bml 303 past papers pack

Upload: san-king

Post on 06-Aug-2015

Institute of Cost and Management Accountants of Pakistan

Constituted under Cost and Management Accountants Act, 1966

INFORMATION SYSTEMS AND

I.T. AUDIT (BML-303)

SEMESTER-3

PAST PAPERS

From

Institute of Cost and Management Accountants of Pakistan

Constituted under Cost and Management Accountants Act, 1966

Past Papers Included

1. MODEL PAPER
2. FALL 2014 EXAMINATIONS
3. SPRING (AUGUST) 2014 EXAMINATIONS
4. EXTRA ATTEMPT, MAY 2014 EXAMINATIONS
5. FALL 2013 (FEBRUARY 2014) EXAMINATIONS
6. EXTRA ATTEMPT, NOVEMBER 2013 EXAMINATIONS
7. Fall 2012 (February 2013) Examinations
8. Spring (August) 2012 Examinations
9. New Fall (E) 2011, April 2012 Examinations
10. Winter (November) 2011 Examinations
11. Summer (May) 2011 Examinations
12. Fall (Winter) 2010 Examinations
13. Spring (Summer) 2010 Examinations
14. Fall (Winter) 2009 Examinations
15. Spring (Summer) 2009 Examinations
16. Fall (Winter) 2008 Examinations
17. SPRING (SUMMER) 2008 EXAMINATIONS
18. FALL (Winter) 2007 Examination
19. SPRING (Summer) 2007 Examination
20. FALL (Winter) 2006 Examination
21. SPRING (Summer) 2006 Examination


SYLLABUS

INFORMATION SYSTEM AND IT AUDIT [BML-303]

PART - A

INFORMATION SYSTEM (IS)

1. Emerging Technology in E-Business

Definition of EDI, E-Business and E-Commerce

E-Business Models (B2B, B2C, B2E, B2G, G2C, & C2C)

E-Commerce Architecture and Risks

Advantages of E-Commerce Business

E-Business Software (SCM, ERP & CRM)

2. Infrastructure and Operations

Management of IS Operations

IT Service Management

Change Management Process

Computer Hardware Components & Architecture

Capacity Management

Operating Systems

Network Architecture (LAN, WAN & Wireless)

3. Information and Database

What is a Database

Data Modelling

Types of Database

The Role of a Database Management System

Data as a Resource

Importance of Models

Information System Categories


Office Automation Systems

Communication Systems

Transaction Process Systems

Decision Support Systems

Enterprise Systems

Limitations

Uses of Information Systems Categories

4. System Acquisition / Development Process

Approaches (Waterfall, Spiral, Interactive, Prototyping)

Phases of SDLC (Investigation and Feasibility Study)

Requirements Analysis and Initial Design

Detailed Design Specification/ Documentation

System Installation/ Implementation & Maintenance

Project Management

Project Planning

Project Control Methods and Standards


PART – B

I.T. AUDIT

5. The Process of Auditing Information Systems

Audit Mission and Planning

Role and Responsibilities of Internal, External and I.T. Auditors

Risk Assessment and Analysis

Risk Based Audit Approach

Compliance and Substantive Testing

Internal Controls and Their Types, Objectives and Procedures

Performing an I.T. Audit

CAATs

Control Self-Assessment

6. Governance and Management of I.T.

Corporate and IT Governance

IT Governance Frameworks

Roles and Responsibilities of Senior Management, Steering Committee & Chief Information Officer

Policies and Procedures

Human Resource Management

Sourcing Practice

Change Management

IS Roles and Responsibilities

Segregation of Duties and Control within IS

Auditing IT Governance Structure and Implementations

7. Auditing Infrastructure and Operations

Hardware Review

Operating System Review

Database, Local Area Network, Network Operating, Control and Information System Operations Reviews

Lights-out Operation

Application Control and Their Objective


File Creation

Data Conversion

Input and Output

Problem Management Reporting Reviews

Hardware Availability

Utilizing Reporting and Scheduling Reviews

8. Auditing System Acquisition / Development Process

Risk of Inadequate System Development Life Cycle (SDLC) and Review of Development Procedures and Methodologies

Review of Acquisition Process for Outsourcing

Information System Maintenance Practices

Change Management

Library Control Software

Review of the Practice of Project Management Tools and Techniques

9. Information Security Management (ISM)

Importance of ISM

Understanding of Facilities (Data Centers, Outsourced Facilities, Storage, Media Libraries, Backup Vaults, UPS & Disaster Recovery Sites)

Antivirus Software Implementation Strategies

Program and Data Security Techniques

Monitoring and Surveillance Techniques

Environment Controls

Smoke Detectors

Fire Suppression Access Management Controls

Physical Design and Access Controls

Logical Access Controls (User Authentication Matrix & Password Management / Password Change Procedures)

Network Security (Encryption, Firewalls, Systems and Humidity / Temperature)

Media Sanitization

Auditing Information Security Management


10. Business Continuity and Disaster Recovery

Defining a Disaster

BCP and DRP

BCP Process

Business Continuity Policy and Planning

Incident Management

Business Impact Analysis

Development of BCP

Insurance

Plan Testing

Auditing Business Continuity

1 of 2 ISITA/Model-Paper

ICMA Pakistan

MODEL PAPER

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER- 3

Time Allowed: 02 Hours 40 Minutes Maximum Marks: 80 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) Question No.1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q.1 First question (MCQs Part) comprises 20 MCQs of one (1) mark each to be attempted in 20 minutes.

Q.2 Read the following CASE carefully and answer the questions given below:

C A S E

Megaton Corporation is a large industrial concern with a complex network infrastructure comprising multiple local area and wide area networks that connect Megaton headquarters with its national and international offices. There is an Intranet site, accessed only by employees, for sharing work-related information. An Internet EDI site is also available, accessed by customers and suppliers to place orders and check order status. Both sites have open areas as well as sections containing private information that require an ID and password to access. User IDs and passwords are assigned by the central security administrator. The wide area networks are based on a variety of WAN technologies, including frame relay, ATM, ISDN and T1/T3. These networks carry unencrypted, non-sensitive information sent to Megaton's international offices, but do not carry any customer-identifiable information. Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is encrypted before being sent. A number of devices also use Bluetooth to transmit data between PDAs and laptop computers. A new firewall has been installed, and patch management is now controlled by a centralized mechanism that pushes patches out to all servers. The firewall policy does not allow any external access to the internal systems. Various database-driven Internet applications are in use, and many have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and the reports it produces are monitored on a daily basis. Megaton headquarters also maintains a data center of 15,000 square feet (1,395 square meters). Access to the data centre is controlled by a card reader, with cameras monitoring the entrance.
Recently, Megaton has actively started supporting the use of notebook computers by its staff so they can use them when travelling and when working from home. Megaton wants these staff to be able to access the company databases and provide online information to customers. A large organization-wide ERP software implementation project is also under consideration. Megaton has decided to buy a commercial off-the-shelf ERP package and then customize it to fit its needs. Although Megaton was not in a hurry to implement the project, sizeable customizations of the ERP were anticipated. The last IS audit was performed more than five years ago. The current business continuity and disaster recovery plans have not been updated in more than eight years. During this time Megaton has grown by over 300 percent. At the headquarters alone, there are approximately 750 employees. The IS auditor has been asked to evaluate the current environment and make recommendations for improvement.


Questions:

a. What possible risks can be involved with the use of the EDI system at Megaton? 08

b. What would be the most serious concerns regarding the wide area networks at Megaton? 06

c. Many issues are involved when a company stores and exchanges confidential customer information over a network. What could be some of the significant issues to address if the information exchanged between Megaton headquarters and its international offices included personally identifiable customer information? 05

d. What role can the top management of Megaton play in achieving better IT governance? 05

e. Suggest some controls to strengthen the security of the Data Centre at Megaton. 03

f. Based on the information given in the case, what would you recommend to Megaton for preparing its disaster recovery plan? 03

Q.3 (a) "Capacity management" is the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively. The capacity plan should be developed based on input from both user and IS management to ensure that business goals are achieved in the most efficient and effective way. Discuss some types of information required for successful capacity planning.

08

(b) A database is a collection of information that is organized so that it can easily be accessed, managed, and updated. List the properties of the three major types of database structure: hierarchical, network and relational.

06

Q.4 (a) To develop an information system, an organization can either outsource the system development or rely on its own people. What are some of the risks involved when system development is done by the end-users of an information system?

06

(b) E-commerce is a positive development for both businesses and individuals, as it has made transactions more convenient and efficient. E-commerce involves no physical interaction between buyers and sellers, and such virtual transactions have many associated risks. Explain some of these risks and their mitigation strategies.

06

Q.5 (a) The acquisition of the right hardware and software resources for an organization is a complex issue that requires careful planning. What are some of the issues involved in acquiring hardware and software for an information system, and the steps involved in the selection of a computer system?

06

(b) An important objective of the IS auditor is to ensure that the organization provides adequate segregation of duties within the information system management structure. What are some of the duties and responsibilities of the IS auditor in achieving this objective?

06

Q.6 (a) While performing an IS audit of an organization, the IS auditor needs to carefully examine the various IS controls implemented by the organization. What are some techniques the IS auditor can use to evaluate the application controls implemented in an information system?

06

(b) An organization can hold a variety of sensitive information, such as financial results and business plans for the year ahead. As more and more of this information is stored and processed electronically and transmitted across company networks or the Internet, the risk of unauthorized access increases. What are some basic types of information protection that an organization can use to minimize this risk?

06

THE END

ISITA-Mar.2015 1 of 2

INFORMATION SYSTEMS AND I.T. AUDIT (BML-303) SEMESTER-3

FALL 2014 EXAMINATIONS Thursday, the 5th March 2015

Time Allowed: 02 Hours 30 Minutes Maximum Marks: 70 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(iv) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(vi) Question No. 1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q. 2 (a) Xeon Limited is a large multinational bank. It has recently received a license to operate a banking business in Pakistan. The management of the bank has decided to develop its own banking software and has recently awarded a software development contract to a local software consulting company. When the project kicked off, the project manager assigned to the project applied his own software development methodology instead of an internationally recognized Software Development Life Cycle (SDLC).

08

The bank has deputed you to this project as IS auditor. As part of your job responsibility, you are required to identify the risks associated with the project manager's non-compliance with international standards for software development methodology.

List at least four potential risks to which the adoption of a non-standard software development methodology may expose the project, along with suggested controls for each.

(b) Audit risk is the risk that information or a financial report may contain a material error, or that the IS auditor may not detect an error that has occurred. Explain in brief how you would categorize audit risks.

08

Q. 3 (a) You are an IS auditor of Glorious (Private) Limited, a large accounting firm. As part of its human resource development plan, Glorious recently arranged overseas training in Computer-Assisted Audit Techniques (CAATs) for its IS audit team. You were one of the team members who travelled for the CAATs training. When you resumed office after successful completion of the training, the senior management of Glorious asked you to transfer your CAATs knowledge to the IS Audit team members. In order to conduct the knowledge transfer session, you are required to develop a presentation that should include: i) Applications of CAATs (at least five) ii) Advantages and disadvantages of CAATs (at least four of each)

Describe the important points in brief.

13

(b) Lincoin Limited is a group of companies with branch offices in all major cities of Pakistan. Lincoin Limited has good IT infrastructure across all its branches. Its data processing facilities are highly sophisticated and run a number of software applications. A few months ago Lincoin's IT facilities were shut down for two weeks due to an unforeseen application server disaster that caused significant losses in business, since timely information was not available for decision making. An IT business continuity plan (BCP) was in place, but it did not recover the business applications successfully as expected when applied in the disaster recovery event. Due to the ineffectiveness of the BCP, the management of Lincoin has decided to have it reviewed by an external IS auditor. State at least ten basic elements that should be verified by the IS auditor while reviewing the BCP.

05


Q. 4 (a) There are various project management techniques and tools available to assist a project manager in the software development process. In the current revolutionary age of information technology, the Agile project management process is considered highly successful. Describe in brief the Agile project management method, with at least 10 Agile principles that support project teams in implementing the Agile project management method.

12

(b) Wolex Enterprises is a large distribution company dealing in life-saving drugs. Currently it has a very small distribution network; however, the management intends to launch its operations in all major cities of the country. Wolex's operations feasibility team is in consultation with various firms engaged in developing the infrastructure facilities and recruiting the work force. However, an outsourcing option for IT support services is also under consideration. You, as a senior member of the Wolex feasibility team, are required to come up with four benefits and four limitations that bear on the outsourcing proposal.

08

Q. 5 (a) A database is a collection of structured data organized in rows and columns. The use of a database has various significant strengths, such as:

reduced data redundancy

improved data integrity

allows data sharing

reduced development time

Explain each of the strengths indicated above.

08

(b) Symbol Electronics Limited (SEL) is a medium-sized manufacturing company involved in assembling and exporting domestic electronic goods. During the last year, SEL incurred significant losses on several large export consignments because shipments ran three weeks over schedule. Upon investigation by the internal IS Audit team, the production manager of SEL held the suppliers responsible for not delivering the raw material on time, while the suppliers were of the view that the delivery lead time was not considered by the SEL procurement department when raw material orders were placed. In order to overcome the issue of delayed acquisition of raw material, the management of SEL has decided to adopt a Business-to-Business (B2B) model. You, as head of Information Technology at SEL, are to briefly explain the B2B model and specify its key characteristics. State the advantages and disadvantages of the B2B model.

08

THE END

1 of 2 ISITA/August-2014

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER- 3

SPRING (AUGUST) 2014 EXAMINATIONS Thursday, the 21st August 2014

Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(vi) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q.2 (a) Enterprise Resource Planning (ERP) is an industry term for integrated, multi-module application software packages that are designed to support multiple business functions. Due to its importance and effective operational needs, the management of an automobile manufacturing company plans to implement an ERP system in order to integrate its different departmental functions. Briefly explain the different implementation phases of an ERP system. Discuss the benefits the company achieves by effectively implementing an ERP system in the organization.

09

(b) Recent research shows that, most of the time, approximately 80% of the CPU of a computer system remains in an idle state. The operating system is a resource manager and optimizes the use of CPU resources. Discuss the different classes of operating system.

05

Q.3 (a) A Decision Support System (DSS) is an interactive information system that provides information, models and data manipulation tools to help make decisions in semi-structured and unstructured situations. Discuss eight important techniques used in decision making in Decision Support System (DSS).

10

(b) An organization has deployed an MIS system and has advertised Database Administrator (DBA), Project Manager and Application Developer jobs in a leading newspaper to fill its vacant positions. Discuss the role and job description of each post in effectively implementing and managing the MIS system in the organization.

06

Q.4 (a) A multinational bank has established a data center in its head office. A 50 Terabyte capacity Storage Area Network (SAN), blade servers, a CISCO router and PIX firewalls have been deployed in the network infrastructure of the data center. Proper environmental and physical controls can ensure equipment reliability in line with manufacturer recommendations (such as those of IBM and CISCO) in the equipment data sheets, which can reduce the risk of any downtime. The management of the bank has engaged an IT auditor for a LAN and network operating review. Considering yourself the IT auditor, highlight a minimum of six requirements related to the organization's LAN and network operating review.

10

(b) With the revolution in network technology, wireless security provides prevention of unauthorized access to, or damage to, computers using wireless networks. Discuss three principal ways to secure wireless networks.

06


Q.5 (a) Students of XYZ University have developed mobile applications and have advertised them on the university web site. To promote this product through e-commerce activity they need a merchant account. Discuss the need for and requirements of a merchant account in our country to promote e-commerce business activities. Elaborate six different payment methods used in e-commerce business.

09

(b) For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The M/s UNICOM network manager has decided to upgrade its CISCO 12000 series router as per the CISCO TAC (Technical Assistance Center) recommendation. A change management procedure is used when changing hardware, upgrading an operating system and configuring various network devices. Discuss the effects of proper procedures/SOPs being followed and deployed during this migration process.

07

Q.6 (a) Most business continuity tests fall short of a full-scale test of all operational portions of the corporation. The test should address all critical components and simulate actual prime-time processing conditions. Discuss the different tasks to be accomplished by "Continuity Plan Testing". Explain the five test phases that should be completed to perform full testing.

09

(b) Software development practitioners have developed alternative development strategies to reduce development time and maintenance costs, or to improve the quality of software. Compare the advantages and disadvantages of the waterfall model, spiral model and prototyping model used in software development methodologies.

09

THE END

1 of 2 ISITA/May-2014

EXTRA ATTEMPT, MAY 2014 EXAMINATIONS

Saturday, the 24th May 2014

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER- 3

Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(vi) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q.2 (a) A traditional system development life cycle (SDLC) approach is made up of a number of distinct phases, each with a defined set of activities and outcomes. Identify the phases and discuss in detail the purpose of each phase and the general activities performed in each phase.

12

(b) Assume that you are helping the IT manager of a supermarket in managing databases. What different methods of accessing data would you use for their databases? 06

Q.3 (a) Discuss the various types of E-commerce models. E-commerce depends heavily on the existence of a level of trust between the two parties in order to reduce risk. State the most important elements of risk in E-commerce.

09

(b) Wireless transmission does not need a fixed physical connection because it sends signals through air or space. Discuss the four common types of wireless transmission, with the differences in scale and complexity of their applications.

06

Q.4 (a) Outsourcing is one of the business practices and strategies of organizations to reduce operational cost and concentrate on its core business areas. Cloud computing is one of the techniques of outsourcing. Elaborate different cloud computing service models. Discuss the advantages, disadvantages and business risks related to outsourcing.

08

(b) Adequate planning is necessary in performing an effective IS audit. Discuss the various types of audits, internal or external, and the audit procedures associated with each audit that an IS auditor should understand.

08

Q.5 (a) Disaster recovery planning (DRP) is a continuous process. When the normal production facilities become unavailable, the business may utilize alternate facilities to sustain critical processing until the primary facilities can be restored. Discuss the most common recovery alternatives in detail.

10

(b) You have been assigned to audit a multinational company having offices around the globe. Discuss the areas of IS auditing which should be kept in mind while performing the audit of any company with a global presence.

09


Q.6 The most critical factor in protecting information assets and privacy is laying the foundation for effective information security management. Identify and discuss at least six key elements of information security management system.

12

THE END

1 of 2 ISITA/Feb-2014

FALL 2013 (FEBRUARY 2014) EXAMINATIONS

Saturday, the 22nd February 2014

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER- 3

Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(vi) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q.2 (a) Most business information systems are based on databases. The web is not in fact a database; however, it illustrates the capabilities of hypermedia databases. Discuss the features of a hypermedia database. Also write the difference between searching for required information using a traditional database and using the World Wide Web metaphor.

09

(b) An expert system makes sure that important factors of an event have not been ignored and provides information that helps the person make a good decision. Differentiate, with the help of an appropriate example, between the forward chaining and backward chaining logics used by expert systems.

08

Q.3 (a) The PeopleSoft ERP system of XYZ Courier Company has crashed. Data backup is a key preventive measure; it ensures that the critical activities of an organization are not interrupted in the event of a disaster. Discuss the different types of disk-based backup systems and the criteria for choosing different types of backup devices and media for early restoration of data.

09

(b) One of the most interesting market mechanisms in e-commerce is the electronic auction, which is used in the B2C, B2B, C2B, G2B and G2C business models. Differentiate between forward and reverse e-auctions with examples. Also discuss the role of brokers and barter in the e-marketplace.

08

Q.4 (a) To ensure a high level of computer hardware and network availability, XYZ Company has signed a service maintenance contract, including spare parts, with a local IBM vendor for information system support and maintenance work. The hardware maintenance program is designed to document the performance of hardware maintenance. Discuss the mandatory information which should be maintained in a hardware maintenance program. Also elaborate the typical procedures and reports for monitoring the effective and efficient use of hardware.

09

(b) A project team with participation by technical support staff and key users should be created to write a request for proposal (RFP). Elaborate seven different areas which should be included in the contents of this or any RFP document.

07


Q.5 (a) An IT audit firm is planning the migration of its critical data from an old FOXPRO database system to a new Oracle 9i database system. This large-scale data conversion becomes a project within a project. Discuss the necessary steps for a successful data conversion process.

10

(b) Remote access is a common technique for monitoring and configuring network devices using Telnet and other utility software. Discuss the different remote access connectivity methods. How can an organization implement remote access security to avoid any chance of access to the company's intranet by an intruder, cracker, or hacker?

08

Q.6 Why do organizations need a Transaction Processing System (TPS), a Management Information System (MIS) and an Executive Information System (EIS)? How did the Management Information System (MIS) emerge partly as a response to the shortcomings of the first computerized transaction processing systems? Similarly, the Executive Information System (EIS) attempts to overcome the shortfalls of the traditional MIS approach. Elaborate this evolution in information systems. Do MIS and EIS really solve managers' problems?

12

THE END

1 of 2 ISITA/E-Attempt.2013

EXTRA ATTEMPT, NOVEMBER 2013 EXAMINATIONS Tuesday, the 26th November 2013

INFORMATION SYSTEMS AND I.T. AUDIT – (ML-303)

SEMESTER- 3

Time Allowed: 02 Hours 45 Minutes Maximum Marks: 90 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to invigilator before leaving the examination hall.

SECTION - "A"

Q.2 (a) Modern e-commerce architectures consist of a variety of complex integrated components. Explain four significant components of e-commerce architecture. (6 marks)

(b) E-businesses use a variety of computer hardware architectures. These computers are used both at the client and at the service provider end. Explain any three types of computers based on their processing power, size and architecture. (9 marks)

Q.3 (a) There are three major forms of organizational alignment for project management within a business organization. Discuss each. (6 marks)

(b) Problem management is one of the key functions of information system operations. Discuss three important duties of the IS manager with respect to the problem management function. (9 marks)

Q.4 (a) Information system development may involve developing a new system or modifying an existing one. In either case, IS management is required to prepare various types of feasibility studies. What are the five important functions of the IS auditor while analyzing these feasibility studies? (5 marks)

(b) A variety of database models are used in information systems today. Explain any five key features of the network database model and of the relational database model. (10 marks)

SECTION - "B"

Q.5 (a) A risk-based audit approach is usually adopted to develop and improve the continuous IS audit process. Explain the five stages of the risk-based audit approach. (10 marks)

(b) Steering committees play a strategic role in information systems management and ensure that the IS department is in harmony with the corporate mission and objectives. List five primary functions performed by the steering committee. (5 marks)


Q.6 (a) Data conversion is a significant activity in the information system development life cycle. Explain five significant points to be considered in a data conversion project. (5 marks)

(b) The system development life cycle (SDLC) approach does not guarantee successful completion of an IS development project; it involves a magnitude of risk that needs to be controlled. Explain six responsibilities of the IS auditor in controlling the risks of an inadequate system development life cycle. (6 marks)

Q.7 (a) Firewalls generally act as the first line of defence in securing corporate internal networks from external threats. List six general features of firewalls. Also list three problems faced by organizations after implementing firewalls. (9 marks)

(b) The IS processing insurance policy is usually a multi-tiered policy designed to provide various types of IS risk coverage. Explain five types of coverage provided in an IS processing insurance policy. (10 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Fall 2012 (February 2013) Examinations

Saturday, the 23rd February 2013

INFORMATION SYSTEMS & I.T. AUDIT - (ML-303) SEMESTER - 3

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 90

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to the invigilator before leaving the examination hall.

SECTION - "A"

Q. 2 (a) What do you understand by "Data Integrity Testing"? A multinational stock exchange company uses an online multi-user transaction processing system controlled by an Oracle DBMS. Discuss the properties of the ACID principle as applied in this online Oracle-based transaction processing system. (7 marks)
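Worked example (added by the editor; it is not part of the examination paper and does not use Oracle): a two-row ledger in SQLite shows what each ACID property means for a transaction processing system. A transfer either applies both UPDATE statements or neither (atomicity), a CHECK constraint stops the database ever holding a negative balance (consistency), BEGIN IMMEDIATE takes the write lock before the first UPDATE (isolation), and the change becomes permanent only when COMMIT returns (durability). The account names and balances are constructed sample data.

```python
# Added worked example (editor's illustration, not part of the examination paper).
# A two-row ledger in SQLite shows the ACID properties the question asks about:
#   Atomicity   - a transfer either applies both UPDATEs or neither;
#   Consistency - a CHECK constraint stops the database ever holding a negative balance;
#   Isolation   - BEGIN IMMEDIATE takes the write lock before the first UPDATE;
#   Durability  - nothing is permanent until COMMIT returns.
# Account names and balances are constructed sample data.
import sqlite3


def open_ledger(path=":memory:"):
    """Create the ledger with two sample accounts and return the connection."""
    conn = sqlite3.connect(path, isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"  # consistency rule enforced by the DBMS
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst. Returns True on commit, False after a rollback."""
    try:
        conn.execute("BEGIN IMMEDIATE")  # isolation: writer lock held for the whole unit of work
        debit = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        credit = conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        if debit.rowcount != 1 or credit.rowcount != 1:
            # The debit may already have run: without the rollback below, money would vanish.
            raise LookupError("unknown account")
        conn.execute("COMMIT")  # durability: the change survives a crash from this point on
        return True
    except (sqlite3.IntegrityError, LookupError):
        conn.execute("ROLLBACK")  # atomicity: undo the partial update
        return False


def balances(conn):
    """Current balances as a dict, e.g. {'alice': 100, 'bob': 50}."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    ledger = open_ledger()
    print(transfer(ledger, "alice", "bob", 150), balances(ledger))   # overdraft -> rolled back
    print(transfer(ledger, "alice", "carol", 10), balances(ledger))  # unknown payee -> rolled back
    print(transfer(ledger, "alice", "bob", 30), balances(ledger))    # committed
```

The overdraft case is caught by the DBMS itself (the CHECK constraint raises an IntegrityError on the first UPDATE), whereas the unknown-payee case is a logic failure that the application must detect through the row count; in both cases the ROLLBACK is what keeps the ledger consistent.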

(b) Discuss the importance of Customer Relationship Management (CRM) in meeting customer expectations. Distinguish between operational and analytical CRM. (8 marks)

Q. 3 (a) "Modern operating systems provide virtualization features." Elaborate on this statement. ABC Company is planning to reduce its operational cost by implementing a virtualization solution. Compare the advantages and disadvantages of this solution. (6 marks)

(b) Moving data in a batch transmission process through the traditional Electronic Data Interchange (EDI) process involves three functions within each trading partner's computer system. List and briefly explain these functions as used in the traditional EDI process. (9 marks)

Q. 4 (a) Software development organizations implement process methodologies. Discuss the features of the waterfall and spiral models. How does the spiral model support risk management? (7 marks)

(b) A multinational bank is establishing branches all over the country. These will be integrated through a WAN. Discuss different WAN technologies, along with their features, for providing secure point-to-point connectivity of all its branches to the bank's head office. (any eight) (8 marks)


SECTION - "B"

Q. 5 (a) "Encryption" is a need of today's e-business. Discuss why symmetric encryption is used for data encryption and asymmetric encryption is used in the key exchange mechanism. If an individual wants to send messages using a public key cryptographic system, how does s/he distribute the public key in a secure way? (8 marks)
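Worked example (added by the editor; not part of the examination paper): the hybrid pattern the question describes, in code. An asymmetric key agreement settles a one-off session key, and a symmetric cipher then encrypts the bulk data. Diffie-Hellman is used here as the asymmetric step in place of the RSA key transport a real e-commerce stack would typically use, and the public-key distribution problem is handled by a fingerprint that the receiver checks against a value obtained over an independent channel. The DH modulus and the HMAC-based stream cipher are toy constructions, chosen only so the example runs with the Python standard library; they are not for production use, where a 2048-bit or larger MODP group and an authenticated cipher such as AES-GCM belong.

```python
# Added worked example (editor's illustration, not from the examination paper).
# Hybrid encryption: an asymmetric key agreement (Diffie-Hellman stands in for the
# RSA key transport the question describes) settles a one-off session key; a symmetric
# cipher then encrypts the bulk data. The public key distribution problem is handled by
# a fingerprint that the parties compare over an independent channel.
# The DH modulus and the HMAC-based stream cipher are toy constructions, chosen so the
# example runs with the standard library only; they are not for production use.
import hashlib
import hmac
import secrets
import struct

P = (1 << 127) - 1  # toy modulus (a 127-bit Mersenne prime); real use needs a 2048-bit+ MODP group
G = 3
KEY_BYTES = 16      # enough to hold any value below P


def keypair():
    """Private exponent and public value G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public value: read it out over the phone or print it on a business
    card so the receiver can check that the key they downloaded was not swapped in transit."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def accept_public_value(pub, fingerprint_out_of_band):
    """Accept a downloaded public value only if it matches the fingerprint received on a
    trusted channel; otherwise an attacker could substitute their own key (man in the middle)."""
    return hmac.compare_digest(fingerprint(pub), fingerprint_out_of_band)


def session_keys(priv, peer_pub):
    """Derive separate encryption and MAC keys from the shared DH secret."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("rejecting degenerate public value")
    shared = pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")
    return (hmac.new(shared, b"enc", hashlib.sha256).digest(),
            hmac.new(shared, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks concatenated."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(keys, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(keys, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = keys
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: modified ciphertext or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def exchange(message):
    """Full round trip between two parties; returns the plaintext the receiver recovered."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # Public values travel in the clear; only the fingerprints need a trusted channel.
    blob = encrypt(session_keys(a_priv, b_pub), message)
    return decrypt(session_keys(b_priv, a_pub), blob)
```

The two halves of the question map onto the two halves of the code: the expensive public-key arithmetic runs once per session in session_keys, while every byte of data goes through the cheap symmetric keystream; and accept_public_value is the point at which "distributing the public key securely" is decided, because a public key needs no secrecy but does need authenticity.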

(b) The changing technological infrastructure requires specific reviews of hardware, operating systems, IS operations, databases and networks. As an IS auditor, discuss the main areas related to hardware that need to be reviewed. (6 marks)

Q. 6 (a) "Policies and procedures" reflect management guidance in developing controls over information systems. IS auditors should use policy as a benchmark for compliance. Discuss the main features of an information security policy document. How can an IS auditor ensure compliance with an acceptable Internet usage policy? (6 marks)

(b) How do CAATs help the IS auditor in gathering information from the hardware and software environment? Generalized audit software (GAS) is a main tool used in CAATs. Discuss the different functions supported by GAS. (9 marks)

Q. 7 (a) There are various reasons to create Access Control Lists (ACLs). Discuss. How can a network administrator secure the network by implementing extended ACLs on a company router interface? (8 marks)
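Worked example (added by the editor; not part of the examination paper): a first-match evaluator for Cisco-style extended ACL entries, which lets the effect of rule order and of the implicit "deny ip any any" be checked before a list is applied to a router interface. Only the permit/deny action, protocol, source, destination and "eq port" fields are parsed; the sample list, the addresses and the packets are constructed, and the parser is the editor's, not IOS.

```python
# Added worked example (editor's illustration, not from the examination paper).
# A first-match evaluator for Cisco-style extended ACL entries, so the effect of rule
# order and of the implicit "deny ip any any" can be checked before a list is applied
# to a router interface. Only the action, protocol, source, destination and "eq port"
# fields are parsed; the sample list, addresses and packets are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def _address_spec(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask: 0.0.0.255 -> 255.255.255.0.
    # A non-contiguous wildcard makes ipaddress raise ValueError, which is the right outcome here.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_ace(line):
    """'permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443' -> dict of match fields."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src, rest = _address_spec(tokens[2:])
    dst, rest = _address_spec(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, pkt):
    """Return the action of the first matching entry; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):   # 'ip' matches every protocol
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"   # implicit deny at the end of every Cisco ACL


# Constructed inbound list for an Internet-facing interface.
INBOUND = [parse_ace(line) for line in (
    "permit tcp any host 203.0.113.10 eq 443",                 # public HTTPS server
    "permit tcp 198.51.100.0 0.0.0.255 host 10.0.0.5 eq 22",   # admin network may SSH to the bastion
    "deny   tcp any any eq 23",                                # Telnet is cleartext: refuse it explicitly
    "deny   ip any any",                                       # the implicit deny, written out
)]
```

Because evaluation stops at the first match, a broad permit placed above a narrow deny silently disables the deny; running candidate packets through evaluate() before deployment is the cheapest way to catch that ordering mistake.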

(b) Discuss the process of developing and maintaining an appropriate "Business Continuity Plan". Explain the major tasks involved when an IS auditor evaluates the suitability of a business continuity plan. (8 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Spring (August) 2012 Examinations

Thursday, the 30th August 2012

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) STAGE-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

(viii) Question Paper must be returned to the invigilator before leaving the examination hall.

SECTION - "A"

Q. 2 (a) What are the five major components of an idealized expert system? Expert system logic combines forward chaining and backward chaining. Explain. (10 marks)

(b) Distinguish between a database and data modeling. Give an example by illustrating the basic entity-relationship diagram tool for data modeling. (5 marks)

Q. 3 (a) The systems in organisations are built and maintained in terms of four phases. Illustrate these phases. Also list the common reasons for project failure in each phase. (8 marks)

(b) Define "Business Intelligence (BI)". Identify its areas of application. Three main factors have been responsible for the increasing use of BI as a distinct field of IT. Explain these factors. (6 marks)

SECTION - "B"

Q.4 (a) "Testing" is an essential part of the development process. Discuss testing and the elements of a software testing process. List the various types of testing. (8 marks)

(b) A large-scale data conversion requires considerable analysis, design and planning. Discuss the necessary steps for a successful data conversion. (6 marks)

Q.5 (a) A recovery strategy identifies the best way to recover a system (one or many) in case of interruption, including disaster, and provides guidance for developing recovery alternatives. There are different strategies and recovery alternatives available. Explain the most common recovery alternatives. (7 marks)

(b) General controls apply to all areas of the organization, including IT infrastructure and support services. Discuss. (6 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

New Fall (E) 2011, April 2012 Examinations

Thursday, the 19th April 2012

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) STAGE-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

(viii) Question Paper must be returned to the invigilator before leaving the examination hall.

SECTION - "A"

Q. 2 (a) Information technology and information systems are powerful and valuable tools for individuals and organizations. Identify and briefly discuss the obstacles and real-world limitations that have slowed the pace of implementation of IT-based innovation. (6 marks)

(b) The Principle-Based Systems Analysis (PBSA) method is an approach to improving a work system. PBSA converts the four steps of systems analysis into three steps that can be pursued in a situation. Briefly discuss these three steps. (6 marks)

Q. 3 (a) There are four approaches to the system life cycle, each involving different processes and each helping to decide which method is appropriate for a particular situation. Discuss the four system life cycle approaches. (4 marks)

(b) The four main factors related to information usefulness are information quality, accessibility, presentation and security. Briefly discuss them. (8 marks)

(c) Briefly discuss the four aspects of the convergence of computing and communications. (4 marks)

SECTION - "B"

Q. 4 (a) An IS department can be structured in different ways, and the IS auditor should determine whether the job descriptions and structure are adequate. Briefly discuss the IS roles and responsibilities reviewed by an IS auditor related to the following:

i) Media Management
ii) System Administration
iii) Security Administration
iv) Quality Assurance
v) Database Administration
vi) Network Administrators

(6 marks)


(b) Discuss the policies and procedures that reflect management guidance and direction in developing controls over information systems. Explain the key points contained in the information security policy document. (8 marks)

Q. 5 (a) The IS auditor should be familiar with the different types of sampling techniques and their usage. Briefly touch upon the two general approaches to audit sampling. Identify the statistical sampling terms that need to be understood while performing variable sampling. (8 marks)

(b) Discuss the various roles and responsibilities of the groups/individuals that may be involved in the development process of a project management structure. (6 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Winter (November) 2011 Examinations

Monday, the 21st November 2011

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) STAGE-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

(viii) Appearing in Project, Presentation and Practical parts of the paper is compulsory.

(ix) Question Paper must be returned to the invigilator before leaving the examination hall.

SECTION - "A"

Q. 2 (a) What is an information system plan? (4 marks)

(b) Why do users and managers have to participate in information system planning and development? (4 marks)

(c) The capabilities of modern electronic communication systems help people work together by exchanging or sharing information in many different forms. Discuss six main tools of modern electronic communication systems in use in the present environment. (6 marks)

Q. 3 (a) Identify and explain five product performance variables used to evaluate any stage in the customer experience. (5 marks)

(b) Discuss the common roles of information systems in improving the product of a work system. (4 marks)

(c) What is the difference between efficiency and effectiveness, and how is this related to the work system framework? (5 marks)

SECTION - "B"

Q.4 (a) Explain the term "Risk Management" and the prerequisites for developing a risk management program. (5 marks)

(b) Discuss the three methods used for "risk analysis". (3 marks)

(c) "Changeover technique" refers to shifting users from the existing (old) system to the new system. This can be achieved in three different ways. Discuss these in detail. (6 marks)

Q.5 (a) The IS audit process must continually change to keep pace with innovation in technology. Explain three such changes in the IS audit process: automated work papers, integrated auditing and continuous auditing. (8 marks)

(b) Discuss the impact of laws and regulations on IS audit planning. (6 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Summer (May) 2011 Examinations

Thursday, the 26th May 2011

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) STAGE-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

(viii) Question Paper must be returned to the invigilator before leaving the examination hall.

SECTION - "A"

Q. 2 (a) Information systems are tools for decision-making. Each type of information system supports both communication and decision-making in a number of ways. Explain in detail the system types and their impact on communication and decision-making. (6 marks)

(b) (i) Define each of the process performance variables. Describe how an information system can improve performance related to each of these variables. (5 marks)

(ii) What are the phases of building and maintaining a system? (5 marks)

Q. 3 (a) A computer system finds stored data either by knowing its exact location or by searching for the data. Different DBMSs contain different internal methods for storing and retrieving data. Explain the sequential access, direct access and indexed access methods for accessing data in a computer system. (6 marks)

(b) Define each of the five levels of integration. What kinds of problems sometimes result from tight integration? (6 marks)

SECTION - "B"

Q. 4 (a) IS auditors' conclusions must be based on sufficient, relevant and competent evidence. Explain. Enumerate the determinants for evaluating the reliability of audit evidence. (5 marks)

(b) What are the project phases of physical architecture analysis? Explain. Different project phases are involved in planning the implementation of infrastructure. Discuss each phase. (6 marks)

Q. 5 (a) Control self-assessment (CSA) is a management technique. Illustrate. What are the objectives of CSA? Highlight the benefits and disadvantages of CSA. (6 marks)

(b) (i) Testing is an essential part of the development process. An IS auditor plays a preventive role in the testing process. Enumerate the elements of a software testing process. Also explain the classifications of testing. (6 marks)

(ii) Contrast corporate governance and IT governance. Explain the role of audit in IT governance. (5 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Fall (Winter) 2010 Examinations

Sunday, the 28th November 2010

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) STAGE-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION - "A"

Q. 2 (a) (i) "Computer hardware owned and managed within a corporation can exist at any or all of the following levels: corporate headquarters, regional processing centers, workgroup processors and individual workstations." Briefly elaborate. (4 marks)

(ii) What is the difference between centralized and decentralized approaches? How can an intermediate situation differ from these two extreme modes? (5 marks)

(b) How can Principle-Based Systems Analysis (PBSA) be applied to work systems, information systems and projects? (5 marks)

Q. 3 (a) An experienced manager who has worked for the last 30 years, and gradually moved from management trainee to the top executive position, is about to retire. The company relies heavily on the expertise of this senior executive and considers him the hub of its tacit knowledge. An information technology expert of the company has suggested that the core knowledge of the experienced manager, along with the tacit knowledge from his vast and diverse experience, can be captured and used efficiently through an "expert system". The CEO has asked the IT specialist to justify his idea and explain it to the board.

Required:

What is an expert system? Discuss the building blocks of an expert system. (9 marks)

(b) Intellectual property is different from other forms of property and therefore requires a different form of protection law. Define intellectual property and differentiate it from other copyright laws. (5 marks)

SECTION - "B"

Q. 4 (a) Describe the phases involved in the System Development Life Cycle (SDLC). (6 marks)

(b) There are three elements or dimensions of a project that should always be taken into account. Explain. (3 marks)

(c) The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures. Explain the classification of audits. (7 marks)

Q. 5 (a) An IS auditor plays a vital role in ascertaining the appropriateness of Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). Explain the tasks involved when an IS auditor evaluates the suitability of business continuity planning. (4 marks)

(b) What crucial factors are to be considered when reviewing the BCP? (4 marks)

(c) How can emergency procedures be assessed during the evaluation of the DRP? (4 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Spring (Summer) 2010 Examinations

Thursday, the 20th May 2010

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) STAGE-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION - "A"

Q.2 (a) Customers think about product performance in terms of a variety of performance variables. Identify the product performance variables that can be used to evaluate any stage in the customer experience. Also illustrate typical performance measures for each variable and the common ways information systems are used to improve the product. (7 marks)

(b) A neural network is an offshoot of artificial intelligence. It is an attempt to model the human brain.

(i) Explain the term "neural network". (2 marks)

(ii) How does it operate? Explain the procedure. (3 marks)

(iii) Give any two real-life examples where neural networks are applied. (2 marks)

Q.3 (a) ABC Corporation has its office in a multi-storey building. Its various departments are spread over different floors of the same building. The physical security of the IT infrastructure, such as computers, peripherals and network devices, is up to the mark; however, the CTO is concerned about "controlling access to data". Assume that the CTO of the company has hired you to address this issue. Prepare an account of "control techniques" covering manual data handling, access privileges, and data flow through networks and other media. (7 marks)

(b) Electronic commerce (e-commerce) is one of the most popular e-business implementations. What do you understand by e-commerce models? Discuss. (7 marks)

SECTION - "B"

Q.4 (a) After developing an audit program and gathering audit evidence, the next step is the evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then develop audit recommendations.

(i) How can an IS auditor assess the strengths and weaknesses of the evidence gathered? (3 marks)

(ii) How can a control matrix be employed in this regard? (3 marks)

(iii) What critical role can the concept of materiality play in sifting relevant information for the audit report? (3 marks)

(b) Today, telecommunication networks are key to business processes in both large and small organizations. However, organizations often do not give them the same priority as data centers. What are the telecommunication network disaster recovery methods, and how can a network be protected by using these methods? (5 marks)

Q.5 (a) Generally, each IT platform that runs an application supporting a critical business function needs a recovery strategy. Discuss the different alternative strategies in terms of cost and the corresponding level of risk. (7 marks)

(b) "System maintenance practices refer primarily to the process of managing change to application systems while maintaining the integrity of both the production source and executable code." In the light of this statement, answer the following questions:

(i) Describe the change management process. (3 marks)

(ii) How are changes deployed? (2 marks)

(iii) Why is system documentation important in the change management process? (2 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Fall (Winter) 2009 Examinations

Thursday, the 19th November 2009

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) STAGE-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION - "A"

Q.2 (a) Information systems are designed to support decision-making and management performance in one way or another. Identify and explain each step involved in the decision-making process with the help of a process flow diagram. (8 marks)

(b) How are social context and non-verbal communication important when communication technologies are used? (6 marks)

Q.3 (a) Describe the main uses of high-level, fourth-generation, object-oriented and web-oriented programming languages and tools. (8 marks)

(b) Define the elements of a work system framework with the help of a diagram. (6 marks)

SECTION - "B"

Q.4 (a) IS auditors appreciate a well-managed IS department that achieves the organization's objectives. An effective IS department follows information systems management practices such as personnel management, sourcing and IT change management. Explain these in detail. (8 marks)

(b) What are the typical physical access controls employed by organizations that have substantial IT assets and specific budgets allocated for their protection? (6 marks)

Q.5 (a) A medium-sized company operates in a client-server environment to link its several branches to the head office located in the same city. How can an IS auditor ensure the security of this client-server environment? Enumerate. (6 marks)

(b) Control Self-Assessment (CSA) can be defined as a management technique. Explain. What are the benefits and disadvantages of CSA? Define the IS auditor's role in the implementation of CSA. (8 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Spring (Summer) 2009 Examinations

Wednesday, the 20th May 2009

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) Stage-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION - "A"

Q.2 (a) Data communication provides the underpinning of networks and electronic commerce. Explain how data is transmitted from one computer to another with reference to the OSI model. (7 marks)

(b) Information systems depend on software resources to help end users use computer hardware to transform data into information products. What are the different types of such software resources? Explain each with various examples. (7 marks)

Q.3 (a) Illustrate some benefits of using expert systems in different organizations. What problems are faced during the development and usage of an expert system? (5 marks)

(b) A software development life cycle (SDLC) is a logical process that "system analysts" and "system developers" use to develop software packages. What is the purpose of using an SDLC? Explain the different phases of the SDLC. (5 marks)

(c) One of the tools of software development is prototyping. How does prototyping help software engineers in software development? (4 marks)

SECTION - "B"

Q.4 (a) What are the typical categories of authentication? What is two-factor authentication? Give an example. What are token-based authentication devices? Briefly describe how they work. To which category of authentication do they belong, and why? (7 marks)

(b) Describe why it is significant for the IS auditor to ensure that hiring and termination procedures are clear and comprehensive. How can an IS auditor verify that these procedures are being practised? (7 marks)

Q.5 (a) Briefly describe how laws and regulations affect IS audit. What would IS auditors do to determine an organization's level of compliance with external requirements? (5 marks)

(b) How can unnecessary system outages resulting from system configuration be controlled? How can IS auditors ensure that the appropriate controls are present in this regard? How do media controls address media transportation, storage, reuse and disposal activities? Give a media control example for each type of activity. (5 marks)

(c) What is contracting? Define the different elements of a contract. What is the purpose of these contracts besides third-party outsourcing? (4 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Fall (Winter) 2008 Examinations

Wednesday, the 19th November 2008

INFORMATION SYSTEMS & I.T. AUDIT - (S-602) Stage-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION - "A"

Q.2 (a) As technology advances, purchasing over the Internet has become the norm. A successful e-commerce system must address the many stages consumers experience in the sales life cycle. Discuss the multi-stage model for purchasing over the Internet in detail, with the help of an illustration. (10 marks)

(b) There are a number of challenges that must be overcome for a company to convert its business processes from the traditional form to e-commerce processes. Elaborate on these challenges with examples.

4

Q.3 (a) How does enterprise software work? Name some business processes supported by enterprise software. Why are enterprise systems difficult to implement and use effectively? Name at least three (03) commonly known popular ERP solution platforms.

4

(b) How have the value chain and competitive forces models changed as a result of the internet and the emergence of digital firms? Briefly discuss.

4

(c) There have been a few actions by major hardware and software vendors in the past that initiated discussion about the need for consumers to be on guard to protect their privacy. Describe and discuss at least the two most important cases in this regard.

6

SECTION ��B�

Q.4 (a) Why is testing of Disaster Recovery and Business Continuity Planning so important? What are the important elements to be considered, and what tasks should be accomplished by such a test?

7

(b) Why are digital signatures and digital certificates important for electronic commerce? What are the three major issues when a certificate needs to be revoked? Also describe a CRL (certificate revocation list).

4

(c) What are controls? Distinguish between general controls and application controls.

3

Q.5 (a) It is a general belief that an IS auditor's conclusions must be based on sufficient, relevant and competent evidence. Elaborate on the techniques for gathering evidence.

5

(b) What is an Artificial Intelligence System (AIS), and what are the major branches of AIS? Discuss expert systems, along with their capabilities and the characteristics limiting their current usefulness.

9

THE END

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

SPRING (SUMMER) 2008 EXAMINATIONS

Sunday, the 25th May, 2008

INFORMATION SYSTEMS & I.T. AUDIT (S-602)

Stage-6

Time Allowed: 2 Hours 45 Minutes    Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1, "Multiple Choice Question", printed separately, is an integral part of this question paper.

Marks

SECTION "A"

Q.2 (a) It is a fact that the majority of enterprises could not succeed without possessing data concerning their external environment and their internal operations. How can the use of data flow diagrams aid enterprises by providing better-quality decision-making information?

4

(b) A system must pass the ACID test to be considered a true transaction processing system. What are the properties of the ACID test?

5

(c) Fuzzy logic systems deal with "approximate reasoning". Does it make sense to apply them to control systems? Why or why not?

5

Q.3 (a) The accuracy of the outcome of a cost-benefit analysis is dependent on how accurately costs and benefits have been estimated. Inaccurate cost-benefit analysis may be argued to be a substantial risk in planning, because inaccuracies of the size documented are likely to lead to inefficient decisions. What are the causes of inaccuracies in cost and benefit estimations?

6

(b) ABC Software Company has to develop a software automation system for a local textile company with a very basic IT infrastructure. Is it a good idea to develop a prototype of the system before developing the full-fledged system? Discuss.

4

(c) The biggest concern with biometric security is the fact that once a fingerprint or any other biometric source has been compromised, it is compromised for life, because users can never change their fingerprints. Is this concern valid? Discuss with reasoning.

4

SECTION "B"

Q.4 (a) Describe the automated evaluation techniques, along with their complexity levels, applicable to continuous online auditing. Also mention the circumstances under which each type can be used.

7

(b) What are the physical and logical access points that need to be checked for unauthorized exposures of critical IT assets?

7

Q.5 (a) Give details of active and passive attacks, with two examples of each type. 4

(b) Why is a proper configuration for firewalls essential? 3

(c) Describe the purpose of library control software. 7

The End