Institute of Cost and Management
Accountants of Pakistan
Constituted under Cost and Management Accountants Act, 1966
INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)
SEMESTER-3
PAST PAPERS
Past Papers Included
Syllabus
1. Model Paper
2. 2015 Spring (August) Examination
3. 2014 Fall Examination
4. 2014 Spring (August) Examination
5. 2014 May Extra Attempt Examination
6. 2013 Fall (February 2014) Examination
7. 2013 Extra Attempt, November Examination
8. 2013 Spring (August) Examination
9. 2012 Fall (February 2013) Examination
10. 2012 Spring (August) Examination
11. New Fall (E) 2011, April 2012 Examination
12. 2011 Winter (November) Examination
13. 2011 Summer (May) Examination
14. 2010 Fall (Winter) Examination
15. 2010 Spring (Summer) Examination
16. 2009 Fall (Winter) Examination
17. 2009 Spring (Summer) Examination
18. 2008 Fall (Winter) Examination
19. 2008 Spring (Summer) Examination
20. 2007 Fall (Winter) Examination
21. 2007 Spring (Summer) Examination
22. 2006 Fall (Winter) Examination
23. 2006 Spring (Summer) Examination
Institute of Cost & Management Accountants of Pakistan
Education Department
ICMAP/HO/Edu/056/2015
August 10, 2015
CIRCULAR
Re-aligned Syllabus 2012
It is notified for all concerned that the syllabus of CMA qualification has
been re-aligned, which will be effective from Fall-2015.
Students are advised to visit the ICMA Pakistan website at
https://www.icmap.com.pk/syllabus.aspx to check detailed outlines of the re-aligned courses.
Regards,
Rehana Ali
Acting Director Education
Re-aligned Syllabus 2012, ICMA Pakistan
SEMESTER - 3
INFORMATION SYSTEMS AND IT AUDIT [BML-303]
INTRODUCTION
This course deals with management of the security of systems, and is designed to focus on tools and techniques of information systems and the application of that knowledge to I.T. Audit.
OBJECTIVE
To provide the students with a detailed knowledge of Information Systems and I.T. Audit, to enable them to:
- design and develop information systems to improve the performance of organisations, and
- apply the conceptual approach of information systems to I.T. Audit.
OUTCOMES
On completion of this course, students should be able to:
- understand E-Business and E-Commerce;
- learn management of IS operations;
- learn basic data management skills;
- understand management of auditing information systems;
- demonstrate an understanding of the complexity of managing security in electronic systems;
- identify and assess the critical threats to information systems;
- perform a preliminary security audit of information systems and apply skills to a security incident; and
- apply the most effective information systems audit, control and security practices.
INDICATIVE GRID
PART A: INFORMATION SYSTEMS (Weightage: 50%)
1. Emerging Technology in E-Business
2. Infrastructure and Operations
3. Information and Databases
4. Systems Acquisition / Development Process
PART B: IT AUDIT (Weightage: 50%)
5. The Process of Auditing Information Systems
6. Governance and Management of IT
7. Auditing Infrastructure and Operations
8. Auditing Systems Acquisition / Development Process
9. Information Security Management
10. Business Continuity and Disaster Recovery
TOTAL: 100%
Note: The weightage shown against each section indicates the study time required for the topics in that section. This weightage does not necessarily specify the number of marks to be allocated to that section in the examination.
CONTENTS
PART A
INFORMATION SYSTEMS
1. Emerging Technology in E-Business
- E-Business and E-Commerce
- E-Business Models (B2B, B2C, B2E, B2G, G2C, C2C and E2E)
- E-Commerce Architecture and Risks
- Advantages and disadvantages of E-Commerce for businesses
- EDI (definition, components, advantages and disadvantages)
- E-Business Software (SCM, ERP and CRM) (definition, components, advantages and disadvantages)
2. Infrastructure and Operations
- Management of IS Operations
- IT Service Management
- Change Management Process
- Computer Hardware Components and Architectures
- Capacity Management
- Problem Management
- Operating Systems
- Network Architecture (LAN, WAN and Wireless)
- LAN, WAN and wireless devices
- OSI layers
- Network Media
- Data management and monitoring
3. Information and Databases
- What is a database
- Data modelling
- Types of databases
- The roles of a database management system
- Data as a resource
- Importance of models and ERD
- Database access techniques
- Information systems categories
- Office automation systems
- Communication systems
- Transaction processing systems
- Decision support systems
- Management information systems
- Executive information systems
- Enterprise systems
- Limitations
- Uses of information systems categories
- DSS categories
4. System Acquisition / Development Process
- Approach (Waterfall, spiral, interactive, prototyping)
- Phases of SDLC (Investigation and feasibility study)
- Requirement Analysis and initial Design
- Detailed design specification / documentation
- System installation / implementation and maintenance
- Project Management
- Project Planning
- Project Control Methods and Standards
PART B
I.T. AUDIT
5. The Process of Auditing Information Systems
- Audit Mission and Planning
- Roles and responsibilities of internal, external and IT auditors
- Risk Assessment and Analysis
- Risk-based Audit Approach
- Compliance and substantive testing
- Internal Controls and their types, objectives and procedures
- Performing an IT audit
- CAATs
- Control self-assessment
6. Governance and Management of I.T.
- Corporate and IT Governance
- IT Governance Frameworks
- Roles and Responsibilities of Senior Management, Steering Committee and Chief Information Officer
- Policies and Procedures
- Human Resource Management
- Sourcing Practices
- Change Management
- IS Roles and Responsibilities
- Segregation of duties and Controls within IS
- Auditing IT Governance, Structure and Implementations
7. Auditing Infrastructure and Operations
- Hardware review
- Operating Systems reviews
- Database, local area network, network operating, control and information system operations reviews
- Lights-Out Operations
- Application controls and their objectives
- File creation
- Data Conversion
- Input and output
- Problem management reporting reviews
- Hardware availability
- Utilization reporting and scheduling reviews
8. Auditing Systems Acquisition / Development Process
- Risk of an inadequate system development life cycle (SDLC) and review of development procedures and methodologies
- Review of the acquisition process for outsourcing
- Information system maintenance practices
- Change management
- Library control software
- Review of the practice of project management tools and techniques
9. Information Security Management
- Importance of Information Security Management
- Understanding of Facilities (Data centres, outsourced facilities, Storage, media libraries, backup vaults, UPS and Disaster recovery sites)
- Antivirus Software Implementation Strategies
- Program and Data security techniques
- Monitoring and surveillance techniques
- Environmental Controls
- Smoke detectors
- Fire suppression, access management controls
- Physical design and access controls
- Logical Access controls (user authorization matrix and password management / password change procedures)
- Network security (encryption, firewalls), and Humidity / Temperature
- Media Sanitization
- Auditing Information Security Management
10. Business Continuity and Disaster Recovery
- Defining a Disaster
- BCP and DRP
- BCP Process
- Business Continuity Policy and Planning
- Incident Management
- Business Impact Analysis
- Development of BCP
- Insurance
- Plan Testing
- Auditing Business Continuity
TEACHING METHODOLOGY: The faculty is advised to teach the topics in the mode of case studies based on knowledge and application with a practical approach.
RECOMMENDED BOOKS
CORE READINGS (Title; Author; Publisher)
Information Systems: The Foundation of E-Business; Steven Alter; Prentice Hall / Pearson / Financial Times
Decision Modelling with Microsoft Excel; Jeffrey H. Moore / Larry R. Weatherford; Prentice Hall / Pearson / Financial Times
CISA Review Manual; CISA; Information Systems Audit and Control Association, Inc.
ADDITIONAL READINGS (Title; Author; Publisher)
Introduction to Information Systems; James O'Brien; McGraw-Hill
Practical IT Auditing; Jack Champlain; Warren Gorham & Lamont RIA Group
ICMA Pakistan
MODEL PAPER
INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)
SEMESTER- 3
Time Allowed: 02 Hours 40 Minutes Maximum Marks: 80 Roll No.:
(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
effective presentation, language and use of clear diagram/ chart, where appropriate.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
(vii) Question Paper must be returned to invigilator before leaving the examination hall.
Q.1 The first question (MCQs part) comprises 20 MCQs of one (1) mark each, to be attempted in 20 minutes.
Q.2 Read the following CASE carefully and answer the questions given below:
CASE
Megaton Corporation is a large industrial concern that has a complex network infrastructure with multiple local area and wide area networks that connect Megaton headquarters with its national and international offices. There is an Intranet site that is accessed only by employees to share work-related information. An Internet EDI site is also available that is accessed by customers and suppliers to place orders and check the status of orders. Both sites have open areas as well as sections containing private information that require an ID and password to access. User IDs and passwords are assigned by the central security administrator. The wide area networks are based on a variety of WAN technologies including frame relay, ATM, ISDN, and T1/T3. These networks carry unencrypted, non-sensitive information that is sent to the international offices of Megaton, but they do not carry any customer-identifiable information. Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is encrypted prior to being sent. A number of devices also utilize Bluetooth to transmit data between PDAs and laptop computers. A new firewall has been installed, and patch management is now controlled by a centralized mechanism for pushing patches out to all servers. The firewall policy does not allow any external access to the internal systems. Various database-driven Internet applications are in use, and many have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and the reports produced by this system are monitored on a daily basis. Megaton headquarters also maintains a data center consisting of 15,000 square feet (1,395 square meters). Access to the data centre is controlled by a card reader and by cameras monitoring the entrance. Recently, Megaton has actively started supporting the use of notebook computers by its staff so they can use them when travelling and when working from home. In this regard Megaton desires that staff can access the company databases and provide online information to customers. A large organization-wide ERP software implementation project is also under consideration. Megaton has decided to buy a commercial off-the-shelf ERP package and then customize it to fit its needs. Though Megaton is not in a hurry to implement the project, sizeable customizations of the ERP are anticipated. The last IS audit was performed more than five years ago. The current business continuity and disaster recovery plans have not been updated in more than eight years. During this time Megaton has grown by over 300 percent. At the headquarters alone, there are approximately 750 employees. The IS auditor has been asked to evaluate the current environment and make recommendations for improvement.
Questions:
a. What possible risks can be involved with the use of the EDI system at Megaton? (Marks: 08)
b. What would be the most serious concerns regarding the wide area networks at Megaton? (Marks: 06)
c. Many issues are involved when a company stores and exchanges confidential customer information over the network. What could be some of the significant issues to address if the information exchange between Megaton headquarters and its international offices includes personally identifiable customer information? (Marks: 05)
d. What role can the top management of Megaton play for better IT governance? (Marks: 05)
e. Suggest some controls to strengthen the security of the Data Centre at Megaton. (Marks: 03)
f. Based on the information given in the case, what would you recommend to Megaton for preparing their disaster recovery plan? (Marks: 03)
Q.3 (a) 'Capacity management' is the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively. The capacity plan should be developed based on input from both user and IS management to ensure that business goals are achieved in the most efficient and effective way. Discuss some types of information required for successful capacity planning. (Marks: 08)
(b) A database is a collection of information that is organized so that it can easily be accessed, managed, and updated. List the properties of the three major types of database structure: hierarchical, network and relational. (Marks: 06)
Q.4 (a) To develop an information system, an organization can either outsource the system development or rely on its own people. What are some of the risks involved when system development is done by the end-users of an information system? (Marks: 06)
(b) E-commerce is a positive development for both businesses and individuals, as it has made transactions more convenient and efficient. E-commerce involves no physical interaction between buyers and sellers, and such virtual transactions have many associated risks. Explain some of these risks and their mitigation strategies. (Marks: 06)
Q.5 (a) The acquisition of the right hardware and software resources for an organization is a complex issue that requires careful planning. What are some of the issues involved in acquiring hardware and software for an information system, and the steps involved in the selection of a computer system? (Marks: 06)
(b) An important objective of the IS auditor is to ensure that the organization provides adequate segregation of duties within the information system management structure. What are some of the duties and responsibilities of the IS auditor in achieving this objective? (Marks: 06)
Q.6 (a) While performing an IS audit of an organization, the IS auditor needs to carefully examine the various IS controls implemented by the organization. What are some techniques the IS auditor can use to evaluate the application controls implemented in an information system? (Marks: 06)
(b) An organization can hold a variety of sensitive information, such as financial results and business plans for the year ahead. As more and more of this information is stored and processed electronically and transmitted across company networks or the internet, the risk of unauthorized access increases. What are some basic types of information protection that an organization can use to minimize this risk? (Marks: 06)
THE END
INFORMATION SYSTEMS AND I.T. AUDIT (BML-303)
SEMESTER-3
FALL 2014 EXAMINATIONS
Thursday, the 5th March 2015
Time Allowed: 02 Hours 30 Minutes Maximum Marks: 70 Roll No.:
(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(iv) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
effective presentation, language and use of clear diagram/ chart, where appropriate.
(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.
(vi) Question No. 1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
(vii) Question Paper must be returned to invigilator before leaving the examination hall.
Q. 2 (a) Xeon Limited is a large multinational bank. It has recently received a license to operate a banking business in Pakistan. The management of the bank has decided to develop its own banking software and has recently awarded a software development contract to a local software consulting company. When the project kicked off, the project manager assigned to this project applied his own software development methodology instead of an internationally recognized Software Development Life Cycle (SDLC).
The bank has deputed you on this project as IS auditor. As part of your job responsibility, you are required to identify the risks associated with the project manager's non-compliance with international standards for software development methodology. List at least four potential risks that may arise from the incorporation of a non-standard software development methodology, with suggested controls. (Marks: 08)
(b) Audit risk is the risk that information or a financial report may contain a material error, or that the IS auditor may not detect an error that has occurred. Explain briefly how you would categorize audit risks. (Marks: 08)
Q. 3 (a) You are an IS auditor of Glorious (Private) Limited, a large accounting firm. As part of its human resource development plan, Glorious recently arranged overseas training in Computer-Assisted Audit Techniques (CAATs) for its IS audit team. You were one of the team members who travelled for the CAATs training. When you resumed office after successful completion of the training, the senior management of Glorious asked you to transfer the CAATs knowledge to its IS audit team members.
In order to conduct the knowledge transfer session, you are required to develop a presentation that should include:
i) Applications of CAATs (at least five)
ii) Advantages and disadvantages of CAATs (at least four of each)
Describe the important points in brief. (Marks: 13)
(b) Lincoin Limited is a group of companies with branch offices in all major cities of Pakistan. Lincoin Limited has good IT infrastructure across all its branches. Its data processing facilities are highly sophisticated and run a number of software applications. A few months ago, Lincoin's IT facilities were shut down for two weeks due to an unforeseen application server disaster, which caused significant losses in business since timely information was not available for decision making. An IT business continuity plan (BCP) was in place, but it did not recover the business applications successfully as expected when applied in the disaster recovery event. Due to the ineffectiveness of the BCP, the management of Lincoin has decided to get it reviewed by an external IS auditor.
State at least ten basic elements that should be verified by the IS auditor while reviewing the BCP. (Marks: 05)
Q. 4 (a) There are various project management techniques and tools available to assist a project manager in the software development process. In the current revolutionary age of information technology, the Agile project management process is considered highly successful. Describe in brief the Agile project management method, with at least 10 Agile principles that support project teams in implementing the Agile project management method. (Marks: 12)
(b) Wolex Enterprises is a large distribution company dealing in life-saving drugs. Currently it has a very small distribution network; however, the management intends to launch its operations in all major cities of the country. Wolex's operations feasibility team is in consultation with various firms engaged in developing the infrastructure facilities and recruiting the work force. An outsourcing option for IT support services is also under consideration.
As a senior member of the Wolex feasibility team, you are required to come up with four benefits and four limitations relevant to the outsourcing proposal. (Marks: 08)
Q. 5 (a) A database is a collection of structured data organized in rows and columns. The use of a database has various significant strengths, such as:
- reduced data redundancy
- improved data integrity
- allows data sharing
- reduced development time
Explain each of the strengths indicated above. (Marks: 08)
(b) Symbol Electronics Limited (SEL) is a medium-sized manufacturing company involved in assembling and exporting domestic electronic goods. During the last year, SEL incurred significant losses on several large export consignments due to shipments running three weeks over schedule. Upon investigation by the internal IS audit team, the production manager of SEL held the suppliers responsible for not delivering the raw material on time, while the suppliers were of the view that the delivery lead time was not considered by the SEL procurement department when raw material orders were placed. In order to overcome the issue of delayed acquisition of raw material, the management of SEL has decided to adopt the Business-to-Business (B2B) model.
As the head of Information Technology of SEL, briefly explain the B2B model and specify its key characteristics. State the advantages and disadvantages of the B2B model. (Marks: 08)
THE END
INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)
