
CIMA P3 Exam Surgery

Past Paper Answer Q56



Q56 K


Marking scheme                                                          Marks

(a) Dependence on IT: fundamental threat to future, need for prevention
    of threats, back-up and contingency planning.                           3
    Centralisation: lack of segregation of duties, human resource
    controls, reviews of transactions.                                      3
    Illicit access: why it might occur, access and virus controls.          3
    Protection of income: limits need to be enforced.                       3
    Systems development: need for development to reflect customer
    demands and prevent fraud. Strength of system development process
    and internal audit involvement.                                         3
    Other relevant factors: up to 3 marks each                              3
                                                                      max  15

(b) Risks: up to 2 marks per risk discussed, including threats of
    withdrawal of credit card companies, reputation with customers,
    unprofitable transactions.                                        max   6
    Risk management: up to 2 marks per step taken, including risk
    analysis, isolating problem customers, use of secure third party
    mechanism.                                                        max   6
                                                                      max  10

                                                                           25


(a) Dependence on IT
K is totally dependent on its IT systems functioning reliably. Without the systems it has no income.
Interruption to the systems for any length of time will threaten the company's future. Auditors will be
concerned whether these risks are being managed effectively by controls preventing disruption, for
example anti-virus controls. Because of the systems' importance, auditors will want to establish
whether the system is completely backed up, the extent of contingency plans and whether
contingency arrangements provide the strong controls required.
Centralisation of computer systems
The centralisation of the computer systems may also be a source of significant risk. There may be a lack
of segregation of duties in recording transactions and payments. It may be possible for the same
individual to programme fraudulent charges and make the necessary adjustments to other parts of the
system to cover up the fraud. The auditors will therefore consider how much these risks are mitigated
by general controls:
- Human resource controls over the recruitment of individuals
- Audit of transactions by internal audit
- Analytical or other overall reviews of transactions or accounts, to identify strange patterns in
  charges
- Reviews of computer usage

Illicit access
A key risk to the system is access by unauthorised persons. This could be access to obtain tracks
without paying, obtain customer details, access customer accounts, or carry out denial of service
attacks disrupting operations. Auditors will obviously be very concerned with the strength of controls
preventing unauthorised use such as passwords, and controls, such as up-to-date virus protection
software, to prevent viruses affecting the system.
Protection of income
In order to maximise income, K has imposed rules on the number of songs that can be downloaded for
free. These limits will only be effective if they are enforced. The auditors will want to ascertain whether
the controls over the number of free downloads are effective, covering the complete recording of
transactions and the prevention of free downloads when limits are reached.
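An added illustration (not part of the model answer) of the control the auditors would test here: every download request is written to an append-only ledger before the decision is made, and free downloads are refused once a customer's allowance for the window is used up. The limit of 3 free tracks per 30 days is an assumption; the question does not state K's actual rule.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed values for K's free-download rule (the question gives no figures).
FREE_LIMIT = 3                      # free tracks per customer per window
WINDOW = timedelta(days=30)

@dataclass
class Ledger:
    """Append-only record of every request, whether allowed or refused,
    so the auditor can reconcile refusals as well as grants."""
    entries: list = field(default_factory=list)

    def record(self, customer, track, when, free, allowed):
        self.entries.append({"customer": customer, "track": track,
                             "when": when, "free": free, "allowed": allowed})

    def free_downloads_in_window(self, customer, now):
        # Only granted free downloads inside the rolling window count.
        return sum(1 for e in self.entries
                   if e["customer"] == customer and e["free"] and e["allowed"]
                   and now - e["when"] < WINDOW)

def request_download(ledger, customer, track, now, paid=False):
    """Record the request first, then decide it against the allowance."""
    if paid:
        ledger.record(customer, track, now, free=False, allowed=True)
        return True
    used = ledger.free_downloads_in_window(customer, now)
    allowed = used < FREE_LIMIT
    ledger.record(customer, track, now, free=True, allowed=allowed)
    return allowed

def free_allowance_demo():
    """Constructed scenario: five free requests in a row, then one more
    after the window has rolled over."""
    ledger = Ledger()
    t0 = datetime(2024, 1, 1)
    results = [request_download(ledger, "cust-1", f"track-{i}",
                                t0 + timedelta(minutes=i)) for i in range(5)]
    later = request_download(ledger, "cust-1", "track-9",
                             t0 + timedelta(days=31))
    return results, later, len(ledger.entries)
```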
Development of system
Technology improvements mean that K's system will need to develop, to provide a better service for
customers or to counter the threat of fraud. Auditors will therefore be concerned with how the system is
developed. In particular they will want to know how the need for development is identified, how
K has previously handled development, and whether lessons learnt from post-completion audits will be
actioned in future. The extent of internal audit involvement will be an important consideration for external
auditors, as internal audit work may provide assurance that controls have been adequately tested.
However external auditors will also want to obtain assurance that internal audit has sufficient IT
expertise to be able to conduct effective testing.
(b) Risks
Credit card company risk
K may suffer from the risk that the credit card company will no longer allow customers to pay via K's
site, to protect its own reputation. This represents a threat to revenue, since some customers will find
it more difficult to pay. The problem will be made worse if other credit card companies also withdraw
permission.
Reputation risk
Customers may not wish to use K's website because of fears that they will be charged fraudulently and
because they fear that fraudsters have access to their personal data.
Refunding of payments
K may have to pay refunds to customers, but still be liable to copyright holders for the royalties on the
downloads.
Alleviation of risks
Risk analysis
K needs to analyse what's happened to see if there is any pattern in the fraudulent charges being made.
If the customers who have suffered problems can be easily classified, for example geographically, it
may be best to stop offering the service to customers with that link until the problem is resolved.
Expert systems
It is possible to purchase expert systems to monitor fraud. Credit card companies use systems that
contain information relating to credit card frauds over a long period of time. The system can
therefore recognise suspicious buying patterns.
Controls over customers allowed to use the service
K can reduce the risks of problems by recording customer details. Customers could be asked to
register and confirm identity by email. Alternatively, if a fraudulent purchase is identified as coming
from a specific computer IP address, then that address should not be allowed to purchase in future.
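An added example (not from the model answer) covering both the risk analysis step and the address control above: the disputed charges are grouped by region to find a concentration, and any IP address behind a disputed purchase goes on a blocklist checked before each new sale. The transactions, the IP addresses and the thresholds (at least 3 charges with half or more disputed) are all constructed for illustration.

```python
from collections import Counter

# Constructed sample of K's card transactions; "disputed" marks a charge the
# customer reported as fraudulent. All values are invented.
TRANSACTIONS = [
    {"customer": "c1", "region": "north", "ip": "198.51.100.7", "disputed": True},
    {"customer": "c2", "region": "north", "ip": "198.51.100.7", "disputed": True},
    {"customer": "c3", "region": "north", "ip": "203.0.113.5", "disputed": True},
    {"customer": "c4", "region": "north", "ip": "203.0.113.9", "disputed": False},
    {"customer": "c5", "region": "south", "ip": "192.0.2.10", "disputed": False},
    {"customer": "c6", "region": "south", "ip": "192.0.2.11", "disputed": False},
    {"customer": "c7", "region": "south", "ip": "192.0.2.12", "disputed": True},
    {"customer": "c8", "region": "east", "ip": "192.0.2.20", "disputed": False},
]

def dispute_rate_by(transactions, key):
    """Fraction of charges disputed, per distinct value of `key`."""
    total = Counter(t[key] for t in transactions)
    disputed = Counter(t[key] for t in transactions if t["disputed"])
    return {k: disputed[k] / total[k] for k in total}

def suspicious_groups(transactions, key, min_count=3, min_rate=0.5):
    """Values of `key` with enough volume and a high dispute rate: the
    pattern K should look for before suspending service to that group.
    The thresholds are assumptions, not figures from the question."""
    total = Counter(t[key] for t in transactions)
    rates = dispute_rate_by(transactions, key)
    return sorted(k for k in total
                  if total[k] >= min_count and rates[k] >= min_rate)

def build_ip_blocklist(transactions):
    """IP addresses that originated at least one disputed purchase."""
    return {t["ip"] for t in transactions if t["disputed"]}

def should_accept(transaction, blocklist, suspended_regions):
    """Gate a new purchase on both controls from the answer."""
    return (transaction["ip"] not in blocklist
            and transaction["region"] not in suspended_regions)

def review():
    """Run the analysis over the sample and return the controls to apply."""
    suspended = set(suspicious_groups(TRANSACTIONS, "region"))
    blocklist = build_ip_blocklist(TRANSACTIONS)
    return suspended, blocklist
```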
Secure payment mechanism
The threat to reputation of payment information not being secure can be dealt with by using a third
party payment mechanism with a reputation for being secure, for example PayPal.