UNIVERSITY OF TORONTO
5 Peyote See me a is ey oe fst ~ and nformatin pte Duron ova 0 mnt)

Aids Allowed: Non-programmable calculator

FIRST NAME:
LAST NAME:
Student number:

Instructions:
1. Write legibly. Illegible answers will not be graded.
2. There are 6 questions on 16 pages. Answer each question in the space provided. If you need additional space, use the back of the page facing the question and clearly identify the question being answered.
3. You may use bullets (point form) to organize your answer, but each sentence must be complete. Use pen.
4. Assume that questions refer to Canadian companies, unless otherwise noted.

MARKS:
Question 1   /15
Question 2   /20
Question 3   /10
Question 4   /5
Question 5   /10
Question 6   /60
TOTAL        /120

RSM 427H1S - Final Exam, Page 1 of 16

QUESTION 1 (15 marks)

Clearly circle the best answer for each of the 10 questions below (1.5 marks per question).

1) Which of the following would result in the biggest return in security?
a. Hiring right people and training them
b. Tracking and monitoring network traffic
c. Installing anti-virus software and keeping it up-to-date
d. Maintaining frequent back-ups and having disaster recovery plans
e. None of the above

2) Which piece of information typically links various documents in the procurement process?
a. Date of delivery
b. Purchase order number
c. Product number
d. Product price
e. Initiator of purchase decision

3) Which of the following items is usually NOT included on the requisition form as part of the procurement process?
a. Date of requisition
b. Product number
c. Product description
d. Product price
e. None of the above (all of the above items are usually included on the requisition)

4) Which of the following items is usually NOT included on the packing list (or packing slip) as part of the sales process?
a. Purchase order number
b. Product number
c. Product description
d. Product price
e. None of the above (all of the above items are usually included on the packing list)

5) Which (if any) of the following engagements are covered by the Canadian Audit Standards?
a. Audits of financial statements
b. Audits of financial information other than financial statements
c. Audits of internal controls over financial reporting
d. All of the above
e. None of the above

6) Trust services (under AICPA and CICA) generally include the following engagement(s):
a. Advisory
b. Direct reporting
c. Compilation
d. a and b
e. None of the above

7) Which of the following is NOT considered a part of trust services principles and criteria (under AICPA and CICA)?
a. Security
b. Confidentiality
c. Privacy
d. Business continuity
e. None of the above (all are a part of trust services principles and criteria)

8) Requiring each user to have a unique user name is best described as:
a. Authentication
b. Authorization
c. Identification
d. Non-repudiation
e. None of the above

9) What is considered one of the key IT governance benefits of outsourcing online payments to companies such as PayPal or Google Checkout?
a. Better user experience
b. Less risk of non-compliance
c. 24/7 service
d. Brand recognition
e. None of the above

10) What is the main reason that automated controls are less efficient to test in large organizations (such as banks)?
a. It takes significant amount of time to document all automated controls
b. It requires significant IT training to document and test automated controls
c. Testing automated controls is more risky than testing manual controls
d. Sample sizes for testing automated controls are typically larger than for manual controls
e. None of the above

QUESTION 2 (20 marks)

PART I (2 marks)
REQUIRED: What is PCI DSS and why is it important?

PART II (3 marks)
REQUIRED: Who needs to comply with PCI DSS? How is compliance assessed? And, what are the consequences of non-compliance?

PART III (10 marks)
REQUIRED: PCI DSS consists of 12 requirements. Identify at least 7 (seven) specific requirements under PCI DSS. Is it possible to comply with PCI DSS and still have security weaknesses in processing of payment card? Discuss in depth using examples.

PART IV (5 marks)
REQUIRED: Is it possible to provide assurance over compliance with PCI DSS? Discuss in depth with specific references to CICA Handbook, as appropriate.

QUESTION 3 (10 marks)

REQUIRED: Identify at least five (5) of the most important differences between electronic and traditional (paper-based) audit evidence. For each difference, discuss whether it points to strength or weakness of electronic audit evidence, and how any weaknesses can be minimized.

QUESTION 4 (5 marks)

CICA Handbook has two important sections that deal with service organizations:
CICA HB section 5310: "Audit evidence considerations when an entity uses a service organization"
CICA HB section 5970: "Auditor's report on controls at a service organization"

REQUIRED: What is the difference between these two sections? Also, give an example of a situation where each would be used.

QUESTION 5 (10 marks)

In your opinion, what will be the biggest impact of information systems on businesses in the next 5 years and why? What benefits/challenges will result from this impact? Discuss in depth and make sure you justify why you believe the topic of your discussion will have "biggest" impact.

