Bit 2318 Information System Audit
a. State any two basic operations that can be supported by information systems. We looked
into the topic of operations when discussing two basic types of business processes – operational and
strategic. In everyday life, managers usually talk about operations, rather than operational processes.
The very term has a military origin, as in “military operation.”
(2 marks)
b. List any two professional requirements that IS auditors need to observe when
conducting an audit. Honesty: An auditor must be honest in his work if he has to carry
out his duties successfully. ...
Tactful: The auditor should be tactful in dealing with the client's staff.
Ability to Work Hard: The auditor must have a painstaking attitude and
willingness to work hard.
(2 marks)
g. Describe two key areas of IS audit that are of interest in project management. Identify all of
the project's issues, concerns and challenges. Identify all of the project's opportunities that
can be realised through the report's recommendations. Identify the lessons learned that can
improve the performance of future projects within the organisation
(2 marks)
(2 marks)
i. State any two risk categories whose materiality may go undetected during auditing.
(2 marks)
m. Explain the role of computer forensics to IS audit. A forensic audit is an analysis and
review of the financial records of a company or person to extract facts, which can be used in a
court of law. Forensic auditing is a speciality in the accounting industry, and most major
accounting firms have a forensic auditing department. (2 marks)
n. Describe two techniques that can be used to gather evidence in an audit exercise. Audit
procedures to obtain audit evidence can include inspection, observation, confirmation,
recalculation, reperformance, and analytical procedures, often in some combination, in addition
to inquiry.
(2 marks)
o. List any four items that should be addressed during disaster recovery audit.
Create a disaster recovery team. ...
Identify and assess disaster risks. ...
Determine critical applications, documents, and resources. ...
Specify backup and off-site storage procedures. ...
Test and maintain the DRP
(2 marks)
The rise of social media has changed how companies communicate with their customers.
Companies can use social media for advertising or customer service, as they are able to talk to
customers in a way that makes them feel more connected with the brand.
Even if a company is not a technology company, it still needs data such as sales data, financial
records, inventory information and customer records. IT systems allow an organization to collect,
store, manage and utilize data.
The days of storing information on paper in rows of filing cabinets are gone; databases store vast
amounts of information for businesses. And with the introduction of cloud technology, this
information can often be accessed at any time from anywhere.
IT tools allow organizations to take raw data and put it in a format that allows for analyzing.
Consumers do not feel comfortable giving their data away to companies who cannot keep it
secure. IT security measures prevent this from happening.
These systems keep track of where an individual may be in the sales pipeline and aggregate all
information so the company can provide a better user experience. Without IT, this process would
not be nearly as effective.
Improvement of Processes
(4 marks)
b. Describe any four important considerations that need to be taken into account during IS
audit planning. Size of the company and nature of its operations. Accounting system,
internal control and adherence to standard. Environment in which the company operates.
Knowledge of client's business (4 marks)
c. Explain any four general areas that an internal auditor can review in its infrastructure.
Size of the company and nature of its operations. Accounting system, internal control and
adherence to standard. Environment in which the company operates. Knowledge of client's
business.
(4 marks)
d. Explain any four IS standards that Auditors have to observe in their profession.
(4 marks)
e. What is a work paper? Explain two qualities of a good work paper. Working Papers are
pre-publication versions of academic articles, book chapters, or reviews. Papers posted on this
site are in progress, under submission, or in press and forthcoming elsewhere. ... Working
Papers are offered on this site by the author, in the interests of scholarship. Working
Papers are not refereed
Each of the audit working papers should have a proper subject, objective, name of the client,
date of the working paper, the period of audit, sources of evidence, staff who prepare, and staff
who review. References to relevant working papers should be properly cross-referenced. (4 marks)
c. State what is meant by IS control procedures, and list any three of such procedures.
(4 marks)
e. Describe the basic process that an internal Auditor can follow when responding
to a security incident. Preparation. Preparation is the key to effective incident
response. ...
Detection and Reporting. The focus of this phase is to monitor security events in
order to detect, alert, and report on potential security incidents. ...
Triage and Analysis. ...
Containment and Neutralization. ...
Post-Incident Activity.
(4 marks)
a. Describe the procedures that you as an IS Auditor would require when performing Audit
testing and evaluation activities. A typical audit is comprised of four stages: planning,
fieldwork, reporting, and follow-up. (4 marks)
b. Explain any four guiding tools that can be used during audit planning. A
process audit may: Check conformance to defined requirements such as time, accuracy,
temperature, pressure, composition, responsiveness, amperage, and component mixture
(4 marks)
d. Describe the basic types that are followed during computer forensics exercise.
Policy and Procedure Development. ...
Evidence Assessment. ...
Evidence Acquisition. ...
Evidence Examination. ...
Documenting and Reporting
(4 marks)
e. State any four activities that an auditor can consider when auditing a business
continuity plan of an IT department. Review IT organizational structure.
Review IT policies and procedures.
Review IT standards.
Review IT documentation.
Review the organization's BIA.
Interview the appropriate personnel.
Observe the processes and employee performance.
(4 marks)
a. Giving real case examples, explain two IT control categories. Separation of duties. Pre-
approval of actions and transactions (such as a Travel Authorization) Access controls (such as
passwords and Gatorlink authentication) Physical control over assets (i.e. locks on doors or a
safe for cash/checks) (4 marks)
b. Describe any four tools that can be used to perform an effective audit. This would
include programs such as data analysis and extraction tools, spreadsheets (e.g. Excel),
databases (e.g. Access), statistical analysis (e.g. SAS), generalized audit software (e.g. ACL,
Arbutus, EAS), business intelligence (e.g. Crystal Reports and Business Objects), (4 marks)
d. State the basic criteria that IS auditors consider when administering evidence in their
audit reports. The auditor considers many factors in determining the nature, timing,
and extent of auditing procedures to be performed in an audit of an entity's financial
statements. One of the factors is the existence of an internal audit function.
(4 marks)
e. Discuss any four roles of IS auditors when auditing a disaster recovery plan.
Assisting with risk analysis during planning and development stages
Critically evaluating the plan once drafted
Providing the business with assurance the plan is current through regular audits
(4 marks)