that are difficult to investigate due to time between data entry and when
the exception is identified.
You have been assigned to the development team for the new system as a business
analyst. One of your roles it to help in the design of improved security, audit and control
features.
You have been asked to present an overview to the business and Project Managers of
how the design of the security, audit and controls fits in with the overall design work.
a) Describe the purpose of the security, audit and control design work.
b) Comment on KVT’s approach to complete the control design work during system
design.
c) Identify at least 10 types of transaction controls that could be used when designing the
system controls for KVT’s new system and outline key considerations when considering
the appropriateness of a control.
Suggested Solution.
a) The purpose of the security, audit and control design work is to help ensure that the
new processes and system being developed are well controlled, Auditable and secure.
The system s should be able to provide KVT Management with reasonable assurance
that the business processes and controls achieve the following:
• Support the business objectives and operations in a flexible way that will be easily
adaptable if the business changes
• Reliably execute the business transactions i.e. give confidence in the availability,
integrity, and confidentiality of business transactions.
• Support staff in improving the efficiency and effectiveness of business processes
to deliver improved service to customers.
• Identify exceptions and anomalies in a timely way to allow follow-up and
correction.
b) Students may choose to answer this in a list form or a comparison with performing
the work during another time. The answer must identify that this is the ideal time to
address these issues as part of the business requirements phase – reasons might include:
• Cost savings. Early identification will allow design to proceed faster and more
completely rather than have to come back later and change the design to
incorporate controls.
• Fewer errors. Helps to remove or prevent past problems when controls were either
missed, duplicated or ignored.
• Improved integration. Controls are not added on creating another layer of work but
can be integrated to improve the flow of business processes.
• Best Practices. Helps create best practice by incorporating controls when and
where they are needed.
Paper F21 Page 111

• Improves profile of audit and controls. These are recognised by management ad

being important and helps develop a culture of best practice in the organisation.
Audit is seen as a tool and important part of the business.
• Methodologies and standards. Design of controls becomes a standards part of a
project and will lead to improved systems.
c) Students may provide different answers but should at least identify some of the
following:
Access Controls:
• Access and authorisation verification and checks
• User view restrictions
Input Controls
• Data entry validation
• Input tolerance levels and parameter checks
• Value limit checks
• Check digits
• Mandatory fields
• Sequence checks
• Batch input control totals
• Error or warning messages highlight anomalies
Processing Controls
• New policy holder checks
• Automatic premium postings
• Controls of reconciliation and suspense accounts
• Logging changes to key fields
• Standard recurring entries
• Automatic collection notices.
Output
• Premium notice distribution
• Error and exception reporting
• Unusual transactions reporting
• Audit trails
The appropriateness of controls should consider the following:
Paper F21 Page 112

• Cost/benefit. Is the cost of establishing and maintaining the control justified by the
benefit?
• Does the control provide a balance between the risks and enabling users to make
informed decisions and provide effective service to customers?
• Does the control require user intervention and other manual support procedures?
• Does the control allow flexibility?
• Is the control best suited as a preventive or detective control?
• Can the results of the control be measured and traced to ensure it is relevant and
timely?
Paper F21 Page 113

Glossary
For more computer definitions please refer to Internet references listed in References section.
Add-ins
Programs that can provide additional functionality to the primary application.
Application
A program used by an individual or an organisation to assist in their operation or work.
Arcnet
A network protocol or standard that used a token to allow network access.
ASP
Applications Service Provider. An organisation that will provide a complete set of services to
organisations based around one or more applications that the organisation requires.
Batch Processing
A method of entering transaction data in batches, usually to ensure control of data by the use of
batch totals that may be verified before data is updated.
Bridges
A device to connect two networks.
Browser
A program that provides the facilities to access Internet sites and use Internet protocols.
Business Intelligence (BI)

