CA Final Group II : Information Systems Control and Audit – June 2009
Total No. of Questions — 7 | Total No. of Printed Pages — 2
Time Allowed : 3 Hours Maximum Marks : 100
Question No. 1 is compulsory.
Answer any four questions from the remaining six questions.
1. XYZ Company, engaged in the manufacturing of several types of electronic goods, has branches all over the world. The company wishes to centralize and consolidate the information flowing from its branches in a uniform manner across the various levels of the organization.
The factories are already working on legacy systems, using an intranet to collate information. But each factory and branch uses different software on varied platforms, which do not communicate with each other. This results not only in a huge inflow of data that cannot be consolidated for analysis, but also in duplication of data. Even a one percent change in any data entry or analysis translates into millions of Rupees and can sometimes wipe out the profits of the organization. So the company needs a system that would help it to be responsive and act fast.
Read the above carefully and answer the following with justifications:
(a) What are the problems that the company is facing now? 
(b) Should the company go for an ERP solution? If yes, will the company be able to share a common platform with its dealers, so that they can access its servers and database to update information on issues of mutual interest?
(c) For the selection of ERP package, state the issues to be considered. 
(d) Suggest how to go about the implementation of ERP package. 
2. (a) The top management of a company has decided to develop a computer information system for its operations. Is it essential to conduct a feasibility study of the system before implementing it? If the answer is yes, state the reasons. Also discuss three different angles from which the feasibility study of the system is to be conducted. 10
(b) “While reviewing a client’s control system, an information system auditor will identify three components of internal control.” State and briefly explain these three components. 5
(c) While testing software, how will you involve the people working in the system areas? 5
3. (a) A company is engaged in stock-taking data activities. Whenever an input data error occurs, the entire stock data has to be reprocessed at a cost of Rs. 50,000. The management has decided to introduce a data validation step that would reduce errors from 12% to 0.5% at a cost of Rs. 2,000 per stock-taking period. The time taken for validation causes an additional cost of Rs. 200. (i) Evaluate the percentage cost-benefit effectiveness of the decision taken by the management, and (ii) suggest preventive control measures to avoid errors and improve the process. 10
(b) What are the issues that should be considered by a system auditor at the post-implementation review stage before preparing the audit report? 5
(c) “There always exist some threats due to cyber crimes.” Explain these threats. 5
4. (a) As a system auditor, what control measures will you check to minimize threats, risks and exposures in a computerized system? 10
(b) State and explain four commonly used techniques to assess and evaluate risks. 5
(c) What are the audit tools and techniques used by a system auditor to ensure that the disaster recovery plan is in order? Briefly explain them. 5
5. (a) When an organization is audited for the effective implementation of ISO 27001 (BS 7799: Part II), Information Security Management System, what is to be verified under:
(iii) Establishing Management Framework
(b) The Information Security Policy of an organization has been defined and documented as given below:
“Our organization is committed to ensure Information Security through established goals and principles. Responsibilities for implementing every aspect of specific applicable proprietary and general principles, standards and compliance requirements have been defined. This is reviewed at least once a year for continued suitability with regard to cost and technological changes.”
Identify the salient components that have not been covered in the above policy.
(c) Briefly explain Asset Classification and Control under Information Security Management Systems. 5
6. (a) What purpose will the information system audit policy serve? Briefly describe the scope of an information system audit. 10
(b) State the duties of the subscriber of a digital signature as specified in Sections 40 to 42 of Chapter VIII of the Information Technology Act, 2000. 5
(c) What are the conditions subject to which an electronic record may be authenticated by means of affixing a digital signature? 5
7. Write short notes on the following: 4×5=20
(a) System Manual
(b) Control Objectives for Information and related Technology (COBIT)
(c) Firewalls
(d) White Box Testing