UQ Business School
19th February 2023



BISM7221 Information Systems
Control, Governance and Audit
Report – Business Consulting Report
(IS Recommendations)
Assessment Guideline
SEMESTER 1 2023
UQ Business School
19th February 2023

BISM7221 Information Systems Control, Governance, and Audit – Business Consulting Report (IS Recommendations)
Assessment Guideline
(Semester 1 2023)
1
Purpose
This document identifies the requirements for this assessment and a marking rubric to provide
guidance in undertaking this assessment.
Details:
Type: Report
Due Date: 2:00pm 9th June 2023
Weight: 50%
In Brief: One Business Consulting Report with recommendations to inform the Company's
Board and Management regarding IT Governance, Fraud assessment, and
assessment of General controls and Operations to improve business performance.
Task Description
This is an individual assignment.
Students will use their understanding from the course of IT governance, fraud detection, and general
controls to prepare a Business Consulting Report with recommendations that improve business
performance.
This report is derived from a case organisation described in the Assignment Specification.
The Business Consulting Report will require analytical skills to assess the case organisation's portfolio
of IT governance mechanisms, consider the potential for fraud arising from weaknesses in the internal
control mechanisms, document any findings of fraud, and how to improve organisational performance
through recommendations that strengthen the internal controls environment.
The report will document the project rationale and approach, findings, and key recommendations for
IT governance, fraud prevention, and the IT general controls environment.
The report is a cohesive document that can be communicated to the client.
The results are communicated as a Business Consulting Report of 8 to 12 pages in length (excluding
appendices).
Students are to use SQL data analytic techniques used in tutorials for fraud detection work and use
Excel data visualisations to highlight their findings in the report.
These visualisations should be to a high standard as they are to be communicated directly to the
client.
Software Required:
• PostgreSQL is available as open source software for installation on your own computer
• PostgreSQL is not installed on the University's computer laboratories
• Excel is available as part of the Office 365 package available to students free-of-charge and
installation on your own computer
Key to success in this assessment is a professional Business Consulting Report that demonstrates
completeness, attention to detail, insightful analysis, and clear communication.
UQ Business School
19th February 2023

BISM7221 Information Systems Control, Governance, and Audit – Business Consulting Report (IS Recommendations)
Assessment Guideline
(Semester 1 2023)
2
Criteria and Marking
The grading rubric allocates marks to six dimensions:
• IT Governance assessment and recommendations (10%)
• Assessment of Internal Controls and Recommendations (20%)
• Fraud assessment, detection, conclusions, and recommendations (20%)
• Assessment of Operational Performance and Recommendations (20%),
• Design and Performance of SQL Tests (20%),
• Presentation and Communication (10%).
A full and complete Business Consulting Report (between 8 and 12 pages in length excluding title
pages and appendices) is to be submitted.
Requirements
This assessment task is a full and complete Business Consulting Report, formatted
professionally and appropriately.
Students shall address this task individually.
This Business Consulting Report is to be written by you as an individual consultant that has been
asked to use your understanding of IT governance as well as the systems analytical skills and
techniques to provide advice to a client identified in the accompanying Assignment Specification.
The Assignment Specification is provided on Learn.UQ as a supporting document separate to this
Guideline. You are to document the results of your analysis as a business consulting report. The
business consulting report is addressed to the audience noted in the Assignment Specification but is
to be executed to a high standard as this report will be provided to the Board and Chief Executive
Officer.
In the Assignment Specification, you are provided with four Guiding Questions. Answering these
questions requires that you apply your understanding of IT Governance and IT General Controls to
provide IT governance and operational advice, and use the PostgreSQL and Microsoft Excel tools to
undertake fraud analysis.
The data files used are provided with the Assignment Specification in the assessment folder –
it is a zip file that will need to be unzipped. You are to download these files to your computer
and import the data into PostgreSQL
Format
Your report should be typed (in Times Roman 10-point font or equivalent, single-spaced) and it should
be between 8 and 12 pages in length (excluding Executive Summary, appendices, figure,
diagrams, tables, or, where used, references in the reference list). In all ways you should format
the report to conform to the standards of a professional business consulting report.
On the cover/title page note the essay title, your student number, name, the course code and course
title, the date, the word count (excluding cover page, Executive Summary, appendices, figures,
diagrams, tables, appendices and, where used, references in the reference list) and the
reference citation style where relevant.
The length of the main body of the report report is specified as being no more than 12 pages in
length. You should write a consulting report that, in your professional judgment, best addresses the
Guiding Questions whilst also aiming for clarity and conciseness. Too short and there may be
insufficient detail. Too long, and you may not have summarised the material sufficiently.
Use appendices well for reference and supporting material.
UQ Business School
19th February 2023