SEMESTER- 3
SPRING (AUGUST) 2014 EXAMINATIONS
Thursday, the 21st August 2014
Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:
(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
effective presentation, language and use of clear diagram/ chart, where appropriate.
(vi) Question Paper must be returned to invigilator before leaving the examination hall.
Q.2 (a) Enterprise Resource Planning (ERP) is an industry term for integrated, multi-mode application software packages that are designed to support multiple business functions. Due to its importance and effective operational needs, the management of an automobile manufacturing company plans to implement an ERP system in order to integrate its different departmental functions. Briefly explain the different implementation phases of an ERP system. Discuss the benefits the company would achieve by effectively implementing an ERP system in the organization. (Marks: 09)
(b) Recent research shows that, most of the time, approximately 80% of a computer system's CPU remains in an idle state. The operating system is a resource manager and optimizes the CPU resources. Discuss the different classes of operating system. (Marks: 05)
Q.3 (a) A Decision Support System (DSS) is an interactive information system that provides information, models and data manipulation tools to help make decisions in semi-structured and unstructured situations. Discuss eight important techniques used in decision making in a Decision Support System (DSS). (Marks: 10)
(b) An organization has deployed an MIS and has advertised Database Administrator (DBA), project manager and application developer jobs in a leading newspaper to fill its vacant positions. Discuss the role and job description of each post in effectively implementing and managing the MIS in the organization. (Marks: 06)
Q.4 (a) A multinational bank has established a data center in its head office. A 50 Terabyte capacity Storage Area Network (SAN), blade servers, CISCO routers and PIX firewalls have been deployed in the network infrastructure of the data center. Proper environmental and physical controls can ensure equipment reliability as per the manufacturers' (e.g. IBM and CISCO) recommendations in equipment data sheets, which can reduce the risk of any downtime. The management of the bank has engaged an IT auditor for a LAN and network operating review. Consider yourself the IT auditor and highlight a minimum of six requirements related to the organization's LAN and network operating review. (Marks: 10)
(b) With the revolution in network technology, wireless security provides prevention of unauthorized access to, or damage of, computers using wireless networks. Discuss three principal ways to secure wireless networks. (Marks: 06)
Q.5 (a) Students of XYZ University have developed mobile applications and have advertised on
university web site. To promote this product through e-commerce activity they need a
merchant account. Discuss need and requirement of merchant account in our country
to promote e-commerce business activities. Elaborate six different payment methods
used in e-commerce business?
09
(b) For all customers, partners, resellers, and distributors who hold valid Cisco service
contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical
assistance. The Cisco Technical Support Website provides online documents and tools
for troubleshooting and resolving technical issues with Cisco products and technologies.
M/s UNICOM network manager has decided to upgrade its CISCO12000 series router
as per CISCO TAC (Technical assistant support center) recommendation. Change
management procedure is used when changing hardware, upgrading operating system
and configuring various network devices. Discuss effects of proper procedures/ SOPs
followed and deployed during this migration process.
07
Q.6 (a) Most business continuity tests fall short of a full-scale test to all operational portion of
the corporation. The test should address all critical components and simulate actual
prime-time processing conditions. Discuss different tasks to be accomplished by
‘Continuity Plan Testing’? Explain five test phases that should be completed to perform
full testing.
09
(b) Software development practitioners have developed alternative development strategies
to reduce development time and maintenance costs or to improve the quality of software.
Compare the advantages and disadvantages of the waterfall, spiral and prototyping
models used in software development methodologies.
09
THE END
ISITA/May-2014
ICMA Pakistan
EXTRA ATTEMPT, MAY 2014 EXAMINATIONS
Saturday, the 24th May 2014
INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)
SEMESTER- 3
Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:
(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
effective presentation, language and use of clear diagram/ chart, where appropriate.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.
(vi) Question Paper must be returned to invigilator before leaving the examination hall.
MARKS
Q.2 (a) A traditional system development life cycle (SDLC) approach is made up of a number of
distinct phases, each with a defined set of activities and outcomes. Identify the phases
and discuss in detail the purpose of each phase and the general activities performed by
each phase.
12
(b) Assume that you are helping the IT manager of a supermarket in managing databases.
What different methods of accessing data would you use for their databases?
06
Q.3 (a) Discuss the various types of E-commerce models. E-commerce depends heavily on the
existence of a level of trust between two parties to reduce risk. State the most
important elements of risk in E-commerce.
09
(b) Wireless transmission does not need a fixed physical connection because it sends
signals through air or space. Discuss the four common types of wireless transmission
and how their applications differ in scale and complexity.
06
Q.4 (a) Outsourcing is one of the business practices and strategies organizations use to reduce
operational cost and concentrate on their core business areas. Cloud computing is one of
the techniques of outsourcing. Elaborate the different cloud computing service models.
Discuss the advantages, disadvantages and business risks related to outsourcing.
08
(b) Adequate planning is necessary in performing effective IS audit. Discuss the various
types of audits, internally or externally, and the audit procedures associated with each
audit that an IS auditor should understand.
08
Q.5 (a) Disaster recovery planning “DRP” is a continuous process. When the normal production
facilities become unavailable, the business may utilize alternate facilities to sustain
critical processing until the primary facilities can be restored. Discuss the most common
recovery alternatives in detail.
10
(b) You have been assigned to audit a multinational company having its offices around the
globe. Discuss the areas of IS auditing which should be kept in mind while performing
an audit of any company with a global presence.
09
Q.6 The most critical factor in protecting information assets and privacy is laying the
foundation for effective information security management. Identify and discuss at least
six key elements of an information security management system.
12
THE END
ISITA/Feb-2014
ICMA Pakistan
FALL 2013 (FEBRUARY 2014) EXAMINATIONS
Saturday, the 22nd February 2014
INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)
SEMESTER- 3
Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:
(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
effective presentation, language and use of clear diagram/ chart, where appropriate.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.
(vi) Question Paper must be returned to invigilator before leaving the examination hall.
MARKS
Q.2 (a) Most business information systems are based on databases. The web is not itself a
database; however, it illustrates the capabilities of hypermedia databases. Discuss the
features of a hypermedia database. Also describe the difference between searching for required
information using a traditional database and using the World Wide Web metaphor.
09
(b) An expert system makes sure that important factors of an event have not been ignored
and provides information that helps the person make a good decision. With the help of
an appropriate example, differentiate between the forward chaining and backward chaining
logic used by expert systems.
08
Q.3 (a) The PeopleSoft ERP system of XYZ Courier Company has crashed. Data backup is a
key preventive measure: it ensures that the critical activities of an organization are
not interrupted in the event of a disaster. Discuss the different types of disk-based backup
systems and the criteria for choosing backup devices and media for early
restoration of data.
09
(b) One of the most interesting market mechanisms in e-commerce is the electronic auction,
which is used in B2C, B2B, C2B, G2B and G2C business models. Differentiate between
forward and reverse e-auctions with examples. Also discuss the role of brokers and
barter in the e-marketplace.
08
Q.4 (a) To ensure a high level of computer hardware and network availability, XYZ Company has
signed a service maintenance contract, including spare parts, with a local IBM vendor for
information system support and maintenance work. The hardware maintenance
program is designed to document the performance of hardware maintenance. Discuss the
mandatory information which should be maintained in a hardware maintenance program.
Also elaborate typical procedures and reports for monitoring the effective and efficient
use of hardware.
09
(b) A project team with participation by technical support staff and key users should be
created to write a request for proposal (RFP). Elaborate seven different areas which
should be included in the contents of this or any RFP document.
07
Q.5 (a) An IT audit firm is planning its critical data migration from an old FOXPRO database
system to a new Oracle 9i database system. This large-scale data conversion becomes a
project within a project. Discuss the necessary steps for a successful data conversion
process.
10
(b) Remote access is a common technique to monitor and configure network devices using
Telnet and other utility software. Discuss the different remote access connectivity
methods. How can an organization implement remote access security to avoid any
chance of access to the company's intranet by an intruder, cracker or hacker?
08
Q.6 Why do organizations need a Transaction Processing System (TPS), Management
Information System (MIS) and Executive Information System (EIS)? How did the Management
Information System (MIS) emerge partly as a response to the shortcomings of the first
computerized transaction processing systems? Similarly, the Executive Information System
(EIS) attempts to overcome the shortfalls of the traditional MIS approach. Elaborate this
revolution in information systems. Do MIS and EIS really solve managers' problems?
12
THE END
ISITA/E-Attempt.2013
ICMA Pakistan
EXTRA ATTEMPT, NOVEMBER 2013 EXAMINATIONS
Tuesday, the 26th November 2013
INFORMATION SYSTEMS AND I.T. AUDIT – (ML-303)
SEMESTER- 3
Time Allowed: 02 Hours 45 Minutes Maximum Marks: 90 Roll No.:
(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
effective presentation, language and use of clear diagram/ chart, where appropriate.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
(vii) Question Paper must be returned to invigilator before leaving the examination hall.
MARKS
SECTION – “A”
Q.2 (a) Modern E-commerce architectures consist of a variety of complex integrated
components. Explain four significant components of e-commerce architecture.
06
(b) E-businesses use a variety of computer hardware architectures. These computers are
used both at the client and at the service provider end. Explain any three types of computers
based on their processing power, size and architecture.
09
Q.3 (a) There are three major forms of organizational alignment for project management
within a business organization. Discuss each.
06
(b) Problem management is one of the key functions of information system operations.
Discuss three important duties of an IS manager with respect to the problem
management function.
09
Q.4 (a) Information system development may involve developing a new system or modifying
an existing one. In either case, IS management is required to prepare various types of
feasibility studies. What are the five important functions of an IS auditor while analyzing
these feasibility studies?
05
(b) There exist a variety of database models used in information systems today.
Explain any five key features of the network database model and the relational database
model.
10
SECTION – “B”
Q.5 (a) A risk-based audit approach is usually adopted to develop and improve the continuous
IS audit process. Explain five stages of risk-based audit approach.
10
(b) Steering Committees play a strategic role in information systems management and
ensure that the IS department is in harmony with the corporate mission and objectives.
List five primary functions performed by the Steering Committee.
05
Q.6 (a) Data conversion is a significant activity in information system development life cycle.
Explain five significant points to be considered in a data conversion project.
05
(b) The system development life cycle (SDLC) approach doesn't guarantee successful
completion of an IS development project. It involves a magnitude of risk that needs to
be controlled. Explain six responsibilities of an IS auditor to control the risks of an inadequate
system development life cycle.
06
Q.7 (a) Firewalls generally act as the first line of defence in securing corporate internal networks
from external threats. List six general features of firewalls. Also list three problems
faced by organizations after implementing firewalls.
09
(b) An IS processing insurance policy is usually a multi-tiered policy designed to provide
various types of IS risk coverage. Explain five types of coverage provided in an IS
processing insurance policy.
10
THE END
1 of 2 ISITA/February.2013
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Fall 2012 (February 2013) Examinations
Saturday, the 23rd February 2013
INFORMATION SYSTEMS & I.T. AUDIT – (ML-303)
SEMESTER - 3
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 90 Roll No.:
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
presentation and language.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
(vii) Question Paper must be returned to the invigilator before leaving the examination hall.
MARKS
SECTION – “A”
Q. 2 (a) What do you understand by 'Data Integrity Testing'? A multinational stock exchange
company uses an online multi-user transaction processing system controlled by an Oracle
DBMS. Discuss the properties of the ACID principle used in this online Oracle-based transaction
processing system.
07
(b) Discuss the importance of Customer Relationship Management (CRM) in meeting the expectations
of customers. Distinguish between Operational and Analytical CRM.
08
Q. 3 (a) 'Modern operating systems provide virtualization features.' Elaborate the statement. ABC
Company is planning to reduce its operational cost by implementing a virtualization
solution. Compare the advantages and disadvantages of this solution.
06
(b) Moving data in a batch transmission process through the traditional Electronic Data
Interchange (EDI) process involves three functions within each trading partner's computer
system. List and briefly explain these functions used in the traditional EDI process.
09
Q. 4 (a) Software development organizations implement process methodologies. Discuss the
features of the waterfall and spiral models. How does the spiral model support risk
management?
07
(b) A multinational bank is establishing branches all over the country, which will
be integrated through a WAN. Discuss different WAN technologies along with their features
for providing point-to-point secure connectivity of all its branches to the bank's Head Office.
(any eight)
08
SECTION – “B”
Q. 5 (a) 'Encryption' is the need of today's e-business. Discuss why symmetric encryption is
used for data encryption and asymmetric encryption is used in the key exchange
mechanism. If an individual wants to send messages using a public key cryptographic
system, how does s/he distribute the public key in a secure way?
08
(b) The changing technological infrastructure requires specific reviews of hardware,
operating systems, IS operations, databases and networks. As an IS auditor, discuss the
main areas which need to be reviewed related to hardware.
06
Q. 6 (a) 'Policies and procedures' reflect management guidance in developing controls over
information systems. IS auditors should use policy as a benchmark for compliance.
Discuss the main features of an information security policy document. How can an IS auditor
ensure compliance with an Acceptable Internet Usage Policy?
06
(b) How does CAAT help an IS auditor in gathering information from the hardware and software
environment? Generalized audit software (GAS) is a main tool used in CAAT. Discuss the
different functions supported by GAS.
09
Q. 7 (a) There are various reasons to create Access Control Lists (ACLs). Discuss. How can a
network administrator secure the network by implementing extended ACLs on a company
router interface?
08
(b) Discuss the process of developing and maintaining an appropriate 'Business Continuity
Plan'. Explain the major tasks involved when an IS auditor is evaluating the
suitability of a business continuity plan.
08
THE END
ISITA/August.2012 1 of 2
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Spring (August) 2012 Examinations
Thursday, the 30th August 2012
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56 Roll No.:
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
presentation and language.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20
marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
(viii) Question Paper must be returned to the invigilator before leaving the examination hall.
MARKS
SECTION – “A”
Q. 2 (a) What are the five major components of an idealized expert system? Expert system logic
combines forward chaining and backward chaining. Explain.
10
(b) Distinguish between a database and data modeling. Give an example illustrating the
basic entity-relationship diagram tool for data modeling.
05
Q. 3 (a) The systems in organisations are built and maintained in terms of four phases. Illustrate
these phases. Also list the common reasons for project failure in each phase.
08
(b) Define 'Business Intelligence (BI)'. Identify its areas of application. Three main factors
have been responsible for the increasing use of BI as a distinct field of IT. Explain these
factors.
06
SECTION – “B”
Q.4 (a) 'Testing' is an essential part of the development process. Discuss testing and the
elements of a software testing process. List the various types of testing.
08
(b) A large-scale data conversion requires considerable analysis, design and planning.
Discuss the necessary steps for a successful data conversion.
06
Q.5 (a) A recovery strategy identifies the best way to recover a system (one or many) in case of
an interruption, including a disaster, and provides guidance for developing recovery
alternatives. There are different strategies and recovery alternatives available. Explain
the most common recovery alternatives.
07
(b) General controls apply to all areas of the organization including IT infrastructure and
support services. Discuss.
06
THE END
1 of 2 ISITA/April.2012
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
New Fall (E) 2011, April 2012 Examinations
Thursday, the 19th April 2012
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56 Roll No.:
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
presentation and language.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20
marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
(viii) Question Paper must be returned to the invigilator before leaving the examination hall.
MARKS
SECTION – “A”
Q. 2 (a) Information technology and information systems are powerful and valuable tools for
individuals and organizations. Identify and briefly discuss the obstacles and real-world
limitations that have slowed the pace of implementation of IT-based innovation.
06
(b) The Principle-Based Systems Analysis (PBSA) method is an approach to improving a work
system. PBSA converts the four steps of systems analysis into three steps that can be
pursued in a situation. Briefly discuss these three steps.
06
Q. 3 (a) There are four approaches to system life cycles, each involving different
processes and helping to decide which method is appropriate for a particular situation.
Discuss the four system life cycle approaches.
04
(b) The four main factors related to information usefulness are information quality,
