Programme

advertisement
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
The Government of the Russian Federation
Federal State Autonomous Educational Institution of Higher Professional Education
“National Research University “Higher School of Economics”
Faculty of business and management
School of business Informatics
Program of Discipline
“Information Systems Audit”
for Master training direction 38.04.05 “Business Informatics”
The authors of the program:
Grekul V.I., candidate of science, senior researcher, grekoul@hse.ru
Одобрена на заседании кафедры
управления ИС и цифровой инфраструктурой
«____»______________ 2015 г.
Зав. кафедрой Исаев Е.А.
Утверждена академическим советом образовательной программы «Бизнес-информатика»
«____»______________ 2015 г.
Академический руководитель Зараменских Е.П.__________________________
Зарегистрирована УМО школы бизнес-информатики
«____»______________ 2015 г.
________________________
Moscow, 2015
This program cannot be used by other divisions of the university and other institutions of higher
education without the permission of the department - the developer of the program.
1
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
1
Application area and normative references
This program of academic discipline establishes minimum requirements for knowledge and skills of the
student and determines the content and the types of studies and reporting.
The program is designed for lecturers, teaching this discipline, teaching assistants and students of
080500.68 "Business Informatics" teaching direction of Master training, studying for Master's program
"Business Informatics".
The program is designed in accordance with:


2
educational standard of the Federal State Autonomous Educational Institution of
Higher Professional Education "National Research University" Higher School of
Economics ", the level of training: Master, approved 26/06/2011;
working curriculum of the University for the 38.04.05 "Business Informatics" Master
training direction for the Master's program "Business Informatics, approved in 2014.
Objective of the discipline mastering
The aim of the course is to teach students to use their generalized knowledge in various
fields of IT for estimation of information system (IS) characteristics and IS-related controls.
This course is based on the program of CISA (Certified Information Systems Auditor) exam
and introduces students to the concepts and practical methods of full cycle of IS auditing.
This is the main feature of the course that distinguishes it from other similar disciplines
studied in Russian and foreign Universities and aimed usually to separate categories of audit
(e.g., audit of Information Security Management, IT strategy audit, Network Infrastructure
audit etc.).
3
Student’s competence formed as a result of the discipline mastering
As a result of the discipline mastering the student must:

know: Control objectives and controls related to information systems.
Audit planning and audit project management techniques. Risk assessment
concepts, tools and techniques in an audit context. Applicable regulations that
affect the scope, evidence collection and preservation, and frequency of audits.
Fundamental business processes including relevant IT.
 be able to apply: IT Audit Assurance Standards, Guidelines, and Tools and
Techniques. Evidence collection reporting and communication techniques.
 have the skills (gain experience) in audit project planning and assessing of main
information systems characteristics.
As a result of the discipline mastering the student acquires the following competencies:
2
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
Competencies
Descriptors - the
main criteria of the
mastering (indicators
of results
achievement)
Forms and methods
of studying,
contributing to the
formation and
development of
competence
Ability to make managerial
SK-M5
decisions, rate their possible
consequences and take responsibility
for them
Demonstrate
Lectures, seminars,
homework
Ability to analyze, verify and assess
information integrity, collect or
synthesize missing data
Have knowledge and
skills
Lectures, seminars,
homework
Ability to conduct research and
PK-12
prepare analytical materials to make
strategic decisions in the sphere of
information technologies
Have knowledge and
skills
Lectures, seminars,
homework
Ability to define and spread common SLК –М3
objectives in professional and social
activity
Have knowledge and
skills
Lectures, seminars,
homework
Ability to develop, describe and
control technological requirements
and regulations
Have knowledge and
skills
Lectures, seminars,
homework
4
Code by FSAES/
NRU HSE
SК-М6
SLК-М9
Place of the discipline in the structure of educational program
This discipline is optional for specialization "Information systems management" within the
Master's program "Business Informatics"
The study of this discipline is based on the following disciplines:
 "Design of Information Systems";
 "IT-service management";
 "Improving enterprise architecture".
For the discipline mastering, students should know conceptual foundations of enterprise
architecture, basic classes of information systems for business management, fundamental
business processes including relevant IT- processes, best practices and up-to-date standards in
3
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
the field of information technology (PMBOK, ISO/IEC 15288, ITIL, CobIT), methodologies of
information systems design and implementation, be able to organize and synthesize information to
develop specific proposals to improve IT-management processes.
Main provisions of the discipline should be used further to prepare master theses, scientific articles and
reports.
The total complexity of discipline is a 6 credit units.
5
№
Thematic plan of the disciplin
1.
2.
3.
4.
5.
6.
Classroom training
Total,
hours
Lecture
Seminar
Independent
study
The Process of Auditing
Information Systems
Governance
and
Management of Information
Technologies
Information
Systems
Acquisition, Development
and Implementation
Information
Systems
Operations,
Maintenance
and Support
Protection of Information
Assets
Business Continuity and
Disaster Recovery
44
6
8
30
44
6
8
30
36
4
8
24
32
4
8
20
30
4
6
20
30
4
6
20
Total
216
28
44
144
Topics
1. The Process of Auditing Information Systems
Main tasks of auditor:

