
2016 PRS AO2 Solution (002)

Department of Finance and Investment Management
Performance and Risk Strategy
FNB18x7
ASSESSMENT OPPORTUNITY 2 (Suggested Solution)
10 MAY 2016
QUESTION 2
[25 marks]
E-ticket is an online ticketing company which facilitates the sale and purchase of tickets to a
variety of local events such as theatre productions, concerts, festivals and sports. Recently the
company introduced air and bus travel tickets which could be coupled with accommodation in
accordance with specific packages on offer at the time. To this end the company uses the
services of other companies engaged in the travel industry such as chartered airlines and
hotels which it pays for directly on behalf of its customers once they have confirmed their
reservations on the E-ticket website.
Upgrade of online booking system
Customers wishing to book holiday accommodation and airline tickets can do so 24 hours a
day, seven days a week (“24/7”). However, E-ticket’s current system is unable to confirm
bookings made outside of normal office hours since there are no call centre consultants
available to contact the respective airlines or hotels once a booking is made on the system.
Any ‘out of hours bookings’ are not processed until the next working day. The information is
held on E-ticket’s server but reservations are not made with the airlines or hotels until it is
processed by a consultant.
E-ticket has recently run into problems with this system. There have been several cases where
customers have booked a holiday online but then received an email 48 hours later to tell them
that either the airline or the hotel has rejected the booking because there were no places
available for the dates requested. E-ticket’s Finance Director has contacted the major airlines
and hotels in order to discuss a permanent connection to their systems, so that customer
bookings could be made immediately regardless of the time of day. Unfortunately, the airlines
and hotels are not willing to permit such an arrangement because E-ticket’s system is not up
to industry standard, having not been updated since it was first installed. E-ticket’s
directors wish to upgrade the system in order to secure a connection with airlines and hotels.
Security breach
E-ticket has recently suffered a security breach involving 2,000 of its highest-spending
customers. One of E-ticket’s analysts had been asked to write a report about those customers’
buying habits. The report was required urgently and so the analyst copied the customers’ files
onto a memory stick, which he took home to analyse on his home PC over the weekend. He
copied the final report onto the same memory stick, but lost the stick during the train journey
into work.
The analyst had one of his flatmates email him a copy of the report, which was still on the
hard drive of his home PC, so the report’s deadline was met. The analyst did not report the
loss of the memory stick because he did not wish to get into trouble for losing the data. He
hoped that anybody who found the stick would simply erase the files.
Over the next two weeks, E-ticket started to receive complaints from customers that orders
were being placed without the account holders’ permission. The analyst was asked to
investigate these complaints to determine whether there was a security problem. The analyst
quickly realised that many of the complaints were from the 2,000 customers whose files were
on his memory stick and that the person who had found the stick was abusing that information.
He admitted the loss of the memory stick and was suspended.
Required
2.1
Advise E-ticket’s IT Director on the steps that should be undertaken in order to
upgrade the online booking system to offer a 24/7 connection to airline and hotel
systems.
(10 Marks)
Answer
Marks awarded for the following:
1. Delegation of development to consultant (or creation of an internal team) with
expertise and resources.
2. Ensuring sufficient communication with consultant to ensure that they understand
that the system must:
a. meet industry standard;
b. interface with suppliers.
3. Collaboration with suppliers to ensure successful interface and to account for any
changes which may have occurred in supplier’s system.
4. Benchmark system against competing suppliers or other systems that meet industry
standard.
5. Obtain input from marketing expert to optimize site for maximum sales.
6. Extensive testing of the following aspects of the system before it goes into
production:
a. End user functionality (i.e. customers are able to use the system in an
efficient and convenient manner);
b. Interface with suppliers.
Suggested solution:
The first step is to identify a suitable consultant for advice on this upgrade. E-ticket’s IT
Director may be in a position to provide overall strategic management, but the director may
not have the time or the expertise to manage this project on a day-to-day basis. E-ticket will
have to ensure that any software that it purchases meets the industry standard. One of the
major aspects of this upgrade is to enable the company’s systems to integrate and work
with those of suppliers. The director should meet with the major airlines and hotel chains to
identify ways in which the integration of E-ticket’s systems could be enhanced. The director
should enquire as to whether there are likely to be any changes in the foreseeable future
so that these can be incorporated into the new system. The director should study the
websites of competitors to identify features that could usefully be added to the company’s
system. A marketing expert, either from the company’s sales department or an external
consultant, should advise on ways to design the site to boost sales. Ideally, the proposals
should be tested on a sample of E-ticket’s customers to ensure that the system is accessible
and attractive. Once the system has been designed it should be tested in some detail before
it goes live. The interface with the suppliers’ systems should be tested rigorously to ensure
that bookings go through without difficulty.
Required
2.2
Advise E-ticket’s board on the weaknesses in both the control environment and the
internal controls that led to this loss of data.
(15 Marks)
Total for Question 2 = 25 marks
Answer
Marks awarded for the following:
1. Identifying that staff are possibly overworked and under excessive pressure, with the
potential for errors.
2. Unsupportive/intimidating tone from senior management leading to undesirable
control environment.
3. Specifying staff training with respect to the following and related consequences:
a. Handling sensitive personal customer data and respecting client
confidentiality.
b. Security protocol for storage/extraction of data (i.e. usage of personal USB drives
and sharing of files amongst staff).
c. Identifying threat of virus/malware which could compromise security.
4. Prohibition of using personal disks on company computers and policy over internal
communications of customer data.
5. Access control and restriction of staff access to sensitive aspects of customer info:
a. Encryption of credit card details and identifying that only finance staff should
have access to financial info.
b. Identifying that customer names and addresses were not necessary for
analyst to analyse customer buying habits.
Max: 15
Suggested solution:
There appear to be major shortcomings within E-ticket’s control environment. The analyst’s
behaviour suggests that staff may be overworked, which will lead to errors and possibly
short-cuts such as taking files home. The fact that the analyst was afraid to admit to the
loss of the files adds to the sense that the environment is unsupportive and punitive. Staff
should have been trained on the sensitivity of personal details in a company such as E-ticket.
The information that has been lost may be very personal in nature and could lead to
losses because of identity theft and related fraud. Such training should have reduced the
risk of a member of staff leaving a file of customer records on an unsecured PC. Staff should
not be permitted to connect personal disk drives to E-ticket’s computers. There is a danger
that these will carry viruses or other malware. Ideally, staff PCs should not have open USB
sockets to reduce the risk of this occurring; alternatively, software which prevents the use of
personal USB drives could be installed. Any files that need to be shared with colleagues can be
transferred over the firm’s network. The files themselves should not be accessible in their
entirety. Sensitive customer details such as credit card numbers and other banking details
should be encrypted and be accessible only to staff in the finance department. Fields within
files should be made available to E-ticket’s staff on a strictly “need to know” basis. The
analyst did not need to know customers’ names and full postal addresses. It would have
been sufficient to have identified customers by a user number and provided the analyst with
a buying history for each.
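As an added illustration of the last point, and not part of the suggested solution itself, the "need to know" extract can be expressed as a field-level access policy: the analyst's file carries only a keyed pseudonymous user number and the buying history, while names, addresses and card numbers stay with the roles cleared for them, and only the holder of the key can map a user number back to a customer. The role names, field names and sample records are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records (not real customers) in the shape the analyst's
# files might have taken: identity, payment and buying history held together.
CUSTOMER_FILES = [
    {"customer_id": 1042, "name": "Example Customer A",
     "address": "1 Sample Road, Johannesburg", "card_number": "4111111111111111",
     "purchases": [{"event": "concert", "amount": 850.0},
                   {"event": "festival", "amount": 1200.0}]},
    {"customer_id": 1043, "name": "Example Customer B",
     "address": "2 Sample Road, Pretoria", "card_number": "5500000000000004",
     "purchases": [{"event": "theatre", "amount": 400.0}]},
]

# The "need to know" policy as data: which roles may see each field.
# Role names are assumed; the text only distinguishes finance staff from the analyst.
FIELD_ACCESS = {
    "customer_id": {"finance", "customer_service"},
    "name": {"finance", "customer_service"},
    "address": {"finance", "customer_service"},
    "card_number": {"finance"},
    "purchases": {"finance", "customer_service", "analyst"},
}
DIRECT_IDENTIFIERS = ("customer_id", "name", "address", "card_number")


def user_number(customer_id: int, key: bytes) -> str:
    """Stable pseudonymous user number. The key stays with the data owner, so
    whoever holds an extract cannot map user numbers back to customers."""
    digest = hmac.new(key, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return digest[:12]


def extract_for_role(records, role: str, key: bytes):
    """Build the view a role receives: only fields that role is cleared for,
    with the raw customer_id replaced by a user number wherever it is withheld."""
    view = []
    for rec in records:
        row = {f: v for f, v in rec.items() if role in FIELD_ACCESS.get(f, set())}
        if "customer_id" not in row:
            row["user_number"] = user_number(rec["customer_id"], key)
        view.append(row)
    return view


def direct_identifiers_present(view):
    """Direct identifiers found in an extract; empty for a properly minimised file."""
    return sorted({f for row in view for f in row if f in DIRECT_IDENTIFIERS})
```

Running the check over the analyst's extract before it leaves the secured system gives a simple gate: a non-empty result means the file still carries data the analyst does not need.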