accessibility, presentation and security. Briefly discuss them.
08
(c) Briefly discuss the four aspects of the convergence of computing and communications. 04
SECTION – “B”
Q. 4 (a) An IS department can be structured in different ways and an IS auditor should determine
whether the job descriptions and structure are adequate. Briefly discuss the IS roles and
responsibilities reviewed by an IS auditor related to the following:
i) Media Management
ii) System Administration
iii) Security Administration
iv) Quality Assurance
v) Database Administration
vi) Network Administrators
06
(b) Discuss the policies and procedures that reflect management guidance and direction in
developing controls over information systems. Explain the key points contained in an
information security policy document.
08
Q. 5 (a) The IS auditor should be familiar with the different types of sampling techniques and their
usage. Briefly touch upon the two general approaches to audit sampling. Identify the
statistical sampling terms that need to be understood while performing variable sampling.
08
(b) Discuss the various roles and responsibilities of groups/individuals that may be involved
in the development process of a project management structure.
06
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Winter (November) 2011 Examinations
Monday, the 21st November 2011
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56 Roll No.:
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
presentation and language.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20
marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
(viii) Appearing in Project, Presentation and Practical parts of the paper is compulsory.
(ix) Question Paper must be returned to the invigilator before leaving the examination hall.
MARKS
SECTION – “A”
Q. 2 (a) What is an information system plan? 04
(b) Why do users and managers have to participate in information system planning and
development?
04
(c) The capabilities of modern electronic communication systems help people work together by
exchanging or sharing information in many different forms. Discuss six main tools of
modern electronic communication systems being used in the present environment.
06
Q. 3 (a) Identify and explain five product performance variables used to evaluate any stage in the
customer experience.
05
(b) Discuss common roles of information systems in improving the product of a work system. 04
(c) What is the difference between efficiency and effectiveness, and how is this related to
the work system framework?
05
SECTION – “B”
Q.4 (a) Explain the term 'Risk Management' and the prerequisites for developing a risk
management program.
05
(b) Discuss the three methods used for ‘risk analysis’. 03
(c) 'Changeover technique' refers to shifting users from the existing (old) system to the new
system. This can be achieved in three different ways. Discuss these in detail.
06
Q.5 (a) The IS audit process must continually change to keep pace with innovation in
technology. Explain the three evolving changes in the IS audit process, including automated
work papers, integrated auditing and continuous auditing.
08
(b) Discuss the impact of laws and regulations on IS audit planning. 06
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Summer (May) 2011 Examinations
Thursday, the 26th May 2011
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56 Roll No.:
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
presentation and language.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20
marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
(viii) Question Paper must be returned to the invigilator before leaving the examination hall.
MARKS
SECTION – “A”
Q. 2 (a) Information systems are tools for decision-making. Each type of information system
supports both communication and decision-making in a number of ways. Explain in detail
the system types and their impact on communication and decision-making.
6
(b) (i) Define each of the process performance variables. Describe how an information
system can improve performance related to each of these variables.
5
(ii) What are the phases of building and maintaining a system? 5
Q. 3 (a) A computer system finds stored data either by knowing its exact location or by searching
for the data. Different DBMSs contain different internal methods for storing and retrieving
data. Explain the sequential access, direct access and indexed access methods for
accessing data in a computer system.
6
(b) Define each of the five levels of integration. What kinds of problems sometimes result
from tight integration?
6
SECTION – “B”
Q. 4 (a) IS auditors’ conclusions must be based on sufficient, relevant and competent evidence.
Explain. Enumerate the determinants for evaluating the reliability of audit evidence.
5
(b) What are the project phases of physical architecture analysis? Explain. Different project
phases are involved in planning the implementation of infrastructure. Discuss each
phase.
6
Q. 5 (a) Control self-assessment (CSA) is a management technique. Illustrate. What are the
objectives of CSA? Highlight the benefits and disadvantages of CSA.
6
(b) (i) Testing is an essential part of the development process. An IS auditor plays a
preventive role in the testing process. Enumerate the elements of a software testing
process. Also explain the classifications of testing.
6
(ii) Contrast corporate governance and IT Governance. Explain the role of audit in IT
Governance.
5
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Fall (Winter) 2010 Examinations
Sunday, the 28th November 2010
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
presentation and language.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20
marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
MARKS
SECTION – “A”
Q. 2 (a) (i) “Computer hardware owned and managed within a corporation can exist at any or
all of the following levels: corporate headquarters, regional processing centers,
workgroup processors and individual work stations.” Briefly elaborate.
04
(ii) What is the difference between centralized and decentralized approaches? How can an
intermediate situation differ from these two extreme modes?
05
(b) How can Principle-based system analysis (PBSA) be applied to work systems,
information systems and projects?
05
Q. 3 (a) An experienced manager who has worked for the last 30 years, and gradually moved from
management trainee to the top executive position, is about to retire. The
company relies heavily on the expertise of this senior executive and considers
him the hub of tacit knowledge. An information technology expert of the company
suggested that the core knowledge of the experienced manager, along with the tacit
knowledge related to his vast and diverse experience, can be captured and utilized efficiently
through an "expert system". The CEO asked the IT specialist to justify his idea and
elaborate it to the board.
Required:
What is an Expert System? Discuss the building blocks of an Expert System. 09
(b) Intellectual property is different from other forms of property and therefore requires a different
form of protection law. Define intellectual property and differentiate it from other
copyright laws.
05
SECTION – “B”
Q. 4 (a) Describe the phases involved in System Development Life Cycle (SDLC). 06
(b) There are three elements or dimensions of a project that should always be taken into
account. Explain.
03
(c) The IS auditor should understand the various types of audits that can be performed,
internally or externally, and the audit procedures. Explain classification of audits.
07
Q. 5 (a) An IS auditor plays a vital role in ascertaining the appropriateness of Business Continuity
Planning (BCP) and Disaster Recovery Planning (DRP). Explain the tasks
involved when an IS auditor evaluates the suitability of business continuity.
04
(b) What crucial factors are to be considered when reviewing the BCP? 04
(c) How can emergency procedures be ensured during the evaluation of a DRP? 04
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Spring (Summer) 2010 Examinations
Thursday, the 20th May 2010
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
presentation and language.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20
marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
SECTION – “A” MARKS
Q.2 (a) Customers think about product performance in terms of a variety of performance
variables. Identify the product performance variables that can be used to evaluate any stage
in the customer experience. Also illustrate typical performance measures for each variable
and common ways information systems are used to improve the product.
07
(b) A neural network is an offshoot of artificial intelligence. It is an attempt to model the human
brain.
(i) Explain the term ‘neural network’. 02
(ii) How does it operate? Explain the procedure. 03
(iii) Give any two real-life examples where neural network is applied. 02
Q.3 (a) ABC Corporation has its office in a multi-storied building. Its various departments are
spread over different floors of the same building. The physical security of the IT
infrastructure, such as computers, peripherals and network devices, is up to the mark;
however, the CTO is concerned about "controlling access to data." Assume that the CTO of
the company has hired you to address this issue. Prepare an account of 'control
techniques' including manual data handling, access privileges, and data flow through
networks and other media.
07
(b) Electronic commerce (e-commerce) is one of the most popular e-business
implementations. What do you understand by e-commerce models? Discuss.
07
SECTION – “B”
Q.4 (a) After developing an audit program and gathering audit evidence, the next step is the
evaluation of the information gathered in order to develop an audit opinion. This
requires the IS auditor to consider a series of strengths and weaknesses and then
develop audit recommendations.
(i) How can an IS auditor assess the strengths and weaknesses of the evidence
gathered?
03
(ii) How can a control matrix be employed in this regard? 03
(iii) What critical role can the concept of materiality play in sifting relevant
information for the audit report?
03
(b) Today, telecommunication networks are key to business processes in both large
and small organizations. However, organizations often do not give them the same priority
as data centers. What are the telecommunication network disaster recovery methods
and how can we protect a network by using these methods?
05
Q.5 (a) Generally, each IT platform that runs an application supporting a critical business function needs a recovery strategy. Discuss the different alternative strategies in terms of cost and the relevant level of risk. 07
(b) “System maintenance practices refer primarily to the process of managing change to application systems while maintaining the integrity of both the production source and executable code.” In the light of this statement, answer the following questions:
(i) Describe the change management process. 03
(ii) How are changes deployed? 02
(iii) Why is system documentation important in the change management process? 02
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Fall (Winter) 2009 Examinations
Thursday, the 19th November 2009
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments,
presentation and language.
(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20
marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.
SECTION – “A” MARKS
Q.2 (a) Information systems are designed to support decision-making and management performance in one way or another. Identify and explain each step involved in the decision-making process with the help of a process flow diagram. 08
(b) How are social context and nonverbal communication important when communication technologies are used? 06
Q.3 (a) Describe the main uses of high-level, fourth-generation, object-oriented, and web-oriented programming languages and tools. 08
(b) Define the elements of a work system framework with the help of a diagram. 06
SECTION – “B”
Q.4 (a) IS auditors expect a well-managed IS department in order to achieve the organization’s objectives. An effective IS department includes information systems management practices such as personnel management, sourcing and IT change management. Explain these in detail. 08
(b) What are the typical physical access controls employed by different organizations having sufficient IT assets and specific budgets allocated for their protection? 06
Q.5 (a) A medium-sized company is operating in a client-server environment that links its several branches to the head office located in the same city. How can an IS auditor ensure the security of this client-server environment? Enumerate. 06
(b) Control Self-Assessment (CSA) can be defined as a management technique. Explain. What are the benefits and disadvantages of CSA? Define the IS auditor’s role in the implementation of CSA. 08
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Spring (Summer) 2009 Examinations
Wednesday, the 20th May 2009
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
Stage-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of
arguments, presentation and language.
(iv) Read the instructions printed on the top cover of answer script CAREFULLY before
attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a
project of 20 marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this
question paper.
MARKS
SECTION –“A”
Q.2 (a) Data communication provides the underpinning of networks and electronic commerce. Explain how data is transmitted from one computer to another with reference to the OSI model. 07
(b) Information systems depend on software resources to help end-users use computer hardware to transform data into information products. What are the different types of such software resources? Explain each by illustrating various examples. 07
Q.3 (a) Illustrate some benefits of using expert systems by different organizations. What are the problems faced during the development and usage of an expert system? 05
(b) A software development life cycle (SDLC) is a logical process that ‘System Analysts’ and ‘System Developers’ use to develop software packages. What is the purpose of using SDLC? Explain the different phases of SDLC. 05
(c) One of the tools of software development is prototyping. How does prototyping help software engineers in software development? 04
SECTION –“B”
Q.4 (a) What are the typical categories of authentication? What is two-factor authentication? Give an example. What are TOKEN-based authentication devices? Briefly describe their working. Which category of authentication do they belong to, and how? 07
(b) Describe the significance for an IS auditor of ensuring that hiring and termination procedures are clear and comprehensive. How can an IS auditor ensure that these procedures are being practised? 07
Q.5 (a) Briefly describe how laws and regulations affect IS audit. How would IS auditors proceed to determine an organization’s level of compliance with external requirements? 05
(b) How can unnecessary system outages resulting from system configuration be controlled? How can IS auditors ensure that the appropriate controls are present in this regard? How do media controls address media transportation, storage, reuse, and disposal activities? Give a media control example for each type of activity. 05
(c) What is contracting? Define the different elements of a contract. What is the purpose of these contracts besides third-party outsourcing? 04
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Fall (Winter) 2008 Examinations
Wednesday, the 19th November 2008
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
Stage-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of
arguments, presentation and language.
(iv) Read the instructions printed on the top cover of answer script CAREFULLY before
attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a
project of 20 marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this
question paper.
MARKS
SECTION –“A”
Q.2 (a) With technology becoming more advanced, purchasing over the internet has become a norm. A successful e-commerce system must address the many stages consumers experience in the sales life cycle. Discuss the multi-stage model for purchasing over the internet in detail with the help of an illustration. 10
(b) There are a number of challenges that must be overcome for a company to convert its business processes from the traditional form to e-commerce processes. Elaborate on the challenges with examples. 4
Q.3 (a) How does enterprise software work? Name some business processes supported by enterprise software. Why are enterprise systems difficult to implement and use effectively? Name at least three (03) commonly known popular ERP solution platforms. 4
(b) How have the value chain and competitive forces models changed as a result of the internet and the emergence of digital firms? Briefly discuss. 4
(c) There were a few actions by major hardware and software vendors in the past that initiated discussion about the need for consumers to be on guard to protect their privacy. Describe and discuss at least two of the most important cases in this regard. 6
SECTION –“B”
Q.4 (a) Why is the testing of Disaster Recovery and Business Continuity Planning so important? What are the important elements to be considered, and what tasks should be accomplished by such a test? 7
(b) Why are digital signatures and digital certificates important for electronic commerce? What are the three major issues when a certificate needs to be revoked? Also describe a CRL. 4
(c) What are controls? Distinguish between general controls and application controls. 3
Q.5 (a) It is a general belief that an IS auditor’s conclusions must be based on sufficient, relevant and competent evidence. Elaborate on the techniques for gathering evidence. 5
(b) What is an Artificial Intelligence System (AIS), and what are the major branches of AIS? Discuss expert systems along with their capabilities and the characteristics limiting their current usefulness. 9
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
SPRING (SUMMER) 2008 EXAMINATIONS
Sunday, the 25th May, 2008
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
Stage-6
Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of
arguments, presentation and language.
(iv) Read the instructions printed on the top cover of answer script CAREFULLY before
attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer based practical examination of 10 marks and presentation of a
project of 20 marks, which form the part of this paper.
(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this
question paper.
Marks
SECTION –“A”
Q.2 (a) It is a fact that the majority of enterprises could not succeed without the possession of data concerning their external environment and their internal operations. How can the use of data flow diagrams aid enterprises through the provision of better quality decision-making information? 4
(b) A system must pass the ACID test to be considered a true transaction processing system. What are the properties of the ACID test? 5
(c) A fuzzy logic system deals with “approximate reasoning”. Does it make sense to apply it to control systems? Why or why not? 5
Q.3 (a) The accuracy of the outcome of a cost-benefit analysis is dependent on how accurately costs and benefits have been estimated. Inaccurate cost-benefit analysis may be argued to be a substantial risk in planning, because inaccuracies of the size documented are likely to lead to inefficient decisions. What are the causes of inaccuracies in cost and benefit estimations? 6
(b) ABC Software Company has to develop a software automation system for a local textile company with a very basic IT infrastructure. Is it a good idea to develop a prototype of the system before developing the full-fledged system? Discuss. 4
(c) The biggest concern with biometric security is the fact that once a fingerprint or any other biometric source has been compromised, it is compromised for life, because users can never change their fingerprints. Is this concern valid? Discuss with reasoning. 4
SECTION –“B”
Q.4 (a) Describe automated evaluation techniques, along with their complexity levels, applicable to continuous online auditing. Also mention the circumstances under which each type can be used. 7
(b) What are the physical and logical access points that need to be checked for unauthorized exposures of critical IT assets? 7
Q.5 (a) Give details of active and passive attacks, with two examples of each type. 4
(b) Why is a proper configuration for firewalls essential? 3
(c) Describe the purpose of library control software. 7
The End
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)