QUESTION 6 (60 marks)

Computer Training Centre Inc. (CTC) is a private company owned by Jane Shah. It provides private computer training for various software applications (e.g., Microsoft Word, Microsoft Excel, Photoshop, etc.). Courses typically run for six to nine weeks, and cost anywhere between $500 and $900 depending on popularity. Jane founded the company in 1998 and continues to be the main instructor. Her son Paul is currently studying computer science at the local college, and teaches the newly implemented certificate program in website programming and development at CTC.

Paul recently emailed you to ask for business advice regarding CTC. After all, you recently graduated from the Rotman Commerce Program and are pursuing your accounting designation at an international accounting firm. You and Paul know each other through a mutual friend, and have talked about starting a business together many times in the past.

Here is an excerpt from Paul's email:

"I need your help. We had a few changes at the company and I need your advice. I'm in a rush right now, but I'll send you a detailed email later tonight with details. I feel so over my head right now... I'm not sure where to start. Need some direction and some of that Rotman business advice from you! Thanks in advance!!"

That evening, you received a long email from Paul (see Exhibit 1) asking for your help.

REQUIRED: Prepare a response to Paul's request.

Exhibit 1

FROM: Paul
SENT: April 20, 2010 at 9:25pm
TO: CA

Sorry for being out of touch lately, it has been crazy around here. I don't know where to start. I'll try to organize things, but I may just be rambling.

1) First, my mom got sick last month and she had to be away from the business for about 3 weeks. I had to step in and take over teaching. We are thinking of hiring another person to teach, but we need to get more clients first. She is also hoping to retire soon, but we don't have any serious buyers. I had a few conversations with some people and they all kept asking me for audited financial statements and asking me about controls. I'm not sure what they are referring to. The business is making money so I'm not sure what else matters. Help me out here.

2) To try and promote the business more, I recently built the CTC website and now lots of people are finding us on the web when they search for computer courses. I also built a whole online registration system, so now anyone can register for a specific course. It was actually pretty simple to program, and here is roughly how it works: We have a list of all courses and their descriptions on the website. So, the online registration is basically a form that asks the customer to enter their Name, Address, Telephone Number, Email, and the course they are registering for. Since there are multiple dates that courses are offered on, the customer also types in the date they wish to take the course on. After this, I ask them for their credit card number and expiry date. The main concern for us is to have the credit card number so we can hold the spot for the customer and make sure they are serious. All of this information is then stored on our servers and emailed to me and my mom directly. She then forwards the email to Judy (you remember our bookkeeper Judy? She just went on maternity leave, so we'll need to replace her as well. In the meantime I guess I'm also the bookkeeper). Judy would then store that information in a spreadsheet and would match it against the credit card the customer would have to bring on the first day of the course to complete the payment. We have a portable credit card machine in the office, so we can process those payments directly. We also publish customer's name, address and email on the website so other students know who else will be in their class, and they can contact each other directly before class starts. They are usually pretty positive about this, but lately we had some complaints from a few people. What do you think? I think the online registration is something we can brag about to our potential investors.

3) And, don't worry about security. I made sure that our internet server has a firewall. Also all computers in the office have anti-virus that updates automatically. I backup all the files on GoogleDocs under my account. That way, I can access those files from anywhere, since they are stored on Google Servers. Few weeks ago, something went wrong and we lost the spreadsheet with customer information, but since I back up everything at the end of each week, we were up and running in no time. Also, because all names were published for each course, we were able to recreate the missing information easily.

4) I am a bit concerned about our documentation at the office for cash transactions. Jane collects the cash from walk-in customers and writes down the customer information on a piece of paper. She then leaves the list and cash with Judy for deposit. Judy also adds the names to the spreadsheet and to the website. Do you think this makes sense?

5) Recently, I was watching the business channel, and they were talking about something called NI 52-109 (I think) and how management needs to sign off on something. Since I do have shares in the company, does that apply to me? Would it apply if we were to be purchased by another company? They were also talking about auditing and something called CAATS. Should we do that? Does that apply to us?

6) We are also implementing a new accounting system - finally. I purchased top-of-the-line accounting software. The box says that it is an all-in-one Enterprise Resource Planning (ERP) solution. I guess that means that we will be able to integrate our cash and credit card payments together. I'm also hoping that we can track our taxes better, since right now it is all done through a spreadsheet as well. With Judy gone on maternity leave, I'm not even sure how to do these. She had pretty sophisticated spreadsheets with formulas and macros that are really hard for me to judge. I don't know the tax rates or how to calculate payroll deductions - hopefully the new software will do that.

With my mom sick, Judy gone, and us wanting to sell the business in the future, I really don't want to make any mistakes at this point. So, I really want your advice and whether what we are doing makes sense. You know that I'm clueless about business, so the more details and background information you can give me, the better.

Really appreciate it!

Paul
