
FORMATION 2 EXAMINATION - APRIL 2008

NOTES

INFORMATION SYSTEMS

Section A - You are required to answer Questions 1 and 2. Section B - You are required to answer any three out of Questions 3 to 6. (If you provide answers to all of Questions 3 to 6, you must draw a clearly distinguishable line through the answer not to be marked. Otherwise, only the first answers to hand for these four questions will be marked.)

TIME ALLOWED: 3 hours, plus 10 minutes to read the paper.

INSTRUCTIONS:

During the reading time you may write notes on the examination paper but you may not commence writing in your answer book. The pass mark required is 50% in total over the whole paper. Start your answer to each question on a new page. You are reminded that candidates are expected to pay particular attention to their communication skills and care must be taken regarding the format and literacy of the solutions. The marking system will take into account the content of the candidates' answers and the extent to which answers are supported with relevant legislation, case law or examples where appropriate. List on the cover of each answer booklet, in the space provided, the number of each question(s) attempted.

The Institute of Certified Public Accountants in Ireland, 17 Harcourt Street, Dublin 2.

THE INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS IN IRELAND

SECTION A

Answer BOTH Question 1 and Question 2 in this Section. (Both Compulsory)

1.

ELITE Ltd is a company that provides landscaping services to both commercial entities and public authorities within the horticultural industry. The main services that it provides are Soft Landscaping (planning and maintenance of existing gardens and shrubs), Hard Landscaping (construction of patios, walls, decks, ponds, irrigation and other assorted features), and Design and Consultancy. 90% of the company's income arises from work carried out for companies and government agencies located mainly in the Munster region. The remaining 10% is generated from work carried out for the residential sector, mainly at the high end of the market.

The general upsurge in the economy has meant that the demand for landscaping services has grown significantly, with the result that the company's order book is now full and will be for the foreseeable future. This raises a number of problems for the company's management, in that because every project is unique, scheduling orders can be a very complex and difficult job. The complexity arises from the requirements of each project (i.e. type of machinery required, chemicals applied, time of the year, number of employees allocated and the general nature of the job). Tied in with the complexity is the need to manage expensive capital equipment used in the projects.

The company recognises that, if it cannot manage the increased workload, it will very quickly lose market share to its competitors. Furthermore, if they want to take on additional jobs in the short-term, the effective management and control of these issues will be vital.

After consultation with various stakeholders and the company's small I.T. Department, management have decided to have a computer based job scheduling system designed and built specifically for its requirements. The system will facilitate setting up, tracking, and managing projects. It will also record the costs associated with individual projects. The whole process is currently carried out manually by you, the company accountant, and members of your Finance Department. With your previous background in project management, you have been approached to manage the development and implementation of the new system. Management regard this proposed system as being critical to the future success of the company.

REQUIREMENT:

(a) Explain to management the various approaches to determining the feasibility of this project. (8 Marks)

(b) What do you think are the main considerations that will lead to the successful development and implementation of this job scheduling system? How will you gauge the success of the completed system? (12 Marks)

(c) Explain the benefits and possible drawbacks of outsourcing the development to an external organisation. (5 Marks)

[Total: 25 Marks]

2.

Write brief notes on ANY FIVE of the following. In each case your answer must include an illustrative example from a practical business situation.

(a) Attributes of quality information.
(b) Business uses of an Intranet.
(c) Rapid Application Development.
(d) XBRL.
(e) Methods of systems changeover.
(f) Internet Cookie.
(g) Company's I.T. Acceptable Usage Policy.

Note: Each part carries 3 marks.

[Total: 15 Marks]

SECTION B

Answer ANY THREE of the four questions in this Section.

3.

(a) What is the difference between a data-driven DSS and a model-driven DSS? Give a business example of the use of each. (8 Marks)

(b) What is the difference between an unstructured and a structured decision? (6 Marks)

(c) Define and describe the main features of an Executive Support System (ESS). (6 Marks)

[Total: 20 Marks]

4.

(a) Discuss three key technology trends or developments that raise ethical issues. Give an example of an ethical or moral impact connected to each one. (6 Marks)

(b) Name and describe five quality of life impacts of computers and information systems. (10 Marks)

(c) How is the Internet challenging the protection of individual privacy? (4 Marks)

5.

(a) (b)

(c)

What is case-based reasoning? How does it differ from an expert system? Describe the most common security threats against contemporary information systems.

Why are knowledge workers so important to the digital firm?

What is knowledge management? What types of knowledge might a company such as a law firm have, and how could such an organisation benefit from knowledge management? (9 Marks) (6 Marks) (5 Marks)

[Total: 20 Marks]

6.

(a) (b) (c)

[Total: 20 Marks] (6 Marks)

What is required of an MIS auditor and what does the MIS audit reveal?

Describe four types of information systems controls that could be employed by an organisation to make their systems more secure.

END OF PAPER

[Total: 20 Marks]

(6 Marks)

(8 Marks)

SUGGESTED SOLUTIONS


SOLUTION 1:

Tutorial Notes:

Purpose: The case study question aims to be a written summary or synthesis of a real-life scenario. It requires the candidate to isolate and think through the key issues involved against both theory and the larger comparative environment. This case tests the candidate's knowledge of various approaches to determining project feasibility. Candidates should also be able to identify the factors that will lead to the successful development and implementation of this specific job scheduling system and how the overall success of the completed system will be gauged. Finally, the candidates should be aware of the benefits and possible drawbacks of outsourcing the development to an external organisation.

Links: No major links on other topics or papers in Formation 1.

Options: The candidate's answer may vary slightly from the answer format used below.

Essential Components: The candidates will demonstrate understanding of the steps involved in determining project feasibility. Also, the candidates should understand the concept of implementation when managing the organisational change surrounding a new information system. They should also understand alternatives to building the system in-house, in this case outsourcing.

ANSWER 1

(a) Explain to the management the various approaches to determining the feasibility of this project. (8 Marks)

The first important decisions to be made in a systems development project are the examination of the feasibility of that project and also which of the different possible solutions is the preferred option. A feasibility study is necessary to determine whether a proposed computer aided manufacturing system is viable and also to look at the feasibility of different alternative systems. This study involves examining different types of feasibility.

Economic feasibility relates to the cost-benefit justification of the different solutions using different methods. Such methods include break-even analysis, return on investment calculations or time value of money calculations. Each method involves calculating the total tangible costs and benefits of a new system. Typical costs include development, new hardware and training. Typical benefits include savings from improved efficiency, more accurate stock control and reduced staffing costs. Also required is the determination of intangible costs and benefits. Intangible costs and benefits are those that cannot be easily calculated but are still important indicators of a system's feasibility. An example of an intangible cost would be the disruption to ABBEY Ltd, and an improved technical image would be an intangible benefit.

Technical feasibility relates to the ability of ABBEY Ltd to build a particular system in terms of expertise and knowledge of the technology involved. It is important at this stage to assess the IT staff's experience and skills in the area of systems development and the platforms, software and hardware, being used.

Organisational feasibility involves studying how the new system will support the current and future business plans and goals.

Operational feasibility involves studying the ability of the organisation to accept and use the new system. Issues to examine under this heading include company culture and workforce skill.

Once a study has been conducted into project feasibility, it should be documented in the form of a feasibility report, to be given to the Managing Director, containing the following:
• Project background, context and system objectives
• Description of current system and problems
• Outline of possible solutions and an evaluation of the different types of feasibility in relation to each under the headings mentioned above
• A recommendation for a particular solution or sometimes to discard the project

8 Marks. Any 4 points similar to above x 2 marks each.

(b) What do you think are main issues that will lead to the successful development and implementation of this job scheduling system? How will you gauge the success of the completed system?

• The role of users in the implementation process
• The degree of management support for the implementation efforts
• The level of complexity and risk of the implementation project
• The quality of management of the implementation process

Issues that might contribute to project failure are:
• The techniques for estimating the length of time required to analyse and design systems are poorly developed.
• It is assumed that all will go well when in fact it rarely does. (Murphy is alive and well and resident in your organisation!)
• Not enough credence is given to the fact that building systems often involves tasks that are sequentially linked, cannot be performed in isolation, and require extensive communications and training.
• Adding more workers, especially untrained ones, does not necessarily enhance the operation.
• Problems are not reported in a timely fashion. No one wants to be the bearer of bad tidings.

(4 main issues x 1.5 marks) (6 Marks)

How will you gauge the success of the completed system? Student answers will vary but should include an understanding of the main project variables: scope, time, cost, quality, and risk. A sample answer is:

The factors that could be used to gauge the success of the system:
• Cost: What was the original budget and final budget?
• Time: What was the original schedule and final schedule?
• Quality: Did the project meet the requirements outlined in the project plan?
• Scope: Did the scope of the project change?

Questions that could be asked to understand the success or failure of the project would be:
• What technical difficulties were experienced and which could have been foreseen?
• What risks did the project entail?
• What events led to the scope changing?
• What difficulties occurred that were a consequence of personal, employee-oriented problems?
• What difficulties occurred that were a consequence of environmental, organisational, or managerial challenges?
• What do project team members consider as the primary challenges?
• What do clients or stakeholders consider as the primary challenges?

(4 tests x 1.5 marks) (6 Marks)

(c) Explain the benefits and possible drawbacks of outsourcing the development to an external organisation.

Outsourcing is the process of turning over an organisation's computer center operations, telecommunications networks, or applications development to external vendors who provide these services. Outsourcing is an option often considered when the cost of information systems technology has risen too high. Outsourcing is seen as a way to control costs or to develop applications when the firm lacks its own technology resources to do this on its own. It is seldom used for a system that is strategically important.

5 Marks (2 benefits, 2 drawbacks x 1 mark each, 1 mark for relating to this case)

SOLUTION 2

Tutorial Notes:

Purpose: Responses for each sub-question are expected to include a few sentences and possibly bullet points. This limit simulates a real-life scenario in which accuracy, brevity and clarity are called for and also hopefully prevents candidates from spending a disproportionate amount of time on each sub-question. When answering a sub-question, candidates might use purposeful illustrations based upon aspects of the scenario.

Links: No major links on other topics or papers in Formation 1.

Options: Candidates may select five from seven questions. Answers may vary slightly from those given below.

Essential Components: Candidates should demonstrate knowledge of the topics. Their definitions should be expanded upon and should demonstrate a competent understanding of each topic and how each adds or affects business value.

ANSWER 2

(a) Attributes of quality information

Quality information is that which, when used, 'adds value'. Research suggests that information should possess numerous attributes. The attributes which 'add value' and together underpin quality of information are examined below.

Relevant for purpose: Information should always be relevant to the issue being considered. It is often the case that memos, reports and schedules contain irrelevant sections, which can have an adverse effect on the understanding of the issue by the user.

Completeness: It is desirable that all information required for decision-making is made available. There must be close co-operation between the information provider and the end user.

Accurate for purpose: Managers rely on information to effectively manage their 'value adding' activities. For example, to satisfy the VAT regulations, a VAT invoice must be accurate to the nearest penny.

Reputable source: For information to be used effectively by managers, the users must have confidence in its source. This would be supported by the fact that the source was reliable in the past and that there is a good and clear channel of communication between the provider and the user of the information.

3 Marks (2 Marks Definition, 1 Mark Business Value)

(b) Business use of an Intranet

Increasingly, intranets are being used to deliver tools and applications, e.g., collaboration (to facilitate working in groups and teleconferencing) or sophisticated corporate directories, sales and CRM tools, project management etc., to advance productivity. Intranets are also being used as culture change platforms. For example, large numbers of employees discussing key issues in an online forum could lead to new ideas. Other uses / benefits are:

1. Workforce productivity: Intranets can help users to locate and view information faster and use applications relevant to their roles and responsibilities. With the help of a web browser interface, users can access data held in any database the organisation wants to make available, anytime and - subject to security provisions - from anywhere within the company workstations, increasing employees' ability to perform their jobs faster, more accurately, and with confidence that they have the right information. It also helps to improve the services provided to the users.
2. Time: With intranets, organisations can make more information available to employees on a "pull" basis (i.e. employees can link to relevant information at a time which suits them) rather than being deluged indiscriminately by emails.
3. Communication: Intranets can serve as powerful tools for communication within an organisation, vertically and horizontally. From a communications standpoint, intranets are useful to communicate strategic initiatives that have a global reach throughout the organisation. The type of information that can easily be conveyed is the purpose of the initiative and what the initiative is aiming to achieve, who is driving the initiative, results achieved to date, and who to speak to for more information. By providing this information on the intranet, staff have the opportunity to keep up-to-date with the strategic focus of the organisation.
4. Web publishing allows 'cumbersome' corporate knowledge to be maintained and easily accessed throughout the company using hypermedia and Web technologies. Examples include: employee manuals, benefits documents, company policies, business standards, newsfeeds, and even training, can be accessed using common Internet standards (Acrobat files, Flash files, CGI applications). Because each business unit can update the online copy of a document, the most recent version is always available to employees using the intranet.
5. Business operations and management: Intranets are also being used as a platform for developing and deploying applications to support business operations and decisions across the inter-networked enterprise.
6. Cost-effective: Users can view information and data via web-browser rather than maintaining physical documents such as procedure manuals, internal phone list and requisition forms.
7. Promote common corporate culture: Every user is viewing the same information within the Intranet.
8. Enhance Collaboration: With information easily accessible by all authorised users, teamwork is enabled.
9. Cross-platform Capability: Standards-compliant web browsers are available for Windows, Mac etc.

(c) Rapid Application Development

Rapid application development (RAD) is a software development process developed initially by James Martin in 1991. The methodology involves iterative development, and the construction of prototypes. Traditionally the rapid application development approach involves compromises in usability, features, and/or execution speed. It is described as a process through which the development cycle of an application is expedited. Rapid Application Development thus enables quality products to be developed faster, saving valuable resources.

(d) XBRL

XBRL (Extensible Business Reporting Language) is an XML-based format to define and exchange business and financial information. XBRL is a standards-based way to communicate business and financial information. These communications are defined by metadata set out in taxonomies. Taxonomies capture the definition of individual reporting concepts as well as the relationships between concepts.

The XBRL format is governed and marketed by an international consortium (XBRL International Incorporated) of approximately 600 organisations, including companies, regulators, government agencies, infomediaries and software vendors.

XBRL International is supported by its jurisdictions, independent bodies, generally organised on a country-specific basis, that work to promote the adoption of XBRL and the development of taxonomies that define the information requirements of their particular domains. XBRL is being adopted around the world in order to migrate business information processes from paper-based and legacy electronic proprietary formats more fully onto Internet oriented processes (both for external and internal reporting processes).

(e) Methods of systems changeover

Candidates may allude to any or all of the several types of adoption that can be used to implement a system. The types big bang, parallel adoption and phased adoption form the main types that are used to adopt a system. The big bang relates to the cosmological theory (Big bang) where the start of the cosmos happened at one moment in time. This is also the case with the big bang adoption type where the new system is adopted on one date.

In the case of parallel adoption, the old and the new systems run in parallel so all the users can get used to the new system, but still can do their work using the old system. Phased adoption means that the adoption will happen in several phases, so after each phase the system is a little closer to being fully adopted by the organisation.

(f) Internet Cookie

HTTP cookies, sometimes known as web cookies or just cookies, are parcels of text sent by a server to a web browser and then sent back unchanged by the browser each time it accesses that server. HTTP cookies are used for authenticating, tracking, and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. The term "cookie" is derived from "magic cookie," a well-known concept in UNIX computing which inspired both the idea and the name of HTTP cookies.

Cookies have been of concern for Internet privacy, since they can be used for tracking browsing behavior. As a result, they have been subject to legislation in various countries such as the United States and in the European Union. Cookies have also been criticised because the identification of users they provide is not always accurate and because they could potentially be a target of network attackers. Some alternatives to cookies exist, but each has its own uses, advantages and drawbacks.

Cookies are also subject to a number of misconceptions, mostly based on the erroneous notion that they are computer programs. In fact, cookies are simple pieces of data unable to perform any operation by themselves. In particular, they are neither spyware nor viruses, despite the detection of cookies from certain sites by many anti-spyware products.

Most modern browsers allow users to decide whether to accept cookies, but rejection makes some websites unusable. For example, shopping baskets implemented using cookies do not work if cookies are rejected.

(g) Company I.T. Acceptable Usage Policy

An acceptable use policy (AUP; also sometimes acceptable usage policy) is a set of rules applied by network and website owners which restrict the ways in which the network or site may be used. AUP documents are written for corporations, businesses, universities, schools, and website owners often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.

Acceptable use policies are also integral to the framework of information security policies; it is often common practice to ask new members of an organisation to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organisation. It should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should, as usual, be measured by regular audits.

SOLUTION 3

Tutorial Notes:

Purpose: To test candidates' knowledge in the area of Decision Support Systems. This question will examine the candidate's knowledge of the different types of decisions in the decision making process. Finally, this question will test the candidates on ways certain information systems help executives make better decisions when the problems are non-routine and constantly changing.

Links: No major links on other topics or papers in Formation 1.

Options: Candidates will not be able to vary too much from the format of answers given below.

Essential Components: The candidates need to demonstrate an understanding of DSS, ESS and certain types of decisions a manager may encounter in the decision making process.

ANSWER 3

(a) Describe two types of DSS. Explain the circumstances in which each one might be used, giving industry examples to support your answer.

Model-driven DSS were primarily stand-alone systems isolated from major organisational information systems that used some type of model to perform what-if and other types of analyses. Their analysis capabilities were based on a strong theory or model combined with a good user interface to make the model easy to use. There are several examples in the Laudon & Laudon textbook: for example, the candidate could refer to the voyage-estimating DSS described in chapter 2, the Gap's planning and forecasting system described at the beginning of chapter 10, Laudon & Laudon, and Continental Airlines' system for cargo revenue optimisation also mentioned on page 350, Laudon & Laudon.

The second type of DSS is a data-driven DSS. These systems analyse large pools of data found in major organisational systems. They support decision making by allowing users to extract useful information that was previously buried in large quantities of data. Often data from transaction processing systems are collected in data warehouses for this purpose. OLAP and data mining can then be used to analyse the data. For example, the candidate could refer to WH Smith PLC's system for online sales and profitability analysis described in the Window on Organisations, p. 352, Laudon & Laudon, which is an example of a data-driven DSS.

Model-driven DSS: Primarily a stand-alone system that uses some type of model to perform what-if and other kinds of analysis. A model-driven DSS usually represents the relationships amongst the salient aspects of a real-life situation.

Data-driven DSS: A system that supports decision making by allowing users to extract and analyse useful information that was previously buried in large databases such as a data warehouse.

Note that alternative points that are valid will also score marks, such as reference to the following:
• What-if analysis
• Model building
• Goal seeking
• Graphical analysis

8 Marks (4 Marks for each type)

(b) What is the difference between an unstructured and structured decision?

Unstructured decisions are those in which the decision maker must provide judgment, evaluation, and insights into the problem definition. Each of these decisions is novel, important, and non-routine, and there is no well-understood or agreed-on procedure for making them. Structured decisions are repetitive and routine, and decision makers can follow a definite procedure for handling them to be efficient. Many decisions have elements of both and are considered semi-structured decisions, in which only part of the problem has a clear-cut answer provided by an accepted procedure. In general, structured decisions are more prevalent at lower organisational levels, whereas unstructured decision making is more common at higher levels of the firm.

3 Marks each Definition (6 Marks)

(c) Define and describe the capabilities of an executive support system (ESS).

Executive support systems (ESS) help managers make unstructured and semi-structured decisions. ESS focus on the information needs of senior management and combine data from both internal and external sources. The ESS creates a generalised computing and communications environment that can be focused on and applied to a changing array of problems. The ESS can help senior executives monitor organisational performance, track activities of competitors, spot problems, identify opportunities, and forecast trends.

6 Marks (3 Marks Definition, 3 Marks Capabilities)

Tutorial Notes:

ANSWER 4

Purpose: To test the candidates knowledge of ethical issues that have arisen due to recent technology trends and certain quality of life impacts brought about by same. This question will specifically evaluate the impact of the Internet on the protection of individual privacy. Links: No major links on other topics or papers in Formation 1. Options: Candidates will not be able to vary from the format of answers given below. Essential Components: The candidate needs to demonstrate an understanding of ethical and moral issues as they relate to technology trends within organisation. The candidate also needs to demonstrate a specific understanding of the quality of life impacts affected by information systems. The candidate should also demonstrate a detailed the connection between the Internet and the protection of individual privacy.

(a)

SOLUTION 4

Discuss at least three key technology trends that raise ethical issues. Give an example of an ethical or moral impact connected to each one.
G

Computing power doubles every 18 months. Ethical impact: Because more organisations depend on computer systems for critical operations, these systems are vulnerable to computer crime and computer abuse. Data storage costs are rapidly declining. Ethical impact: It is easy to maintain detailed databases on individuals. Who has access to and control of these databases. Data analysis advances. Ethical impact: Vast databases full of individual information may be used to develop detailed profiles of individual behavior. Networking advances and the Internet. Ethical impact: It is easy to copy data from one location to another. Who owns data? How can ownership be protected. (3 trends & corresponding example x 2 marks each) 6 Marks

(b)

Name and describe five quality of life impacts of computers and information systems.

Laudon & Laudon describe nine quality of life impacts of computers and information systems. These include balancing power, rapidity of change, maintaining boundaries, dependency and vulnerability, computer crime and abuse, computer forensics, employment, equity and access, and health risks.

Balancing power describes the shift toward highly decentralised computing, coupled with an ideology of empowerment of thousands of workers and decentralisation of decision making to lower organisational levels. The problem is that the lower-level worker involvement in decision making tends to be trivial. Key policy decisions are as centralised as in the past.

The rapidity of change impact suggests that information systems have increased the efficiency of the global marketplace. As a result, businesses no longer have many years to adjust to competition. Businesses can now be wiped out very rapidly, and along with them, jobs.

The maintaining boundaries impact suggests that portable computers and telecommuting have created the condition where people can take their work anywhere with them and do it at any time. As a result, workers find that their work is cutting into family time, vacations, and leisure, weakening the traditional institutions of family and friends and blurring the line between public and private life.

The dependency and vulnerability impact suggests that businesses, governments, schools, and private associations are becoming more dependent on information systems, and so they are highly vulnerable to the failure of those systems.

The computer crime and abuse impact suggests that computers have created new opportunities for committing crimes and have themselves become the target of crimes.

Computer forensics is the newest field and deals with recovering, storing, and handling data from computers as well as finding information in electronic data and presenting the information to a court.

The employment impact suggests that redesigning business processes could potentially cause millions of middle-level managers and clerical workers to lose their jobs. Worse, if reengineering actually works as claimed, these workers will not find similar employment because the demand for their skills will decline.

The equity and access impact suggests that access to computer and information resources is not equitably distributed throughout society. Access is distributed inequitably along racial, economic, and social class lines (as are many other information resources). Poor children attending poor school districts are less likely to use computers at school. Children from wealthy homes are five times more likely to use PCs for schoolwork than poor children. Whites are three times more likely to use computers at home for schoolwork than African-Americans. Potentially, we could create a society of information haves and have-nots, further increasing the social cleavages in our society.

Health risks have been attributed to computers and information technologies. For instance, business now spends $20 billion a year to compensate and treat victims of computer-related occupational diseases. Those illnesses include RSI (repetitive stress injury), CVS (computer vision syndrome), and techno-stress.

10 Marks Definitions (5 X 2 Marks)

(c)

How is the Internet challenging the protection of individual privacy?

Information collected about Internet users through cookies, Web bugs, and other means can be shared without the user's consent. This allows information that a user may have given voluntarily for a good purpose, say logging into the New York Times site, to be shared with some other site. Spamming, or e-mail that uses a user's e-mail address, is another invasion of privacy.

4 Marks

SOLUTION 5

Tutorial Notes:
Purpose: To test the candidate's assessment of the role of knowledge management and knowledge management programs in business and to define and describe how a certain knowledge management system can contribute to an organisation's knowledge management. Also, the question tests the candidate's knowledge of case-based reasoning and the difference between it and expert systems.
Links: No major links on other topics or papers in Formation 1.
Options: The candidate's answer should not vary too much from the answer format used below.
Essential Components: The candidates should demonstrate an understanding of knowledge management systems, knowledge workers, case-based reasoning and expert systems.

ANSWER 5

(a)

What is knowledge management? What types of knowledge might a company such as a taxi service have, and could a taxi service benefit from knowledge management?

Knowledge management is the set of processes developed in an organisation to create, gather, store, disseminate, and apply the firm's knowledge. A taxi company's knowledge might include explicit knowledge, such as maps and routes between destinations. Tacit knowledge would include the experience of drivers, such as the best alternate routes between destinations or passenger needs. A taxi service might benefit from a system that gave drivers guides on routes that included alternate routes drivers had found. It might benefit from a learning management system that trained drivers for locations, destinations, and alternate routes.

9 Marks (4 Marks - Definition, 3 Marks - Types, 2 Marks - Benefits)

(b)

Why are knowledge workers so important to the digital firm?

Student answers will vary, but should include an understanding of the three main functions of knowledge workers. An example answer is:

Knowledge workers create new products or find ways to improve existing ones. Without them, the firm would stagnate and become less competitive in an environment that is always changing and is increasingly competitive. In the modern economy, knowledge is truly power. The three major functions of knowledge workers are: keeping the organisation up-to-date in knowledge as it develops in the external world; serving as internal consultants regarding their areas of knowledge and its opportunities; and acting as change agents as they evaluate, initiate, and promote new projects. The most important of these is to develop new knowledge as it applies to the making of products or services, as offering products and services is the mainstay of the corporation.

5 Marks - Definition & Benefits

(c)

Case-based reasoning (CBR) uses descriptions of past experiences of human specialists, representing them as cases and storing them in a database for later retrieval when the user encounters a new case with similar parameters. The system searches for stored cases similar to the new one, locates the closest fit, and offers the solution to the old case for use with the new case. If the new case fits the solution, it is added to the case database. If not, the case will be added with a new solution or explanations as to why the solution did not work. CBRs differ from expert systems in that they capture the knowledge of the organisation rather than a single expert, and the knowledge is captured as cases rather than if-then rules. Also, expert systems work by applying IF-THEN-ELSE rules against a knowledge base whereas CBR represents knowledge as a series of cases. With case-based reasoning, the knowledge base is continuously updated by the users.

3 Marks - Definition, 3 Marks - Differences to ES
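The case-based reasoning cycle described in Answer 5 (c) (retrieve the closest stored case, offer its solution, then add the new case to the database) can be sketched as follows. This is an added illustration, not part of the original solution notes; the help-desk cases, the attribute names and the matching-attribute similarity measure are all assumptions made for the example.

```python
# Constructed case base for an IT help desk (illustrative data only).
CASE_BASE = [
    {"features": {"device": "printer", "symptom": "no output", "light": "amber"},
     "solution": "clear the paper jam", "outcome": "worked"},
    {"features": {"device": "printer", "symptom": "faded print", "light": "green"},
     "solution": "replace the toner cartridge", "outcome": "worked"},
    {"features": {"device": "laptop", "symptom": "no network", "light": "off"},
     "solution": "re-enable the wireless adapter", "outcome": "worked"},
]

def similarity(a, b):
    """Share of attributes (taken over both cases) that have the same value."""
    keys = set(a) | set(b)
    return sum(a.get(k) == b.get(k) for k in keys) / len(keys) if keys else 0.0

def retrieve(case_base, features):
    """Locate the closest fit: return (stored case, similarity score)."""
    best = max(case_base, key=lambda c: similarity(c["features"], features))
    return best, similarity(best["features"], features)

def retain(case_base, features, proposed, worked, new_solution=None, note=None):
    """Add the new case: as a success, with a new solution, or with an
    explanation of why the proposed solution did not work."""
    if worked:
        case = {"features": features, "solution": proposed, "outcome": "worked"}
    elif new_solution:
        case = {"features": features, "solution": new_solution, "outcome": "worked",
                "note": f"'{proposed}' did not work"}
    else:
        case = {"features": features, "solution": proposed, "outcome": "failed",
                "note": note}
    case_base.append(case)
    return case

if __name__ == "__main__":
    new_case = {"device": "printer", "symptom": "no output", "light": "red"}
    best, score = retrieve(CASE_BASE, new_case)
    print(f"closest case suggests: {best['solution']} (similarity {score:.2f})")
    retain(CASE_BASE, new_case, best["solution"], worked=False,
           new_solution="reseat the toner cartridge")
    print(retrieve(CASE_BASE, new_case)[0]["solution"])
```

Unlike an expert system's fixed IF-THEN rules, the second retrieval returns the solution that users added after the first attempt failed.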

SOLUTION 6

Tutorial Notes:
Purpose: To test the candidate's ability to explain the main threats to organisational information systems. This question will specifically examine the candidate's knowledge of important tools and technologies and controls for safeguarding information resources and the role of the MIS Auditor.
Links: No major links on other topics or papers in Formation 1.
Options: Candidates may vary slightly from the format of answers given below.
Essential Components: The candidates need to demonstrate an understanding of the vulnerability of systems and potential threats in today's business environment. The candidates need to demonstrate a specific understanding of the controls that can be employed to protect an information system. They should also demonstrate a detailed knowledge of the role of the MIS Auditor in the overall area of organisational security.

ANSWER 6

(a)

Candidates should explain the main risks for contemporary information systems:
- Cyber Theft
- Computer Viruses
- Spyware
- Piracy
- Unauthorised Use at work
- Hacking / Cracking

Candidates may also allude to the lack of protection, which leads to vulnerable systems and is therefore a threat in itself. Some systems are more susceptible because of:
- Lack of preventative measures (anti-virus, anti-spyware etc.)
- System complexity
- Computerised procedures not always read or audited
- Extensive effect of disaster
- Unauthorised access possible

6 Marks (1.5 marks x 4 threats)

(b)

For protection, a company must institute good security measures, which will include firewalls, investigation of personnel to be hired, physical and software security and controls, antivirus software, and internal education measures. These measures are best put in place at the time the system is designed, with careful attention paid to them. A prudent company will engage in disaster protection measures, frequent updating of security software, and frequent auditing of all security measures and of all data upon which the company depends. Full protection may not be feasible in light of the time and expenses involved, but a risk analysis can provide insights into which areas are most important and vulnerable. These are the areas to protect first.
- Input controls check the data for accuracy and completeness when they enter the system. There are specific input controls for input authorisation, data conversion, data editing, and error handling.
- Processing controls establish that data are complete and accurate during updating. Run control totals, computer matching, and programmed edit checks are used as processing controls.
- Output controls ensure that the results of computer processing are accurate, complete, and properly distributed.

Specifically, candidates may refer to:
- Firewalls prevent unauthorised users from accessing internal networks. They protect internal systems by monitoring packets for the wrong source or destination, or by offering a proxy server with no access to the internal documents and systems, or by restricting the types of messages that get through, for example, e-mail. Further, many authentication controls have been added for Web pages as part of firewalls.
- Intrusion detection systems monitor the most vulnerable points in a network to detect and deter unauthorised intruders. These systems often also monitor events as they happen to look for security attacks in progress. Sometimes they can even be programmed to shut down a particularly sensitive part of a network if it receives unauthorised traffic.
- Antivirus software is designed to check computer systems and drives for the presence of computer viruses. Often the software can eliminate the virus from the infected area. To be effective, antivirus software must be continually updated.

8 Marks (5 X 1.5 Marks each type + 0.5 marks overall)
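The input controls (data editing, error handling) and processing controls (run control totals) named in Answer 6 (b) can be illustrated with a small batch-posting routine. This is an added example, not part of the original solution notes; the record layout, the field rules, the batch header and all function names are assumptions, and the sample batch is constructed.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed sample batch. The header carries the control totals prepared
# by the originating department before the data were keyed in.
BATCH_HEADER = {"record_count": 4, "amount_total": Decimal("1850.00"),
                "hash_total": 4106}   # hash total = sum of account numbers
BATCH = [
    {"account": "1001", "amount": "500.00"},
    {"account": "1002", "amount": "250.00"},
    {"account": "10O3", "amount": "100.00"},   # letter O keyed instead of zero
    {"account": "1100", "amount": "1000.00"},
]

def edit_check(record):
    """Input control (data editing): return the list of errors for one record."""
    errors = []
    if not re.fullmatch(r"[0-9]{4}", record["account"]):
        errors.append("account must be 4 digits")
    try:
        amount = Decimal(record["amount"])
        if not Decimal("0") < amount <= Decimal("10000"):
            errors.append("amount out of range")
    except InvalidOperation:
        errors.append("amount is not numeric")
    return errors

def process_batch(header, records):
    """Route failed records to a suspense list (error handling), then
    reconcile run control totals of the accepted records with the header."""
    accepted, suspense = [], []
    for rec in records:
        errs = edit_check(rec)
        (suspense if errs else accepted).append((rec, errs))
    computed = {
        "record_count": len(accepted),
        "amount_total": sum((Decimal(r["amount"]) for r, _ in accepted), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r, _ in accepted),
    }
    mismatches = [k for k in header if header[k] != computed[k]]
    return accepted, suspense, mismatches

if __name__ == "__main__":
    accepted, suspense, mismatches = process_batch(BATCH_HEADER, BATCH)
    print("suspense:", suspense)
    print("control totals out of balance:", mismatches)
```

The batch should not be posted until the suspense item is corrected and the mismatch list is empty.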

(c)

What is required of an MIS auditor and what does the MIS audit reveal?

An MIS audit identifies all of the controls that govern individual information systems and assesses their effectiveness. To accomplish this, the auditor must acquire a thorough understanding of the operations, physical facilities, telecommunications, control systems, data security objectives, organisational structure, personnel, manual procedures, and individual applications of the company.

The auditor usually interviews key individuals, who use and operate a specific information system, concerning their activities and procedures. Application controls, overall integrity controls, and control disciplines are examined. The auditor traces the flow of sample transactions through the system and performs tests, using, if appropriate, automated audit software.

The audit itself lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assesses the financial and organisational impact of each threat. It includes a section for notifying management of such weaknesses and for management's response. Management is then expected to devise a plan to counter the significant weaknesses.

3 Marks - Requirements & Role, 3 Marks - Audit