Weitere ähnliche Inhalte

Was ist angesagt?

What Is Functional Testing?
What Is Functional Testing?What Is Functional Testing?
What Is Functional Testing?QA InfoTech
 
Testing strategies in Software Engineering
Testing strategies in Software EngineeringTesting strategies in Software Engineering
Testing strategies in Software EngineeringMuhammadTalha436
 
Student management system university erp
Student management system   university erpStudent management system   university erp
Student management system university erpMehul Thakkar
 
14.project online eamination system
14.project online eamination system14.project online eamination system
14.project online eamination systemVivek Mehta
 
Use case Diagram
Use case Diagram Use case Diagram
Use case Diagram Rahul Pola
 
digiinfo website project report
digiinfo website project reportdigiinfo website project report
digiinfo website project reportABHIJEET KHIRE
 
Leave management System
Leave management SystemLeave management System
Leave management Systempratikmahorey
 
The Quality Standard: ISO 9000 , CMM and Six Sigma
The Quality Standard: ISO 9000 , CMM and Six SigmaThe Quality Standard: ISO 9000 , CMM and Six Sigma
The Quality Standard: ISO 9000 , CMM and Six SigmaDeep Dalsania
 
Bpo management systemuml
Bpo management systemumlBpo management systemuml
Bpo management systemumlshashank reddy
 
SYNOPSIS ON BANK MANAGEMENT SYSTEM
SYNOPSIS ON BANK MANAGEMENT SYSTEMSYNOPSIS ON BANK MANAGEMENT SYSTEM
SYNOPSIS ON BANK MANAGEMENT SYSTEMNitish Xavier Tirkey
 
Online votingsystem
Online votingsystemOnline votingsystem
Online votingsystemManish Kumar
 
CS304PC:Computer Organization and Architecture Unit- III PDF notes .pdf
CS304PC:Computer Organization and Architecture Unit- III PDF notes .pdfCS304PC:Computer Organization and Architecture Unit- III PDF notes .pdf
CS304PC:Computer Organization and Architecture Unit- III PDF notes .pdfAsst.prof M.Gokilavani
 
Software Architecture and Design Introduction
Software Architecture and Design IntroductionSoftware Architecture and Design Introduction
Software Architecture and Design IntroductionUsman Khan
 
ADVANCED ONLINE VOTING SYSTEM
ADVANCED ONLINE VOTING SYSTEMADVANCED ONLINE VOTING SYSTEM
ADVANCED ONLINE VOTING SYSTEMabadmgr
 
Final Year Project of Online Food Ordering System
Final Year Project of Online Food Ordering SystemFinal Year Project of Online Food Ordering System
Final Year Project of Online Food Ordering SystemSidraShehbaz
 
What is Sanity Testing? Edureka
What is Sanity Testing? EdurekaWhat is Sanity Testing? Edureka
What is Sanity Testing? EdurekaEdureka!
 

Was ist angesagt? (20)

What Is Functional Testing?
What Is Functional Testing?What Is Functional Testing?
What Is Functional Testing?
 
Testing strategies in Software Engineering
Testing strategies in Software EngineeringTesting strategies in Software Engineering
Testing strategies in Software Engineering
 
Student management system university erp
Student management system   university erpStudent management system   university erp
Student management system university erp
 
14.project online eamination system
14.project online eamination system14.project online eamination system
14.project online eamination system
 
Use case Diagram
Use case Diagram Use case Diagram
Use case Diagram
 
digiinfo website project report
digiinfo website project reportdigiinfo website project report
digiinfo website project report
 
Leave management System
Leave management SystemLeave management System
Leave management System
 
The Quality Standard: ISO 9000 , CMM and Six Sigma
The Quality Standard: ISO 9000 , CMM and Six SigmaThe Quality Standard: ISO 9000 , CMM and Six Sigma
The Quality Standard: ISO 9000 , CMM and Six Sigma
 
Bpo management systemuml
Bpo management systemumlBpo management systemuml
Bpo management systemuml
 
SYNOPSIS ON BANK MANAGEMENT SYSTEM
SYNOPSIS ON BANK MANAGEMENT SYSTEMSYNOPSIS ON BANK MANAGEMENT SYSTEM
SYNOPSIS ON BANK MANAGEMENT SYSTEM
 
Online votingsystem
Online votingsystemOnline votingsystem
Online votingsystem
 
CS304PC:Computer Organization and Architecture Unit- III PDF notes .pdf
CS304PC:Computer Organization and Architecture Unit- III PDF notes .pdfCS304PC:Computer Organization and Architecture Unit- III PDF notes .pdf
CS304PC:Computer Organization and Architecture Unit- III PDF notes .pdf
 
Software Architecture and Design Introduction
Software Architecture and Design IntroductionSoftware Architecture and Design Introduction
Software Architecture and Design Introduction
 
Software testing
Software testingSoftware testing
Software testing
 
ADVANCED ONLINE VOTING SYSTEM
ADVANCED ONLINE VOTING SYSTEMADVANCED ONLINE VOTING SYSTEM
ADVANCED ONLINE VOTING SYSTEM
 
Component level design
Component   level designComponent   level design
Component level design
 
ATAM
ATAMATAM
ATAM
 
Final Year Project of Online Food Ordering System
Final Year Project of Online Food Ordering SystemFinal Year Project of Online Food Ordering System
Final Year Project of Online Food Ordering System
 
fake product review monitoring
fake product review monitoringfake product review monitoring
fake product review monitoring
 
What is Sanity Testing? Edureka
What is Sanity Testing? EdurekaWhat is Sanity Testing? Edureka
What is Sanity Testing? Edureka
 

Andere mochten auch

Information Systems & IT Audit (BML303)
Information Systems & IT Audit (BML303)Information Systems & IT Audit (BML303)
Information Systems & IT Audit (BML303)San King
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and controlKashif Rana ACCA
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Yasir Khan
 
Information system and control audit – lecture i
Information system and control audit – lecture iInformation system and control audit – lecture i
Information system and control audit – lecture iKartik T. Vayeda & Co.
 
