
IT GOVERNANCE

Suggested Answers
March-April 2023

Answers to the Question# 1(a)

The relevant action item is to utilize a GIS based soil mapping system and IoT solutions to analyze detailed data to
provide information relating to crop suitability, land zoning, nutrient status and fertilizer dosage.

The above will be carried out as follows:

Short term:

1. Pilot test selected ICT solutions in a smaller area or with a group of farmers.
2. Develop basic infrastructure and provide training to farmers on using ICT solutions effectively.
3. Initiate data collection and basic analytics to gather initial insights.

Mid term:

1. Scale up successful ICT solutions to a larger area or more farmers.
2. Enhance infrastructure, expand internet connectivity, and upgrade data systems.
3. Encourage comprehensive data collection and advanced analytics for better decision-making.

Long term:

1. Expand successful ICT solutions across larger agricultural regions.
2. Continuously monitor and evaluate the impact of ICT-based methods.
3. Advocate for policies that promote the adoption of ICT solutions in agriculture.

Answers to the Question# 1(b)(i)

Ethics in information technology usage refers to the moral principles and guidelines that govern the responsible and
ethical use of technology. It involves considering the social, legal, and ethical implications of how technology is
developed, used, and managed.

Answers to the Question# 1(b)(ii)

Information systems raise new ethical questions for both individuals and societies because they create opportunities
for intense social change and, thus, threaten existing distributions of power, money, rights, and obligations. Like other
technologies, such as steam engines, electricity, the telephone, and the radio, information technology can be used to
achieve social progress, but it can also be used to commit crimes and threaten cherished social values. The development
of information technology will produce benefits for many and harms for others.

Answers to the Question# 1(b)(iii)

Ethical issues in information systems have been given new urgency by the rise of the Internet and e-commerce. Internet
and digital firm technologies make it easier than ever to assemble, integrate, and distribute information, unleashing
new concerns about the appropriate use of customer information, the protection of personal privacy, and the protection
of intellectual property.

Answers to the Question# 1(b)(iv)

Other pressing ethical issues that information systems raise include establishing accountability for the consequences
of information systems abuse or misuse, setting standards to safeguard system quality that protects the safety of the
individual and society, and preserving values and institutions considered essential to the quality of life in an
information society. When using information systems, it is essential to ask, “What is the ethical and socially
responsible course of action?”

Answers to the Question# 2(a)

Decisions made at the operational management level tend to be more structured, those at the tactical level are more
semi structured, and those at the strategic management level are more unstructured. Structured decisions involve
situations in which the procedures to follow, when a decision is needed, can be specified in advance. Unstructured
decisions involve decision situations in which it is not possible to specify in advance most of the decision procedures
to follow. Most decisions related to long-term strategy can be thought of as unstructured. Most business decision
situations are semi structured; that is, some decision procedures can be prespecified but not enough to lead to a definite
recommended decision. Finally, decisions that are unstructured are those for which no procedures or rules exist to
guide the decision makers toward the correct decision. In these types of decisions, many sources of information must
be accessed, and the decision often rests on experience and “gut feeling.”

Information systems must be designed to produce a variety of information products to meet the changing needs of
decision makers throughout an organization. For example, decision makers at the strategic management level may
look to decision support systems to provide them with more summarized, ad hoc, unscheduled reports, forecasts, and
external intelligence to support their more unstructured planning and policymaking responsibilities. Decision makers
at the operational management level, in contrast, may depend on management information systems to supply more
prespecified internal reports emphasizing detailed current and historical data comparisons that support their more
structured responsibilities in day-to-day operations.

Answers to the Question# 2(b)

A neural network can be trained to learn which credit characteristics result in good or bad loans. Developers of a credit
evaluation neural network could provide it with data from many examples of credit applications and loan results to
process, with opportunities to adjust the signal strengths between its neurons. The neural network would continue to
be trained until it demonstrated a high degree of accuracy in correctly duplicating the results of recent cases. At that
point, it would be trained enough to begin making credit evaluations of its own.

Answers to the Question# 2(c)

Crowdfunding is a form of financing in which a large number of contributors (often called "backers") provide the
financial resources to achieve a common goal. In the place of a traditional bank, a crowdfunding portal acts as
intermediary. Crowdfunding portals can be subdivided into four further subsegments on the basis of the kind of
consideration given to investors for their investments.

• Donation-based crowdfunding: Donors receive no remuneration for their contributions.
• Rewards-based crowdfunding: Donors receive some form of non-monetary consideration. Such consideration can take
the form of the right to pre-order a product or some other form of prestige, such as having the investor's name included
in the credits of a funded film.
• Crowdinvesting: Investors receive a share of equity, debt or hybrid ownership. The contracts used in crowdinvesting
often simulate certain aspects of equity participation using a mezzanine instrument. Crowdinvesting portals profit from
the fees they receive from successfully financed companies.
• Crowdlending: Platforms that enable private individuals and businesses to secure loans from the crowd. In
return for the provision of the loan, investors receive a pre-determined interest rate. The market leaders in the
crowdlending industry are financed by two types of fees. On the one hand, borrowers are charged a fee that depends
on their creditworthiness and the duration of the loan. On the other hand, lenders are required to pay a certain percentage
of the amount invested (often 1%) or one percentage point of the interest rate.

Example: "EK Desh" crowdfunding platform in Bangladesh.

Answers to the Question# 2(d)

Blockchain technology has made a great impact on society, including:

• Bitcoin, blockchain's prime application and the whole reason the technology was developed in the first place,
has helped many people through financial services such as digital wallets. It has provided microloans and
allowed micropayments to people in less than ideal economic circumstances, thereby introducing new life in
the world economy.
• The next major impact is in the concept of TRUST, especially within the sphere of international transactions.
Previously, lawyers were hired to bridge the trust gap between two different parties, but it consumed extra
time and money. The introduction of cryptocurrency has radically changed the trust equation. Many
organizations are located in areas where resources are scarce and corruption is widespread. In such cases,
blockchain renders a significant advantage to these affected people and organizations, allowing them to
escape the tricks of unreliable third-party intermediaries.
• The new reality of the Internet of Things (IoT) is already teeming with smart devices that turn on your
washing machines, drive your cars, navigate your ships, organize trash pick-up, manage traffic safety in your
community, and more. This is where blockchain comes in. In all of these cases (and more), leveraging
blockchain technology by creating smart contracts will enable any organization both to improve
operations and to keep more accurate records.
• Blockchain technology enables a decentralized peer-to-peer network for organizations or apps like Airbnb
and Uber. It allows people to pay for things like toll fees, parking, etc.
• Blockchain technology can be used as a secure platform for the healthcare industry for the purposes of storing
sensitive patient data. Health-related organizations can create a centralized database with the technology and
share the information with only the appropriately authorized people.
• In the private consumer world, blockchain technology can be employed by two parties who wish to conduct
a private transaction. However, these kinds of transactions have details that need to be hammered out before
both parties can proceed:

Answers to the Question# 3(a)

Political resistance is one of the great difficulties of bringing about organizational change, especially the
development of new information systems. People in organizations occupy different positions with different specialties,
concerns, and perspectives. As a result, they naturally have divergent viewpoints about how resources, rewards, and
punishments should be distributed. These differences matter to both managers and employees, and they result in
political struggle for resources, competition, and conflict within every organization.

Virtually all large information systems investments by a firm that bring about significant changes in strategy, business
objectives, business processes, and procedures become politically charged events. Managers who know how to work
with the politics of an organization will be more successful than less skilled managers in implementing new
information systems.

Answers to the Question# 3(b)

Sometimes a technology and resulting business innovation come along to radically change the business landscape and
environment. These innovations are loosely called “disruptive”. What makes a technology disruptive? In some cases,
disruptive technologies are substitute products or use of products that perform as well as or better (often much better)
than anything currently produced or how it is used. The car substituted for the horse-drawn carriage, the word processor
for typewriters, the Apple iPod for portable CD players, and digital photography for process film photography.
In some cases, entire industries are put out of business. In other cases, disruptive technologies simply extend the
market, usually with less functionality and much less cost than existing products. Eventually they turn into low-cost
competitors for whatever was sold before. Disk drives are an example: Small hard disk drives used in PCs extended
the market for disk drives by offering cheap digital storage for small files. Eventually, small PC hard disk drives
became the largest segment of the disk drive marketplace.
Some firms are able to create these technologies and ride the wave to profits. Others learn quickly and adapt their
business. Still others are obliterated because their products, services, and business models become obsolete. They may
be very efficient at doing what no longer needs to be done! There are also cases where no firms benefit and all the
gains go to consumers (firms fail to capture any profits). Moreover, not all change or technology is disruptive.
Managers of older businesses often do make the right decisions and find ways to continue competing. Disruptive
technologies are tricky.

Answers to the Question# 3(c)

IT also affects the cost and quality of information and changes the economics of information. Information technology
helps firms contract in size because it can reduce transaction costs — the costs incurred when a firm buys on the
marketplace what it cannot make itself. According to transaction cost theory, firms and individuals seek to economize
on transaction costs, much as they do on production costs. Using markets is expensive because of costs such as locating
and communicating with distant suppliers, monitoring contract compliance, buying insurance, obtaining information
on products, and so forth. Traditionally, firms have tried to reduce transaction costs through vertical integration, by
getting bigger, hiring more employees, and buying their own suppliers and distributors, as both General Motors and
Ford used to do.
Information technology, especially the use of networks, can help firms lower the cost of market participation
(transaction costs), making it worthwhile for firms to contract with external suppliers instead of using internal sources.
As a result, firms can shrink in size (numbers of employees) because it is far less expensive to outsource work to a
competitive marketplace rather than hire employees.
As transaction costs decrease, firm size (the number of employees) should shrink because it becomes easier and
cheaper for the firm to contract for the purchase of goods and services in the marketplace rather than to make the
product or offer the service itself. Firm size can stay constant or contract even as the company increases its revenues.

Answers to the Question# 4(a)

In a denial-of-service (DoS) attack, hackers flood a network server or web server with many thousands of false
communications or requests for services to crash the network. The network receives so many queries that it cannot
keep up with them and is thus unavailable to service legitimate requests.
A distributed denial-of-service (DDoS) attack uses numerous computers to inundate and overwhelm the network from
numerous launch points.
Although DoS attacks do not destroy information or access restricted areas of a company’s information systems, they
often cause a website to shut down, making it impossible for legitimate users to access the site. Often DDoS attacks
are used to divert attention from the operation of other malware.
For busy e-commerce sites, these attacks are costly. While the site is shut down, customers cannot make purchases.
Especially vulnerable are small and midsize businesses whose networks tend to be less protected than those of large
corporations.
Perpetrators of DDoS attacks often use thousands of zombie PCs infected with malicious software without their
owners’ knowledge and organized into a botnet. Hackers create these botnets by infecting other people’s computers
with bot malware that opens a back door through which an attacker can give instructions. The infected computer then
becomes a slave, or zombie, serving a master computer belonging to someone else. When hackers infect enough
computers, they can use the amassed resources of the botnet to launch DDoS attacks, phishing campaigns, or
unsolicited spam e-mail.
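The answer above describes the two flood patterns a defender needs to tell apart: a single source sending far more requests than a client normally would (DoS), and a botnet where no single source stands out but the aggregate volume from many distinct sources overwhelms the server (DDoS). The following Python script is an added illustration written for this page, not part of the original answer key; it builds a constructed access log (the addresses are documentation ranges, the thresholds are assumed values for the demonstration) and flags both patterns per ten-second window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample traffic (not a real capture): timestamps are offsets from
# a fixed base time so that the three scenarios fall into separate windows.
BASE_TIME = datetime(2023, 4, 1, 10, 0, 0, tzinfo=timezone.utc)


def log_line(ip, offset_seconds, path):
    """Build one access-log line in common log format."""
    ts = (BASE_TIME + timedelta(seconds=offset_seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200'


def build_sample_log():
    lines = []
    # Offsets 0-7 s: eight distinct clients, one request each (normal traffic).
    for i in range(8):
        lines.append(log_line(f"203.0.113.{i + 1}", i, "/index.html"))
    # Offsets 20-29 s: one client sends 25 requests in ten seconds (single-source DoS).
    for i in range(25):
        lines.append(log_line("198.51.100.7", 20 + i % 10, "/login"))
    # Offsets 40-49 s: 40 different clients, one request each (distributed pattern).
    for i in range(40):
        lines.append(log_line(f"192.0.2.{i + 1}", 40 + i % 10, "/search"))
    return lines


LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_line(line):
    """Parse client IP, timestamp, request line and status from one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group(1), "ts": ts, "request": m.group(3), "status": int(m.group(4))}


# Thresholds are assumptions for the demonstration; tune them for a real site.
WINDOW_SECONDS = 10          # size of each counting window
PER_SOURCE_LIMIT = 15        # more requests than this from one client in a window -> DoS
TOTAL_LIMIT = 30             # more requests than this overall in a window ...
MIN_SOURCES_FOR_DDOS = 20    # ... from at least this many distinct clients -> DDoS


def detect_floods(lines, window=WINDOW_SECONDS, per_source=PER_SOURCE_LIMIT,
                  total=TOTAL_LIMIT, min_sources=MIN_SOURCES_FOR_DDOS):
    """Return alerts for single-source and distributed request floods."""
    windows = defaultdict(Counter)          # window index -> Counter of requests per IP
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["ts"].timestamp()) // window
        windows[bucket][rec["ip"]] += 1

    alerts = []
    for bucket in sorted(windows):
        counts = windows[bucket]
        start = datetime.fromtimestamp(bucket * window, tz=timezone.utc)
        # Single-source flood: one client alone exceeds the per-source limit.
        for ip, n in counts.items():
            if n > per_source:
                alerts.append({"kind": "dos", "window_start": start, "source": ip, "requests": n})
        # Distributed flood: aggregate volume is high and spread over many sources.
        total_requests = sum(counts.values())
        if total_requests > total and len(counts) >= min_sources:
            alerts.append({"kind": "ddos", "window_start": start,
                           "sources": len(counts), "requests": total_requests})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The point of the two separate rules is the one the answer makes: per-source rate limiting catches the first scenario but is blind to the second, because each bot in the botnet stays under the per-client threshold. The aggregate rule has to be paired with a minimum number of distinct sources, otherwise a single busy client would be reported twice.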

Answers to the Question# 4(b)

When you click an ad displayed by a search engine, the advertiser typically pays a fee for each click, which is supposed
to direct potential buyers to its products. Click fraud occurs when an individual or computer program fraudulently
clicks an online ad without any intention of learning more about the advertiser or making a purchase.
Click fraud has become a serious problem at Google and other websites that feature pay-per-click online advertising.
Some companies hire third parties (typically from low-wage countries) to click a competitor’s ads fraudulently to
weaken them by driving up their marketing costs. Click fraud can also be perpetrated with software programs doing
the clicking, and botnets are often used for this purpose. Search engines such as Google attempt to monitor click fraud
and have made some changes to curb it.
Answers to the Question# 4(c)

Zero-day vulnerabilities are especially troublesome. These are holes or flaws in the software or systems unknown to
its creator or the person responsible for fixing/patching. Hackers then exploit this security hole before the vendor
becomes aware of the problem and hurries to fix it. This type of vulnerability is called zero day because the author of
the software has zero days after learning about it to patch the code before it can be exploited in an attack. Sometimes
security researchers spot the software holes but, more often, they remain undetected until an attack has occurred.

Answers to the Question# 4(d)

We can use information technologies to solve human and social problems through societal solutions such as medical
diagnosis, computer-assisted instruction, governmental program planning, environmental quality control, and law
enforcement.
For example, computers can help diagnose an illness, prescribe necessary treatment, and monitor the progress of
hospital patients. Computer-assisted instruction (CAI) and computer-based training (CBT) enable interactive
instruction tailored to the needs of students. Distance learning is supported by telecommunications networks,
videoconferencing, e-mail, and other technologies. Information technologies can be used for crime control through
various law enforcement applications.
For example, computerized alarm systems allow police to identify and respond quickly to evidence of criminal activity.
Computers have been used to monitor the level of pollution in the air and in bodies of water, detect the sources of
pollution, and issue early warnings when dangerous levels are reached.
Computers are also used for the program planning of many government agencies in such areas as urban planning,
population density and land use studies, highway planning, and urban transit studies. Computers are being used in job
placement systems to help match unemployed persons with available jobs. These and other applications illustrate that
information technology can be used to help solve the problems of society.

Answers to the Question# 4(e)

Intrusion detection tools and services protect against suspicious network traffic and attempts to access files and
databases. Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable points or hot
spots of corporate networks to detect and deter intruders continually. The system generates an alarm if it finds a
suspicious or anomalous event. Scanning software looks for patterns indicative of known methods of computer attacks
such as bad passwords, checks to see whether important files have been removed or modified, and sends warnings of
vandalism or system administration errors. The intrusion detection tool can also be customized to shut down a
particularly sensitive part of a network if it receives unauthorized traffic.
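The answer lists two concrete things intrusion detection software does: look for patterns of known attack methods such as repeated bad passwords, and check whether important files have been removed or modified. The Python script below is an added example for this page (it is not part of the answer key and not a real product): it raises an alarm for any source with five or more failed logins in a constructed sshd-style log, and it compares SHA-256 hashes of monitored files against a baseline to report modified and missing files. The log lines, the file names and the threshold are all constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed sample sshd-style log lines (not from a real host).
AUTH_LOG = [
    "Apr  1 10:00:01 host sshd[101]: Failed password for root from 198.51.100.5 port 50110 ssh2",
    "Apr  1 10:00:02 host sshd[102]: Failed password for root from 198.51.100.5 port 50111 ssh2",
    "Apr  1 10:00:03 host sshd[103]: Failed password for admin from 198.51.100.5 port 50112 ssh2",
    "Apr  1 10:00:04 host sshd[104]: Failed password for invalid user test from 198.51.100.5 port 50113 ssh2",
    "Apr  1 10:00:05 host sshd[105]: Failed password for root from 198.51.100.5 port 50114 ssh2",
    "Apr  1 10:00:06 host sshd[106]: Failed password for root from 198.51.100.5 port 50115 ssh2",
    "Apr  1 10:00:09 host sshd[108]: Accepted password for alice from 203.0.113.8 port 50200 ssh2",
    "Apr  1 10:00:10 host sshd[109]: Failed password for bob from 203.0.113.9 port 50300 ssh2",
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_login_alerts(lines, threshold=5):
    """Sources with at least `threshold` failed passwords: the 'bad passwords' pattern."""
    per_source = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_source[m.group(2)] += 1
    return {ip: n for ip, n in per_source.items() if n >= threshold}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good digest of every monitored file."""
    return {p: hash_file(p) for p in paths}


def check_integrity(baseline):
    """Report monitored files that have been modified or removed since the baseline."""
    report = {"modified": [], "missing": []}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(os.path.basename(path))
        elif hash_file(path) != digest:
            report["modified"].append(os.path.basename(path))
    return report


def run_demo():
    """Run both checks: the constructed log and a scratch directory of 'important files'."""
    alerts = failed_login_alerts(AUTH_LOG)
    with tempfile.TemporaryDirectory() as d:
        files = {name: os.path.join(d, name) for name in ("passwd", "hosts", "sudoers")}
        for path in files.values():
            with open(path, "w") as f:
                f.write("original contents\n")
        baseline = build_baseline(files.values())
        # Simulate tampering after the baseline was taken (constructed changes).
        with open(files["hosts"], "a") as f:
            f.write("203.0.113.99 update-server\n")
        os.remove(files["sudoers"])
        report = check_integrity(baseline)
    return alerts, report


if __name__ == "__main__":
    print(run_demo())
```

In a deployment the baseline would be stored somewhere the monitored host cannot rewrite, since an intruder who can modify the files can otherwise also refresh the hashes; the answer's point that the tools sit at the most vulnerable points of the network applies equally to where their reference data lives.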

Answers to the Question# 4(f)

Data owners are generally managers and directors responsible for using information for running and controlling the
business. Their security responsibilities include authorizing access, ensuring that access rules are updated when
personnel changes occur, and regularly reviewing access rules for the data for which they are responsible.
Data custodians are responsible for storing and safeguarding the data, and include IS personnel such as systems
analysts and computer operators.
Data users, including the internal and the external user communities, are the actual users of the computerized data.
Their levels of access into the computer should be authorized by the data owners and restricted and monitored by the
security administrator. Their responsibilities regarding security are to be vigilant regarding the monitoring of
unauthorized people in the work areas and comply with general security guidelines and policies.
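The three roles above map directly onto an access control design: the data owner is the only party who may grant or revoke access, the custodian stores the data but cannot authorize anyone, and every access attempt by a data user is enforced and logged for the security administrator to review. The following Python model is an added example written for this page, not part of the answer key or of any product; the dataset, the role names and the sequence of events in `run_demo` are constructed to show an owner grant, a refused grant by the custodian, a denied action, and the revocation that should follow a personnel change.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class DataSet:
    name: str
    owner: str       # data owner: the manager accountable for this data
    custodian: str   # data custodian: IS staff who store and safeguard it


@dataclass
class AccessControl:
    """Access rules granted by data owners, enforced and logged for the security administrator."""
    datasets: dict = field(default_factory=dict)
    rules: dict = field(default_factory=dict)     # (dataset, user) -> set of permitted actions
    audit_log: list = field(default_factory=list)

    def _log(self, event, **details):
        self.audit_log.append({"time": datetime.now(timezone.utc), "event": event, **details})

    def register(self, dataset):
        self.datasets[dataset.name] = dataset

    def authorize(self, granted_by, dataset, user, actions):
        """Only the data owner may authorize access; anyone else is refused and logged."""
        if granted_by != self.datasets[dataset].owner:
            self._log("grant_denied", by=granted_by, dataset=dataset, user=user)
            return False
        self.rules[(dataset, user)] = set(actions)
        self._log("grant", by=granted_by, dataset=dataset, user=user, actions=sorted(actions))
        return True

    def revoke(self, revoked_by, dataset, user):
        """The owner removes access when personnel change (transfer, departure)."""
        if revoked_by != self.datasets[dataset].owner:
            self._log("revoke_denied", by=revoked_by, dataset=dataset, user=user)
            return False
        self.rules.pop((dataset, user), None)
        self._log("revoke", by=revoked_by, dataset=dataset, user=user)
        return True

    def access(self, user, dataset, action):
        """Enforcement point: every attempt, allowed or not, goes to the audit log."""
        allowed = action in self.rules.get((dataset, user), set())
        self._log("access" if allowed else "access_denied", user=user, dataset=dataset, action=action)
        return allowed

    def denied_events(self):
        """What the security administrator reviews when monitoring for misuse."""
        return [e for e in self.audit_log if e["event"].endswith("_denied")]


def run_demo():
    """Constructed scenario: an HR director owns the payroll data, a DBA team is custodian."""
    ac = AccessControl()
    ac.register(DataSet("payroll", owner="hr_director", custodian="dba_team"))
    results = {}
    results["owner_grant"] = ac.authorize("hr_director", "payroll", "alice", ["read"])
    results["custodian_grant"] = ac.authorize("dba_team", "payroll", "bob", ["read"])  # refused
    results["alice_read"] = ac.access("alice", "payroll", "read")
    results["alice_write"] = ac.access("alice", "payroll", "write")      # not granted
    results["bob_read"] = ac.access("bob", "payroll", "read")            # never authorized
    ac.revoke("hr_director", "payroll", "alice")                         # alice transfers out of HR
    results["alice_read_after_revoke"] = ac.access("alice", "payroll", "read")
    results["denied_count"] = len(ac.denied_events())
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The separation matters for the regular review the answer asks of owners: because grants and revocations are recorded with who made them, the owner can reconcile the rule table against the current staff list, and the security administrator can see both the denied attempts and any grant attempted by someone who is not the owner.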

Answers to the Question# 5(a)

During the design phase, the development process frequently takes the form of, or includes, a prototyping approach.
Prototyping is the rapid development and testing of working models, or prototypes, of new applications in an
interactive, iterative process that can be used by both IS specialists and business professionals. Prototyping, as a
development tool, makes the development process faster and easier, especially for projects where end-user
requirements are hard to define. Prototyping has also opened up the application development process to end users
because it simplifies and accelerates systems design. Thus, prototyping has enlarged the role of the business
stakeholders affected by a proposed system and helps make possible a quicker and more responsive development
process called agile systems development (ASD).
Answers to the Question# 5(b)

A project is a special set of activities with a clear beginning and end. Every project has a set of goals, objectives, and
tasks. Every project must also deal with a set of limitations or constraints.

i) Initiating/Defining
• State the problem(s)/goal(s).
• Identify the objectives.
• Secure resources.
• Explore costs/benefits in feasibility study.
ii) Planning
• Identify and sequence activities.
• Identify the “critical path.”
• Estimate time and resources needed for completion.
• Write a detailed project plan.
iii) Executing
• Commit resources to specific tasks.
• Add additional resources/personnel if necessary.
• Initiate project work.
iv) Controlling
• Establish reporting obligations.
• Create reporting tools.
• Compare actual progress with baseline.
• Initiate control interventions if necessary.
v) Closing
• Install all deliverables.
• Finalize all obligations/commitments.
• Meet with stakeholders.
• Release project resources.
• Document the project.
• Issue final report.

Answers to the Question# 5(c)

• Acquisition: Evaluate and acquire necessary hardware and software resources and information system services.
Screen vendor proposals.
• Software Development: Develop any software that will not be acquired externally as software packages. Make any
necessary modifications to software packages that are acquired.
• Data Conversion: Convert data in company databases to new data formats and subsets required by newly installed
software.
• Training: Educate and train management, end users, customers, and other business stakeholders. Use consultants or
training programs to develop user competencies.
• Testing: Test and make necessary corrections to the programs, procedures, and hardware used by a new system.
• Documentation: Record and communicate detailed system specifications, including procedures for end users and IS
personnel and examples of input screens and output displays and reports.
• Conversion: Convert from the use of a present system to the operation of a new or improved system. This may
involve operating both new and old systems in parallel for a trial period, operation of a pilot system on a trial basis
at one location, phasing in the new system one location at a time, or a direct cutover to the new system.

Answers to the Question# 6(a)

IS audit is the formal examination, interview and/or testing of information systems to determine whether:
i) Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
ii) IS data and information have appropriate levels of confidentiality, integrity and availability.
iii) IS operations are being accomplished efficiently and effectiveness targets are being met.

Answers to the Question# 6(b)

The role of the IS internal audit function should be established by an audit charter approved by board of directors and
the audit committee (senior management if these entities do not exist). IS audit can be a part of internal audit, function
as an independent group, or integrated within a financial and operational audit to provide IT-related control assurance
to the financial or management auditors. Therefore, the audit charter may include IS audit as an audit support function.
The charter should clearly state management’s responsibility and objectives for, and delegation of authority to, the IS
audit function. This document should outline the overall authority, scope and responsibilities of the audit function.
The highest level of management and the audit committee, if one exists, should approve this charter. Once established,
this charter should be changed only if the change can be and is thoroughly justified. ISACA IS Audit and Assurance
Standards require that the responsibility, authority and accountability of the IS audit function are appropriately
documented in an audit charter or engagement letter.
An audit charter is an overarching document that covers the entire scope of audit activities in an entity while an
engagement letter is more focused on a particular audit exercise that is sought to be initiated in an organization with a
specific objective in mind.

Answers to the Question# 6(c)

In analyzing the business risk arising from the use of IT, it is important for the IS auditor to have a clear understanding
of:
• Industry- and/or internationally accepted risk management processes.
• The purpose and nature of business, the environment in which the business operates and related business risk.
• The dependence on technology to process and deliver business information.
• The business risk of using IT and how it impacts the achievement of the business goals and objectives.
• A good overview of the business processes and the impact of IT and related risk on the business process
objectives.

Answers to the Question# 6(d)

A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of
the balances in the financial statements and the transactions that support these balances. IS auditors could use
substantive tests to test for monetary errors directly affecting financial statement balances or other relevant data of the
organization. Additionally, an IS auditor might develop a substantive test to determine whether the tape library
inventory records are stated correctly. To perform this test, the IS auditor might take a thorough inventory or might
use a statistical sample, which will allow the IS auditor to develop a conclusion regarding the accuracy of the entire
inventory. There is a direct correlation between the level of internal controls and the amount of substantive testing
required. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then the
IS auditor is justified in minimizing the substantive procedures. Conversely, if the control testing reveals weaknesses
in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can
alleviate those doubts.

Answers to the Question# 6(e)

Audit documentation should include, at a minimum, a record of the following:
• Planning and preparation of the audit scope and objectives.
• Description and/or walk-throughs on the scoped audit area.
• Audit program.
• Audit steps performed and audit evidence gathered.
• Use of services of other auditors and experts.
• Audit findings, conclusions and recommendations.
• Audit documentation cross-referenced by document identification and dates.
It is also recommended that documentation include:
• A copy of the report issued as a result of the audit work.
• Evidence of audit supervisory review.

---The End---