BI applications provide the functionality to analyse business data to identify trends and
relationships so as to make better business decisions.
Coaxial cable
A type of cable used in networks. It consists of a pair of conductors, which include a core and
outer sheath.
Data
Basic, raw information such as numbers and text.
Data Dictionary
A means of storing details about data items.
Database
Paper F21 Page 114

A structured store of data, usually stored in files.
Database Management System (DBMS)

Software used to create and maintain databases.
Distributed processing
A method by which the processing of an application or other program is split and performed on
different computers.
Document Management
A means to control and manage paper based or electronic documents.
Domain Name System

A process by which numerical addresses can be associated with more meaningful names.
EDI
Electronic Data Interchange. The ability to transfer structured commercial transactions and
documents vie computer networks or systems.
EFT
Electronic Funds Transfer. The ability to transfer funds between accounts using computer
networks or systems.
EFTPOS
Electronic Funds Transfer Point of Sale. The ability to transfer funds between accounts at a
point of sale such as a supermarket checkout.
Electronic commerce
Electronic commerce is conducting business transactions and communications electronically.
E-mail
Messages that can be sent electronically using computer networks or systems.
ERP
Enterprise Resource Planning systems provide applications for all aspects of an organisation to
allow them to have an integrated view of data.
Ethernet
A networking standard or protocol to manage and control packets of data on a network. It uses
a method of collision detection to determine if packets reached their destination.
FAQ
Frequently Asked Questions. FAQs are a list of commonly asked questions and their answers.
Paper F21 Page 115

Field
A collection of data that conveys meaningful information. For example Product code and
product description are two fields.
File
A file is an organised collection of data that acts as the basic unit of storage.
File Server
A file server is a computer that provides services to others in a network. It allows files to be
shared along with other devices such as printers, disks, etc.
Flat File
A structured file that contains one type of record only. Will have several records that consist of
the same fields.
Gateways
Network devices that allow communication to take place between networks using different
standards or protocols.
Hard Disk
A storage medium that uses rigid recording surfaces.
HTML
Hyper Text Mark-up Language. A standard for allowing items of information to be associated
and pages of information can be linked and referenced.
Hub
A central device used in networking to which all cables are connected.
Index
A reference table that point to records in a file.
Internet
World-wide interconnected network.
ISP
Internet Service Provider. An organisation that is linked to the Internet and can provide
subscribers with access to the Internet.
Join
The link between two tables in a database system.
Key
Paper F21 Page 116

A field used to identify a record in a file. For example Product Code.
Knowledge Management
Systems that support the sharing and maintenance of the knowledge accumulated by the staff
of the organisation.
LAN
Local Area Network. A network of computers that are within a limited distance of each other.
Normally restricted to an office or campus.
Master Data
A file of data such as names and addresses that change infrequently.
Media Access Control Address

Address used by network cards to identify components in a network.
Metadata
Data that describes the relationships and association of other data.
Methodology
An organised, documented set of procedures and guidelines for one or more phases of the
software life cycle, such as analysis or design. Many methodologies include a diagramming
notation for documenting the results of the procedure; a step-by-step "cookbook" approach for
carrying out the procedure; and an objective (ideally quantified) set of criteria for determining
whether the results of the procedure are of acceptable quality.
MIS
Management Information Systems. Applications used to provide information to the
organisation.
Modem
A device for sending digital signals across the analogue telephone network and named after its
function i.e. modulator – demodulator.
Multi-processing
May be used instead of multi-programming or could indicate a computer with more than one
processor.
Multi-programming
The ability of a computer to run two or more programs at the same time.
Multi-tasking
Multi-tasking is the ability to split a program into multiple tasks that can be run in parallel.
Paper F21 Page 117

Network
A collection of devices that can operate together and share devices, resources and data.
Network Interface Card