Information System audit
Information System auditInformation System audit
Information System auditPratapchandra
 

Andere mochten auch (6)

Information Systems & IT Audit (BML303)
Information Systems & IT Audit (BML303)Information Systems & IT Audit (BML303)
Information Systems & IT Audit (BML303)
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and control
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1
 
Information system and control audit – lecture i
Information system and control audit – lecture iInformation system and control audit – lecture i
Information system and control audit – lecture i
 
3c 2 Information Systems Audit
3c   2   Information Systems Audit3c   2   Information Systems Audit
3c 2 Information Systems Audit
 
Information System audit
Information System auditInformation System audit
Information System audit
 

Ähnlich wie Information System & IT Audit Ml 303 past paper pack (UPdated)

Information System & IT Audit BML 303 past paper pack 2016
Information System & IT Audit BML 303 past paper pack 2016Information System & IT Audit BML 303 past paper pack 2016
Information System & IT Audit BML 303 past paper pack 2016San King
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
SOCIAL MEDIA ANALYSIS ON SUPPLY CHAIN MANAGEMENT IN FOOD INDUSTRY
SOCIAL MEDIA ANALYSIS ON SUPPLY CHAIN MANAGEMENT IN FOOD INDUSTRYSOCIAL MEDIA ANALYSIS ON SUPPLY CHAIN MANAGEMENT IN FOOD INDUSTRY
SOCIAL MEDIA ANALYSIS ON SUPPLY CHAIN MANAGEMENT IN FOOD INDUSTRYKaustubh Nale
 
Implementation of NIST guidelines for the CISO / ISO / Privacy Officer
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerImplementation of NIST guidelines for the CISO / ISO / Privacy Officer
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerDavid Sweigert
 
Predictive control 1 introduction
Predictive control 1   introductionPredictive control 1   introduction
Predictive control 1 introductionjamestpp
 
Modern drowsiness detection techniques: a review
Modern drowsiness detection techniques: a reviewModern drowsiness detection techniques: a review
Modern drowsiness detection techniques: a reviewIJECEIAES
 
Implementation Of The ISO/IEC 27005 In Risk Security Analysis Of Management I...
Implementation Of The ISO/IEC 27005 In Risk Security Analysis Of Management I...Implementation Of The ISO/IEC 27005 In Risk Security Analysis Of Management I...
Implementation Of The ISO/IEC 27005 In Risk Security Analysis Of Management I...IJERA Editor
 
Performance MNIST Special Publicatio.docx
Performance MNIST Special Publicatio.docxPerformance MNIST Special Publicatio.docx
Performance MNIST Special Publicatio.docxkarlhennesey
 
Guidelines on Security and Privacy in Public Cloud Computing
Guidelines on Security and Privacy in Public Cloud ComputingGuidelines on Security and Privacy in Public Cloud Computing
Guidelines on Security and Privacy in Public Cloud ComputingDavid Sweigert
 
[CLASS 2014] Palestra Técnica - Jan Seidl
[CLASS 2014] Palestra Técnica - Jan Seidl[CLASS 2014] Palestra Técnica - Jan Seidl
[CLASS 2014] Palestra Técnica - Jan SeidlTI Safe
 

Ähnlich wie Information System & IT Audit Ml 303 past paper pack (UPdated) (20)

Information System & IT Audit BML 303 past paper pack 2016
Information System & IT Audit BML 303 past paper pack 2016Information System & IT Audit BML 303 past paper pack 2016
Information System & IT Audit BML 303 past paper pack 2016
 
Safe laparoscopy
Safe laparoscopySafe laparoscopy
Safe laparoscopy
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
Christina Tokarek resume
Christina Tokarek resumeChristina Tokarek resume
Christina Tokarek resume
 
SOCIAL MEDIA ANALYSIS ON SUPPLY CHAIN MANAGEMENT IN FOOD INDUSTRY
SOCIAL MEDIA ANALYSIS ON SUPPLY CHAIN MANAGEMENT IN FOOD INDUSTRYSOCIAL MEDIA ANALYSIS ON SUPPLY CHAIN MANAGEMENT IN FOOD INDUSTRY
SOCIAL MEDIA ANALYSIS ON SUPPLY CHAIN MANAGEMENT IN FOOD INDUSTRY
 
Implementation of NIST guidelines for the CISO / ISO / Privacy Officer
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerImplementation of NIST guidelines for the CISO / ISO / Privacy Officer
Implementation of NIST guidelines for the CISO / ISO / Privacy Officer
 
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
 
8 calibration
8 calibration8 calibration
8 calibration
 
DPO Guidelines WP29
DPO Guidelines WP29DPO Guidelines WP29
DPO Guidelines WP29
 
Predictive control 1 introduction
Predictive control 1   introductionPredictive control 1   introduction
Predictive control 1 introduction
 
Modern drowsiness detection techniques: a review
Modern drowsiness detection techniques: a reviewModern drowsiness detection techniques: a review
Modern drowsiness detection techniques: a review
 
Implementation Of The ISO/IEC 27005 In Risk Security Analysis Of Management I...
Implementation Of The ISO/IEC 27005 In Risk Security Analysis Of Management I...Implementation Of The ISO/IEC 27005 In Risk Security Analysis Of Management I...
Implementation Of The ISO/IEC 27005 In Risk Security Analysis Of Management I...
 
Performance MNIST Special Publicatio.docx
Performance MNIST Special Publicatio.docxPerformance MNIST Special Publicatio.docx
Performance MNIST Special Publicatio.docx
 
Guidelines on Security and Privacy in Public Cloud Computing
Guidelines on Security and Privacy in Public Cloud ComputingGuidelines on Security and Privacy in Public Cloud Computing
Guidelines on Security and Privacy in Public Cloud Computing
 
Is.iso.10012.2003
Is.iso.10012.2003Is.iso.10012.2003
Is.iso.10012.2003
 
18 implementation
18 implementation18 implementation
18 implementation
 
02 sasaran kendali pencapaian tujuan v05
02 sasaran kendali pencapaian tujuan v0502 sasaran kendali pencapaian tujuan v05
02 sasaran kendali pencapaian tujuan v05
 
Thông tư số:10/2021/TT-BYT quy định danh mục chất cấm sử dụng trong sản xuất,...
Thông tư số:10/2021/TT-BYT quy định danh mục chất cấm sử dụng trong sản xuất,...Thông tư số:10/2021/TT-BYT quy định danh mục chất cấm sử dụng trong sản xuất,...
Thông tư số:10/2021/TT-BYT quy định danh mục chất cấm sử dụng trong sản xuất,...
 
Low back pain and the correlation with prolonged sitting
Low back pain and the correlation with prolonged sittingLow back pain and the correlation with prolonged sitting
Low back pain and the correlation with prolonged sitting
 
[CLASS 2014] Palestra Técnica - Jan Seidl
[CLASS 2014] Palestra Técnica - Jan Seidl[CLASS 2014] Palestra Técnica - Jan Seidl
[CLASS 2014] Palestra Técnica - Jan Seidl
 

Kürzlich hochgeladen

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...RKavithamani
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 

Kürzlich hochgeladen (20)

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Sanyam Choudhary Chemistry practical.pdf

Information System & IT Audit ML-303 past paper pack (Updated)

  • 4. Re-align Syllabus 2012 ICMA Pakistan
    SEMESTER - 3
    INFORMATION SYSTEMS AND IT AUDIT [BML-303]

    INTRODUCTION
    This course deals with the management of security of systems, and is designed to focus on tools and techniques of information systems and the application of that knowledge to I.T. Audit.

    OBJECTIVE
    To provide the students with a detailed knowledge of Information Systems and I.T. Audit, enabling them to:
    - design and develop information systems to improve the performance of organisations, and
    - apply the conceptual approach of information systems to I.T. Audit.

    OUTCOMES
    On completion of this course, students should be able to:
    - understand E-Business and E-Commerce,
    - learn management of IS operations,
    - learn basic data management skills,
    - understand management of auditing information systems,
    - demonstrate an understanding of the complexity of managing security in electronic systems,
    - identify and assess the critical threats to information systems,
    - perform a preliminary security audit of information systems and apply skills to a security incident, and
    - apply the most effective information systems audit, control and security practices.

    INDICATIVE GRID
    Part | Syllabus content area | Weightage
    A | INFORMATION SYSTEMS: 1. Emerging Technology in E-Business; 2. Infrastructure and Operations; 3. Information and Databases; 4. Systems Acquisition / Development Process | 50%
    B | IT AUDIT: 5. The Process of Auditing Information Systems; 6. Governance and Management of IT; 7. Auditing Infrastructure and Operations; 8. Auditing Systems Acquisition / Development Process; 9. Information Security Management; 10. Business Continuity and Disaster Recovery | 50%
    TOTAL | | 100%
    Note: The weightage shown against each section indicates the study time required for the topics in that section. This weightage does not necessarily specify the number of marks to be allocated to that section in the examination.

    CONTENTS
    PART - A: INFORMATION SYSTEMS
    1. Emerging Technology in E-Business
    - E-Business and E-Commerce
    - E-Business Models (B2B, B2C, B2E, B2G, G2C & C2C, E2E)
    - E-Commerce Architecture, and Risks
    - Advantages and disadvantages of E-Commerce for Businesses
    - EDI (definition, components, advantages and disadvantages)
    - E-Business Software (SCM, ERP & CRM) (definition, components, advantages and disadvantages)
    2. Infrastructure and Operations
    - Management of IS Operations
    - IT Service Management
    - Change Management Process
    - Computer Hardware Components and Architectures
    - Capacity Management
    - Problem Management
    - Operating Systems
    - Network Architecture (LAN, WAN & Wireless)
    - LAN, WAN & wireless devices
    - OSI layers
    - Network Media
    - Data management and monitoring
    3. Information and Databases
    - What is a database
    - Data modelling
    - Types of databases
    - The roles of a database management system
    - Data as a resource
    - Importance of models & ERD
    - Database access techniques
    - Information systems categories
    - Office automation systems
    - Communication systems
    - Transaction processing systems
    - Decision support systems
    - Management information systems
    - Executive information systems
    - Enterprise systems
    - Limitations
    - Uses of information systems categories
    - DSS categories
    4. System Acquisition / Development Process
    - Approaches (Waterfall, spiral, interactive, prototyping)
    - Phases of SDLC (Investigation and feasibility study)
    - Requirement Analysis and initial Design
    - Detailed design specification / documentation
    - System installation / implementation & maintenance
    - Project Management
    - Project Planning
    - Project Control Methods and Standards
  • 5. PART - B: I.T. AUDIT
    5. The Process of Auditing Information Systems
    - Audit Mission and Planning
    - Roles and responsibilities of internal, external and IT auditors
    - Risk Assessment and Analysis
    - Risk-based Audit Approach
    - Compliance and substantive testing
    - Internal Controls and their types, objectives and procedures
    - Performing an IT audit
    - CAATs
    - Control self-assessment
    6. Governance and Management of I.T.
    - Corporate and IT Governance
    - IT Governance Frameworks
    - Roles and Responsibilities of Senior Management, Steering Committee & Chief Information Officer
    - Policies and Procedures
    - Human Resource Management
    - Sourcing Practices
    - Change Management
    - IS Roles and Responsibilities
    - Segregation of duties and Controls within IS
    - Auditing IT Governance, Structure and Implementations
    7. Auditing Infrastructure and Operations
    - Hardware review
    - Operating Systems Reviews
    - Database, local area network, network operating, control and information system operations reviews
    - Lights-Out Operations
    - Application controls and their objectives
    - File creation
    - Data Conversion
    - Input and output
    - Problem management reporting reviews
    - Hardware availability
    - Utilization reporting and scheduling reviews
    8. Auditing Systems Acquisition / Development Process
    - Risk of an inadequate system development life cycle (SDLC) and review of development procedures and methodologies
    - Review of the acquisition process for outsourcing
    - Information system maintenance practices
    - Change management
    - Library control software
    - Review of the practice of project management tools and techniques
    9. Information Security Management
    - Importance of Information Security Management
    - Understanding of Facilities (Data centres, outsourced facilities, Storage, media libraries, backup vaults, UPS & Disaster recovery sites)
    - Antivirus Software Implementation Strategies
    - Program and Data security techniques
    - Monitoring and surveillance techniques
    - Environment Controls
    - Smoke detectors
    - Fire Suppression
    - Humidity / Temperature
    - Access management controls
    - Physical design and access controls
    - Logical Access controls (user authorization matrix & password management / password change procedures)
    - Network security (encryption, firewalls)
    - Media Sanitization
    - Auditing Information Security Management
    10. Business Continuity and Disaster Recovery
    - Defining a Disaster
    - BCP and DRP
    - BCP Process
    - Business Continuity Policy and Planning
    - Incident Management
    - Business Impact Analysis
    - Development of BCP
    - Insurance
    - Plan Testing
    - Auditing Business Continuity

    TEACHING METHODOLOGY
    The faculty is advised to teach the topics in the mode of case studies, based on knowledge and application with a practical approach.

    RECOMMENDED BOOKS
    Core readings (Title | Author | Publisher):
    - Information Systems: The Foundation of E-Business | Steven Alter | Prentice Hall / Pearson / Financial Times
    - Decision Modelling with Microsoft Excel | Jeffrey H. Moore / Larry R. Weatherford | Prentice Hall / Pearson / Financial Times
    - CISA Review Manual | CISA | Information Systems Audit and Control Association, Inc.
    Additional readings (Title | Author | Publisher):
    - Introduction to Information Systems | James O'Brien | McGraw-Hill
    - Practical IT Auditing | Jack Champlain | Warren Gorham & Lamont RIA Group
  • 6. ISITA/Model-Paper ICMA. Pakistan
    MODEL PAPER
    INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER-3
    Time Allowed: 02 Hours 40 Minutes    Maximum Marks: 80    Roll No.:
    (i) Attempt all questions.
    (ii) Answers must be neat, relevant and brief.
    (iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagrams/charts, where appropriate.
    (iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
    (v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
    (vi) Question No. 1, "Multiple Choice Questions", printed separately, is an integral part of this question paper.
    (vii) The question paper must be returned to the invigilator before leaving the examination hall.

    Q.1 The first question (MCQs part) comprises 20 MCQs of one (1) mark each, to be attempted in 20 minutes.