BISM7221 Information Systems Control, Governance, and Audit – Business Consulting Report (IS Recommendations)
Assessment Guideline
(Semester 1 2023)
3
Figures/diagrams/tables presented in the main body of the report should not exceed one page.
There is no limit on the number of pages of appendices.
However, in this vein, you should think in terms of a highly paid, busy senior executive spending his or
her time reading your report. You would want to get your arguments across forcefully, but not waste
the person's time. The senior executive would probably not read the appendices, so the body of your
report should be able to stand on its own and match to the expectations of a business consulting
report. The senior executive's staff analysts would likely examine your appendices in depth, however,
so they must also be executed and presented to a high standard.
You may need to use external independent sources in support of the arguments you present in the
report, or the tests that you discuss. References when used can be cited using APA 7th, Chicago, or
Vancouver styles (you must note the referencing style on the title page). Other citation styles may
be allowed through permission granted by the lecturer.
Always remember that the report should conform to the standards of a professional business
consulting report.
Frequently Asked Questions
• Are independently researched quality academic sources required, and what are they?

No they are not required. You may however choose to cite such sources in support of your
answers to guiding questions.

• Can we cite non-academic ‘industry’ sources?

Yes you can, although are not required. You may however choose to cite such sources in
support of your answers to guiding questions.

• How long does the report need to be?

The specification sheet says that the main body of the report (excluding title page, executive
summary, and appendices) should be no more than 12 pages in length in Times Roman 10-
point font or equivalent. You will need to keep in mind the need for a professionally presented
report. The main part of the report should be sufficient for the busy executive to understand
the core answers addressing the guiding questions. Detailed material and reports (query files,
long reports, etc.) should be placed in the appendices.

In writing your report, consider the busy executive who is reading the report, and aim for
efficiency and ease of communication rather than for density and exhaustive analysis in the
main report. Each student’s response will vary, not least due to the selected format and
approach. Although no minimum length is specified, it is likely though that the main report will
be somewhere in the range of between 8 to 12 pages in length.

Given the usual rule of thumb of approximately 10% leeway – the report should not be
more than 14 pages in length.

Appendices and detailed analysis can (and should) be included in appendices to support your
overall analysis. You should include some detail in the main body of your report and provide
greater detail in the appendices.

UQ Business School
19th February 2023

BISM7221 Information Systems Control, Governance, and Audit – Business Consulting Report (IS Recommendations)
Assessment Guideline
(Semester 1 2023)
4
• How professional is professional? What does that even mean?

It means that in every way the report is true to what you would expect a professional to
provide in a consulting engagement. The internet has several examples available.

Several pointers:

• Use dot points judiciously. Perhaps open and close your answer to each question with a
full paragraph, but focused dot points statements that explicitly address the question are
clear and concise in a business report.
• Consider following an exemplar format of a consulting report that you have found as a
guide. If this is done, however, be sure that the report is structured to clearly relate to the
guiding questions set out in the Assignment Specification.
• Do not allow your report to become waffly, vague, and wordy. Explicitly identify
recommendations made (for example, "It is recommended that [insert
recommendation].").
You should structure your report to match the requirements of the case.

• What goes on the cover page again?