Develop and implement a risk-based IT audit strategy.

Plan specific audits to determine whether information systems are protected, controlled and
provide value to the organization.

Conduct audits in accordance with IT audit standards.

Report audit findings and make recommendations to key stakeholders.

Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken
by management in a timely manner.
Main areas of auditing expertise: IT Audit and Assurance Standards, Guidelines, and Tools and
Techniques; Code of Professional Ethics; and other applicable standards. Risk assessment concepts, tools
4
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
and techniques in an audit context control objectives and controls related to information systems. Audit
planning and audit project management techniques fundamental business processes including relevant IT
evidence collection techniques (e.g., observation, inquiry, inspection and interview data analysis) used to
gather protect and preserve audit evidence. Compliance and substantive testing. Reporting and
communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure).
2. Governance and Management of Information Technologies
Main objectives to be evaluated:

The effectiveness of the IT governance structure.

IT organizational structure and human resources (personnel) management.

IT strategy.

IT policies, standards and procedures.

Adequacy of the quality management system to determine whether it supports the organization's
strategies and objectives in a cost-effective manner.

IT management and monitoring of controls.

IT resource investment.

IT contracting strategies and policies. Risk management practices.

Monitoring and assurance practices.
Main areas of auditing expertise: IT governance, management, security and control frameworks, and
related standards, guidelines and practices. The purpose of IT strategy, policies, standards and procedures
for an organization and the essential elements of each. The organizational structure, roles and
responsibilities related to IT the processes for the development, implementation and maintenance of IT
strategy, policies, standards and procedures. Quality management systems. Maturity models. IT resource
investment and allocation practices, including prioritization criteria (e.g., portfolio management, value
management, project management). IT supplier selection, conflict management, relationship management
and performance monitoring processes including third-party outsourcing relationships enterprise risk
management practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key
performance indicators [KPIs]). IT human resources (personnel) management practices used to invoke the
business continuity plan.
3. Information Systems Acquisition, Development and Implementation
Main objectives to be evaluated:

Business case for proposed investments in information systems.

Project management practices and controls.

Controls for information systems during the requirements, acquisition, development and testing
phases.
5
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"

Readiness of information systems for implementation and mitigation into production to determine
whether project deliverables, controls and the organization's requirements are met.

Post-implementation reviews of systems.
Main areas of auditing expertise: Benefits realization practices (e.g., feasibility studies, business cases,
total cost of ownership [TCO], ROI). Project governance mechanisms (e.g., steering committee, project
oversight board, project management office). Project management control frameworks, practices and
tools. Risk management practices applied to projects IT architecture related to data, applications and
technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
acquisition practices (e.g., evaluation of vendors, vendor management, escrow). Requirements analysis
and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability
management, security requirements). Project success criteria and risks. Control objectives and techniques
that ensure the completeness, accuracy, validity and authorization of transactions and data. system
development methodologies and tools, including their strengths and weaknesses (e.g., agile development
practices, prototyping, rapid application development [RAD]; object-oriented design techniques). Testing
methodologies and practices related to information systems development. Configuration and release
management relating to the development of information systems. System migration and infrastructure
deployment practices and data conversion tools, techniques and procedures. Post-implementation review
objectives and practices.
4. Information Systems Operations, Maintenance and Support
Main objectives to be evaluated:

Periodic reviews of in format ion systems to determine whether they continue to meet the
organization's objectives.

