UNIVERSITY OF TORONTO, Faculty of Arts and Science and Rotman School of Management
Final Examinations, April/May 2009
RSM427 - Audit and Information Systems
Duration: 2 Hours (120 minutes)

1. AIDS ALLOWED: Non-programmable calculator.

FIRST NAME:
LAST NAME:
Student number:

Write legibly. Illegible answers will not be graded.

2. There are 6 questions on 18 pages. Answer each question in the space provided. If you need additional space, use the back of the page facing the question and clearly identify the question being answered.
3. You may use bullets (point form) to organize your answer, but each sentence must be complete. Use pen.
4. Assume that questions refer to Canadian companies, unless otherwise noted.

MARKS:
Question 1 /15
Question 2 /10
Question 3 /10
Question 4 /20
Question 5 /5
Question 6 /60
TOTAL /120

RSM427HIS Final Exam Page 1 of 18

QUESTION 1 (15 marks)
Circle the best answer for each of the 10 questions below (1.5 marks per question):

1. US Securities and Exchange Commission (SEC) issued the final rule on XBRL deadlines. Select the answer that correctly identifies i) initial filing for quarterly fiscal period ending (on or after); and ii) year by which all public companies must provide XBRL filings.
A) i) June 1, 2009; ii) 2010
B) i) June 15, 2009; ii) 2011
C) i) April 30, 2009; ii) 2009
D) i) June 30, 2009; ii) 2012
E) None of the above

2. Which of the following is generally not associated with digital signatures?
A) Identity of signatory
B) Time of signature
C) Content at time of signature
D) Password authentication
E) None of the above

3. Which of the following is considered the most dependable form of biometrics?
A) Token passwords
B) Facial recognition
C) Signature analysis
D) Iris scanning
E) Voice recognition

4. From the point of view of the IS auditor, which of the following represents the most critical control relating to employee termination and layoffs?
A) All employees are invited to the good-bye party
B) Employee returns the company laptop
C) Payroll records are removed
D) Login identification and authentication information is terminated
E) Employee signs off on the termination document (and releases the company from further legal liability)

5. Which of the following is not a benefit of automated application controls?
A) Generally more reliable
B) Tested only once
C) Generally more efficient to test
D) Only have to be tested once every three years
E) None of the above

6. Goal of phishing attacks is to
A) access the files on target's computer
B) install spyware on target's computer
C) delete files on target's computer
D) infect files on target's computer
E) none of the above

7. Which of the following is considered a major component of assessing reliability of electronic audit evidence?
A) Integrity
B) Authentication
C) Authorization
D) Nonrepudiation
E) All of the above

8. Which of the following would not be included in the testing of application controls?
A) Use Monetary Unit Sampling to select instances for testing
B) Identify risks related to the application
C) Verify access controls over the application
D) Inquiry and observation
E) None of the above

9. Which of the following responsibilities is a key part of the "data user" role?
A) Specify classification level
B) Implement controls over classification
C) Report unauthorized activities
D) Manage access controls
E) None of the above

10. In the context of protecting information system assets, UPS refers to
A) a shipping company that guarantees confidentiality of shipped documents
B) privacy protection service
C) a generator
D) emergency power supply
E) dry pipe fire protection system

QUESTION 2 (10 marks)
The Shoe Store Ltd (SSL) website will soon support e-commerce and will have a typical "shopping cart" checkout system. Identify the five (5) most important controls that the online "shopping cart" should have. Explain the objective of each identified control. In other words, what risk is each identified control designed to prevent/detect/correct?

QUESTION 3 (10 marks)
Loblaw Companies Limited ("Loblaw") is "Canada's largest food distributor and a leading provider of general merchandise products, drugstore and financial products and services" (from www.loblaw.ca). The company reported accounts payable and accrued liabilities of $2,823 million as at January 3, 2009. Given the nature of its operations, how would you use CAATs in the audit of this balance (accounts payable and accrued liabilities)? State at least five (5) procedures you would use, and the objectives of each procedure. For each procedure, also note why you would use CAATs rather than traditional (non-computerized) audit procedures.

QUESTION 4 (20 marks)
Identify each of the following as a strength or a weakness. For strengths, explain why it is a strength, and identify the associated control objective. For weaknesses, explain the impact of the weakness and make a recommendation for improvement. Clearly label your answers, by using the word 'strength' (or the letter S) to label strengths and the word 'weakness' (or the letter W) for weaknesses.
1. Access to specific company files is based on the person's role as one of the following: employee, management, executive, or director.
2. Selected backups are restored and tested every 6 months.
3. Any department management (e.g., sales, manufacturing, etc.) can initiate a new IT project, given that IT department staff members are not busy with other projects.
4. All scanned electronic documents must have a verified digital signature.
5. The CIO approves all general ledger account mapping.
6. The CFO of a public financial services company prioritizes all IT projects.
7. IT department maintains the business continuity plan and updates it when new technology is implemented.
8. IT department is responsible for the disaster recovery plan. Risk scenarios are natural disasters and terrorism.
9. Ethical hackers are hired before new system implementation to find vulnerabilities and have free access to the system and the ability to seek any and all vulnerabilities.
10. Data custodian scans the information for errors and corrects obvious mistakes.

QUESTION 5 (5 marks)
Why is the knowledge of information systems critical to you in the role of an auditor? Cover at least five (5) points and explain how each one is related to your work as an auditor.

QUESTION 6 (60 marks)
Mobile Health Inc (MHI) was founded in 2005 by Dr. Phil Well, and provides alternative health services such as chiropractic, massage, acupuncture, and health supplement sales (e.g., vitamins, herbal remedies, etc.). The key differentiator for the company is that MHI has over 50 health care practitioners/therapists who visit the individual at home or at the work place. They provide the appropriate service on site (at the client's location). One of the largest revenue sources has been professional service firms (such as accounting/law firms) where individuals work for long periods of time and are sometimes under significant stress. Many of these companies allow their employees to expense these types of services (i.e., the company reimburses the employee).

In prior years, the company only accepted cash payment from its clients. However, this limited the business growth as clients didn't like carrying cash and many backed out of appointments after hearing that credit cards are not accepted. In addition, Phil didn't want his employees handling cash. In January 2009, he ordered Raj Satyam (long-term IT consultant) to "do what it takes" to ensure that each of his therapists can process credit card transactions and bill the client immediately after providing the service.

You, a CA, joined the company as the CFO on Friday, May 1st, 2009. The company never had a CFO before, and you will be managing Mike Jones (senior accountant) and the three accountants/bookkeepers who report to Mike. Phil believes that demand for MHI's services will only increase in these stressful times, and he wants to take the company public in 2010. You were hired to oversee finances, compliance, and continuing expansion.

On May 4th, you received the following email from Phil:

"I was just reading about the 12 requirements for the PCI Data Security Standard. I'm sure we are in compliance after spending $300k on new computers and systems with Raj. Still, I want you to provide me a report outlining all 12 requirements, where we stand on each, and whether we need to do anything else to ensure compliance. Also, give me another report on any additional issues relating to IT at MHI: 1) Do you see any weaknesses? 2) What are the implications of the weaknesses? 3) How do we fix them? Just so you know, I don't like fluffy reports - so stick to the point and don't repeat any PCI issues in the second report. If you find anything else that I should know about, let me know. Phil"

It is now May 6th, 2009 and you are reviewing your notes from the meeting with Raj (Exhibit 1) and with Jen Tan (Exhibit 2). Jen is a chiropractor and long-term employee of MHI.

Required: Prepare the two (2) required reports for Phil.
