
Sem 1 19 - 20

PAST YEAR UM

Uploaded by

amirul

QUESTION 1

Part (A)
There has been significant growth in the volume of data generated by up-to-date devices. The
evolution of IT auditing can be seen in the volume of data involved in audit work. It has
challenged the way IT auditors work. The multifaceted IT landscape has
evolved from an Internet of PCs to an Internet of Things (IoT). These things include PCs,
tablets, phones, appliances and any supporting infrastructure that reinforces the entire
ecosystem.

As a champion for big data and IT audit, the Information Systems Audit and Control Association
(ISACA) believes that, given the total volume of data nowadays, auditors cannot easily perform
analyses and subsequently draw valid audit conclusions if they rely on traditional data
processing applications. This is due to the recent explosion in the volume of data that need to be
generated for business purposes (e.g. purchase transactions, network device logs, security
appliance alerts, etc.). As a result, ISACA has suggested some ways of maximizing the value
of data to help businesses as follows (Figure 1):

Required:
1) What is Big Data? (2 marks)
2) By using the Data Analytic Framework, explain how IT auditors enhance their
values through data analytics. (8 marks)

Part (B)
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
framework was developed as a model for evaluating internal controls. This model has been adopted
as the generally accepted framework for evaluating internal control for companies. By using
COSO as its standard, the IT auditor will measure the effectiveness of a company's internal
control system.

The accounting profession today relies on the Internal Control-Integrated Framework (ICIF) of
the COSO for the processes that promote the quality of decision-critical information. According
to a report, 'Leveraging the COSO Internal Control-Integrated Framework', the framework was
developed to help enhance the confidence in all types of data and information (Herz, Monterio
and Thomson, 2017). The report also signifies the following (emphasis added):
● The framework will enable organizations to effectively and efficiently develop and
maintain systems of internal control that can enhance the likelihood of achieving the
entity's objectives and adapt to changes in the business and operating environments;
● The framework continues to emphasize the importance of management judgement in
designing, implementing, and conducting internal control, and in assessing the
effectiveness of a system of internal control; and
● The framework has been enhanced by expanding the financial reporting category of
objectives to include other important forms of report, such as non-financial and internal
reporting.

Required:
Illustrate and explain 5 COSO Internal Control-Integrated Framework Principles.
(10 marks)

QUESTION 2

Part (A)
The headquarters of Syahirah Corporation, a private company with RM15.5 million in annual
sales, is located in Johor Bahru, Malaysia. Syahirah Corporation provides for its 150 clients an
online legal software service that includes data storage and administrative activities for law
offices. The company has grown rapidly since its inception 3 years ago, and its data processing
department has expanded to accommodate this growth. Because Syahirah Corporation's
president and sales personnel spend a great deal of time out of the office developing new
clients, the planning of the IT facilities has been left to the data processing professionals.

Syahirah Corporation recently moved its headquarters into a remodelled warehouse on the
outskirts of the city. While remodeling the warehouse, the architects retained much of the
original structure, including the wooden-shingled exterior and exposed wooden beams
throughout the interior. The distributive processing computers and servers are situated in a large
open area with high ceilings and skylights. The openness makes the data centre accessible to
the rest of the staff and promotes a team approach to problem-solving. Before occupying the
new facility, city inspectors declared the building safe; that is, it had adequate fire extinguishers,
sufficient exits, and so on.

To provide further protection for its large database of client information, Syahirah Corporation
instituted a tape backup procedure that automatically backs up the database every Sunday
evening, avoiding interruption in the daily operations and procedures. All tapes are then labelled
and carefully stored on shelves reserved for this purpose in the data processing department.
The departmental operator's manual has instructions on how to use these tapes to restore the
database, should the need arise. A list of home phone numbers of the individuals in the data
processing department is available in case of an emergency. Syahirah Corporation has recently
increased its liability insurance for data loss from RM50,000 to RM100,000. This past Saturday,
the Syahirah Corporation's headquarters building was completely ruined by fire, and the
company must now inform its clients that all of their information has been destroyed.

Required:

i. Describe the computer security weaknesses present at Syahirah Corporation that made
a disastrous data loss possible.
(5 marks)

ii. List the components that should have been included in the disaster recovery plan at
Syahirah Corporation to ensure computer recovery within 72 hours.
(5 marks)

iii. What factors, other than those included in the plan itself, should be included in
the plan?
(5 marks)

Part (B)

Bank A in Kuala Lumpur, Malaysia has 13 branches spread throughout northern Malaysia, each
with its own minicomputer where its data are stored. Another bank, Bank B, has 10 branches
spread throughout Malaysia, with its data stored on a mainframe in Kota Bahru, Kelantan.