On the cover/title page note the essay title, your student number, name, the course code and
course title, the date, the word count (excluding Cover Page, Abstract,
Figures/Diagrams/Tables, Appendices and References) and the reference citation style.
Assessment
The criterion-based marking rubric below applies the Criteria and Marking noted above. Part marks
are rounded up to the nearest half mark.
Assignment Submission
There will be electronic submission of assignments through TurnItIn in the course website (Learn.UQ)
under Assessment. The drop-box will remain open to allow for late submission.
Your document must be submitted in either Microsoft Word document format or PDF format.
You must name your document with your last name followed by your initial(s) (e.g., Smith_A.doc). All
students will receive an electronic copy of their marked assignment through Learn.UQ.
When you submit your assignment to the drop−box, this act will certify that you have acknowledged
and understand the Plagiarism Statute of the University of Queensland.
As a safeguard, you may wish to submit your assignment to the lecturer by electronic email at the
same time as submitting via Blackboard (m.axelsen@business.uq.edu.au).
Please discuss any problems that may lead to late submission with your lecturer at the earliest
possible opportunity. Items (for which no extension has been granted) submitted after the due date
and time, incur a late submission penalty. The penalty is at the rate of 10% of the total available
marks for that piece of assessment, for each calendar day or part thereof that the item is overdue.
Additional information
Additional information will be given to students in class on how to undertake the assignment.

BISM7221 – MARKING RUBRIC: BUSINESS CONSULTING REPORT (IS RECOMMENDATIONS)

BISM7221 Information Systems Control, Governance, and Audit – Business Consulting Report (IS Recommendations) Assessment Guideline
(Semester 1 2023)
5
Assessed out of 100 points and scaled back to 50 marks. Part marks are rounded up to the nearest half mark.
Below Expectations
< 50%
Meets Expectations
50% - 65%
Good
65% to 75%
Very Good
75% to 85%
Outstanding
85% to 100%
IT governance assessment and recommendations (10 points)
No IT Governance mechanisms from
the 'Engagement Model' from the
case are considered in the analysis.
Some IT Governance mechanisms
from the 'Engagement Model' from the
case are considered in the analysis.
Most Key IT Governance mechanisms
from the 'Engagement Model' from the
case are considered in the analysis.
Key IT Governance mechanisms from
the 'Engagement Model' from the
case are considered in the analysis.
All IT Governance mechanisms from
the 'Engagement Model' from the
case are considered in the analysis.
No evaluation considering current
issues and future directions is
provided.
An evaluation considering some
issues and future needs is provided.
A thorough evaluation considering
issues and future needs is provided.
A thorough evaluation is provided that
considers key issues and future
needs whilst also linking the
evaluation to the recommendations
made.
A clear and professional evaluation is
provided that considers key issues
and future needs whilst also linking
the evaluation to the
recommendations made.
Fewer than two recommendations are
provided to improve IT Governance.
Two or more recommendations are
provided to improve IT Governance.
Two or more recommendations are
provided to improve IT Governance &
the recommendations are supported
by the evaluation.
Two or more recommendations are
provided to improve IT Governance &
explicitly address the evaluation.
Two or more highly relevant
recommendations are provided to
improve the IT Governance &
explicitly address the evaluation.
Assessment of Internal Controls and Recommendations (20 points)
No physical controls are identified. Some physical controls are identified
and evaluated.
Most physical controls are identified
and evaluated.
Key physical controls are selected
according to criteria, identified and
evaluated.
Key physical controls are selected
according to criteria, identified and
thoroughly evaluated.
No general controls are identified. Some general controls are identified
and evaluated.
Most general controls are identified
and evaluated.
Key general controls are selected
according to criteria, identified and
evaluated.
Key general controls are selected
according to criteria, identified and
thoroughly evaluated.
No application controls are identified. Some application controls are
identified and evaluated.
Most application controls are
identified and evaluated.
Key application controls are selected
according to criteria, identified and
evaluated.
Key application controls are selected
according to criteria, identified and
thoroughly evaluated.
No evaluation of the internal controls
system as a whole is provided.
An evaluation of the internal controls
system as a whole is provided.
An evaluation of the internal controls
system as a whole is provided, and
the evaluation is structured and
considered in its approach.
An evaluation of the internal controls
system as a whole is provided, and
the evaluation is structured and
complete in its approach.
An evaluation of the internal controls
system as a whole is provided, and
the evaluation is insightful, structured
and complete in its approach.
Fewer than three recommendations,
are provided to improve internal
controls.
Three or more recommendations are
provided to improve internal controls.
Three or more recommendations are
provided to improve internal controls
and the recommendations address
the weakness(es).
Three or more recommendations are
provided to improve internal controls
and the link between control
weaknesses & the recommendation is
explicit.
Three or more highly relevant
recommendations are provided to
improve internal controls and the link
between control weaknesses & the
recommendation is explicit
BISM7221 – MARKING RUBRIC: BUSINESS CONSULTING REPORT (IS RECOMMENDATIONS)