Service level management practices.

Third-party management practices.

Operations and end-user procedures.

Process of information systems maintenance.

Data administration practices.

Capacity and performance monitoring tools and techniques.

Problem and incident management practices.

Change, configuration and release management practices.

Adequacy of backup and restore provisions organization's disaster recovery plan.
Main areas of auditing expertise: Service level management practices and the components within a
service level agreement. Techniques for monitoring third-party compliance with the organization's
internal controls. Operations and end-user procedures for managing scheduled and nonscheduled
processes. The technology concepts related to hardware and network components, system software and
database management systems. Control techniques that ensure the integrity of system interfaces. Software
licensing and inventory practices. system resiliency tools and techniques (e.g., fault tolerant hardware,
elimination of single point of failure, clustering). Database administration practices. Capacity planning
6
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
and related monitoring tools and techniques. Systems performance monitoring processes, tools and
techniques (e.g., network analyzers system utilization reports, load balancing). Problem and incident
management practices (e.g., help desk, escalation procedures, tracking). Processes for managing
scheduled and nonscheduled changes to the production systems and / or infrastructure including change,
configuration, release and patch management practices. Data backup, storage, maintenance, retention and
restoration practices.
5. Protection of Information Assets
Main objectives to be evaluated:

Information security policies, standards and procedures.

Design, implementation and monitoring of system and logical security controls.

Design, implementation and monitoring of the data classification processes and procedures for
alignment with the organization's policies, standards, procedures and applicable external
requirements.

Design, implementation and monitoring of physical access and environmental controls.

Processes and procedures used to store, retrieve, transport and dispose of information assets
Main areas of auditing expertise: Techniques for the design, implementation and monitoring of security
controls, including security awareness programs. Processes related to monitoring and responding to
security incidents (e.g., escalation procedures, emergency incident response team). Logical access
controls for the identification, authentication and restriction of users to authorized functions and data.
Security controls related to hardware, system software (e.g., applications, operating systems), and
database management systems. Risks and controls associated with virtualization of systems.
Configuration, implementation, operation and maintenance of network security controls. Network and
Internet security devices, protocols and techniques. Information system attack methods and techniques.
Detection tools and control techniques (e.g., malware, virus detection, spyware). Security testing
techniques (e.g., intrusion testing, vulnerability scanning). Risks and controls associated with data
leakage. Encryption- related techniques. Public key infrastructure (PKI) components and digital signature
techniques. Risks and controls associated with peer-to-peer computing, instant messaging, and web-based
technologies (e.g., social networking, message boards, blogs). Controls and risks associated with the use
of mobile and wireless devices. Voice communications security (e.g., PBX, VoIP). The evidence
preservation techniques and processes followed in forensics investigations (e.g., IT, process, chain of
custody). Data classification standards and supporting procedures. Physical access controls for the
identification, authentication and restriction of users to authorized facilities. Environmental protection
devices and supporting practices. Processes and procedures used to store, retrieve, transport and dispose
of confidential information assets.
6. Business Continuity and Disaster Recovery
Main objectives to be evaluated:

The adequacy of backup and restore provisions to ensure the availability of information required
to resume processing.

