Chartered Institute of Internal Auditors - Past paper pack
IIA Diploma Past Paper Pack
Information Systems Auditing
P4
Wednesday 28 November 2012
Morning session
Time allowed – 3 hours and 10 minutes
DO NOT OPEN THIS PAPER UNTIL INSTRUCTED BY THE INVIGILATORCandidate information and instructions
There are two questions in Part A and four questions in Part B.Answer both questions in Part A and any three questions in Part B on the answer sheets provided.
There are 100 marks available in this paper.
Organisations marked with an asterisk, *, are fictitious. No similarity with any real organisation is intended nor should it be inferred.
Start each question on a separate answer sheet.
Do not identify yourself in answering any questions.
Enter your candidate number, the paper number, the question number and the page number within the answer at the top of each answer sheet used.
Any plans/notes that are made for each question should only be made on official IIA exam paper. Separate answer sheets should be used for each question plan.
Clarity and logic of your answers, effective presentation and good use of English will be taken into account by the examiners when marking this paper.
Past Paper Pack
Chartered Institute of Internal Auditors
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Ó March 2013
Chartered Institute of Internal Auditors - Past paper pack
PART A
There are two compulsory questions in this section. Questions one and two relate to the following scenario.
Universal Construction and Builders* (UCB) is a long established construction company. Its head office is in Ireland with divisional offices in Europe, the Middle East and Asia. UCB’s business is focused on three divisions - construction, civil engineering and house building. The construction division undertakes building projects such as new office blocks, civil engineering undertakes infrastructure projects such as bridges and motorways, and the house building division builds houses for both the private and social markets.
UCB has a large number of support companies within the group providing services to the divisions and also to external customers. These operations include a design consultancy, soil testing, plant hire, scaffolding and waste disposal.
UCB employs over 7,000 people worldwide and has a turnover of £1.5bn.
You are a member of the internal audit team of 15 people based at the head office, but with audit responsibility for the whole worldwide group.
An IT project to implement a business intelligence (BI) system at head office is at the feasibility study stage. The BI system will deliver information to the whole group and will include financial consolidation, budgeting, reporting, dashboards and analysis.
This project is a priority for UCB and has come about because of many failures to provide consistent and accurate reporting of management information and the frustration of the executive and board over their inability to have timely results.
There are a large number of different information systems around the group. This is due, in part, to the three divisions having been allowed to be autonomous but also because the group has grown through acquisition of other companies and inherited systems. This has resulted in most management information being spreadsheet based and the head office receiving hundreds of files that need to be manually consolidated and reported each month. This process takes time and limits the range of consolidated reporting to summary operating statements, which can be up to a month out of date.
You have been seconded to the project team that is currently working on the feasibility study. You are to advise the project team of the business benefits of the new BI system, and of the risks and controls to delivering accurate and timely information.
QUESTION ONE
a. / Describe the benefits that UCB should expect from a new BI system. / 12 marksb. / Describe the types of reports and analysis that the BI system would need to provide in order to deliver the expected benefits. / 8 marks
SYLLABUS REFERENCE
This question is designed to test the candidates understanding of how organisations benefit from quality information and effective systems, in this case a BI system which is a main component of ERP software (Sections 2.1, 2.2, 2.3, 2.4 and 1.4).
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.Note that part a does not specify split of marks between why, benefits and use of spreadsheets so the mark scheme will need to be flexible
Question/Part / Remember/Understand / Apply/
Analyse / Evaluate/
Create / Total
marks
Part a
Benefits 12 marks - 1½ marks each for 8 benefits / 2 / 6 / 4 / 12
Part b
2 marks for each report and analysis type described / 2 / 4 / 2 / 8
Total / 4 / 10 / 6 / 20
Part a
Benefits
· Single unified view of group wide financial information
· Speed - improvement of timeliness of information
· Enable data and process integration across the group
· Consolidation of KPI and business metrics
· Support strategic and operational decision making
· Enable insight into business trends and opportunities
· Enhance competitive advantage through improved knowledge about the business once there is time to use the information rather than spending all month in producing the data
· The group will use a consistent solution for data collection
· Removal of the vast family of data files that need to be managed around the group, checked and consolidated
· Improvement in accuracy of information
· Use of a database solution enabling a timetable of data feeds and collection to be introduced, maintained and updated in real time
· Fixed format of data feeds
· No requirement for re-processing of information
· Opportunity to implement analytical functionality taking BI to a new level rather than just historic operating statements
· Presentation of information.