BISM7221 Information Systems Control, Governance, and Audit – Business Consulting Report (IS Recommendations) Assessment Guideline
(Semester 1 2023)
6
Below Expectations
< 50%
Meets Expectations
50% - 65%
Good
65% to 75%
Very Good
75% to 85%
Outstanding
85% to 100%
Fraud assessment, detection, conclusions, and recommendations (10 points)
Two or fewer fraud detection
techniques using SQL are designed &
performed.
Most fraud detection techniques using
SQL are designed & performed (or a
reason given as to why not) to test for
the existence of fraud.
Key fraud detection techniques using
SQL are designed & performed (or a
reason given as to why not) to test for
the existence of fraud.
Key fraud detection techniques using
SQL are designed & performed (or a
reason given as to why not) to test for
the existence of fraud.
All fraud detection techniques using
SQL are designed & performed (or a
reason given as to why not) to test for
the existence of fraud.
No data visualisations (Excel Charts)
are used in support of the analysis
assessing fraud detection techniques.
Some data visualisations (Excel
Charts) are used in support of the
analysis assessing some fraud
detection techniques.
Informative data visualisations (Excel
Charts) are used in support of the
analysis assessing some fraud
detection techniques.
Informative and well-presented data
visualisations (Excel Charts) are used
in support of the analysis assessing
all fraud detection techniques.
Informative and outstandingly
presented data visualisations (Excel
Charts) are used in support of the
analysis assessing all fraud detection
techniques.
Limited fraud review results are
presented and discussed, or major
detail is missing.
Fraud review results are presented
and discussed; however, key details
are missing.
Fraud review results are presented
and discussed including key details.
Fraud review test results are
discussed, fully detailed, and clearly
explained.
Fraud review test results are
discussed, fully detailed, and clearly
explained in a concise & focused
manner.
Fewer than two recommendations are
provided that address fraud
weaknesses.
Two recommendations are provided
that address fraud weaknesses.
Two actionable recommendations are
provided that address fraud
weaknesses.
Two actionable recommendations are
provided that address fraud
weaknesses and they are relevant.
Two actionable recommendations are
provided that address fraud
weaknesses and they are highly
relevant.
Assessment of Operational Performance and Recommendations (20 points)
One or fewer operational concerns
are identified.
Two operational concern is identified. Two operational concerns are
identified and supported by an
explanation as to why they are
operational concerns.
Three operational concerns are
identified and supported by an
explanation as to why they are
operational concerns.
At least three insightful operational
concerns are identified and supported
by an explanation as to why they are
operational concerns.
No recommendation, or only one
recommendation, is provided to
address operational concerns.
Two recommendations are provided
to address the operational concern(s).
At least three recommendations are
provided to address the operational
concern(s) and a rationale for the
recommendations is provided.
At least three relevant
recommendations are provided to
address the operational concern(s).
At least four relevant to highly
relevant recommendations are
provided to address the operational
concern(s).
No rationale for recommendations is
provided, or the rationale does not link
the recommendations to identified
operational concerns.
A rationale for some
recommendations is provided that
links the recommendations to
identified operational concerns.
A rationale for some
recommendations is provided that
links the recommendations to
identified operational concerns while
recognising some dependencies
between the recommendations.
A rationale for most recommendations
is provided that links the
recommendations to identified
operational concerns while
recognising critical dependencies
between the recommendations.
A clear and concise rationale for each
recommendation is provided that links
the recommendations to identified
operational concerns while
recognising critical dependencies
between the recommendations.
An inadequate (or no) analysis in
support of recommendations made is
provided..
An analysis that supports a range of
recommendations is provided.
A high-level analysis that supports a
range of relevant recommendations is
provided.
A thorough high-level analysis that
supports an actionable range of
relevant recommendations is
provided.
A comprehensive but high-level
analysis that supports an excellent
and actionable range of relevant and
creative recommendations is
provided.
BISM7221 – MARKING RUBRIC: BUSINESS CONSULTING REPORT (IS RECOMMENDATIONS)