The organization's disaster recovery plan.
7
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"

The organization's business continuity plan.
Main areas of auditing expertise: Data backup, storage, maintenance, retention and restoration processes,
and practices. Regulatory, legal, contractual and insurance issues related to business continuity and
disaster recovery. Business Impact Analysis (BIA). Development and maintenance of the business
continuity and disaster recovery plans. Business continuity and disaster recovery testing approaches and
methods. Human resources management practices as related to business continuity and disaster recovery
(e.g., evacuation planning, response teams). Processes used to invoke the business continuity and disaster
recovery plans. Types of alternate processing sites and methods used to monitor the contractual
agreements (e.g., hot sites, warm sites, cold sites).
6
Educational Technology
Following educational technologies are used in the implementation of different types of learning: lectures,
reports, discussion, cases review.
7
Evaluation tools for monitoring and certification of the student
Progress Tests (fragments)
Topic 1
01. Which of the following is the MOST important reason why an audit planning process
should be reviewed at periodic intervals?
A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards
02. When performing a computer forensic investigation [судебное расследование], in
regard to the evidence gathered, an IS auditor should be MOST concerned with:
A. Analysis.
B. Evaluation.
C. Preservation.
D. Disclosure.
03. The internal audit department of an organization has developed and maintained ACL
scripts for continuous auditing purposes. These scripts were provided to IT management
for continuous monitoring purposes. This situation resulted in a potential conflict related
to the auditors independence and objectivity. Which of the following actions would
BEST resolve this issue?
A. The internal audit team should stop sharing the scripts so that IT management must
develop its own scripts.
8
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
B. Since continuous monitoring and continuous auditing are similar functions, IT
management should assign the continuous monitoring tasks to the internal audit
department.
C. IT management should continue to use the scripts for continuous monitoring purposes
with the understanding that it is responsible for testing and maintaining the scripts that it
uses.
D. The internal audit team should review the areas where these scripts are being used and
reduce the audit scope and frequency for those areas.
Topic 2
01. In an organization where an IT security baseline has been defined, the IS auditor
should FIRST ensure:
A. Implementation
B. Compliance
C. Documentation
D. Sufficiency
02. Which of the following duties would be a concern if performed along with systems
administration?
A. Access rule maintenance
B. System audit trail review
C. Data librarian
D. Performance monitoring
03. Which of the following BEST describes an IT department's strategic planning
process?
A. The IT department will have either short-range or long-range plans depending on the
organization's broader plans and objectives.
B. The IT department's strategic plan must be time- and project-oriented, but not so
detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals,
technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the
short-range plans or the organization since technological advances will drive the IT
department plans much quicker than organizational plans.
Topic 3
01. The most common reason for the failure of information systems to meet the needs of
users is that:
A. User needs are constantly changing.
B. The growth of user requirements was forecast inaccurately.
9
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
C. The hardware system limits the number of concurrent users.
D. User participation in defining the system’s requirements was inadequate.
02. An IS auditor is assigned audit a software development project which is more than 80
percent complete, but has already overrun time by 10 percent and costs by 25 percent.
Which of the following actions should the IS auditor take?
A. Report that the organization does not have effective project management
B. Recommend the project manager be changed
C. Review the IT governance structure
D. Review the conduct of the project and the business case
03. A request for a change to a report format in a module (subsystem) was made. After
making the required changes, the programmer should carry out:
A. Unit testing.
B. Unit and module testing.
C. Unit, module and regression testing.
D. Module testing.
Topic 4
01. When assessing the portability of a database application, the IS auditor should verify
that:
A. A structured query language (SQL) is used.
B. Information import and export procedures exist with other systems.
C. Indexes are used.
D. All entities have a significant name and identified primary and foreign keys.