Part b
The types of reports and analysis that the BI system would need to provide in order to deliver the expected benefits include:
· Operations reporting - providing information about routine business operations and benchmarking
· Performance monitoring - comparison of monthly actual data with budgets, forecasts, targets and thresholds
· New ways of presenting information including corporate dashboards and scorecards
· Forecasting - estimation of what to expect in the future based upon extrapolation of historical data
· Cost Value Reconciliation (CVR) and Analysis of Final Development Cost of projects to predict final outcomes and to minimise surprises at the end of a long complex construction project
· Strategic reporting - focussing on the strategic objectives of UCB using tools such as OLAP and data visualisation
· Multidimensional analysis - providing insight through slicing and dicing into data at a variety of granularity levels through the business such as business unit, division, country, currency etc
· Ad-hoc reporting and query tools to enable maximum access and use of the collected information.
EXAMINERS’ COMMENTS
The first of the two questions based upon the Universal Construction and Builders (UCB) scenario dealt with the benefits of the proposed new Business Intelligence system and then moved on to investigate the reports and analyses that the BI system would need to provide.
While there was a very wide spread of answers to this question it was encouraging that most candidates completed the question and were able to offer a range of benefits that BI would bring to UCB. The main reason that there was a range of different answers originated from the candidate’s definition and understanding of what the term Business Information System actually means. The marking of this question was flexible and generous so that points could be earned for sensible descriptions within the scope set by the question.
It was very pleasing to find a few top quality scripts with well-presented benefits and descriptions of reports.
The main problems with the answers all tend to stem from candidates who ignore the scenario and attempt to answer a generic text book version of the question. While it is appreciated that an exam scenario can only give a flavour of the background, it is important to take on board what industry we are talking about, the size of the company and the likely areas of interest of the executive and board from a BI system.
The company is a construction activity working on major infrastructure projects around the world. The key activities of the company are project based from initial tender, winning the work, building or civil engineering involving subcontractors and direct labour, procurement of materials through to client handover on time and budget.
A number of scripts ignored this environment completely and concentrated on suppliers, manufacturing, supply chain, just-in-time working, stock and selling to customers. There is probably some of this somewhere in the support activities of UCB but not in the mainstream.
Similarly in part b examples of reports that concentrated on these aspects missed the point of really needing to look at project control and performance.
The final point to note was that nearly all candidates missed the issue of currency and the benefits of being able to switch, consolidate and report in presumably Euros.
QUESTION TWO
The new BI system must deliver accurate and timely business information to achieve its objectives.
a. / Compare the risks to delivering accurate and timely business information between the existing spreadsheet based process and the new BI system. / 10 marksb. / Describe the controls that will be required for the new BI system. / 10 marks
SYLLABUS REFERENCE
This question is designed to test the candidates understanding of the risks to quality information and the controls to be provided for a new information system (Sections 1.1, 1.4, 2.3, 2.4, 2.6, 2.7, 3 and 4).
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.Question/Part / Remember/
Understand / Apply/
Analyse / Evaluate/
Create / Total
marks
Part a
Risks in new BI system 4 marks - 1 mark each for 4 risks / 2 / 2 / 4
Risks in spreadsheet system 4 marks - 1 mark each for 4 risks / 2 / 2 / 4
Comparison of BI and spreadsheet risks / 2 / 2
Part b
Controls for the new BI system 10 marks - 1 mark each for 10 controls / 5 / 5 / 10
Total / 9 / 9 / 2 / 20
Part a
Existing spreadsheet based process risk areas
The process is reliant on a family of independent files which need to be brought together to form the management information of the business and includes risk areas:
· There is no database or warehouse, files get lost in transmission
· Uncontrolled - no version control, data gets tweaked and is inconsistent
· Data changes after consolidation, the management information is not complete
· Inconsistent format, data is invalid
· ‘Islands of information in a sea of incompatibility’, there are many different systems with information that may not be able to be meaningfully consolidated
· Errors cannot be intercepted due to lack of drill down functionality and problems with foreign currency etc. so information is wrong leading to invalid management conclusions
· Limited opportunities for classification and security of information - readers and users of the information have the whole spreadsheet file leading to inappropriate access to data.
New BI system risk areas
The new process should substantially solve the spreadsheet problem of separate files and transmission in that it will have a shared database. The risk areas of the new system include:
· Duplicate systems - the BI solution is seen as a head office only system and is seen to be in addition to local country systems
· Input to the BI system is not integrated into the local country system and is seen as a manual data entry operation possibly from the old spreadsheet solution
· Data input into the BI solution is not clean
· Data input into the BI solution does not match the final monthly information in the local country/ business unit
· Loss of data due to:
· Inadequate database controls
· Lack of access controls
· Inadequate backup - unlike the existing spreadsheet solution the local business unit does not necessarily have a copy of the current and historic management information.
Part b
Controls
· Acceptance by the whole business of the existence of the BI solution, its purpose, place and usage to provide all management information including:
· Board level commitment
· Buy-in
· Training
· Documentation
· Clear policies and procedures of how the system is supported within the organisation
· Definition, implementation, documentation and training about:
· The BI architecture
· The way that data is extracted from the source systems
· The data flows - sources, stages and warehouses
· Quality and timeliness of data
· The ETL process (extract - transform - load)
· Structure of cubes