BISM7221 Information Systems Control, Governance, and Audit – Business Consulting Report (IS Recommendations) Assessment Guideline
(Semester 1 2023)
7
Below Expectations
< 50%
Meets Expectations
50% - 65%
Good
65% to 75%
Very Good
75% to 85%
Outstanding
85% to 100%
Design and Performance of SQL Tests (20 points)
No SQL Scripts1 are provided in
support of the assessment of internal
controls.
At least four SQL Scripts are provided
in support of the assessment of
internal controls.
At least four SQL Scripts are provided
in support of the assessment of
internal controls & most are
advanced.
At least four SQL Scripts are provided
in support of the assessment of
internal controls & all are advanced.
At least four purposeful SQL Scripts
are provided in support of the
assessment of internal controls & all
are advanced.
No SQL Scripts are provided in
support of the assessment and
detection of fraud.
At least four SQL Scripts are provided
in support of the assessment and
detection of fraud.
At least four SQL Scripts are provided
in support of the assessment and
detection of fraud & most are
advanced.
At least four SQL Scripts are provided
in support of the assessment and
detection of fraud & all are advanced.
At least four purposeful SQL Scripts
are provided in support of the
assessment and detection of fraud &
all are advanced.
No SQL Scripts are provided in
support of the assessment of
operational performance.
At least four SQL Scripts are provided
in support of the assessment of
operational performance.
At least four SQL Scripts are provided
in support of the assessment of
operational performance & most are
advanced.
At least four SQL Scripts are provided
in support of the assessment of
operational performance & all are
advanced.
At least four purposeful SQL Scripts
are provided in support of the
assessment of operational
performance & all are advanced.
Presentation and communication (10 points)
No Executive Summary is provided,
or the Executive Summary is
inadequate.
The Executive Summary summarises
most assessment points and most
recommendations made.
The Executive Summary summarises
key assessment points and key
recommendations made.
The Executive Summary summarises
all assessment points and
recommendations made.
The Executive Summary summarises
all points and recommendations made
and is clear & concise.
You have not identified the scope and
audience for the report.
You have identified the scope or
audience for the report.
You have identified the scope and
audience for the report.
You have clearly identified the scope
and audience by name for the report.
You have clearly identified the scope
and audience by name for the report
and identified the report's purpose.
The report is not written to an
adequate professional business
standard (grammar, spelling,
structure).
The report is consistently written to an
adequate professional business
standard (grammar, spelling,
structure).
The report is consistently written to a
good professional business standard
(grammar, spelling, structure).
The report is consistently written to a
high professional business standard
(grammar, spelling, structure) with
clear arguments.
The report is consistently written to a
high professional business standard
(grammar, spelling, format) with clear
arguments demonstrating logical flow.
Formatting & referencing
requirements are not addressed.
Formatting & referencing
requirements are adequate.
Formatting & referencing
requirements are good.
Formatting & referencing
requirements are addressed well.
Formatting & referencing
requirements are addressed very well.
Prepared by: Micheal Axelsen
Senior Lecturer (Business Information Systems)
Date: 19th February 2023

1 Important: A SQL script is a single SQL Statement, or a series of SQL statements that are inter-dependent. An 'advanced' SQL script is one that contains
at least three different criteria in the where clause, a group by clause with a having clause, multiple table joins, a view, or at least three sql statements in a
single script that are inter-dependent. In addition, an 'advanced' SQL Script must execute to completion without errors, and provide a final result.

学霸联盟