02. Which of the following would an IS auditor expect to find in a console log?
A. Names of system users
B. Shift supervisor identification
C. System errors
D. Data edit errors
03. In a LAN environment, which of the following minimizes the risk of data corruption
during transmission?
A. Using end-to-end encryption for data communication
B. Using separate conduits for electrical and data cables
C. Using check sums for checking the corruption of data
D. Connecting the terminals using a star topology
Topic 5
01. Which of the following steps would an IS auditor normally perform FIRST in a data
center security review?
10
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
A. Evaluate physical access test results.
B. Determine the risks/threats to the data center site.
C. Review business continuity procedures.
D. Test for evidence of physical access at suspect locations.
02. Which of the following concerns associated with the World Wide Web would be
addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. A delay in Internet connectivity
D. A delay in downloading using File Transfer Protocol (FTP)
03. When auditing security for a data center, an IS auditor should look for the presence of
a voltage regulator (surge protector) to ensure that the:
A. Hardware is protected against power surges.
B. Integrity is maintained if the main power is interrupted.
C. Immediate power will be available if the main power is lost.
D. Hardware is protected against long-term power fluctuations.
Topic 6
01. Which of the following is the best way to ensure that the company’s backup tapes can
be used at a warm site?
A. Retrieve the tapes from the off-site facility and verify that the equipment at the
original site can read them
B. Test them on the vendor’s machine, which won’t be used during an emergency
C. Inventory each tape kept at the vendor’s site twice a month
D. Test them on the equipment maintained within the hot site
02. Prior to a live disaster test, which of the following is most important?
A. Restore all files in preparation for the test
B. Document expected findings
C. Arrange physical security for the test site
D. Conduct a successful structured walk-through
03. Which is not one of the primary goals of BIA?
A. Criticality prioritization
B. Downtime estimation
C. Determining requirements for critical business functions
D. Deciding on various tests to be performed to validate the business continuity plan
11
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
Final exam topics
1. IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of
Professional Ethics.
2. Risk assessment concepts, tools and techniques in an audit context.
3. Control objectives and controls related to information systems.
4. Audit planning.
5. Evidence collection techniques (e.g., observation, inquiry, inspection, interview data
analysis) used to gather protect and preserve audit evidence.
6. Audit sampling methodologies.
7. Organizational structure, roles and responsibilities related to IT
8. Processes for the development, implementation and maintenance of IT strategy, policies,
standards and procedures.
9. The use of maturity models.
10. Practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key
performance indicators [KPIs])
11. Project governance mechanisms (e.g., steering committee, project oversight board,
project management office).
12. Acquisition practices (e.g., evaluation of vendors, vendor management, escrow).
13. Control objectives and techniques that ensure the completeness, accuracy, validity and
authorization of transactions and data.
14. System development methodologies and tools, including their strengths and weaknesses
(e.g., agile development practices, prototyping, rapid application development [RAD];
object-oriented design techniques).
15. Testing methodologies and practices related to information systems development.
16. Configuration and release management relating to the development of information
systems.
17. Techniques for monitoring third-party compliance with the organization's internal
controls.
18. Operations and end-user procedures for managing scheduled and nonscheduled
processes.
19. Control techniques that ensure the integrity of system interfaces.
20. Software licensing and inventory practices.
21. System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single
point of failure, clustering).
22. Capacity planning and related monitoring tools and techniques.
23. Data backup, storage, maintenance, retention and restoration practices.
24. Processes related to monitoring and responding to security incidents (e.g., escalation
procedures, emergency incident response team).
25. Security controls related to hardware, system software (e.g., applications, operating
systems), and database management systems.
26. Risks and controls associated with virtualization of systems.
27. Network and Internet security devices, protocols and techniques.