A Network Interface Card (NIC) is a hardware component that is installed in a computer to
allow it to connect to a network.
Normalisation
A technique used in data analysis to break down data structures so as to minimise repeated
data.
OLAP
On-line Analytical Processing is a technique whereby end users of data can analyse the data to
get the information that they require.
OLE
Object Linking and Embedding. A linked object is developed in a source application such as
Excel and then inserted in another file such as a Word document. The Excel data does not
become part of the Word document but can be seen whenever the document is opened. Any
changes made in Excel will be reflected in the Word document. If the same Excel data was
embedded in Word then it does become part of the Word document and will be saved with the
document. If the Excel data is selected then the Excel application will be invoked and the data
can be changed.
On-line processing
Processing that is connected to the central computer.
Object-oriented Design ((OOD)

OOD is a design method in which a system is modelled as a collection of co-operating objects
and individual objects are treated as instances of a class within a class hierarchy. Four stages
can be identified: identify the classes and objects, identify their semantics, identify their
relationships and specify class and object interfaces and implementation. Object-oriented
design is one of the stages of object-oriented programming.
Open Systems
Standards that are designed so that products from different vendors can be interchanged and
operate together.
Packet
A unit of data sent across a network
PC
Paper F21 Page 118

Personal Computer. A computer based on a microprocessor that is normally used by an

individual.
Peer to Peer Network

A network that does not have a file server but rather each computer may share its resources
with other users.
Processor
The computer component that undertakes the processing and controls other computer
components.
Program
A set of instructions that tell the computer what to do.
Programmer
A person who develops programs.
Query
A request for information from a database.
RAM
Random Access Memory. The component in the computer that stores the programs and data
that the processor needs to access.
Real-time processing
The updating of data as and when the event occurs.
Record
A collection of fields that relate to one unit of data. For example each product will be a record.
Relational Database
A way of describing the relationship between tables of data so as to build a more complex data
representation of an organisation.
Repeaters
Devices that can amplify a signal and so extend the length of a cable.
Report
A summary of information stored in the computer.
Report Writer
An application that can develop reports.
Paper F21 Page 119

Routers
A network device for sending data to various parts of a large network.
Schema
A description of items of data and their relationships.
Systems Development Life Cycle (SDLC)

The systems development life cycle (SDLC) model is an approach to developing an
information system or software product that is characterised by a linear sequence of steps that
progress from start to finish without revisiting any previous step. The SDLC model is one of
the oldest systems development models and is still probably the most commonly used.
Sequential Access
Accessing data according to some predefined sequence such as alphabetical order.
SNA
Systems Network Architecture. A networking standard developed by IBM.
Software Life Cycle

The phases a software product goes through between when it is conceived and when it is no
longer available for use. The software life-cycle typically includes the following: requirements
analysis, design, construction, testing (validation), installation, operation, maintenance, and
retirement.
Spreadsheet
An application that is primarily used for storing and calculating numeric data.
SQL
Structured Query Language. A standard language for accessing and maintaining data in
databases,
Standing Data
A file of data such as names and addresses that change infrequently.
Subschema
A subset of a schema to allow reduced access for a user.
System
A collection if interrelated objects working together.
Table
A collection of rows and columns such that the rows represent records and the columns fields
in a data structure.
Paper F21 Page 120

TCP/IP
Transmission Control Protocol/Internet Protocol. A standard for data transmission across
networks.
Template
A file that contains formatting information, text and other reusable information. Often used in
Word for Letter and Memo layouts.
Token Ring
A standard for data transmission across networks that uses a token to indicate the ability to
transmit data.
Transaction Tracking System (TTS)

A method to ensure that all database updates complete successfully and the ability to recover in
the event of a failure.
Transactional Data
Data that is based on transactions that will change frequently.
UNIX
An operating system
Unshielded Twisted Pair

A type of cable that consists of one or more pair of wires that are twisted to reduce cross talk
interference.
Upgrades
New versions of an application or operating system.
WAN
Wide Area Network. A network that connects geographically separated systems,
Web sites
A collection of information developed by an organisation or individual that is available on the
Internet.
Windows
An operating system that used multiple screens of data, a mouse and pull down menus.
Wizard
A feature of an application that takes the user through the steps of a complicated procedure to
ensure that no steps are missed and appropriate responses are obtained.
Paper F21 Page 121

