
IT Application CA-Professional Stage (Application Level)

Shafique Ahmed/Sr. Officer-Audit, BSRM Group


MIS, E-COMMERCE, CAATS

01. Define data and information. What is the difference between data and information? What are the characteristics of useful information?
02. Define the terms: system, information system, information systems development, information technology. Describe the components of an information system.
03. Explain the different types of information system with examples.
04. Explain the three different types of decisions for management in an organization.
05. What are the levels of management decision making?
06. What are the information requirements at the various levels of management?
07. Describe the actions and decisions of top-level management. What is first-level management? Explain. What are the tasks at the operational management level of a system?
08. Describe the relationship between management decision making and information structure.
09. What is e-commerce? Name the common business applications related to e-commerce. What factors are to be considered in the decision process related to e-commerce adoption?
10. Define the advantages of e-commerce.
11. What are the disadvantages/limitations of e-commerce? //
12. What is CAAT? How are the planning and execution of an accounting information system related to CAAT?
13. Explain the factors to be considered in determining the use of CAATs. What are the major steps to be undertaken by the auditor in the application of CAATs?

SYSTEM DEVELOPMENT & IMPLEMENTATION

01. Define accounting information system. What are the necessary elements of an accounting information system's technology?
02. What are the steps needed for developing a new accounting information system?
03. "The feasibility of a proposed solution is evaluated in terms of its components." What are the components? Describe briefly.
04. Suppose the authority of your organization shows interest in commencing a new IT-enabled accounting system in the organization. They have assigned you to prepare a feasibility report. Which parameters will you investigate to prepare the report?
05. Describe the initial system design phase of a new AIS development process.
06. Explain the steps of system justification and selection in initial system design.
07. Elucidate the testing phase of a new AIS development process.
08. What do you mean by system conversion? Describe the conversion strategies used in AIS.
09. Describe the post-implementation review goals.
10. How can the security requirements be implemented in developing a new accounting system? /// Explain the terms: (i) authentication and authorization, (ii) prevention and resistance, (iii) detection and response.

SECURITY, CONTROL & STANDARD

01. Define information security/security control. What are the properties/components of information security? What are the types of security control?
02. What are the ways of providing security in an information system? ///
03. Explain the terms: (i) data encryption, (ii) firewall, (iii) biometric security.
04. What is a disaster recovery plan? Identify the advantages of a disaster recovery plan. What are the basic steps to develop a disaster recovery plan? Why do businesses need business continuity plans?
05. Explain the different types of physical security control and explain the importance of this type of security control.
06. Briefly explain the logical security control procedure.
07. How are user IDs and passwords used in logical security control?
08. Describe the backup and recovery procedure of logical security controls, showing its significance in an information system.
09. What do you mean by an information system security standard? At a minimum, which security standard should be applied to applicable information systems within the organization?
10. Explain when and in which situations an organization adopts the following remote access techniques: Secure Socket Layer (SSL) and Virtual Private Network (VPN). ///
11. What types of integrity policies and procedures may exist in an information system? Explain briefly. //


12. Briefly explain security functionality verification, software/information integrity, and malicious code protection. //
13. What is spam? How can you protect your system from a spam attack? //
14. Define computer virus. Which costs are likely due to an attack by computer viruses? How can the risks of computer viruses be minimized?
15. Define computer hackers. What are the common activities of a computer hacker? How can you protect your system from computer hackers?
16. What are the controls applied to personal systems to ensure processing integrity, security and the safeguarding of IT resources?
17. Explain the controls and standards which are applied during the system implementation phases of installation, testing, documentation, training, file conversion and change-over. //
18. What is system documentation? Why do you need system documentation? What factors or points should be included in the documentation of a system?
19. What are the controls and standards applied to system maintenance and evaluation?
20. What is an IS security policy? "An IS security policy is divided into five sections." What are the steps? Explain briefly.

E-BUSINESS PROCESS

01. What is business model design? Explain how IT contributes to the support of business models.
02. Risks and threats to e-business/IT strategy.
03. Explain risk avoidance and transfer.
04. What is 'service level management'? What are the components of service level management?
05. What is a service level agreement? What should be included in a service level agreement (SLA)?

IT STRATEGY in BANGLADESH

01. What is the overall strategy of an organization? Why is it important for the IT strategy of an organization to be developed in tandem with the overall strategy of the organization?
02. What is the IT strategy of an organization? Describe the IT strategy development process considering the overall strategy of an organization.
03. Compare the current IT capabilities and environment with those of the past regarding IT strategy development of an organization.
04. What are the critical success factors which should be considered in developing the IT strategy of an organization? // Name five issues on which the success of strategy alignment depends.
05. "IT has been declared a thrust sector in Bangladesh." Explain this statement from the perspective of the Bangladesh Government IT Policy.
06. What do you mean by intellectual property rights? Discuss the status and the issues of intellectual property rights in Bangladesh.


MIS, E-COMMERCE, CAATS

01. Define data and information. What is the difference between data and information? What are the characteristics of useful information?

Data: Data is the raw material of information. It relates to facts, events and transactions. Data refers to unprocessed information. It is normally entered into the computer by input devices and can take any form, but by itself it does not convey meaning.

Information: Information is data that has been processed into a form that is meaningful to the recipient and has real value for current decisions. Information is the basic resource of modern society. It is the structured form of data.

Difference between data and information:
- Data is the raw material for data processing; processed data becomes information.
- Data is not meaningful to the user; information is meaningful to the user.
- Data does not depend upon information; information is based upon and derived from data.
- Data is the lowest level of knowledge; information is the second level.
- Data by itself alone is not significant; information is significant by itself.
- Data is generally disorganized and disjointed in form; information is properly arranged, classified and organized.

Characteristics of useful information: understandable, relevant, reliable, accurate, timely, complete and cost-effective.

02. Define the terms: system, information system, information systems development, information technology. Describe the components of an information system.

System: A system is a collection of interrelated components that work together to achieve a specific task. That is, each system consists of several components, there must be a logical relationship between the components, and all components of the system work to achieve a specific task.

Information system: An information system is a set of interrelated components that process, store and distribute information to support decision making and control in an organization.

Information systems development: System development is the activity of creating a new business system or modifying an existing business system.

Information technology: Information technology is the use of hardware and software, in relation to computers and telecommunications, to process, store and disseminate data and thereby manage information. Computer-based information technology includes hardware, software, telecommunication networks and data management.

Components of an information system: input, processing, output and feedback (feedback allows people to evaluate the performance of the system and make the necessary changes to input or processing activities).

03. Explain the different types of information system with examples.

Major types of information system in business:

Transaction processing system (TPS): A TPS manipulates data from business transactions to generate various information products for external use.

Management information system (MIS): An MIS is designed to provide accurate, relevant and timely information to managers to support the operational control, management control and decision-making functions in an organization.

Decision support system (DSS): A DSS is a system that provides tools to managers to assist them in solving semi-structured and unstructured problems in their own way.

Characteristics of a DSS:
a) They support semi-structured and unstructured data for decision making.
b) They are flexible enough to adapt to the changing needs of decision makers.
c) They are easy to use.

Components of a DSS:

Users: The user of a DSS is usually a manager with a semi-structured or unstructured problem to solve. Users do not need a computer background to use a DSS; the basic requirement is that the user understands the problem and the factors that bear on its solution.

Databases: A DSS includes one or more databases. These databases include routine and non-routine data from internal and external sources.

Planning languages: Two types of planning language are used in a DSS: 1) general-purpose planning languages and 2) special-purpose planning languages.


Model base: The model base is the 'brain' of the DSS because it performs data manipulations and computations with the data provided to it by the user and the database.

Executive information system (EIS): An executive information system (EIS), sometimes referred to as an executive support system (ESS), is a DSS designed to meet the special needs of top-level managers.

Office automation system (OAS): The primary goal of an office automation system (OAS) is to facilitate communication. An OAS is a set of tools that gather, process, store, retrieve and disseminate information between individual workers, teams of workers and business entities, both inside and outside the organization.

Knowledge work system (KWS): A knowledge work system is an information system that aids knowledge workers in creating and integrating new knowledge in the organization.

04. Explain the three different types of decisions for management in an organization.
05. What are the levels of management decision making?
06. What are the information requirements at the various levels of management?
07. Describe the actions and decisions of top-level management. What is first-level management? Explain. What are the tasks at the operational management level of a system?
08. Describe the relationship between management decision making and information structure.

The following table gives, for each level of management, the information required, the type of decision, the activities and decisions, and the relationship with information systems.

Top level / Strategic management
  Information required: external and internal business environment; SWOT-related information; competitor analysis information; sources of finance and investment opportunities.
  Type of decision: unstructured.
  Activities and decisions: define strategy, objectives and policies; give instructions for preparing budgets, procedures, schedules etc.; overall control and coordination.
  Relationship with information systems: EIS, ESS, DSS.

Middle level / Tactical management
  Information required: functional and operational processes; supply chain management; comparative financial statements; ratio analysis.
  Type of decision: semi-structured.
  Activities and decisions: develop short- and medium-range plans, schedules and budgets; specify and delegate the policies, procedures and business objectives.
  Relationship with information systems: DSS, MIS.

Low level / Operational management
  Information required: function-wise detailed procedures; work efficiency and effectiveness.
  Type of decision: structured.
  Activities and decisions: assign jobs and tasks to various workers; instruct and guide workers in their day-to-day activities; help to solve workers' complaints; provide training to workers; arrange the necessary materials, machines, tools etc. to perform the work efficiently; prepare periodic reports about the performance of workers; ensure discipline in the enterprise and motivate workers.
  Relationship with information systems: MIS, TPS, OAS, KWS.


09. What is e-commerce? Name the common business applications related to e-commerce. What factors are to be considered in the decision process related to e-commerce adoption?

E-commerce: E-commerce, short for electronic commerce, is the process used to distribute, buy, sell or market goods and services, and to transfer funds, online through electronic communications or networks.

Common business applications related to e-commerce: e-mail; online shopping and order tracking; online banking; online office suites; domestic and international payment systems; teleconferencing; electronic tickets; etc.

Factors to consider in the decision process related to e-commerce adoption: external influence; government initiatives; geographical condition; political condition; economic condition; technology infrastructure; public awareness; socio-cultural condition.

10. Define the advantages of e-commerce.

- Better management system within the organization
- Better management system across different organizations
- Increased sales
- Decreased costs
- Increased profits
- Price quotations provided in real time
- Expands the size of the market from regional to national, or from national to international
- Convenient service from which both the customer and the business benefit
- Better customer service
- Opportunities for new business

11. What are the disadvantages/limitations of e-commerce? //
Describe the system functionality and information requirements for a typical e-commerce system.

Pick points, grouped by area:
- Software: software design, software development, software developer.
- Website: website design, website development, website developer.
- Technology: technology provider, technological solution, internet service provider, internet bandwidth, telecommunication bandwidth.
- Security: virus, server crash, unauthorized access, information transfer.
- Other: management commitment, operation of e-commerce, user friendliness, customer expectation.

12. What is CAAT? How are the planning and execution of an accounting information system related to CAAT?

CAATs (computer-assisted audit techniques) are tools that help auditors to select, gather, analyze and report audit findings. CAATs are audit techniques that use the computer as an audit tool. CAATs provide effective tests where there are no input documents or where the population and sample size are very large. The planning and execution of an accounting information system are closely interrelated with CAATs because of the following pick points:
- Searching databases for information
- Computing sample sizes
- Selecting sample items


- Scanning for unusual items
- Footing numbers
- Recalculating and verifying balances
- Computing financial statement ratios and trends for analytical procedures
- Testing for gaps in invoice numbers

13. Explain the factors to be considered in determining the use of CAATs. What are the major steps to be undertaken by the auditor in the application of CAATs?

In determining whether to use CAATs, the factors to be considered include:
- The IT knowledge and experience of the audit team needed to execute them
- The availability of CAATs and suitable computer facilities
- The necessary tasks where hard-copy evidence is not available
- The continuing use of the CAAT application, in order to evaluate the effectiveness of the CAAT
- Timing

The major steps to be undertaken by the auditor in the application of CAATs are:
- Set the objective of the CAAT application
- Determine the accessibility and availability of IS facilities
- Identify the specific files to be examined
- Understand the relationship between the data tables
- Define the specific tasks or procedures
- Define the output requirements
- Ensure that the use of the CAAT is properly controlled
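The CAAT procedures listed under questions 12 and 13, as an added Python example that is not part of the original notes: it runs footing, recalculation, random sample selection, an unusual-items scan and an invoice-number sequence test over a small constructed invoice register (sample data, not a real audit population; the z-score threshold for "unusual" is an assumption).

```python
"""CAAT procedures over a constructed invoice register (added example)."""
import random
from statistics import mean, pstdev

# Constructed sample population (not real audit data). Deliberate findings:
# invoice 1005 is missing (sequence gap), invoice 1007's recorded total is not
# qty * price (recalculation exception) and invoice 1009 is far larger than
# the rest of the population (unusual item).
INVOICES = [
    {"no": 1001, "customer": "A", "qty": 10, "price": 25.0, "total": 250.0},
    {"no": 1002, "customer": "B", "qty": 4, "price": 80.0, "total": 320.0},
    {"no": 1003, "customer": "A", "qty": 12, "price": 25.0, "total": 300.0},
    {"no": 1004, "customer": "C", "qty": 3, "price": 90.0, "total": 270.0},
    {"no": 1006, "customer": "B", "qty": 5, "price": 80.0, "total": 400.0},
    {"no": 1007, "customer": "C", "qty": 2, "price": 90.0, "total": 210.0},
    {"no": 1008, "customer": "A", "qty": 11, "price": 25.0, "total": 275.0},
    {"no": 1009, "customer": "D", "qty": 100, "price": 95.0, "total": 9500.0},
]


def foot(invoices):
    """Footing: add up the recorded totals of the whole population."""
    return round(sum(inv["total"] for inv in invoices), 2)


def recalculate(invoices):
    """Recalculate each total as qty * price; return the invoice numbers that disagree."""
    return [inv["no"] for inv in invoices
            if round(inv["qty"] * inv["price"], 2) != round(inv["total"], 2)]


def invoice_gaps(invoices):
    """Sequence test: invoice numbers missing from the numeric range of the population."""
    numbers = sorted(inv["no"] for inv in invoices)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def duplicates(invoices):
    """Counterpart of the sequence test: invoice numbers that appear more than once."""
    seen, dups = set(), []
    for inv in invoices:
        if inv["no"] in seen and inv["no"] not in dups:
            dups.append(inv["no"])
        seen.add(inv["no"])
    return dups


def unusual_items(invoices, z=2.0):
    """Scan for unusual items: totals more than z standard deviations from the mean.
    The threshold z is an assumption for this example, not an audit standard."""
    totals = [inv["total"] for inv in invoices]
    mu, sigma = mean(totals), pstdev(totals)
    if sigma == 0:
        return []
    return [inv["no"] for inv in invoices if abs(inv["total"] - mu) / sigma > z]


def select_sample(invoices, sample_size, seed=0):
    """Select sample items at random; a fixed seed makes the selection reproducible
    so the same sample can be documented in the working papers."""
    rng = random.Random(seed)
    return sorted(inv["no"] for inv in rng.sample(invoices, sample_size))


def run_caat(invoices):
    """Run every procedure and return the findings as one record for the working papers."""
    return {
        "footed_total": foot(invoices),
        "recalculation_exceptions": recalculate(invoices),
        "missing_invoice_numbers": invoice_gaps(invoices),
        "duplicate_invoice_numbers": duplicates(invoices),
        "unusual_items": unusual_items(invoices),
        "sample_selected": select_sample(invoices, 3),
    }


if __name__ == "__main__":
    for finding, value in run_caat(INVOICES).items():
        print(f"{finding}: {value}")
```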

SYSTEM DEVELOPMENT & IMPLEMENTATION

01. Define accounting information system. What are the necessary elements of an accounting information system's technology?

An accounting information system (AIS) is a system for the collection, storage and processing of financial transactions, reflecting the 'double-entry' accounting system, to enable users to take economic decisions. An AIS is generally a computer-based method for entering financial operations using information technology resources.

Necessary elements of an accounting information system:

Input: The input of an AIS is the source data. Each transaction either increases or decreases economic benefit, by way of expense or income, through cash or credit; this in turn increases or decreases an asset or liability, and finally it is reflected as an increase or decrease in capital. The user of the AIS generally enters every transaction using the double-entry accounting system.

Process: The system is designed to ensure the systematic reflection of the accounting entries and thereby better control. After a transaction is entered, it is processed automatically.

Output: The output of the AIS reflects the results, shown as debit vouchers, credit vouchers, journal vouchers and the trial balance, as well as the income statement and balance sheet (known as the financial reports), presented as user-friendly information.
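The three elements above (input of double-entry vouchers, processing with validation, and output of a trial balance) as an added Python example; it is not code from the notes, and the chart of accounts, the voucher-type convention (debit voucher for a cash payment, credit voucher for a cash receipt, journal voucher otherwise) and the sample transactions are assumptions constructed for the example.

```python
"""A minimal double-entry accounting information system (added example).

Input: vouchers entered as double-entry transactions (constructed sample data).
Process: each voucher is validated (total debits must equal total credits) and
posted to the ledger accounts; an unbalanced voucher is rejected, never posted.
Output: a trial balance whose debit and credit columns must agree.
"""
from collections import defaultdict

# Side on which each account normally carries its balance (assumed chart of accounts).
NORMAL_SIDE = {
    "Cash": "debit", "Receivables": "debit", "Equipment": "debit",
    "Rent expense": "debit", "Payables": "credit", "Capital": "credit",
    "Sales": "credit",
}


class UnbalancedVoucher(ValueError):
    """Raised when a voucher's debits do not equal its credits."""


def classify_voucher(lines):
    """Voucher type convention assumed here: a cash payment is a debit voucher,
    a cash receipt is a credit voucher, and a non-cash entry is a journal voucher."""
    for account, side, _amount in lines:
        if account == "Cash":
            return "Credit voucher" if side == "debit" else "Debit voucher"
    return "Journal voucher"


class Ledger:
    def __init__(self):
        # account -> running debit and credit totals
        self.accounts = defaultdict(lambda: {"debit": 0.0, "credit": 0.0})
        self.vouchers = []  # (voucher no, voucher type, narration)

    def post(self, voucher_no, narration, lines):
        """Validate and post one voucher. Each line is (account, 'debit'|'credit', amount)."""
        for line in lines:
            account, side, amount = line
            if account not in NORMAL_SIDE or side not in ("debit", "credit") or amount <= 0:
                raise ValueError(f"{voucher_no}: invalid line {line}")
        debits = round(sum(a for _, s, a in lines if s == "debit"), 2)
        credits = round(sum(a for _, s, a in lines if s == "credit"), 2)
        if debits != credits:
            raise UnbalancedVoucher(f"{voucher_no}: debits {debits} != credits {credits}")
        # Only a voucher that passed both checks reaches the ledger (no partial posting).
        for account, side, amount in lines:
            self.accounts[account][side] += amount
        vtype = classify_voucher(lines)
        self.vouchers.append((voucher_no, vtype, narration))
        return vtype

    def trial_balance(self):
        """Output: each account's net balance in the debit or credit column, with column totals."""
        rows = {}
        for account, t in self.accounts.items():
            net = round(t["debit"] - t["credit"], 2)
            rows[account] = {"debit": net if net > 0 else 0.0,
                             "credit": -net if net < 0 else 0.0}
        total_debit = round(sum(r["debit"] for r in rows.values()), 2)
        total_credit = round(sum(r["credit"] for r in rows.values()), 2)
        return rows, total_debit, total_credit

    def abnormal_balances(self):
        """Control check: accounts whose balance sits opposite to their normal side."""
        rows, _, _ = self.trial_balance()
        return [a for a, r in rows.items()
                if r[NORMAL_SIDE[a]] == 0.0 and (r["debit"] or r["credit"])]


def sample_vouchers():
    """Constructed sample transactions for one period (not real data)."""
    return [
        ("V1", "Owner introduces capital",
         [("Cash", "debit", 10000.0), ("Capital", "credit", 10000.0)]),
        ("V2", "Equipment bought on credit",
         [("Equipment", "debit", 4000.0), ("Payables", "credit", 4000.0)]),
        ("V3", "Sales, part cash and part credit",
         [("Cash", "debit", 1500.0), ("Receivables", "debit", 2500.0), ("Sales", "credit", 4000.0)]),
        ("V4", "Rent paid in cash",
         [("Rent expense", "debit", 800.0), ("Cash", "credit", 800.0)]),
    ]


def run_period():
    """Input and process the sample vouchers; return the posted ledger."""
    ledger = Ledger()
    for voucher_no, narration, lines in sample_vouchers():
        ledger.post(voucher_no, narration, lines)
    return ledger


if __name__ == "__main__":
    rows, total_debit, total_credit = run_period().trial_balance()
    for account, r in rows.items():
        print(f"{account:14} Dr {r['debit']:>9.2f}  Cr {r['credit']:>9.2f}")
    print(f"{'Total':14} Dr {total_debit:>9.2f}  Cr {total_credit:>9.2f}")
```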

02. What are the steps needed for developing a new accounting information system?

- Initial preparation
- Establishing and recording user requirements
- Investigation and feasibility study
- Project management
- Developing a solution to fulfil the requirements
- Initial system design (including control and security)
- Technical information and system requirements
- Specification of hardware and software
- Implementing security requirements
- Installing/implementation
- Testing
- System conversion and start-up
- Post-implementation review


03. "The feasibility of a proposed solution is evaluated in terms of its components." What are the components? Describe briefly.

Economic feasibility: To ensure that the proposed system would be economically feasible, the proposed project costs and benefits are evaluated for cost-effectiveness. For the period when the system is running, it analyses the system operation cost, system maintenance cost, backup and recovery cost, security cost, training cost, IT cost etc.; overall, it analyses cost-effectiveness.

Technical feasibility: A systems project is considered technically feasible when the internal technical capability is sufficient to support the project requirements. It considers the technical requirements of the proposed project; these are then compared with the technical capability of the organization.

Operational feasibility: The ability, desire and willingness of the stakeholders of the proposed system to use, support and operate the system. The stakeholders include management, employees, customers and suppliers.

04. Suppose the authority of your organization shows interest in commencing a new IT-enabled accounting system in the organization. They have assigned you to prepare a feasibility report. Which parameters will you investigate to prepare the report?

The feasibility study investigates:
a. The problem and the information needs of the stakeholders, i.e. operational feasibility.
b. Whether the technical capacity is sufficient to support the project requirements, i.e. technical feasibility.
c. The proposed project costs and benefits, evaluated to ensure cost-effectiveness, i.e. economic feasibility.

The methods to assess the above parameters are given below.

To assess operational feasibility:
- Interviewing users, employees, managers and customers.
- Observing or monitoring users to determine their needs and their satisfaction or dissatisfaction with the current system.
- Collecting, examining and analyzing documents, reports, layouts, procedures, manuals and any other documentation relating to the operations of the current system.

To assess technical feasibility:
- Determine the technical requirements to support and implement the new system.
- Determine the current technical capacity and the additional requirements to enhance it.

To assess economic feasibility:
- Every point above requires an analysis of the cost-effectiveness of the proposed system.

05. Describe the initial system design phase of a new AIS development process.

Initial system design is a creative phase of system development that involves specifying and designing the outputs, the processing design and procedures, and the input procedures and design for a new system. Initial system design should be carried out in an organization with information security in mind, to ensure a secure implementation.

The major activities of initial system design are: user interface design, data design, data manipulation, input design, process design, output design and output analysis.

System design is divided between accountants and IT professionals as follows: the accounting function is responsible for the conceptual system; the IT function is responsible for the physical system. In the conceptual system, the accountant determines the nature of the information required, its sources, its destination and the accounting rules that need to be applied in the initial system design. Besides this, the accountant plays an important role regarding the control and security issues of the initial system design.


06. Explain the steps of system justification and selection in initial system design.

- System planning
- System analysis
- System design
- Determination of design feasibility
- Evaluation of hardware and software proposals
- Evaluation of the system proposal
- Selection of system hardware and software
- System operations

07. Elucidate the testing phase of a new AIS development process.

The testing phase methodically ensures that the performance of the proposed AIS matches the system requirements and meets the expectations of end users. There are four types of testing:

Unit/program testing: tests each program in the system separately. The purpose of such testing is to guarantee that the programs are error-free.

System function testing: tests the functioning of the information system as a whole and verifies that all programs in the system work together properly.

Integration testing: verifies that the information system works well with other systems.

Acceptance testing: provides the final certification that the system is ready to be used in a production setting. System tests are evaluated by users and reviewed by management. When all parties are satisfied that the new system meets their standards, the system is formally accepted for conversion.

An accountant ensures that systems and their products are reliable. He tests the controls built into the system, assesses the system's reliability in terms of effectiveness and efficiency, and participates in developing the new accounting information system.

08. What do you mean by system conversion? Describe the conversion strategies used in AIS.

System conversion is the method used to change from an old accounting information system (AIS) to a new one. The accountant can play a major role here by determining the strategy that will be most effective and fruitful considering budget, time and diversity. The different strategies for converting from the old AIS to the new AIS are:

Parallel strategy: both the old and the new system operate until the project development team and end-user management agree to switch completely over to the new system. Under this strategy, any problems with the new system can be solved before the old system is terminated.

Direct cutover strategy: the old system is completely replaced by the new one. The advantage of this strategy is that it requires no transaction costs and is a quick implementation technique.

Phased strategy: each function or organizational unit is converted separately, at different times, using parallel conversion.

Pilot strategy: a part of the system is introduced into one carefully designated organizational area, lessons are learned from this experience, and then the complete system is introduced.

09. Describe the post-implementation review goals.

- Determine whether or not the user is satisfied with the new system
- Identify how well the system is running, and recommend improvements if necessary
- Evaluate the quality of the new system considering documentation, training programs and data conversion
- Ensure proper service level management to resolve problems identified after system development
- Ensure the continuing availability of the required technological solution

10. How can the security requirements be implemented in developing a new accounting system? ///
Explain the terms: (i) authentication and authorization, (ii) prevention and resistance, (iii) detection and response.

The security requirements that can be implemented in developing a new accounting system are given below:


Authentication and Authorization: Authentication is the method of confirming a user's claimed identity. Once the system has authenticated the user, it can determine that user's access privileges, that is, perform authorization. Authorization is the process of granting a verified identity permission to do or access something. Authentication techniques use something the user knows (user ID and password), something the user has (smart card or token) or something the user is (fingerprint or voice signature); authorization is then enforced through the roles or access rights attached to the authenticated identity. The order matters: no authorization decision should be made for a caller who has not been authenticated.

Prevention and resistance: Prevention and resistance technologies stop unauthorized persons from reaching the organization's information assets in the first place. They include:

Encryption: Encryption is the process of encoding information so that unauthorized parties (including an attacker who intercepts it) cannot read it, while authorized parties holding the key can decrypt it.

Firewall: A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by inspecting packets and deciding, according to a rule set, whether each should be allowed through.

Detection and response: If prevention and resistance fail and a breach occurs, detection and response technologies limit the damage. Detection tools include antivirus/anti-malware software, intrusion detection systems and log monitoring at the network, operating system and database levels; response is the incident procedure that isolates the affected system, removes the malware, restores from backup and reports the event. Antivirus software is the most common detection tool, but it does not by itself eliminate a breach: someone must act on what it reports.
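
The two steps in "Authentication and Authorization" above, as an added worked example that is not part of the course notes: a Python script in which authentication (a salted PBKDF2 password hash compared in constant time) must succeed before any authorization decision (a role-to-operation matrix) is made. The user store, the two sample users and the role matrix are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the course notes). The user store, role matrix and
# the two sample users below are constructed for illustration.


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a stolen hash cannot be reversed cheaply or matched across users.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def create_user(store: dict, user_id: str, password: str, roles) -> None:
    salt = secrets.token_bytes(16)
    store[user_id] = {"salt": salt, "hash": _pbkdf2(password, salt), "roles": set(roles)}


def authenticate(store: dict, user_id: str, password: str):
    """Authentication: confirm the claimed identity. Returns user_id, or None on failure."""
    record = store.get(user_id)
    if record is None:
        _pbkdf2(password, b"\x00" * 16)  # same cost for unknown IDs, so timing does not reveal which IDs exist
        return None
    candidate = _pbkdf2(password, record["salt"])
    # Constant-time comparison: a plain '==' leaks how many leading bytes matched.
    return user_id if hmac.compare_digest(candidate, record["hash"]) else None


# Authorization data: which operations each role may perform (assumed role matrix).
PERMISSIONS = {
    "clerk": {"journal:create"},
    "supervisor": {"journal:create", "journal:approve"},
    "auditor": {"journal:read"},
}


def authorize(store: dict, user_id: str, operation: str) -> bool:
    """Authorization: may this already-authenticated user perform `operation`?"""
    return any(operation in PERMISSIONS.get(role, set()) for role in store[user_id]["roles"])


def login_and_check(store: dict, user_id: str, password: str, operation: str) -> str:
    """The two steps in order: no authorization decision is made for an unauthenticated caller."""
    who = authenticate(store, user_id, password)
    if who is None:
        return "authentication failed"  # do not say whether the ID or the password was wrong
    return "permitted" if authorize(store, who, operation) else "forbidden"


USERS: dict = {}
create_user(USERS, "rahim", "Winter-2024!", ["clerk"])
create_user(USERS, "karim", "Ledger#77ok", ["supervisor"])

if __name__ == "__main__":
    for uid, pw, op in [("rahim", "Winter-2024!", "journal:create"),
                        ("rahim", "Winter-2024!", "journal:approve"),
                        ("rahim", "wrong", "journal:create")]:
        print(uid, op, "->", login_and_check(USERS, uid, pw, op))
```

Note that a clerk who authenticates correctly is still refused "journal:approve": authentication answers "who are you", authorization answers "what may you do", and a system that conflates them (for example, by granting all rights to anyone who can log in) has no segregation of duties.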

SECURITY, CONTROL & STANDARD

01. Define information security/security control. What are the properties/components of information security? What are the types of security control?

Information security controls are the policies, procedures, tools and techniques designed to prevent unauthorized access and to protect an organization's computer assets (data, software and systems) against errors, accidental and intentional damage, and natural disasters.

Properties/components of information security:
Confidentiality: information is not disclosed to unauthorized users.
Integrity: data cannot be modified or destroyed without authorization, and remains accurate and complete.
Availability: information and systems are accessible when they are needed.

Types of security control:

Physical security controls protect computer hardware and components, file servers, gateways, routers and other telecommunications equipment at the locations where they are installed, and reduce the chance of theft, damage and unauthorized physical access.

Logical security controls restrict the access capabilities of users within the operating system, database management system or application program and prevent unauthorized entry.

Environmental controls include IS security policies, standards and guidelines, vendor terms, software licences, maintenance and support agreements, warranties and so on.

Information system operating controls are designed to ensure the operating effectiveness and efficiency of the information system through troubleshooting, maintenance procedures, and backup and recovery procedures.

02. What are the ways of providing security in an information system?

Encryption: Encryption is the process of encoding information so that unauthorized parties cannot read it, while authorized parties holding the key can.
Firewall: A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by inspecting packets and deciding, according to a rule set, whether each should be allowed through.
Biometric security: A biometric device measures a physical or behavioural characteristic of the individual (voice verification, fingerprints, hand geometry, signature dynamics, retina scanning, face recognition) to authenticate the user.
E-mail monitoring: Filtering software scans incoming and outgoing mail for spam, malicious code and phishing, and blocks or quarantines it.
Antivirus protection: Antivirus software detects viruses, worms, Trojans and other malicious code and disables or removes it. It must be installed on every host and updated regularly to remain effective.
Security codes: Passwords (and other credentials) are required to log on to the system, run software, process data and use the Internet and e-mail.
Backup files: Data, software and systems are backed up periodically so that they can be restored after loss.
Computer failure controls: Backup, disaster recovery arrangements, uninterruptible power supply (UPS) and generators.


Disaster recovery: A disaster recovery plan specifies how the company will maintain its information systems and services if a disaster occurs.
Auditing IT security: IT security should be examined periodically by internal or external auditors to evaluate whether the security policies have been implemented and are working as intended.

03. Explain the terms: i) Data encryption, ii) Firewall, iii) Biometric security

Data encryption: Encryption is the process of encoding information so that unauthorized parties cannot read it, while authorized parties holding the key can decrypt it. It protects the confidentiality of data stored on disk and of data sent over a network; the security of the scheme rests on keeping the key secret, not on keeping the algorithm secret.
Firewall: A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by inspecting packets and deciding, according to a rule set, whether each should be allowed through. Rules are evaluated in order, the first matching rule decides, and the rule set should end with a default deny so that anything not explicitly allowed is dropped.
Biometric security: A biometric device measures a physical or behavioural characteristic of the individual (voice verification, fingerprints, hand geometry, signature dynamics, retina scanning, face recognition) to authenticate the user. Unlike a password, a biometric cannot be changed if it is compromised, so the stored templates must themselves be protected.
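
To show what "based on a rule set" means in practice, here is an added Python example (not from the notes) of a packet-filtering firewall's decision logic: rules are matched in order, the first match decides, and a packet that matches nothing is dropped. The network addresses, hosts and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the course notes); addresses and rules are constructed.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR network, or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any port


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides. Nothing matched: drop (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed rule set for a small accounting network:
#   10.0.1.0/24  office workstations        10.0.2.10  AIS application server
#   10.0.1.99    a workstation under quarantine   10.0.2.20  database server
RULES = [
    Rule("deny",  "10.0.1.99/32", "any",          "any", None),   # quarantined host: block everything
    Rule("allow", "10.0.1.0/24",  "10.0.2.10/32", "tcp", 443),    # office -> AIS web front end only
    Rule("allow", "10.0.2.10/32", "10.0.2.20/32", "tcp", 1433),   # app server -> database
]                                                                # implicit last rule: deny everything else

if __name__ == "__main__":
    for p in [Packet("10.0.1.15", "10.0.2.10", "tcp", 443),
              Packet("10.0.1.15", "10.0.2.20", "tcp", 1433),
              Packet("10.0.1.99", "10.0.2.10", "tcp", 443),
              Packet("203.0.113.5", "10.0.2.10", "tcp", 443)]:
        print(p.src, "->", p.dst, p.dport, evaluate(RULES, p))
```

Two points the example makes that the definition alone does not: a workstation cannot reach the database directly, only through the application server, and rule order is part of the policy. Moving the quarantine rule to the end of the list lets the quarantined host through, because the broader "office -> AIS" rule matches it first.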

04. What is a disaster recovery plan? Identify the advantages of a disaster recovery plan. What are the basic steps to develop a disaster recovery plan? Why does a business need business continuity plans?

A disaster recovery plan (DRP) specifies how a company will maintain its information systems and services if a disaster strikes; it describes the disaster scenarios it covers and identifies the courses of action that employees must take when a disaster occurs.
Advantages of a DRP:
a. Ability to continue company operations and functions.
b. Safeguarding the company's reputation, brand and image.
c. Mitigating the effect of the disaster within a short time.
d. Preventing the loss of customers to competitors because of inability to trade.
e. Increasing the confidence of clients, investors, business partners and other stakeholders.
Basic steps to develop a DRP (the information the plan must assemble and keep current):
A list of vendors doing business with the organization, with contact numbers and addresses for emergency purposes.
A checklist for taking inventory, updated on a regular basis.
A list of employees' telephone numbers for use in an emergency.
An emergency telephone list: fire, police, hardware and software suppliers, customers, backup location.
Medical procedures to be followed in case of injury.
Insurance papers and claim forms.
The location of data and program files, the data dictionary, documentation manuals and the backup media.
The names of employees trained for emergency situations.
The plan should be tested periodically and updated whenever systems, suppliers or staff change; an untested plan is unlikely to work on the day it is needed.
A business needs business continuity plans for the following reasons:
a. To provide for the safety of people at the time of a disaster.
b. To identify weaknesses and implement a disaster prevention programme.
c. To continue critical business operations.
d. To minimize the risk to critical business operations.
e. To minimize immediate damage and losses.
f. To minimize the duration of a serious disruption.
g. To facilitate effective co-ordination of recovery tasks.
h. To reduce the complexity of the recovery effort.

05. Explain different types of physical security control and explain the importance of this type of security control.

Physical security controls protect the locations where computer hardware, components, file servers, gateways, routers and other telecommunications equipment are installed, and reduce the chance of theft, vandalism, accidental damage and unauthorized physical access. They matter because logical controls can be bypassed by anyone who can physically reach a server, a console or a backup tape. The various physical security controls are:

Physical locks: key locks, electronic access locks, cipher locks, biometric locks and similar.
Security guards.
Video surveillance (CCTV) cameras.
General emergency and detection controls: alarm systems (fire, smoke, intrusion) and lists of important telephone numbers such as the fire station, police station, ambulance services and hospitals.
Heating, ventilation and cooling systems.


Insurance coverage.
Periodic backups, with a copy stored off site.
Emergency power: uninterruptible power supply (UPS) systems and generators.
Disaster recovery plan: how the company will maintain its information systems and services if a disaster strikes.

06. Briefly explain the logical security control procedure.

Logical security controls restrict the access capabilities of users within the operating system, database management system or application program and prevent unauthorized entry. The major logical security controls are as follows:

User IDs and passwords
Each user ID should be unique to one person (no shared IDs, so that every action can be traced to an individual) and easy for that person to remember.
The system should ensure that a user ID cannot be deleted; the ID of someone who leaves is disabled instead, so the audit trail of their past activity survives.
The system can be configured to allow certain user IDs to sign on only from specific workstations.
After a set number of unsuccessful sign-on attempts the system should suspend the user ID until the system security administrator resets it.
When a signed-on user ID has been inactive for a set period, the system should automatically save and close any open files and sign the user off.
Passwords must be at least eight characters long.
The system should require at least two digits and two non-alphabetic characters in every password.
When the password expiry period has elapsed, the system should prompt for the old password and for the new password entered twice.
For most cases a password expiry period of 60 days is sufficient.
Backup and recovery procedures

Backup and recovery procedures ensure periodic backups of system software, application programs and data, and secure storage of the backup media (with a copy off site).

Daily backups are usually necessary only for data, because application programs and system software do not change significantly from day to day.

A full backup of the entire system, including system software, application programs and data, should be performed weekly or monthly, depending on how much changes.

A full system backup should also be taken whenever a major upgrade or other significant change to the system occurs.

Management should ensure, by testing restores, that system operations can be fully restored from the backup media; an untested backup is not a control.

Remote access controls: more and more users need to sign on remotely from laptops, personal digital assistants (PDAs) and smartphones. The most common remote access controls are Secure Sockets Layer (SSL) sessions and virtual private networks (VPNs).
Secure Sockets Layer (SSL), whose current form is Transport Layer Security (TLS), is a protocol that provides communication security over the Internet. It is used to set up an encrypted session between a remote computer and the network server; once the connection has been established, all data exchanged between the remote computer and the server is encrypted, and the server's certificate lets the client confirm that it is talking to the genuine server.

A virtual private network (VPN) extends a private network across a public network such as the Internet. It enables a computer to send and receive data across the public network as if it were directly connected to the private network, so employees can securely access the company intranet while travelling outside the office. VPNs typically require VPN client software on the remote device and a VPN gateway (hardware or software) at the network edge; the gateway authenticates the remote computer and encrypts all traffic exchanged between it and the internal network.

Computer operations audit: a computer operations audit provides assurance that computer operations as a whole run properly, that is: (I) system software and application programs perform their processing correctly; (II) data is processed in a timely manner; (III) output is distributed in a timely, accurate and secure manner; (IV) backup and recovery procedures adequately protect data and programs against accidental or intentional loss or destruction;


(V) problem management procedures ensure that system problems are documented and resolved in a timely and effective manner.

Integrity/completeness checks: when large volumes of data are electronically imported from or exported to other systems, data integrity and completeness controls (record counts, control totals and a checksum or message authentication code sent with the batch and recomputed by the receiver) provide reasonable assurance that the recipient has received all the data intact, without alteration or missing records.
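
An added Python example (not from the notes) of the integrity/completeness controls just described, applied to a batch file of journal lines: the sender appends a trailer carrying the record count, a control total and an HMAC-SHA256 over the body, and the receiver recomputes all three before accepting the batch. The record layout, the trailer format and the shared key are constructed for illustration; the HMAC is what also gives authenticity, since only a holder of the key can produce a valid tag.

```python
import hashlib
import hmac

# Added example (not from the course notes). The record layout, the trailer
# format and the shared key are constructed for illustration.
KEY = b"shared-secret-agreed-out-of-band"   # exchanged securely in advance, never sent with the file


def build_batch(records: list, key: bytes) -> str:
    """Sender: one 'account|amount' line per record, then a trailer with
    record count, control total and an HMAC-SHA256 over the body."""
    body = "\n".join(f"{r['account']}|{r['amount']}" for r in records)
    count = len(records)
    total = sum(r["amount"] for r in records)            # amounts in the smallest unit (paisa/cents)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}\nTRAILER|{count}|{total}|{tag}"


def check_batch(batch: str, key: bytes) -> dict:
    """Receiver: recompute every control and compare with the trailer.
    Cheap completeness checks first, then the MAC that catches any other alteration."""
    *lines, trailer = batch.split("\n")
    fields = trailer.split("|")
    if len(fields) != 4 or fields[0] != "TRAILER":
        return {"ok": False, "reason": "trailer missing or malformed"}
    try:
        exp_count, exp_total = int(fields[1]), int(fields[2])
        amounts = [int(line.split("|")[1]) for line in lines]
    except (ValueError, IndexError):
        return {"ok": False, "reason": "unparseable record"}
    if len(lines) != exp_count:                         # completeness: dropped or duplicated records
        return {"ok": False, "reason": f"record count mismatch (trailer {exp_count}, received {len(lines)})"}
    if sum(amounts) != exp_total:                       # integrity of the amounts
        return {"ok": False, "reason": f"control total mismatch (trailer {exp_total}, received {sum(amounts)})"}
    body = "\n".join(lines)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), fields[3].encode()):   # authenticity + any other change
        return {"ok": False, "reason": "MAC mismatch: content altered or not from the expected sender"}
    return {"ok": True, "reason": "count, total and MAC verified"}


# Constructed batch: three journal lines.
RECORDS = [{"account": "1001", "amount": 125000},
           {"account": "2001", "amount": -125000},
           {"account": "3001", "amount": 4999}]
BATCH = build_batch(RECORDS, KEY)

if __name__ == "__main__":
    print(BATCH)
    print(check_batch(BATCH, KEY))
```

The three controls catch different failures: a dropped record fails the count, an altered amount fails the total, and a change that leaves count and total intact (an account code swapped, or a batch forged by someone without the key) fails the MAC. A plain checksum without a key would detect accidental corruption but not a deliberate substitution, since the attacker could recompute it.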

07. How are user IDs and passwords used in logical security control?

User IDs identify the person; passwords prove that the person presenting the ID is its owner. The controls around them are:
Each user ID should be unique to one person (no shared IDs, so that every action can be traced to an individual) and easy for that person to remember.
The system should ensure that a user ID cannot be deleted; the ID of someone who leaves is disabled instead, so the audit trail of their past activity survives.
The system can be configured to allow certain user IDs to sign on only from specific workstations.
After a set number of unsuccessful sign-on attempts the system should suspend the user ID until the system security administrator resets it.
When a signed-on user ID has been inactive for a set period, the system should automatically save and close any open files and sign the user off.
Passwords must be at least eight characters long.
The system should require at least two digits and two non-alphabetic characters in every password.
When the password expiry period has elapsed, the system should prompt for the old password and for the new password entered twice.
For most cases a password expiry period of 60 days is sufficient.
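
The user ID and password rules listed under questions 06, 07 and 09, as an added Python example that is not part of the notes: a password policy check (eight characters, two digits, two non-alphanumeric characters), lockout after repeated failures until an administrator reset, inactivity sign-off, a 60-day expiry, and a change routine that asks for the old password and the new one twice. The lockout threshold (3 attempts) and idle timeout (15 minutes) are assumed values because the notes give no figures, and "non-alphabetic characters" is read here as non-alphanumeric (punctuation).

```python
import hashlib
import secrets
from datetime import datetime, timedelta

# Added example (not from the course notes). The lockout threshold and idle
# timeout are assumed values; the notes give no figures for them.
MIN_LENGTH = 8
MIN_DIGITS = 2
MIN_SYMBOLS = 2                        # "non-alphabetic" read as non-alphanumeric
MAX_FAILED_ATTEMPTS = 3                # assumed
EXPIRY = timedelta(days=60)
IDLE_TIMEOUT = timedelta(minutes=15)   # assumed


def password_problems(pw: str) -> list:
    """Rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(not c.isalnum() for c in pw) < MIN_SYMBOLS:
        problems.append(f"fewer than {MIN_SYMBOLS} non-alphanumeric characters")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    def __init__(self, user_id: str, password: str, now: datetime):
        self.user_id = user_id
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)   # the password itself is never stored
        self.password_set = now
        self.failed = 0
        self.suspended = False
        self.signed_on = False
        self.last_activity = None

    def _check(self, pw: str) -> bool:
        return secrets.compare_digest(_hash(pw, self.salt), self.pw_hash)


def sign_on(acct: Account, password: str, now: datetime) -> str:
    if acct.suspended:
        return "suspended: administrator reset required"
    if not acct._check(password):
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.suspended = True             # stays suspended until admin_reset()
            return "suspended: administrator reset required"
        return "invalid credentials"
    acct.failed = 0
    if now - acct.password_set > EXPIRY:
        return "password expired: change required"
    acct.signed_on, acct.last_activity = True, now
    return "signed on"


def activity(acct: Account, now: datetime) -> str:
    """Call on every user action; signs the session off when it has been idle too long."""
    if not acct.signed_on:
        return "not signed on"
    if now - acct.last_activity > IDLE_TIMEOUT:
        acct.signed_on = False                # a real system also saves and closes open files here
        return "signed off for inactivity"
    acct.last_activity = now
    return "active"


def change_password(acct: Account, old: str, new: str, new_again: str, now: datetime) -> str:
    if not acct._check(old):
        return "old password incorrect"
    if new != new_again:
        return "new passwords do not match"
    if new == old:
        return "new password must differ from the old one"
    problems = password_problems(new)
    if problems:
        return "rejected: " + "; ".join(problems)
    acct.pw_hash, acct.password_set = _hash(new, acct.salt), now
    return "password changed"


def admin_reset(acct: Account) -> None:
    acct.failed, acct.suspended = 0, False
```

The suspension is deliberately not time-based: the notes require an administrator reset, which forces someone to look at why an ID was being guessed. The same failed-attempt counter is what makes the "password guessing" attack in question 15 impractical.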

08. Describe the backup and recovery procedure of logical security controls, showing its significance in an information system.

Backup and recovery procedures ensure periodic backups of system software, application programs and data, and secure storage of the backup media. They are significant because every other control only reduces the chance of loss; after a hardware failure, accidental or malicious deletion, malware or a disaster, a restorable backup is the only control that reverses it.
Daily backups are usually necessary only for data, because application programs and system software do not change significantly from day to day.
A full backup of the entire system, including system software, application programs and data, should be performed weekly or monthly, depending on how much changes.
A full system backup should also be taken whenever a major upgrade or other significant change to the system occurs.
Management should ensure, by testing restores, that system operations can be fully restored from the backup media.
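
The backup schedule and the restore test described in questions 06, 08 and 09, as an added Python example that is not from the notes: a function that decides whether a data-only or a full backup is due today, and a manifest of SHA-256 digests written with the backup and compared against what comes back from the media. File names and contents are constructed; the same check works on real files by reading their bytes.

```python
import hashlib
from datetime import date
from typing import Dict, Optional

# Added example (not from the course notes); file names and contents are constructed.


def backup_type_due(today: date, last_full: Optional[date], major_change: bool,
                    full_interval_days: int = 7) -> str:
    """Schedule from the notes: data-only daily, full weekly (the interval here)
    and a full backup after any major upgrade or significant change."""
    if last_full is None or major_change or (today - last_full).days >= full_interval_days:
        return "full"
    return "data"


def make_manifest(files: Dict[str, bytes]) -> dict:
    """Written alongside the backup: file count plus a SHA-256 digest per file."""
    return {"count": len(files),
            "digests": {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}}


def verify_restore(manifest: dict, restored: Dict[str, bytes]) -> dict:
    """The restore test: compare what came back from the media with the manifest."""
    expected = manifest["digests"]
    missing = sorted(p for p in expected if p not in restored)
    altered = sorted(p for p in expected if p in restored
                     and hashlib.sha256(restored[p]).hexdigest() != expected[p])
    unexpected = sorted(p for p in restored if p not in expected)
    ok = not (missing or altered or unexpected) and len(restored) == manifest["count"]
    return {"ok": ok, "missing": missing, "altered": altered, "unexpected": unexpected}


# Constructed production set and two restore attempts.
PRODUCTION = {
    "bin/ais.exe":      b"\x4d\x5a program image",
    "data/gl_2024.dat": b"GL|2024|1001|125000\nGL|2024|4001|-125000\n",
    "data/ar.dat":      b"AR|C001|4999\n",
}
MANIFEST = make_manifest(PRODUCTION)
GOOD_RESTORE = dict(PRODUCTION)
BAD_RESTORE = {
    "bin/ais.exe":      PRODUCTION["bin/ais.exe"],
    "data/gl_2024.dat": b"GL|2024|1001|125000\n",   # truncated on the media
    # data/ar.dat never made it onto the tape
}

if __name__ == "__main__":
    print(backup_type_due(date(2024, 3, 4), date(2024, 2, 26), False))
    print(verify_restore(MANIFEST, GOOD_RESTORE))
    print(verify_restore(MANIFEST, BAD_RESTORE))
```

The manifest must be stored separately from the backup it describes (and ideally signed), otherwise corruption or tampering that affects the media also affects the evidence used to check it.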

09. What do you mean by information system security standard? At least which security standard should be applied to applicable information systems within the organization?

Information system security standards are the minimum criteria, rules and procedures that establish the security of computer assets against unauthorized users and against accidental, intentional or natural disaster. Whatever else is adopted, the following minimum standard should be applied to every applicable information system in the organization:
Each user ID should be unique to one person (no shared IDs, so that every action can be traced to an individual) and easy for that person to remember.
The system should ensure that a user ID cannot be deleted; the ID of someone who leaves is disabled instead, so the audit trail of their past activity survives.
The system can be configured to allow certain user IDs to sign on only from specific workstations.
After a set number of unsuccessful sign-on attempts the system should suspend the user ID until the system security administrator resets it.
When a signed-on user ID has been inactive for a set period, the system should automatically save and close any open files and sign the user off.
Passwords must be at least eight characters long.
The system should require at least two digits and two non-alphabetic characters in every password.
When the password expiry period has elapsed, the system should prompt for the old password and for the new password entered twice.
For most cases a password expiry period of 60 days is sufficient.
Backup and recovery procedures shall ensure periodic backups of system software, application programs and data, and secure storage of the backup media.


Daily backups are usually necessary only for data, because application programs and system software do not change significantly from day to day.
A full backup of the entire system, including system software, application programs and data, should be performed weekly or monthly, depending on how much changes.
A full system backup should also be taken whenever a major upgrade or other significant change to the system occurs.
Management should ensure, by testing restores, that system operations can be fully restored from the backup media.

10. Explain when and in which situations an organization adopts the following remote access techniques: Secure Sockets Layer (SSL) and Virtual Private Network (VPN).

Secure Sockets Layer (SSL), whose current form is Transport Layer Security (TLS), is a protocol that provides communication security over the Internet. It sets up an encrypted session between a remote computer and a network server; once the connection is established, all data exchanged between the two is encrypted, and the server's certificate lets the client confirm that it is connected to the genuine server. An organization adopts SSL/TLS when remote users need to reach a specific application, typically through a web browser: a web-based accounting portal, webmail, or a supplier or customer extranet. It needs no special client software, so it suits access from machines the organization does not manage, and it exposes only the one application rather than the whole network.

A virtual private network (VPN) extends a private network across a public network such as the Internet. It enables a computer to send and receive data across the public network as if it were directly connected to the private network, so employees can securely access the company intranet while travelling outside the office. VPNs typically require VPN client software on the remote device and a VPN gateway server at the network edge, which authenticates the remote computer and encrypts all traffic between it and the internal network. An organization adopts a VPN when remote users need access to several internal systems or to services that are not web-based (file servers, the AIS client/server application, remote administration), or when branch offices must be linked to head office. The remote devices should be company-managed and kept patched, because a VPN client brings the whole device onto the internal network, malware included.

11. What types of integrity policy and procedures may exist in an information system? Explain briefly.

Controls and standards for information integrity: information integrity provides reasonable assurance that data is accurate and complete and that a receiver gets the whole of what was sent, unaltered. It has the following components:
a. System and information integrity policy and procedures: the documented rules that the controls below implement.
b. Error correction: system errors are identified, managed and corrected.
c. Security functionality verification: the organization verifies, for example by periodic testing, that the security functions operate correctly within the system. A security function should alert the system administrator when irregularities are discovered so that prompt action can be taken.
d. Software and information integrity: the system monitors for and detects unauthorized changes to software and information, for example by comparing file hashes or digital signatures against known-good values. The organization reassesses the integrity of software and information periodically and employs automated tools that raise notifications during integrity verification.
e. Malicious code protection: the organization uses malicious code protection mechanisms at system entry and exit points and on workstations, servers and mobile computing devices on the network, to detect and eradicate malicious code carried by e-mail, e-mail attachments and web access. The mechanisms are updated whenever new releases are available, in line with the configuration management process.
f. Spam protection: spam is unsolicited bulk e-mail, and is a common carrier of malware and phishing. To control spam the organization defines the following policies:
Use spam protection mechanisms at all system entry points (mail gateways), on the network and on end-user devices to detect unwanted messages and act on them.
Update spam protection mechanisms when new releases are available, in line with the configuration management process.
g. Information input restrictions: the organization restricts the ability to enter information into the system to authorized personnel.
h. Information input accuracy, completeness, validity and authenticity: the system checks inputs for accuracy, completeness, validity and authenticity as required by organizational policy and operational needs, and ensures that inputs match the specified definitions of format and content.
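
Item h above, as an added Python example (not from the notes): validation of a journal entry before it is accepted into the AIS, covering completeness (required fields present), format (date, reference and amount patterns), validity (accounts exist in the chart of accounts, debits equal credits) and authenticity (the poster is an authorized user). The chart of accounts, the list of authorized posters and the reference format are constructed for the example.

```python
import re
from datetime import date
from decimal import Decimal

# Added example (not from the course notes). The chart of accounts, the list
# of authorised posters and the reference format are constructed.
CHART_OF_ACCOUNTS = {"1001", "2001", "4001"}
AUTHORISED_POSTERS = {"rahim", "karim"}
AMOUNT_RE = re.compile(r"\d{1,12}\.\d{2}")   # positive, exactly two decimals; DR/CR given separately
REFERENCE_RE = re.compile(r"JV-\d{6}")


def validate_entry(entry: dict, today: date) -> list:
    """Return every reason the journal entry must be rejected (empty list = accept).
    Checks completeness, format, validity against reference data, and authenticity of the poster."""
    errors = []
    for field in ("date", "reference", "posted_by", "lines"):        # completeness
        if field not in entry:
            errors.append(f"missing field: {field}")
    if errors:
        return errors
    try:                                                            # format and validity
        if date.fromisoformat(entry["date"]) > today:
            errors.append("posting date is in the future")
    except ValueError:
        errors.append("date must be YYYY-MM-DD")
    if not REFERENCE_RE.fullmatch(str(entry["reference"])):
        errors.append("reference must look like JV-000123")
    if entry["posted_by"] not in AUTHORISED_POSTERS:                   # authenticity
        errors.append("posted_by is not an authorised user")
    if len(entry["lines"]) < 2:
        errors.append("an entry needs at least two lines")
    totals = {"DR": Decimal("0.00"), "CR": Decimal("0.00")}
    for i, line in enumerate(entry["lines"], 1):
        if line.get("account") not in CHART_OF_ACCOUNTS:
            errors.append(f"line {i}: account not in chart of accounts")
        if line.get("side") not in totals:
            errors.append(f"line {i}: side must be DR or CR")
        amount = str(line.get("amount", ""))
        if not AMOUNT_RE.fullmatch(amount):
            errors.append(f"line {i}: amount must be a positive number with two decimals")
        elif line.get("side") in totals:
            totals[line["side"]] += Decimal(amount)   # Decimal, never float, for money
    if totals["DR"] != totals["CR"]:                                  # the accounting validity rule
        errors.append(f"debits {totals['DR']} do not equal credits {totals['CR']}")
    return errors


GOOD_ENTRY = {"date": "2024-03-04", "reference": "JV-000123", "posted_by": "rahim",
              "lines": [{"account": "1001", "side": "DR", "amount": "1500.00"},
                        {"account": "4001", "side": "CR", "amount": "1500.00"}]}
BAD_ENTRY = {"date": "2024-13-04", "reference": "JV-123", "posted_by": "mallory",
             "lines": [{"account": "9999", "side": "DR", "amount": "1500"},
                       {"account": "4001", "side": "CR", "amount": "1500.00"}]}

if __name__ == "__main__":
    print(validate_entry(GOOD_ENTRY, date(2024, 3, 5)))
    for problem in validate_entry(BAD_ENTRY, date(2024, 3, 5)):
        print("reject:", problem)
```

The validator reports every failure rather than stopping at the first, so a rejected batch can be corrected in one pass, and it validates against reference data (the chart of accounts, the user list) rather than only against syntax: a well-formed account code that does not exist is still invalid input.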

12. Briefly explain Security Functionality Verification, Software-Information Integrity and Malicious Code Protection.

a. Security functionality verification: the organization verifies, for example by periodic testing, that the security functions operate correctly within the system. A security function should alert the system administrator when irregularities are discovered so that prompt action can be taken.


b. Software and information integrity: the system monitors for and detects unauthorized changes to software and information, for example by comparing file hashes or digital signatures against known-good values. The organization reassesses the integrity of software and information periodically and employs automated tools that raise notifications during integrity verification.

c. Malicious code protection: the organization uses malicious code protection mechanisms at system entry and exit points and on workstations, servers and mobile computing devices on the network, to detect and eradicate malicious code carried by e-mail, e-mail attachments and web access. The mechanisms are updated whenever new releases are available, in line with the configuration management process.

13. What is spam? How can you protect your system from spam attack?

Spam is unsolicited bulk e-mail sent indiscriminately; besides wasting storage and attention it is a common carrier of malware attachments and phishing links. To control spam the organization defines the following policies:
Use spam protection mechanisms at all system entry points (mail gateways), on the network and on end-user devices to detect unwanted messages and act on them (quarantine, tag or reject).
Update spam protection mechanisms when new releases are available, in line with the configuration management process.

14. Define computer virus. Which costs are likely due to attack of computer viruses? How can the risks of computer viruses be minimized?

A computer virus is a program that attaches itself to other programs or files and replicates when they are run. Once a virus is executing it can perform any action the infected user could, such as erasing or corrupting files and programs. Virus risk creates the following costs:
Cost of purchasing, installing and maintaining virus detection and prevention software.
Cost of recovering lost data.
Cost of eliminating viruses from infected computer assets.
Cost of educating users on the risks of viruses, how to test for viruses, and what to do and whom to contact when a virus is detected.
Cost of developing and maintaining policies on virus prevention.
Cost of preventing unauthorized access to the system.
The risks of computer viruses can be minimized in the following ways:
Purchase, install and maintain virus detection and prevention software.
Always maintain backups of data, software and application programs so that lost data can be recovered.
Eliminate viruses as soon as an infection of a computer asset is found.
Educate users on the risks of viruses, how to test for viruses, and what to do and whom to contact when a virus is detected.
Develop and maintain policies on virus prevention.
Prevent unauthorized access to the system through authentication and authorization.
Update antivirus software at least weekly, preferably by enabling automatic daily updates.
Be alert to unusual or unexplained behaviour on PCs and workstations.
Viruses, worms and other malware are primarily transmitted through e-mail attachments, removable media (USB drives, CDs) and downloads, so these must be checked and scanned before use.

15. Define computer hackers. What are the common activities of a computer hacker? How can you protect your system from computer hackers?

A hacker is an individual who tries to gain unauthorized access to a computer system by finding weaknesses in the security protections of web sites and computer systems. Common hacking methods and their risks:
Sniffing: in these notes, sniffing means obtaining a user's password. There are three ways: password sharing, password guessing and password capture.
Password sharing: the victim gives the password to the hacker out of simple ignorance.
Password guessing: the hacker tries to guess the user's password and keeps trying until he gets it right; weak passwords and the absence of a sign-on lockout make this easy.
Password capture: the password is obtained by some type of malware (a keylogger) and forwarded to the hacker, or captured from the network when it is sent as text that is not encrypted, which is what sniffing means in the network sense.


Social engineering: the hacker manipulates people rather than technology. Typical pretexts are the "phone survey", the "application" and the "emergency situation": the hacker contacts potential victims by phone or e-mail and asks them to provide their password for an apparently legitimate reason.
Spoofing: a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data, and thereby gains an illegitimate advantage. Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source or destination of a message, so they are vulnerable to spoofing; such attacks are mitigated by measures that verify the identity of the sender or recipient of a message, such as cryptographic authentication.
The following measures may be taken to protect an information system from hackers:
Implement firewalls.
Develop a corporate security policy.
Install antivirus software.
Keep the operating system and applications up to date with security patches.
Do not run unnecessary network services.
Conduct periodic vulnerability tests.
Avoid untrusted websites.
Close or restrict unused network ports.

16. What are the controls applied to personal systems to ensure processing integrity, security and safeguarding of IT resources?

General controls: these form the foundation of the IT control structure. They help to ensure the reliability of the data generated by IT systems and support the assertion that systems operate as intended and that their output is reliable. General controls include:
The control environment, shaped by the corporate culture and management's attitude to control.
Security policies, standards and processes: controls designed to grant access on the basis of business need.
Technical support policies and procedures: policies that help users work efficiently and report problems.
Hardware/software configuration, installation, testing and management standards, policies and procedures.
Disaster recovery and backup and recovery procedures, to enable continued processing despite adverse conditions.
Application controls: application or program controls ensure the complete and accurate processing of data from input through to output. They are the mechanisms within each individual system that ensure that only authorized data is processed, and that it is processed completely and accurately. Application controls include: input controls; authorization; validation; error notification and correction; processing controls; output controls.

17. Explain the controls and standards which are applied during the system implementation phases of installation, testing, documentation, training, file conversion and change-over.

System implementation phase controls are the controls over an information system that ensure and verify proper implementation. They include the following:

System installation: before installation the proposed system should be communicated to and approved by senior management. For that approval the detailed installation procedure, preventive security measures, technical areas, network requirements, planning schedule, installation risks and the mitigation of those risks should all be clearly described.

System testing: system testing is essential to provide reasonable assurance that the system runs smoothly and is free of defects. The test schedule, test criteria, test plan, problem resolution and the procedure for adding, deleting and changing programs should all be clearly defined so that testing can be performed successfully. Testing should cover the security requirements (for example, that unauthorized users are refused access and that invalid input is rejected), not only the business functions.


Documentation: documentation is one of the most important tools for control. Documentation control covers creation, approval, distribution, revision, storage and disposal, so that documents are available and current when needed. System documentation should include the following:
System descriptions: narrative explanations of the operating environment and of the interrelated input, processing and output functions of the integrated application systems.
System flowcharts and models: these identify the source and type of input information, the processing, and the nature and location of output information.
File descriptions: descriptions of the collections of related records generated by the individual processing applications.

Training: personnel training is important for the successful implementation of an information system; without knowing the full process a person cannot handle all the functions of the system. System operators need:
System training; network training; hardware training; security training; maintenance training; data recovery and backup training; system software training; and so on.
Users need:
Application software training; facilities training; operating system training; and so on.

File conversion and change-over: when a new system is implemented, the existing files must be brought into the new system. The data should be cleansed first and the conversion reconciled (record counts and control totals agreed between old and new) so that errors in the old data are not carried forward. The strategies for converting from the old AIS to the new AIS are:

Parallel strategy: the old and new systems are run side by side until the project development team and end-user management agree to switch completely to the new system. Any problems with the new system can be found and fixed before the old system is retired.

Direct cutover strategy: the old system is shut down and completely replaced by the new one on a chosen date. It is quick and avoids the cost of dual operation, but there is no fallback if the new system fails.

Phased strategy: each function or organizational unit is converted separately, at different times, so that the risk is limited to the part being converted; each phase may itself use parallel or direct conversion.

Pilot strategy: the complete system is introduced in one carefully chosen organizational area, the experience is used to correct problems, and the system is then rolled out to the rest of the organization.

18. What is system documentation? Why do you need system documentation? What factors or points should be included in the documentation of a system?

System documentation is the written description of a system: what it does, how it is built and how it is operated. It is one of the most important tools for control, because it allows the system to be operated, maintained, audited and recovered by people other than its original developers. Documentation control covers creation, approval, distribution, revision, storage and disposal, so that documents are available and current when needed. System documentation should include the following:
System descriptions: narrative explanations of the operating environment and of the interrelated input, processing and output functions of the integrated application systems.
System flowcharts and models: these identify the source and type of input information, the processing, and the nature and location of output information.
File descriptions: descriptions of the collections of related records generated by the individual processing applications.

19. What are the controls and standards applied to system maintenance and evaluation?

Computer system maintenance and evaluation procedures should adequately protect computer hardware against failure over its expected useful life, and hardware should be serviced according to the manufacturer's recommendations. Controls and standards for the system maintenance and evaluation process include the following:

System maintenance policy and procedures


System monitoring and evaluation

Back-up and recovery of critical system software, applications and data, for use if the system is destroyed

Unplanned system maintenance

Preventive system maintenance

Periodic system maintenance

Post implementation review: when a system has been implemented, a post-implementation review generally assesses the effectiveness and efficiency of that system and evaluates its maintenance requirements.

20. What is IS security policy? "An IS security policy is divided into five sections" What are the steps? Explain briefly.

An IS security policy states the general goals of an organization for control and security over its information system. The sections of an IS security policy are given below:

Purpose and responsibility: The purpose of the IS security policy is to provide essential guidelines regarding transaction processing, management information systems and customized information capabilities, so that top-level management can efficiently operate the organization. In addition, the policy ensures continuous support for the computer and telecommunication systems of the company.

Security requirements during system development: The IS security policy requires that current and future security needs are always analyzed when systems are developed. The organization should follow the system development life-cycle to determine problem definition, requirement analysis, design, development, monitoring, review, etc.

Ensuring computer assets and information security, which includes: computer assets and environmental security; information and communication security; backup and disaster recovery.

Service programs: Service programs provide the IT services needed to develop and maintain application software, ensuring system performance capabilities and user-friendly record keeping.

E-BUSINESS PROCESS

01. What is business model design? Explain how IT contributes to support of business models?

Business model: A business model is the part of business strategy that determines how the business as a whole works and makes money. Business models include all the core functions needed to operate the business, such as purchasing, production, sales, supply chain, finance, HR, etc. IT contributions to the support of business models:

Email: business communication with suppliers, customers and banks (for finance); internal communication.

Internet: availability of suppliers; advertising through website design; creating new customers; providing price quotations or proposals.

E-Commerce: online purchase and order tracking; online banking; domestic and international payment systems; increased profit and reduced cost.

ERP: integrates all business functions for effective and efficient operation.

Information systems: using information technology, organizations now implement TPS, MIS, DSS, EIS, OAS and KWS, which support the business in processing transactions, provide information to support decision making and control of the organization, support the solution of semi-structured and unstructured problems, and facilitate communication.


02. Risks and threats to e-business / IT strategy

Physical risk: accidental, intentional or natural. Internal: hardware and components. External: file servers, gateways, routers and telecommunication equipment.

Unauthorized access risk: hackers; employees; negligence.

Technological risk: computer failure; poor ISP performance; low internet bandwidth; low telecommunication bandwidth; software design.

Malicious risk: viruses, worms and trojans; data erasure or loss; spam attacks; ISP server crash; computer hard disk crash; software and operating system crash.

03. Explain risk avoidance and transfer.

Risk avoidance: This means not performing an activity that could carry risk. Avoiding a risk also means losing out on the potential gain that accepting the risk might have allowed: avoiding the risk of loss also avoids the possibility of earning profit. It is the most effective way of managing risk.

Risk transfer: Risk transfer is sharing with another party the burden of loss, or the benefit of gain, from a risk, together with the measures taken to reduce the risk. Risk can be transferred to a third party through insurance.

04. What is 'Service Level Management'? What are the components of service level management?

Service level management: Service level management is the process by which an organization identifies and agrees on the level of IT service needed to support the business, and defines a mechanism to monitor the identified service levels to see that they are being achieved.

Components of service level management: availability of service requirements; measurement of service requirements; performing and providing the service; considering security; service support; service level agreements.

05. What is service level agreement? What should be included in a service level agreement (SLA)?

Service level agreement: A service-level agreement is the part of a service contract in which the level of service is formally defined. As an example, internet service providers commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold.

A service level agreement should include: choosing the required service; customer involvement; meetings with the customer; shared workspace/bandwidth; service issue management; service management; requirement management; use of best software practices.

IT STRATEGY in BANGLADESH

01. What is overall strategy of an organization? Why it is important for the IT strategy of an organization to be developed in tandem with the overall strategy of an organization?

The overall strategy of an organization is known as corporate strategy. Corporate strategy covers the business as a whole. It includes the long-term direction of the company and its responsibilities, activities, relationships and management.


Importance of developing the IT strategy in line with the overall strategy:

Support for creating business value
Alignment with the organizational vision
Response to changes in the business environment
Sound decision making
Promoting employees to be more accountable and responsible
Help in developing an integrated business management system, i.e. ERP
Timely provision of relevant and reliable information

02. What is IT strategy of an organization? Describe the IT strategy development process considering the overall strategy of an organization.

IT strategy explains how technology should be utilized as part of the organization's overall corporate strategy. Process of developing an IT strategy:

Strategy summary: understanding the business strategy; the relationship of the business strategy with IT; the resources needed, such as IT experts, finance and technological solutions.

Internal capabilities: assessing strengths and weaknesses in IT expertise, technology and finance.

Required resources: IT experts, technology, finance.

User expectations: user friendliness; IT service procedures; processing time per transaction.

Training:

System operators need: system training; network training; hardware training; security training; maintenance training; data recovery or back-up training; system software training; etc.

Users need: system software training; facilities training; operating system training; etc.

03. Compare the current IT capabilities and environment with that of the past regarding IT strategy development of an organization.

Past IT capabilities and environment regarding IT strategy development: The job of the IT function was to understand the business strategy and then figure out a plan to support it. Therefore most formal IT plans were focused on business needs or opportunities.

Current IT capabilities and environment regarding IT strategy development:

a. Today IT faces many weaknesses in the business environment.
b. Globalization is changing the business environment, which creates problems in maintaining the consistency of the IT strategy.
c. With an IT strategy it is now possible to provide relevant and reliable information in time to take business decisions.
d. An IT strategy can now promote employees to be more accountable and responsible in performing their tasks efficiently and effectively.
e. An IT strategy helps to develop an integrated business management system, i.e. ERP, to run the business smoothly.
f. Business managers now recognize that IT-related decisions are not solely the responsibility of IT.
g. IT executives can now take part in all business strategy discussions.


04. What are the critical success factors which should be considered in developing IT strategy of an organization? //Name five issues on which success of strategy alignment depends

Critical success factors of IT strategy development:

a. Business model review: the IT manager and the business manager jointly review how the business as a whole works.
b. Adopting strategic requirements: the IT manager and the business manager determine how many challenges need to be taken on to develop the IT strategy besides current operations.
c. Involving expert manpower
d. Implementing the required technological solution
e. Working as partners: IT manager and business manager

05. "IT has been declared as a thrust sector in Bangladesh" Explain this statement with the perspective of Bangladesh Government IT Policy.

The Bangladesh Govt. has declared the ICT (Ministry of science and technology) sector a Thrust sector and has created a separate ministry for ICT, taking encouraging steps for local and international investors in the Bangladesh ICT industries and keeping close interaction with BCS (Bangladesh Computer Samity), BCC (Bangladesh Computer Council) and ISPAB (Internet Service Provider Association of Bangladesh). Moreover, the following steps have been taken by the Bangladesh Govt.:

Allocation of 2% of ADB to IT spending
ICT and IT products/services enjoy VAT exemptions
5-7 year tax holiday provided to foreign direct investment
Customs duty exempted on computers, hardware and accessories
Computer science courses established at high school level
More than one thousand cyber cafés established around Bangladesh

06. What do you mean by intellectual property rights? Discuss the status and the issues of intellectual property rights in Bangladesh.

Intellectual property rights are a category of public law that generally includes copyright, patents, trademarks, design rights, performers' rights and database rights, and that ensures the products we buy are genuine.

The Bangladesh Law Commission has worked on the law of trademarks, copyright, patents and designs. On the basis of its report the law on copyright has already been enacted. The proposals of the Law Commission on trademarks are under active consideration by the government. The report on patents and designs is at the final stage of preparation.