28. Information system attack methods and techniques.
29. Security testing techniques (e.g., intrusion testing, vulnerability scanning).
30. Risks and controls associated with data leakage.
12
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
31. Risks and controls associated with peer-to-peer computing, instant messaging, and webbased technologies (e.g., social networking, message boards, blogs).
32. Controls and risks associated with the use of mobile and wireless devices.
33. The evidence preservation techniques and processes followed in forensics investigations
(e.g., IT, process, chain of custody).
34. The processes and procedures used to store, retrieve, transport and dispose of confidential
information assets.
35. Data backup, storage, maintenance, retention and restoration processes, and practices
36. Regulatory, legal, contractual and insurance issues related to business continuity and
disaster recovery
37. Business Impact Analysis (BIA)
38. The development and maintenance of the business continuity and disaster recovery plans
39. Business continuity and disaster recovery testing approaches and methods.
40. Processes used to invoke the business continuity and disaster recovery plans.
41. Types of alternate processing sites and methods used to monitor the contractual
agreements (e.g., hot sites, warm sites, cold sites).
Essay topics (examples)
1. Information Technology investment methodologies
2. A Real Option strategic decision for IT project selection
3. Customer-related IT investments.
4. Managerial decision-making about IT Investment
5. Efficiency enhancing effects of IT investment
6. A Risk Management approach to IT Services Contract design
7. IT Portfolio Selection methods
8. Economics of Information Technology Outsourcing
9. Information technology process improvement
10. The international economics of information technology
11. Return On Investment as an indicator of success.
12. Measurement of information technology investment risks.
8
Educational-methodical and information support of discipline
Textbooks
Core reading
1. CISA Review Manual 2013. ISACA. 2013. ISBN 1604203005 / 978-1604203004
2. Peter Gregory. CISA Certified Information Systems Auditor All-in-One Exam Guide, 2nd
Edition. McGraw-Hill Osborne Media; 2 edition. 2011. ISBN 0071769102 / 9780071769105
3. Richard E. Cascarino. Auditor's Guide to IT Auditing. Step-by-step guide to successful
implementation and control of IT systems—including the Cloud. Wiley; 2 edition. 2012.
ISBN 1118147618 / 978-1118147610.
13
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
Extended reading
1. James A. Hall. Information Technology Auditing. South-Western College Pub; 3 edition.
2010. ISBN 1439079110 / 978-1439079119.
2. COBIT 5 ISACA, 2013. http://www.isaca.org/COBIT/Pages/Product-Family.aspx
3. Chris Davis, Mike Schiller, Kevin Wheeler. IT Auditing Using Controls to Protect
Information Assets, 2nd Edition. -McGraw-Hill Osborne Media; -2011; 512p.
4. Craig S. Wright. IT Regulatory and Standards Compliance Handbook: How to Survive
Information Systems Audit and Assessments. – Syngress; 2008. 750p.
5. Шеремет А.Д., Суйц В.П. Аудит. М. Инфра-М. 2009 ISBN 978-5-16-002517-9. (657
Ш492).
6. Insu Park. Ph.D.Thesis: Essays on Information Assurance. University of New York at
Buffalo. 2010. UMI Number: 3423590. ProQuest LLC.
7. Asunur Cezar. Ph.D.Thesis: Essays On Information Security And Risk Management. The
University of Texas at Dallas. 2009. UMI Number: 3391603. ProQuest LLC.
8. David Stamm. Ph.D.Thesis: Information Assurance Practice and Standards for Commercial
Business. Walden University. 2011. UMI Number: 3457224. ProQuest LLC
9. Said Ghezal. Ph.D.Thesis: Information Assurance Alignment: A Study Of Performance
Impacts. Capella University. 2011. UMI Number: 3443661. ProQuest LLC.
10. Kiron Ravindran. Ph.D.Thesis: Governance Mechanisms in Information Technology
Outsourcing. UNIVERSITY OF CALIFORNIA, IRVINE. 2010. UMI Number: 3404761.
ProQuest LLC.
9
Procedure for the formation of estimates on discipline
Generating estimates of the discipline is made in accordance with the Regulations on the
organization of the control of knowledge, approved by the Academic Council of the HSE.
Calculation of the grade
The grade for the course (Qfinal ) is determined as weighted average of follows marks:
Q1-6 =1/6  Qi - the mark for progress tests, Qi = (1…10) – the mark for the topic i;
Qe – the mark for the essay, Qe = (1…10);
Qcs – the mark for the case study, Qcs = (1…10);
Qexam– the mark for the exam Qexam = (1…10);
Qfinal = 0,3 Q1-6 +0,2 Qe + 0,2 Qcs+ 0,3 Qexam
14
"National Research University - Higher School of Economics"
Program of Discipline " Information Systems Audit"
for Master training direction 38.04.05 "Business Informatics"
10 Inventory and logistics support of discipline
Personal computer (laptop) and a projector are used for lectures and seminars. Technical
equipment of computer classes may be used too.
Author of the program
Grekul V.I.
15
Download