Word Processing
An application used to enter and maintain text based information.
WWW
World Wide Web. A standard use mainly to set-up web sites.
XML
Extensible Mark-up Language. A standard for developing hyperlinked pages that can also
access variable data.
Goals
Goals are specific accomplishments that must be accomplished in total, or in some
combination, in order to achieve some larger, overall result preferred from the system, for
example, the mission of an organization. (Going back to our reference to systems, goals are
outputs from the system.)
Strategies or Activities
These are the methods or processes required in total, or in some combination, to achieve the
goals. (Going back to our reference to systems, strategies are processes in the system.)
Objectives
Objectives are specific accomplishments that must be accomplished in total, or in some
combination, to achieve the goals in the plan. Objectives are usually "milestones" along the
way when implementing the strategies.
Tasks
Particularly in small organizations, people are assigned various tasks required to implement the
plan. If the scope of the plan is very small, tasks and activities are often essentially the same.
Resources (and Budgets)
Resources include the people, materials, technologies, money, etc., required to implement the
strategies or processes. The costs of these resources are often depicted in the form of a budget.
(Going back to our reference to systems, resources are input to the system.)
Paper F21 Page 122

IT Management Audit &amp; Control (ICAP Booklet)

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

IT Management Audit &amp; Control (ICAP Booklet)

Hochgeladen von

Copyright:

Verfügbare Formate

The Institute of Chartered Accountants of Pakistan

Information Technology (IT) Management, Audit and

© Alexer Pty Ltd

Paper F21 Page i

Paper F21 Page ii

Overview of Student’s Guide...........................................................................................1

COURSE MATERIAL .....................................................................................................4

1. IT Strategy and Management ......................................................................................4

Paper F21 Page iii

2. Information Technology Security, Control and Management................................33

Paper F21 Page iv

3.1 Join In Inc................................................................................................................59

R1. IT Strategy and Management .................................................................................80

Paper F21 Page v

R2 Information Technology Security Control and Management................................93

R2.1 Control frameworks...............................................................................................93

Paper F21 Page vi

R3. Revision Case Studies............................................................................................106

R3.1 Tarash Food.........................................................................................................106

R3.2 Kavak Manufacturing..........................................................................................108

R3.3 KVT Insurances...................................................................................................110

Paper F21 Page vii

Paper F21 Page 1

Paper F21 Page 2

Paper F21 Page 3

1. IT Strategy and Management

Discuss the differences between strategy and strategic planning.

The Strategic Plan

Paper F21 Page 4

The IT Strategic Plan

Paper F21 Page 5

Discuss the issues in the Student Guide.

Read “Chapter 4: Strategy planning for information systems” in recommended text.

Considerations for IT Strategic Planning

Understanding the business

Positioning the Business

Paper F21 Page 6

Knowing the Business Environment

Identify at least 4 possible requirements from customers that might impact an IT

Understanding the Risks

Paper F21 Page 7

Aligning the IT and Business Strategic Plans

Read Chapter 6 “Frameworks for integrating IS Strategies with business strategy”

Components of Long Range Plans

Paper F21 Page 8

Revise material in Module D21 on e-business.

Paper F21 Page 9

Business to Consumer (B2C)

Paper F21 Page 10

Business to Business (B2B)

Review the article at http://b2b.ebizq.net/exchanges/kenjale_1.html

Business to Employee (B2E)

Prepare a list of information that is shared in a normal business i.e. information to

Paper F21 Page 11

Consumer to Consumer (C2C)

Government to Citizen (G2C)

Paper F21 Page 12

Identify 3 common communication processes or transactions that a citizen must conduct

Paper F21 Page 13

Management of computer operations

In your option would the IT Operations Strategy be a long-term plan or a short-term

Measuring and Managing Capacity

Paper F21 Page 14

IT Management Audit & Control (ICAP Booklet)

IT Management Audit & Control (ICAP Booklet)