    Q.2 Read the following CASE carefully and answer the questions given below:

    CASE
    Megaton Corporation is a large industrial concern that has a complex network infrastructure with multiple local area and wide area networks that connect Megaton headquarters with its national and international offices. There is an Intranet site that is accessed only by employees to share work-related information. An Internet EDI site is also available that is accessed by customers and suppliers to place orders and check the status of their orders. Both sites have open areas and sections containing private information that require an ID and password to access. User IDs and passwords are assigned by the central security administrator. The wide area networks are based on a variety of WAN technologies including frame relay, ATM, ISDN, and T1/T3. These networks carry unencrypted, non-sensitive information that is sent to the international offices of Megaton but do not carry any customer-identifiable information.
    Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is encrypted prior to being sent. A number of devices also utilize Bluetooth to transmit data between PDAs and laptop computers. A new firewall has been installed and patch management is now controlled by a centralized mechanism for pushing patches out to all servers. The firewall policy does not allow any external access to the internal systems. Various database-driven Internet applications are in use and many have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and the reports produced by this system are monitored on a daily basis. Megaton headquarters also maintains a data center of 15,000 square feet (1,395 square meters). Access to the data centre is controlled by a card reader and cameras monitoring the entrance. Recently, Megaton has actively started supporting the use of notebook computers by its staff so they can use them when travelling and when working from home. In this regard Megaton desires that staff can access the company databases and provide online information to customers. A large organization-wide ERP software implementation project is also under consideration. Megaton has decided to buy a commercial off-the-shelf ERP package and then customize it to fit its needs. Though Megaton was not in a hurry to implement the project, sizeable customizations of the ERP were anticipated. The last IS audit was performed more than five years ago. The current business continuity and disaster recovery plans have not been updated in more than eight years. During this time Megaton has grown by over 300 percent. At the headquarters alone, there are approximately 750 employees. The IS auditor has been asked to evaluate the current environment and make recommendations for improvement.
  • 7. Questions:
    a. What possible risks are involved with the use of the EDI system at Megaton? [08 marks]
    b. What would be the most serious concerns regarding the wide area networks at Megaton? [06 marks]
    c. Many issues are involved when a company stores and exchanges confidential customer information over the network. What could be some of the significant issues to address if the information exchanged between Megaton headquarters and its international offices included personally identifiable customer information? [05 marks]
    d. What role can the top management of Megaton play for better IT governance? [05 marks]
    e. Suggest some controls to strengthen the security of the Data Centre at Megaton. [03 marks]
    f. Based on the information given in the case, what would you recommend to Megaton for preparing their disaster recovery plan? [03 marks]

    Q.3 (a) 'Capacity management' is the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively. The capacity plan should be developed based on input from both user and IS management to ensure that business goals are achieved in the most efficient and effective way. Discuss some types of information required for successful capacity planning. [08 marks]
    (b) A database is a collection of information that is organized so that it can easily be accessed, managed, and updated. List the properties of the three major types of database structure: hierarchical, network and relational. [06 marks]

    Q.4 (a) To develop an information system, an organization can either outsource the system development or rely on its own people. What are some of the risks involved when system development is done by the end-users of an information system? [06 marks]
    (b) E-commerce is a positive development for both businesses and individuals, as it has made transactions more convenient and efficient. E-commerce involves no physical interaction between buyers and sellers, and such virtual transactions have many associated risks. Explain some of these risks and their mitigation strategies. [06 marks]

    Q.5 (a) The acquisition of the right hardware and software resources for an organization is a complex issue that requires careful planning. What are some of the issues involved in acquiring hardware and software for an information system, and the steps involved in the selection of a computer system? [06 marks]
    (b) An important objective of the IS auditor is to ensure that the organization provides adequate segregation of duties within the information system management structure. What are some of the duties and responsibilities of the IS auditor to achieve this objective? [06 marks]

    Q.6 (a) While performing an IS audit of an organization, the IS auditor needs to carefully examine the various IS controls implemented by the organization. What are some techniques the IS auditor can use to evaluate the application controls implemented in an information system? [06 marks]
    (b) An organization can hold a variety of sensitive information, such as financial results and business plans for the year ahead. As more and more of this information is stored and processed electronically and transmitted across company networks or the Internet, the risk of unauthorized access increases. What are some basic types of information protection that an organization can use to minimize this risk? [06 marks]

    THE END
  • 8.-11. (no text was extracted from these slides)
  • 12. ISITA-Mar.2015 ICMA. Pakistan
    INFORMATION SYSTEMS AND I.T. AUDIT (BML-303) SEMESTER-3
    FALL 2014 EXAMINATIONS
    Thursday, the 5th March 2015
    Time Allowed: 02 Hours 30 Minutes    Maximum Marks: 70    Roll No.:
    (i) Attempt all questions.
    (ii) Answers must be neat, relevant and brief.
    (iii) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
    (iv) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagrams/charts, where appropriate.
    (v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information, inside the answer script.
    (vi) Question No. 1, "Multiple Choice Questions", printed separately, is an integral part of this question paper.
    (vii) The question paper must be returned to the invigilator before leaving the examination hall.

    Q. 2 (a) Xeon Limited is a large multinational bank. It has recently received a license to operate a banking business in Pakistan. The management of the bank has decided to develop its own banking software and has recently awarded a software development contract to a local software consulting company. When the project kicked off, the project manager assigned to the project applied his own software development methodology instead of an internationally recognized Software Development Life Cycle (SDLC).
    The bank has deputed you on this project as IS auditor. As part of your job responsibility, you are required to identify the risks associated with the project manager's non-compliance with international standards for software development methodology. List at least four potential risks to which the adoption of a non-standard software development methodology may expose the project, with suggested controls. [08 marks]
    (b) Audit risk is the risk that information or a financial report may contain a material error, or that the IS auditor may not detect an error that has occurred. Explain in brief how you would categorize audit risks. [08 marks]

    Q. 3 (a) You are an IS auditor of Glorious (Private) Limited, a large accounting firm. As part of its human resource development plan, Glorious recently arranged overseas training in Computer-Assisted Audit Techniques (CAATs) for its IS audit team. You were one of the team members who travelled for the CAATs training. When you resumed office after successful completion of the training, the senior management of Glorious asked you to transfer the CAATs knowledge to its IS audit team members. In order to conduct the knowledge transfer session, you are required to develop a presentation that should include:
    i) Applications of CAATs (at least five)
    ii) Advantages and disadvantages of CAATs (at least four of each)
    Describe the important points in brief. [13 marks]
    (b) Lincoin Limited is a group of companies with branch offices in all major cities of Pakistan. Lincoin Limited has good IT infrastructure across all its branches. Its data processing facilities are highly sophisticated and run a number of software applications. A few months ago Lincoin's IT facilities were shut down for two weeks due to an unforeseen application server disaster, which caused significant losses in business since timely information was not available for decision making. An IT business continuity plan (BCP) was in place, but it did not recover the business applications successfully as expected when applied in the disaster recovery event. Due to the ineffectiveness of the BCP, the management of Lincoin has decided to have it reviewed by an external IS auditor. State at least ten basic elements that should be verified by the IS auditor while reviewing the BCP. [05 marks]
  • 13. Q. 4 (a) There are various project management techniques and tools available to assist the project manager in the software development process. In the current revolutionary age of information technology, the Agile project management process is considered highly successful. Describe in brief the Agile project management method, with at least 10 Agile principles that support project teams in implementing the Agile project management method. [12 marks]
    (b) Wolex Enterprises is a large distribution company dealing in life-saving drugs. Currently it has a very small distribution network; however, the management intends to launch its operations in all major cities of the country. Wolex's operations feasibility team is in consultation with various firms engaged in developing the infrastructure facilities and recruiting the work force. However, an outsourcing option for IT support services is also under consideration. You, as a senior member of the Wolex feasibility team, are required to come up with four benefits and four limitations of the outsourcing proposal. [08 marks]

    Q. 5 (a) A database is a collection of structured data organized in rows and columns. The usage of a database has various significant strengths, such as:
    - reduced data redundancy
    - improved data integrity
    - allows data sharing
    - reduced development time
    Explain each of the strengths indicated above. [08 marks]
    (b) Symbol Electronics Limited (SEL) is a medium-sized manufacturing company involved in assembling and exporting domestic electronic goods. During the last year, SEL incurred significant losses on several large export consignments because shipments were three weeks behind schedule. Upon investigation by the internal IS audit team, the production manager of SEL held the suppliers responsible for not delivering the raw material on time, while the suppliers were of the view that the delivery lead time was not considered by the SEL procurement department when raw material orders were placed.
    In order to overcome the issue of delayed acquisition of raw material, the management of SEL has decided to adopt the Business-to-Business (B2B) model. You, as head of Information Technology of SEL, briefly explain the B2B model and specify its key characteristics. State the advantages and disadvantages of the B2B model. [08 marks]

    THE END
  • 14. ISITA/August-2014 ICMA. Pakistan
    INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER-3
    SPRING (AUGUST) 2014 EXAMINATIONS
    Thursday, the 21st August 2014
    Time Allowed: 02 Hours 30 Minutes    Maximum Marks: 80    Roll No.:
    (i) Attempt all questions.
    (ii) Answers must be neat, relevant and brief.
    (iii) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information, inside the answer script.
    (iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
    (v) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagrams/charts, where appropriate.
    (vi) The question paper must be returned to the invigilator before leaving the examination hall.

    Q.2 (a) Enterprise Resource Planning (ERP) is an industry term for integrated, multi-module application software packages that are designed to support multiple business functions. Because of its importance to effective operations, the management of an automobile manufacturing company plans to implement an ERP system in order to integrate its different departmental functions. Briefly explain the different implementation phases of an ERP system. Discuss the benefits the company achieves by effectively implementing an ERP system in the organization. [09 marks]
    (b) Recent research shows that, most of the time, approximately 80% of a computer system's CPU remains in the idle state. The operating system is a resource manager and optimizes the CPU resources. Discuss the different classes of operating system. [05 marks]

    Q.3 (a) A Decision Support System (DSS) is an interactive information system that provides information, models and data manipulation tools to help make decisions in semi-structured and unstructured situations. Discuss eight important techniques used in decision making in a Decision Support System (DSS). [10 marks]
    (b) An organization has deployed an MIS and has advertised Database Administrator (DBA), project manager and application developer jobs in a leading newspaper to fill its vacant positions. Discuss the role and job description of each post for effectively implementing and managing the MIS in the organization. [06 marks]

    Q.4 (a) A multinational bank has established a data center in its head office. A 50 Terabyte capacity Storage Area Network (SAN), blade servers, CISCO routers and PIX firewalls have been deployed in the network infrastructure of the data center. Proper environmental and physical controls can ensure equipment reliability as per the manufacturers' (e.g. IBM & CISCO) recommendations in the equipment data sheets, which can reduce the risk of any downtime. The management of the bank has engaged an IT auditor for a LAN and network operating review. As the IT auditor, highlight a minimum of six requirements related to the organization's LAN and network operating review. [10 marks]
    (b) With the revolution in network technology, wireless security provides prevention of unauthorized access to, or damage of, computers using wireless networks. Discuss three principal ways to secure wireless networks. [06 marks]
  • 15. 2 of 2 ISITA/August-2014 MARKS Q.5 (a) Students of XYZ University have developed mobile applications and have advertised on university web site. To promote this product through e-commerce activity they need a merchant account. Discuss need and requirement of merchant account in our country to promote e-commerce business activities. Elaborate six different payment methods used in e-commerce business? 09 (b) For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. M/s UNICOM network manager has decided to upgrade its CISCO12000 series router as per CISCO TAC (Technical assistant support center) recommendation. Change management procedure is used when changing hardware, upgrading operating system and configuring various network devices. Discuss effects of proper procedures/ SOPs followed and deployed during this migration process. 07 Q.6 (a) Most business continuity tests fall short of a full-scale test to all operational portion of the corporation. The test should address all critical components and simulate actual prime-time processing conditions. Discuss different tasks to be accomplished by ‘Continuity Plan Testing’? Explain five test phases that should be completed to perform full testing. 09 (b) Software development practitioners have developed alternative development strategies to reduce development time, maintenance costs or to improve the quality of software. Compare advantages and disadvantages of waterfall model, spiral model and prototyping models used in software development methodologies. 09 THE END
ISITA/May-2014
ICMA Pakistan
EXTRA ATTEMPT, MAY 2014 EXAMINATIONS
Saturday, the 24th May 2014
INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)
SEMESTER-3
Time Allowed: 02 Hours 30 Minutes
Maximum Marks: 80

(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagrams/charts, where appropriate.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.
(vi) The question paper must be returned to the invigilator before leaving the examination hall.

Q.2 (a) A traditional system development life cycle (SDLC) approach is made up of a number of distinct phases, each with a defined set of activities and outcomes. Identify the phases and discuss in detail the purpose of each phase and the general activities performed in each phase. (12 marks)

(b) Assume that you are helping the IT manager of a supermarket in managing databases. What different methods of accessing data will you use for their databases? (06 marks)

Q.3 (a) Discuss the various types of e-commerce models. E-commerce depends heavily on the existence of a level of trust between the two parties to avoid risk. State the most important elements of risk in e-commerce. (09 marks)

(b) Wireless transmission does not need a fixed physical connection because it sends signals through air or space. Discuss the four common types of wireless transmission, with the differences in scale and complexity of their applications. (06 marks)

Q.4 (a) Outsourcing is one of the business practices and strategies organizations use to reduce operational cost and concentrate on their core business areas. Cloud computing is one of the techniques of outsourcing. Elaborate the different cloud computing service models. Discuss the advantages, disadvantages and business risks related to outsourcing. (08 marks)

(b) Adequate planning is necessary in performing an effective IS audit. Discuss the various types of audits, internal or external, and the audit procedures associated with each audit that an IS auditor should understand. (08 marks)

Q.5 (a) Disaster recovery planning (DRP) is a continuous process. When the normal production facilities become unavailable, the business may utilize alternate facilities to sustain critical processing until the primary facilities can be restored. Discuss the most common recovery alternatives in detail. (10 marks)

(b) You have been assigned to audit a multinational company having offices around the globe. Discuss the areas of IS auditing which should be kept in mind while performing the audit of any company with a global presence. (09 marks)

Q.6 The most critical factor in protecting information assets and privacy is laying the foundation for effective information security management. Identify and discuss at least six key elements of an information security management system. (12 marks)

THE END
ISITA/Feb-2014
ICMA Pakistan
FALL 2013 (FEBRUARY 2014) EXAMINATIONS
Saturday, the 22nd February 2014
INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)
SEMESTER-3
Time Allowed: 02 Hours 30 Minutes
Maximum Marks: 80

(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagrams/charts, where appropriate.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.
(vi) The question paper must be returned to the invigilator before leaving the examination hall.