Required:
Which bank's system do you think is more vulnerable to unauthorized access? Explain your
answer.
(5 marks)

QUESTION 3

Background
You are the new information technology (IT) audit specialists at the accounting firm of Wided &
Auni Partners. One of the partners, Qistina, asked you to evaluate the effectiveness of general
and application IT-related controls for a potential new audit client: Qaisara Enterprises (QE),
which is a privately held business. During the company annual dinner, an executive of QE asked
Qistina to have someone with good IT training look at the company's IT systems development
process. Qistina, the audit partner, recently summarized the following information about QE's IT
systems development process based on her recent conversation with the IT Vice President (VP)
at QE.

QE's IT System Summary

QE develops most of its computer software applications in-house. Over the past several years,
the IT VP has been able to hire several good software programmers with relatively strong
programming experience. She has assembled a team of 5 programmers who handle most of the
application and systems' programming needs. Because of their strong IT backgrounds, the IT
VP involves all 5 programmers in new application developments or modifications to existing
applications and involves all of them in operating, security, utility and other system software
programming and maintenance tasks. The staff is relatively versatile, and any one of them can
handle the programming demands of most changes.

The IT VP notes that, because the programmers are typically more free-spirited, she prefers to
give the programmers relatively free latitude in the development of new applications or
modifications to existing applications. She comments that programmers like to view their work
as a form of art. As a result, she notes that the programmers 'attack' the programming logic
development using their own, unique programming style and approach. She believes such
'freedom' for the programming staff enhances the quality of the application development.

New applications are generally initiated by the IT VP after she identifies suggestions for
changes to existing applications based on conversations with similar IT personnel at other
companies. Because she regularly attends IT development conferences, she believes that she
is in the best position to identify ways to improve current application procedures. Occasionally,
non-IT personnel (like accounting department personnel who work with the accounting systems)
identify suggested changes. The IT VP notes that she generally hears about application changes
or new application ideas from non-IT personnel in informal settings such as over lunch in the
company cafeteria or when bumping into people in the office hallways. When that occurs, she
makes a mental note to take back to her programming staff.

When applications are developed or changes are made, the assigned programmer generally
telephones or emails the non-IT personnel primarily responsible for the application to discuss
the programmer's suggested modification and to get their unofficial blessing to proceed.
Occasionally, the programmer meets with the respective personnel, if requested. However, the
programmers generally feel that such meetings have limited benefits because users have very
little understanding of the programming logic used.

If the programmer is making a modification to an existing application, he or she makes a copy of
the current program tape or disk so that they don't have to reprogram the entire application.
Before beginning, the programmer generally tries to meet with the programmer who was
previously involved with any program associated with this application to get a big picture feel for
the application. Given the small size of the programming staff, the programmer can generally
identify the person last involved with this application by talking with other programmers. The
programmer locates documents related to the programming logic maintained in the
programming department's files. Generally, this documentation includes a hardcopy of the
program logic along with notes made by the prior programmer about the format of the logic
used. The newly assigned programmer can recreate a trail of the most recent modifications to
the application from these notes.

Programmers test all application developments and modifications. To increase the
independence of the testing, the IT VP assigns a different programmer to perform testing of the
application before implementation. The test programmer creates a fictitious data set by copying
one of the actual data sets used in the relevant application. The test programmer performs a
test of the new application or modification and documents the results. The IT VP says that there
are tight controls over program testing because of her detailed reviews of all program test
results and personal approval of each program before implementation into live production. And,
she adds, the copies of all test results are maintained in the files for subsequent review.

Once the IT VP believes that the program is accurately processing the test data, she approves
the program for implementation into live production. The IT VP notes that it is a big event for the
programmers when their application is ready for implementation. She comments that the
programmers take pride in the completion of the project. All programmers celebrate once the
project programmer announces that he or she has compiled the final version into object code.
The object code version is then forwarded to the IT Librarian.

Required:
By using the Information System Auditing: Tools and Techniques in Creating Audit
Programs by ISACA, prepare an audit process to audit Qaisara Enterprises (QE)'s IT
Systems Development Controls:
I. Determine the audit subject
(1 mark)
II. Define the audit objective
(3 marks)
III. Set audit scope
(1 mark)
IV. Perform pre-audit planning
(7 marks)
V. Determine audit procedure and steps for data gathering
(8 marks)
