Information Technology Management, Audit and Control


THE INSTITUTE OF CHARTERED ACCOUNTANTS OF PAKISTAN

EXAMINERS’ COMMENTS

SUBJECT: Information Technology Management, Audit and Control
SESSION: Final Examination – Winter 2011

General:

The performance in this attempt was relatively better than in the previous examinations. As
usual, the ability to understand the requirements of the question was found lacking. During
a visit to an examination centre, many students were seen arriving late, i.e. after the paper
had been distributed. This implies that the extra reading time of 15 minutes is not being
utilized properly, although the main purpose of this change was to allow time for planning
the answers and understanding the requirements of the questions.

Question-wise comments are as under:

Q.1 (a) In this part the candidates were required to identify the information which a
consultant usually gathers when he is assigned to evaluate a company’s IT
Strategy. Many candidates went into too much detail and tried to explain the
entire strategic planning process. However, a significant number of
candidates were also able to provide concise answers.

(b) Generally the performance in sub-part (ii) was better than in sub-part (i)
because only a few students seemed to have a clear idea about the strategic
planning process. Many students were quite confused as they were unable to
distinguish between the requirements of sub-parts (i) and (ii) and
interchanged the answers. Some of them mentioned the same points in both
sub-parts.

Q.2 (a) Generally the students were able to identify only two causes of database
failure, i.e. Security Breach and External Factors like sabotage, disaster etc.
Very few could mention the internal factors such as software errors, hardware
failure and procedural errors.

(b) This part of the question required students to mention four common back-up
strategies, for example, grandfather/father/son, dumping, residual dumping,
mirroring/dual recording/replication, logging, differential strategy etc. A large
number of students also wrote about back-up mediums, Hot/Cold/Warm sites,
BCP and DRP strategies, which were not relevant.

Q.3 This question on help desk was generally answered well. However, many students
had only a vague idea about the help desk function, which was predominantly based
on the dictionary meaning of “help desk”. Many students seemed confused
between the objectives and the actions required to achieve the objectives. It was
evident that many students had relied on a cursory reading of the books without
making due efforts to retain what they studied.

Q.4 The question was about risks associated with e-commerce from the customers’ and
the sellers’ points of view and the measures to address those risks. Students generally
got average marks. Many of them were able to identify the risks like privacy,
integrity, fraud etc. but did not have adequate command while describing the
related mitigating factors. Many students identified the risks but did not describe or
explain them, which was also required.

Q.5 Part (a) of the question was about steps to be taken while planning the high level
risk assessment of a VPN, while part (b) related to determination of the scope and
objectives for such an assignment. The question was not well attempted as most
students focused on low level procedural tasks instead of focusing on high level
tasks. Many students lacked clarity and answered part (a) for part (b) and vice
versa.

Q.6 (a) The majority of the students wrote with clarity about the benefits of a Business
Process Re-engineering (BPR) study.

(b) The response in this part was generally poor. A significant number of
students tended to agree or disagree with the proposal of concurrently
carrying out the BPR along with the implementation of ERP without
explaining their point of view.

(c) The performance was good as the majority covered most aspects related to
selection and evaluation of an ERP solution.

Q.7 The majority of the students could display good knowledge of CAATs. The only
prominent issue was that many students got mixed up between the two parts of the
question and placed some of the points pertaining to part (a) in part (b) and vice
versa. In the majority of the cases, the situation could have been avoided by reading
the question carefully.

Q.8 The question required the students to comment on the view that all printing
options may be available to all users. The response was good. The majority of the
students were able to discuss the issues of confidentiality and cost efficiency etc.

Q.9 The question required students to design questions to be asked in order to assess
the effectiveness of the logical and environmental controls related to data
confidentiality, integrity and availability and power and fire hazards. The question
was straightforward and most of the students scored well. The following issues,
however, need mentioning:

• Some students repeated the same controls many times, in different words.

• Some students got confused between measures for controls and procedures for
implementation of controls.

(THE END)