Q.2 (a) Most business information systems are based on databases. The web is in fact not a database; however, it illustrates the capabilities of hypermedia databases. Discuss the features of a hypermedia database. Also write the difference between searching for required information using a traditional database and using the World Wide Web metaphor. (09 marks)

(b) An expert system makes sure that important factors of an event have not been ignored and provides information that helps the person make a good decision. Differentiate, with the help of an appropriate example, between the forward chaining and backward chaining logic used by expert systems. (08 marks)

Q.3 (a) The PeopleSoft ERP system of XYZ Courier Company has crashed. Data backup is a key preventive measure. It ensures that the critical activities of an organization are not interrupted in the event of a disaster. Discuss the different types of disk-based backup systems and the criteria for choosing different types of backup devices and media for early restoration of data. (09 marks)

(b) One of the most interesting market mechanisms in e-commerce is the electronic auction, which is used in the B2C, B2B, C2B, G2B and G2C business models. Differentiate between forward and reverse e-auctions with examples. Also discuss the role of brokers and barter in the e-marketplace. (08 marks)

Q.4 (a) To ensure a high level of computer hardware and network availability, XYZ Company has signed a service maintenance contract, including spare parts, with the local IBM vendor for information system support and maintenance work. The hardware maintenance program is designed to document the performance of hardware maintenance. Discuss the mandatory information which should be maintained in a hardware maintenance program. Also elaborate the typical procedures and reports for monitoring the effective and efficient use of hardware. (09 marks)

(b) A project team with participation by technical support staff and key users should be created to write a request for proposal (RFP). Elaborate seven different areas which should be included in the contents of this or any RFP document. (07 marks)

Q.5 (a) An IT audit firm is planning its critical data migration from an old FoxPro database system to a new Oracle 9i database system. This large-scale data conversion becomes a project within a project. Discuss the necessary steps for a successful data conversion process. (10 marks)

(b) Remote access is a common technique for monitoring and configuring network devices using Telnet and other utility software. Discuss the different remote access connectivity methods. How can an organization implement remote access security to avoid any chance of access to the company's intranet by any intruder, cracker or hacker? (08 marks)

Q.6 Why do organizations need a Transaction Processing System (TPS), a Management Information System (MIS) and an Executive Information System (EIS)? How did the Management Information System (MIS) emerge partly as a response to the shortcomings of the first computerized transaction processing systems? Similarly, the Executive Information System (EIS) attempts to overcome the shortfalls of the traditional MIS approach. Elaborate this revolution in information systems. Do MIS and EIS really solve managers' problems? (12 marks)

THE END
ISITA/E-Attempt.2013
ICMA Pakistan
EXTRA ATTEMPT, NOVEMBER 2013 EXAMINATIONS
Tuesday, the 26th November 2013
INFORMATION SYSTEMS AND I.T. AUDIT – (ML-303)
SEMESTER-3
Time Allowed: 02 Hours 45 Minutes
Maximum Marks: 90

(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagrams/charts, where appropriate.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) Question No.1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.
(vii) The question paper must be returned to the invigilator before leaving the examination hall.

SECTION – "A"

Q.2 (a) Modern e-commerce architectures consist of a variety of complex integrated components. Explain four significant components of e-commerce architecture. (06 marks)

(b) E-businesses use a variety of computer hardware architectures. These computers are used both at the client end and at the service provider end. Explain any three types of computers based on their processing power, size and architecture. (09 marks)

Q.3 (a) There are three major forms of organizational alignment for project management within a business organization. Discuss each. (06 marks)

(b) Problem management is one of the key functions of information system operations. Discuss three important duties of the IS manager with respect to the problem management function. (09 marks)

Q.4 (a) Information system development may involve developing a new system or modifying an existing one. In either case, IS management is required to prepare various types of feasibility studies. What are the five important functions of the IS auditor while analyzing these feasibility studies? (05 marks)

(b) A variety of database models are used in information systems today. Explain any five key features of the network database model and the relational database model. (10 marks)

SECTION – "B"

Q.5 (a) A risk-based audit approach is usually adopted to develop and improve the continuous IS audit process. Explain the five stages of the risk-based audit approach. (10 marks)

(b) Steering Committees play a strategic role in information systems management and ensure that the IS department is in harmony with the corporate mission and objectives. List five primary functions performed by the Steering Committee. (05 marks)

Q.6 (a) Data conversion is a significant activity in the information system development life cycle. Explain five significant points to be considered in a data conversion project. (05 marks)

(b) The system development life cycle (SDLC) approach doesn't guarantee successful completion of an IS development project. It involves a magnitude of risk that needs to be controlled. Explain six responsibilities of the IS auditor in controlling the risks of an inadequate system development life cycle. (06 marks)

Q.7 (a) Firewalls generally act as the first line of defence in securing corporate internal networks from external threats. List six general features of firewalls. Also list three problems faced by organizations after implementing firewalls. (09 marks)

(b) The IS processing insurance policy is usually a multi-tiered policy designed to provide various types of IS risk coverage. Explain five types of coverage provided in an IS processing insurance policy. (10 marks)

THE END
ISITA/February.2013
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Fall 2012 (February 2013) Examinations
Saturday, the 23rd February 2013
INFORMATION SYSTEMS & I.T. AUDIT – (ML-303)
SEMESTER - 3
Time Allowed – 2 Hours 45 Minutes
Maximum Marks – 90

(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) Question No.1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.
(vii) The question paper must be returned to the invigilator before leaving the examination hall.

SECTION – "A"

Q.2 (a) What do you understand by 'Data Integrity Testing'? A multinational stock exchange company uses an online multi-user transaction processing system controlled by an Oracle DBMS. Discuss the properties of the ACID principle used in this online Oracle-based transaction processing system. (07 marks)

(b) Discuss the importance of Customer Relationship Management (CRM) in meeting the expectations of customers. Distinguish between operational and analytical CRM. (08 marks)

Q.3 (a) 'Modern operating systems provide virtualization features.' Elaborate the statement. ABC Company is planning to reduce its operational cost by implementing a virtualization solution. Compare the advantages and disadvantages of this solution. (06 marks)

(b) Moving data in a batch transmission process through the traditional Electronic Data Interchange (EDI) process involves three functions within each trading partner's computer system. List and briefly explain these functions used in the traditional EDI process. (09 marks)

Q.4 (a) Software development organizations implement process methodologies. Discuss the features of the waterfall and spiral models. How is the spiral model supportive in risk management? (07 marks)

(b) A multinational bank is establishing different branches all over the country. These will be integrated through a WAN. Discuss different WAN technologies along with their features to provide point-to-point secure connectivity of all its branches to the bank's Head Office. (any eight) (08 marks)

SECTION – "B"

Q.5 (a) 'Encryption' is the need of today's e-business. Discuss why symmetric encryption is used for data encryption and asymmetric encryption is used in the key exchange mechanism. If an individual wants to send messages using a public key cryptographic system, how does s/he distribute the public key in a secure way? (08 marks)

(b) The changing technological infrastructure requires specific reviews of hardware, operating systems, IS operations, databases and networks. As an IS auditor, discuss the main areas which need to be reviewed in relation to hardware. (06 marks)

Q.6 (a) 'Policies and procedures' reflect management guidance in developing controls over information systems. IS auditors should use policy as a benchmark for compliance. Discuss the main features of an information security policy document. How can an IS auditor ensure an Acceptable Internet Usage Policy? (06 marks)

(b) How does CAAT help the IS auditor in gathering information from the hardware and software environment? Generalized audit software (GAS) is a main tool used in CAAT. Discuss the different functions supported by GAS. (09 marks)

Q.7 (a) There are various reasons to create Access Control Lists (ACLs). Discuss. How can a network administrator secure the network by implementing extended ACLs on the company router interface? (08 marks)

(b) Discuss the process of developing and maintaining an appropriate 'Business Continuity Plan'. Explain the major tasks involved when an IS auditor is evaluating the suitability of a business continuity plan. (08 marks)

THE END
ISITA/August.2012
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Spring (August) 2012 Examinations
Thursday, the 30th August 2012
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes
Maximum Marks – 56

(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and the presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.
(viii) The question paper must be returned to the invigilator before leaving the examination hall.

SECTION – "A"

Q.2 (a) What are the five major components of an idealized expert system? Expert system logic combines forward chaining and backward chaining. Explain. (10 marks)

(b) Distinguish between a database and data modeling. Give an example by illustrating the basic entity-relationship diagram tool for data modeling. (05 marks)

Q.3 (a) The systems in organisations are built and maintained in terms of four phases. Illustrate these phases. Also list the common reasons for project failure in each phase. (08 marks)

(b) Define 'Business Intelligence (BI)'. Identify its areas of application. Three main factors have been responsible for the increasing use of BI as a distinct field of IT. Explain these factors. (06 marks)

SECTION – "B"

Q.4 (a) 'Testing' is an essential part of the development process. Discuss testing and the elements of a software testing process. List the various types of testing. (08 marks)

(b) A large-scale data conversion requires considerable analysis, design and planning. Discuss the necessary steps for a successful data conversion. (06 marks)

Q.5 (a) A recovery strategy identifies the best way to recover a system (one or many) in case of interruption, including disaster, and provides guidance for developing recovery alternatives. There are different strategies and recovery alternatives available. Explain the most common recovery alternatives. (07 marks)

(b) General controls apply to all areas of the organization, including IT infrastructure and support services. Discuss. (06 marks)

THE END
ISITA/April.2012
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
New Fall (E) 2011, April 2012 Examinations
Thursday, the 19th April 2012
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes
Maximum Marks – 56

(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and the presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.
(viii) The question paper must be returned to the invigilator before leaving the examination hall.

SECTION – "A"

Q.2 (a) Information technology and information systems are powerful and valuable tools for individuals and organizations. Identify and briefly discuss the obstacles and real-world limitations that have slowed the pace of implementation of IT-based innovation. (06 marks)

(b) The Principle-Based Systems Analysis (PBSA) method is an approach to improving a work system. PBSA converts the four steps of systems analysis into three steps that can be pursued in a situation. Briefly discuss these three steps. (06 marks)

Q.3 (a) There are four approaches to system life cycles, each involving different processes and helping to decide what method is appropriate for a particular situation. Discuss the four system life cycle approaches. (04 marks)

(b) The four main factors related to information usefulness are information quality, accessibility, presentation and security. Briefly discuss them. (08 marks)

(c) Briefly discuss the four aspects of the convergence of computing and communications. (04 marks)

SECTION – "B"

Q.4 (a) An IS department can be structured in different ways, and the IS auditor should determine whether the job descriptions and structure are adequate. Briefly discuss the IS roles and responsibilities reviewed by an IS auditor related to the following:
i) Media Management
ii) System Administration
iii) Security Administration
iv) Quality Assurance
v) Database Administration
vi) Network Administrators
(06 marks)

(b) Discuss the policies and procedures that reflect management guidance and direction in developing controls over information systems. Explain the key points contained in the information security policy document. (08 marks)

Q.5 (a) The IS auditor should be familiar with the different types of sampling techniques and their usage. Briefly touch upon the two general approaches to audit sampling. Identify the statistical sampling terms that need to be understood while performing variable sampling. (08 marks)

(b) Discuss the various roles and responsibilities of the groups/individuals that may be involved in the development process of a project management structure. (06 marks)

THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Winter (November) 2011 Examinations
Monday, the 21st November 2011
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes
Maximum Marks – 56

(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and the presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.
(viii) Appearing in the Project, Presentation and Practical parts of the paper is compulsory.
(ix) The question paper must be returned to the invigilator before leaving the examination hall.

SECTION – "A"

Q.2 (a) What is an information system plan? (04 marks)

(b) Why do users and managers have to participate in information system planning and development? (04 marks)

(c) The capabilities of modern electronic communication systems help people work together by exchanging or sharing information in many different forms. Discuss six main tools of modern electronic communication systems being used in the present environment. (06 marks)

Q.3 (a) Identify and explain five product performance variables used to evaluate any stage in the customer experience. (05 marks)

(b) Discuss the common roles of information systems in improving the product of a work system. (04 marks)

(c) What is the difference between efficiency and effectiveness, and how is this related to the work system framework? (05 marks)

SECTION – "B"

Q.4 (a) Explain the term 'Risk Management' and the prerequisites of developing a risk management program. (05 marks)

(b) Discuss the three methods used for 'risk analysis'. (03 marks)

(c) 'Changeover technique' refers to shifting users from the existing (old) system to the new system. This can be achieved in three different ways. Discuss these in detail. (06 marks)

Q.5 (a) The IS audit process must continually change to keep pace with innovation in technology. Explain the three evolving changes in the IS audit process, including automated work papers, integrated auditing and continuous auditing. (08 marks)

(b) Discuss the impact of laws and regulations on IS audit planning. (06 marks)

THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Summer (May) 2011 Examinations
Thursday, the 26th May 2011
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes
Maximum Marks – 56

(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and the presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.
(viii) The question paper must be returned to the invigilator before leaving the examination hall.

