
University: Auckland University of Technology (AUT)
Subject: BSYS702 Cyber-Security and Risk Management

BSYS702 – 2026S1 Assignment 1 (40 Marks) 

This assessment mirrors the real-world responsibilities of an IT risk analyst or auditor—investigating, analysing, and providing recommendations. While the lecture slides and reading materials (mainly from Weeks 3 and 4) will support your understanding, you may also explore relevant publicly available sources and strengthen your analysis.

Background

North Shore Playgrounds (NSP) manufactures playground equipment for customers worldwide. The company has two sales offices and a factory in Auckland’s North Shore. NSP’s revenues have steadily increased over the last few years, with new customers from India, Indochina, and Indonesia.

NSP uses various materials to make its playground equipment, such as rubber chips for playground floors (converted from old tyres), nylon (for the ropes and swings), and steel bolts. NSP’s business growth has led to difficulties obtaining these materials, so NSP has bought two of its suppliers to improve its control over its supply chain.

NSP’s main competitor, Kumeu Play People (KPP), is also growing and focusing on New Zealand and the Pacific Islands. The key differentiator in the playground industry is playground equipment designs, and KPP is very aggressive in protecting the copyright of its designs. Many of KPP’s employees have moved to NSP recently because they want to travel overseas to install and service playgrounds for NSP’s international customers.

The company has an accounting system on an IBM AS/400 server. The system was developed in-house and implemented ten years ago. The company uses a Windows Active Directory-based network that connects all employee desktop computers to the AS/400 system. However, the networks of the suppliers it has bought are not integrated with NSP’s main network. These suppliers also use their own accounting and inventory management systems. NSP’s ERP system is linked to these systems using middleware from an IT vendor based in Auckland’s CBD.

NSP’s IT budget has also grown with the increase in business, and to manage costs, the manager of NSP’s IT department, Ms Rekha Moorthy, has proposed a move to Microsoft’s Office 365, a suite of cloud-based applications that includes storage (OneDrive). However, when Ms. Moorthy announced the plan, she discovered that many employees were already using Dropbox to share files and were unwilling to move to OneDrive. Ms Moorthy is also facing difficulties with NSP’s accounting system, as it does not handle overseas operations (e.g. different currencies and rules for GST) well.

Your Role

You are part of the IS audit team that Ms Moorthy has hired to review NSP’s information systems. You have been assigned to review and evaluate NSP’s IT general controls. As part of the audit process, you have interviewed various members of NSP’s computer department, beginning with Ms. Moorthy. You have also observed the employees doing their work and reviewed systems documentation and logs. You have compiled a set of ‘audit notes’ based on your interviews, observations and documentation review.

Audit Notes

  1. The server is located in a secure area at NSP’s headquarters, and access is controlled by a swipe card. All entries to the server room are logged, and an automatic fire alarm system is tested regularly and is operating well.
  2. Ms Moorthy informed you that the security policy was based on a free template she downloaded online, which she had modified and put on NSP’s intranet. Before implementing the policy, she asked the human resources manager for advice. She believes all employees are aware of this policy.
  3. NSP has an IT strategic plan that is reviewed and evaluated annually by a steering committee of members from every functional department in the company.
  4. Users need passwords at least eight characters long, containing a mixture of letters and numbers. Passwords have to be changed once a year.
  5. NSP only buys laptops on sale at JB Hi-Fi, and Ms Moorthy prefers to buy Lenovo laptops.
  6. Users’ laptops automatically time out after 10 minutes of inactivity. A username and password are required to log back on to a computer after it has “timed out” and is on a screensaver.
  7. Ms Moorthy confirmed that when employees leave the company (because of resignation, retirement, etc), their user accounts are disabled immediately. However, two retired employees from the IT department still have active user accounts because they developed NSP’s accounting system, and no one knows it as well as they do. Their accounts have been kept active in case they need to return to help NSP with some of the work they used to do.
  8. Your analysis of employee records reveals that there has been a sudden increase in the number of part-time customer service staff in the last two years. When you asked Ms. Moorthy, she explained that because of the growth in its business, NSP needed many more employees, but it could not hire enough permanent full-time staff. NSP thus began approaching retirees, students and stay-at-home mums to work part-time in these roles. Many of them use their home laptops or tablets for their work.
  9. IT purchase information is stored in a folder on a shared drive in the AS/400 server. Four employees handle purchases and payments to suppliers. Since they do each other’s jobs, Ms Moorthy allowed them to share the same user profile to access the shared folder containing purchase information. This procedure has allowed them to pay invoices and approve purchases even if only one of the four staff is available.
  10. Ms Moorthy’s assistant, Mr Joe Johari, is responsible for assigning user rights to employees, which define what each employee can do in NSP’s IT systems. All requests for changes in user rights come to Mr Johari. He reviews the user access rights once a quarter, and if something does not look right, he emails a query to Ms Moorthy. He does not follow up with her to see if his queries have been resolved.
  11. NSP has an expensive firewall and intrusion detection system (IDS) to protect its systems from hacking attempts. These systems have been rigorously tested by two members of the IT department, whom Ms Moorthy says are very experienced.
  12. Any requests for changes to software used in NSP are first sent via e-mail to Mr Johari. Mr Johari then forwards the e-mail to Ms Moorthy, who either approves or denies the change request by email. Mr. Johari saves a copy of these e-mails in a separate folder in his e-mail Inbox as evidence of the decision. This process usually works well. However, employees occasionally have ‘emergency’ change requests that Mr Johari has to process without Ms Moorthy’s approval when she is absent or busy.
  13. Peng Liu, the manager of the customer service department, has been given a ‘super-user’ status to grant appropriate user rights to employees in his department. Ms Moorthy approved Mr Liu’s superuser status because the need to hire new customer service staff quickly made it difficult for Mr Johari to keep up with the requests for assigning user rights.
  14. User accounts can log on to any network (NSP’s or the networks of the two companies it bought).
  15. Besides the move to Office 365, Ms Moorthy informed you that she has also planned a project to consolidate NSP’s IT systems so that the same accounting and inventory management systems will be used across the company. She also wants to replace all the accounting systems and move to a cloud-based one, such as Xero. Her board has approved the project, and she is about to start choosing a vendor. However, she is unsure whether to manage the project internally or hire an IT consulting company. Besides herself, the rest of her IT department lacks project management experience.

Your Task

  1. Identify three major risks specific to NSP based on the background and audit notes. For each risk, explain its potential impact on NSP’s business operations, considering factors such as its industry, growth strategy, and IT infrastructure. (20 marks)
  2. Using COBIT 2019 processes – APO13, BAI04, BAI06 and DSS05, develop risk mitigation strategies for NSP. (20 marks)
    • Select one relevant COBIT practice for each risk.
    • Explain why it is the best fit (to mitigate the identified risk) for NSP’s situation, considering its business needs and IT environment.

(Note: Not all practices in each process are relevant; choose only the most applicable ones.)

Present your answers in a table format, with one column for risks and another for the relevant control practice. Your answers should be 1,000 words in total (+/- 10%). Use the following table structure.

| Risk and Potential Impact | Practices and Explanation |
| --- | --- |
| Risk 1: | Practice: APO13.01 Information security management system (ISMS) scope statement (Provided as an example) |
| Potential Impact: | Explanation: |
| Risk 2: | Practice: |
| Potential Impact: | Explanation: |