SECTION – "A"

Q.2 (a) Information systems are tools for decision-making. Each type of information system supports both communication and decision-making in a number of ways. Explain in detail the system types and their impact on communication and decision-making. (6 marks)

(b) (i) Define each of the process performance variables. Describe how an information system can improve performance related to each of these variables. (5 marks)
(ii) What are the phases of building and maintaining a system? (5 marks)

Q.3 (a) A computer system finds stored data either by knowing its exact location or by searching for the data. Different DBMSs contain different internal methods for storing and retrieving data. Explain the sequential access, direct access and indexed access methods for accessing data in a computer system. (6 marks)

(b) Define each of the five levels of integration. What kinds of problems sometimes result from tight integration? (6 marks)

SECTION – "B"

Q.4 (a) IS auditors' conclusions must be based on sufficient, relevant and competent evidence. Explain. Enumerate the determinants for evaluating the reliability of audit evidence. (5 marks)

(b) What are the project phases of physical architecture analysis? Explain. Different project phases are involved in planning the implementation of infrastructure. Discuss each phase. (6 marks)

Q.5 (a) Control self-assessment (CSA) is a management technique. Illustrate. What are the objectives of CSA? Highlight the benefits and disadvantages of CSA. (6 marks)

(b) (i) Testing is an essential part of the development process. An IS auditor plays a preventive role in the testing process. Enumerate the elements of a software testing process. Also explain the classifications of testing. (6 marks)
(ii) Contrast corporate governance and IT governance. Explain the role of audit in IT governance. (5 marks)

THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Fall (Winter) 2010 Examinations
Sunday, the 28th November 2010
INFORMATION SYSTEMS & I.T. AUDIT – (S-602)
STAGE-6
Time Allowed – 2 Hours 45 Minutes
Maximum Marks – 56

(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and the presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION – "A"

Q.2 (a) (i) "Computer hardware owned and managed within a corporation can exist at any or all of the following levels: corporate headquarters, regional processing centers, workgroup processors and individual workstations." Briefly elaborate. (04 marks)
(ii) What is the difference between the centralized and decentralized approaches? How can an intermediate situation differ from these two extreme modes? (05 marks)

(b) How can Principle-based systems analysis (PBSA) be applied to work systems, information systems and projects? (05 marks)

Q.3 (a) An experienced manager who has worked for the last 30 years, and gradually moved from management trainee to the top executive position, is about to retire. The company relies heavily on the expertise of this senior executive and considers him the hub of its tacit knowledge. An information technology expert of the company suggested that the core knowledge of the experienced manager, along with the tacit knowledge gained from his vast and diverse experience, can be captured and utilized efficiently through an "expert system". The CEO asked the IT specialist to justify his idea and elaborate it to the board.
Required: What is an Expert System? Discuss the building blocks of an Expert System. (09 marks)

(b) Intellectual property is different from other forms of property and therefore requires a different form of protection laws. Define intellectual property and differentiate it from other copyright laws. (05 marks)

SECTION – "B"

Q.4 (a) Describe the phases involved in the System Development Life Cycle (SDLC). (06 marks)

(b) There are three elements or dimensions of a project that should always be taken into account. Explain. (03 marks)

(c) The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures. Explain the classification of audits. (07 marks)

Q.5 (a) An IS auditor plays a vital role in ascertaining the appropriateness of Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). Explain the tasks involved when an IS auditor is evaluating the suitability of business continuity. (04 marks)

(b) What crucial factors are to be considered when reviewing the BCP? (04 marks)

(c) How can emergency procedures be ensured during the evaluation of the DRP? (04 marks)

THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Spring (Summer) 2010 Examinations
Thursday, the 20th May 2010
INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6
Time Allowed – 2 Hours 45 Minutes; Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – “Multiple Choice Question”, printed separately, is an integral part of this question paper.
SECTION – “A”
Q.2 (a) Customers think about product performance in terms of a variety of performance variables. Identify the product performance variables that can be used to evaluate any stage in the customer experience. Also illustrate typical performance measures for each variable and common ways information systems are used to improve the product. (07 marks)
(b) A neural network is an offshoot of artificial intelligence. It is an attempt to model the human brain.
(i) Explain the term ‘neural network’. (02 marks)
(ii) How does it operate? Explain the procedure. (03 marks)
(iii) Give any two real-life examples where neural networks are applied. (02 marks)
Q.3 (a) ABC Corporation has its office in a multistoried building. Its various departments are spread over different floors of the same building. The physical security of the IT infrastructure, such as computers, peripherals and network devices, is up to the mark; however, the CTO is concerned about “controlling access to data”. Assume that the CTO of the company has hired you to address this issue. Prepare an account of ‘control techniques’, including manual data handling, access privileges, and data flow through networks and other media. (07 marks)
(b) Electronic commerce (e-commerce) is one of the most popular e-business implementations. What do you understand by e-commerce models? Discuss. (07 marks)
SECTION – “B”
Q.4 (a) After developing an audit program and gathering audit evidence, the next step is the evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then develop audit recommendations.
(i) How can an IS auditor assess the strengths and weaknesses of the evidence gathered? (03 marks)
(ii) How can a control matrix be employed in this regard? (03 marks)
(iii) What critical role can the concept of materiality play in sifting relevant information for the audit report? (03 marks)
(b) Today, telecommunication networks are the key to business processes in both large and small organizations. However, organizations often do not give them the same priority as data centers. What are the telecommunication network disaster recovery methods, and how can we protect a network by using these methods? (05 marks)
Q.5 (a) Generally, each IT platform that runs an application supporting a critical business function needs a recovery strategy. Discuss the different alternative strategies in terms of cost and the relevant level of risk. (07 marks)
(b) “System maintenance practices refer primarily to the process of managing change to application systems while maintaining the integrity of both the production source and executable code.” In the light of this statement, answer the following questions:
(i) Describe the change management process. (03 marks)
(ii) How are changes deployed? (02 marks)
(iii) Why is system documentation important in the change management process? (02 marks)
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Fall (Winter) 2009 Examinations
Thursday, the 19th November 2009
INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6
Time Allowed – 2 Hours 45 Minutes; Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed on the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – “Multiple Choice Question”, printed separately, is an integral part of this question paper.
SECTION – “A”
Q.2 (a) Information systems are designed to support decision-making and management performance in one way or another. Identify and explain each step involved in the decision-making process with the help of a process flow diagram. (08 marks)
(b) How are social context and nonverbal communication important when communication technologies are used? (06 marks)
Q.3 (a) Describe the main uses of high-level, fourth-generation, object-oriented, and web-oriented programming languages and tools. (08 marks)
(b) Define the elements of a work system framework with the help of a diagram. (06 marks)
SECTION – “B”
Q.4 (a) IS auditors appreciate a well-managed IS department to achieve the organization’s objectives. An effective IS department includes information systems management practices such as personnel management, sourcing and IT change management. Explain these in detail. (08 marks)
(b) What are the typical physical access controls employed by different organizations having sufficient IT assets and specific budgets allocated for their protection? (06 marks)
Q.5 (a) A medium-sized company is operating in a client-server environment to link its several branches to the head office located in the same city. How can an IS auditor ensure the security of this client-server environment? Enumerate. (06 marks)
(b) Control Self-Assessment (CSA) can be defined as a management technique. Explain. What are the benefits and disadvantages of CSA? Define the IS auditor’s role in the implementation of CSA. (08 marks)
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Spring (Summer) 2009 Examinations
Wednesday, the 20th May 2009
INFORMATION SYSTEMS & I.T. AUDIT – (S-602) Stage-6
Time Allowed – 2 Hours 45 Minutes; Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed on the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – “Multiple Choice Question”, printed separately, is an integral part of this question paper.
SECTION – “A”
Q.2 (a) Data communication provides the underpinning of networks and electronic commerce. Explain how data is transmitted from one computer to another with reference to the OSI model. (07 marks)
(b) Information systems depend on software resources to help end-users use computer hardware to transform data into information products. What are the different types of such software resources? Explain each by illustrating various examples. (07 marks)
Q.3 (a) Illustrate some benefits of using expert systems in different organizations. What are the problems faced during the development and usage of an expert system? (05 marks)
(b) A software development life cycle (SDLC) is a logical process that ‘System Analysts’ and ‘System Developers’ use to develop software packages. What is the purpose of using an SDLC? Explain the different phases of the SDLC. (05 marks)
(c) One of the tools of software development is prototyping. How does prototyping help software engineers in software development? (04 marks)
SECTION – “B”
Q.4 (a) What are the typical categories of authentication? What is two-factor authentication? Give an example. What are TOKEN-based authentication devices? Briefly describe their working. Which category of authentication do they belong to, and how? (07 marks)
(b) Describe the significance for the IS auditor of ensuring that hiring and termination procedures are clear and comprehensive. How can an IS auditor ensure that these procedures are being practiced? (07 marks)
Q.5 (a) Briefly describe how laws and regulations affect IS audit. How would IS auditors determine an organization’s level of compliance with external requirements? (05 marks)
(b) How can unnecessary system outages resulting from system configuration be controlled? How can IS auditors ensure that the appropriate controls are present in this regard? How do media controls address the media transportation, storage, reuse, and disposal activities? Give a media control example for each type of activity. (05 marks)
(c) What is contracting? Define the different elements of a contract. What is the purpose of these contracts besides third-party outsourcing? (04 marks)
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
Fall (Winter) 2008 Examinations
Wednesday, the 19th November 2008
INFORMATION SYSTEMS & I.T. AUDIT – (S-602) Stage-6
Time Allowed – 2 Hours 45 Minutes; Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed on the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – “Multiple Choice Question”, printed separately, is an integral part of this question paper.
SECTION – “A”
Q.2 (a) With technology getting more advanced, purchasing over the internet has become a norm. A successful e-commerce system must address the many stages consumers experience in the sales life cycle. Discuss the multi-stage model for purchasing over the internet in detail with the help of an illustration. (10 marks)
(b) There are a number of challenges that must be overcome for a company to convert its business processes from the traditional form to e-commerce processes. Elaborate on the challenges with examples. (4 marks)
Q.3 (a) How does enterprise software work? Name some business processes supported by enterprise software. Why are enterprise systems difficult to implement and use effectively? Name at least three (03) commonly known popular ERP solution platforms. (4 marks)
(b) How have the value chain and competitive forces models changed as a result of the internet and the emergence of digital firms? Briefly discuss. (4 marks)
(c) There were a few actions by major hardware and software vendors in the past that initiated discussion about the need for consumers to be on guard to protect their privacy. Describe and discuss at least the two most important cases in this regard. (6 marks)
SECTION – “B”
Q.4 (a) Why is the testing of Disaster Recovery and Business Continuity Planning so important? What are the important elements to be considered, and what tasks should be accomplished by such a test? (7 marks)
(b) Why are digital signatures and digital certificates important for electronic commerce? What are the three major issues when a certificate needs to be revoked? Also describe a CRL. (4 marks)
(c) What are controls? Distinguish between general controls and application controls. (3 marks)
Q.5 (a) It is a general belief that an IS auditor’s conclusions must be based on sufficient, relevant and competent evidence. Elaborate on the techniques for gathering evidence. (5 marks)
(b) What is an Artificial Intelligence System (AIS) and what are the major branches of AIS? Discuss expert systems along with their capabilities and the characteristics limiting their current usefulness. (9 marks)
THE END
INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN
SPRING (SUMMER) 2008 EXAMINATIONS
Sunday, the 25th May, 2008
INFORMATION SYSTEMS & I.T. AUDIT – (S-602) Stage-6
Time Allowed – 2 Hours 45 Minutes; Maximum Marks – 56
(i) Attempt ALL questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.
(iv) Read the instructions printed on the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) There will also be a computer-based practical examination of 10 marks and presentation of a project of 20 marks, which form part of this paper.
(vii) Question No.1 – “Multiple Choice Question”, printed separately, is an integral part of this question paper.
SECTION – “A”
Q.2 (a) It is a fact that the majority of enterprises could not succeed without the possession of data concerning their external environment and their internal operations. How can the use of data flow diagrams aid enterprises through the provision of better-quality decision-making information? (4 marks)
(b) A system must pass the ACID test to be considered a true transaction processing system. What are the properties of the ACID test? (5 marks)
(c) A fuzzy logic system deals with “approximate reasoning”. Does it make sense to apply it to control systems? Why or why not? (5 marks)
Q.3 (a) The accuracy of the outcome of a cost-benefit analysis is dependent on how accurately costs and benefits have been estimated. Inaccurate cost-benefit analysis may be argued to be a substantial risk in planning, because inaccuracies of the size documented are likely to lead to inefficient decisions. What are the causes of inaccuracies in cost and benefit estimations? (6 marks)
(b) ABC Software Company has to develop a software automation system for a local textile company with a very basic IT infrastructure. Is it a good idea to develop a prototype of the system before developing the full-fledged system? Discuss. (4 marks)
(c) The biggest concern with biometric security is the fact that once a fingerprint or any other biometric source has been compromised, it is compromised for life, because users can never change their fingerprints. Is this concern valid? Discuss with reasoning. (4 marks)
SECTION – “B”
Q.4 (a) Describe the automated evaluation techniques, along with their complexity levels, applicable to continuous online auditing. Also mention the circumstances under which each type can be used. (7 marks)
(b) What are the physical and logical access points that need to be checked for unauthorized exposures of critical IT assets? (7 marks)
Q.5 (a) Give details of active and passive attacks, with two examples of each type. (4 marks)
(b) Why is a proper configuration for firewalls essential? (3 marks)
(c) Describe the purpose of library control software. (7 marks)
The End