Bit 2318 Information System Audit


W1-2-60-1-6

JOMO KENYATTA UNIVERSITY OF AGRICULTURE AND TECHNOLOGY


UNIVERSITY EXAMINATIONS 2016/2017
YEAR IV SEMESTER II EXAMINATION FOR THE DEGREE OF BACHELOR OF
INFORMATION TECHNOLOGY
BIT 2318: INFORMATION SYSTEM AUDIT
DATE: JULY 2017 TIME: 2 HOURS
INSTRUCTIONS: Answer question one (compulsory) and any other two questions.

QUESTION ONE (30 MARKS)

a. State any two basic operations that can be supported by information systems. We looked
into the topic of operations when discussing two basic types of business processes – operational and
strategic. In everyday life, managers usually talk about operations, rather than operational processes.
The very term has a military origin, as in “military operation.”
(2 marks)

b. List any two professional requirements that IS auditors need to observe when
conducting an audit.
• Honesty: An auditor must be honest in his work if he has to carry out his duties successfully. ...
• Tactful: The auditor should be tactful in dealing with the client's staff.
• Ability to Work Hard: The auditor must have a painstaking attitude and willingness to work hard.
(2 marks)

c. Describe what is meant by IS audit. An information technology audit, or information
systems audit, is an examination of the management controls within an information technology
infrastructure and business applications. (2 marks)

d. Explain what is meant by IS controls. In business and
accounting, information technology controls (or IT controls) are specific activities performed
by persons or systems designed to ensure that business objectives are met. ... IT
application controls refer to transaction processing controls, sometimes called
"input-processing-output" controls. (2 marks)

e. Differentiate between compliance and substantive testing. (2 marks)
Compliance testing checks for the presence of controls. Substantive Testing: ... Substantive
testing checks the integrity of contents. Substantive procedures are tests designed to
obtain evidence to ensure the completeness, accuracy and validity of the data.

f. Differentiate between audit effectiveness and audit efficiency.
Effectiveness is how well a process accomplishes its objective. Efficiency is how well a
process turns inputs into outputs—more efficient processes have less waste than inefficient
processes. (2 marks)

g. Describe two key areas of IS audit that are of interest in project management. Identify all of
the project's issues, concerns and challenges. Identify all of the project's opportunities that
can be realised through the report's recommendations. Identify the lessons learned that can
improve the performance of future projects within the organisation.
(2 marks)

h. State any two reasons why it is important to perform an audit on live
applications.
1. Provides objective insight
2. Improves efficiency of operations
3. Evaluates risks and protects assets
4. Assesses organizational controls
5. Ensures legal compliance
(2 marks)

i. State any two risk categories whose materiality may go undetected during auditing.
(2 marks)

j. Differentiate between IS audit standards and guidelines. In its Statement on Auditing
Standards No. 95, the AICPA's Accounting Standards Board distinguishes between auditing
standards and audit procedures by stating that “Auditing procedures are acts that
the auditor performs during the course of an audit to comply with auditing standards.”
(2 marks)

k. Explain the need for an IT framework in a business. (2 marks)

l. List four advantages that CAATs bring to the IS business environment. (2 marks)

m. Explain the role of computer forensics to IS audit. A forensic audit is an analysis and
review of the financial records of a company or person to extract facts, which can be used in a
court of law. Forensic auditing is a speciality in the accounting industry, and most major
accounting firms have a forensic auditing department. (2 marks)

n. Describe two techniques that can be used to gather evidence in an audit exercise. Audit
procedures to obtain audit evidence can include inspection, observation, confirmation,
recalculation, reperformance, and analytical procedures, often in some combination, in addition
to inquiry.
(2 marks)

o. List any four items that should be addressed during disaster recovery audit.
• Create a disaster recovery team. ...
• Identify and assess disaster risks. ...
• Determine critical applications, documents, and resources. ...
• Specify backup and off-site storage procedures. ...
• Test and maintain the DRP
(2 marks)

QUESTION TWO (20 MARKS)

a. Discuss any four functions of IS service support in an IT business
environment.

Expanding Means of Communication
Long before computers and information technology, communication was a vital part of any
business. IT, however, has redefined the way we communicate with each other. Seemingly
everyone has a smartphone nowadays, and it is possible to contact anyone around the world
within a few clicks. Not only is this convenient for communication between employees of the same
company, but it also opens the communication lines between companies - making for more
efficient partnerships and collaborations.

IT allows an organization to communicate by multiple means, including phone, email, video
conferencing and social media. Phone and email were the two primary means of communicating in
the early days of IT, but the introduction of video conferencing has led to an increase of virtual
meetings that allow employees to save time and companies to save money on in-person meetings.

The rise of social media has changed how companies communicate with their customers.
Companies can use social media for advertising or customer service, as they are able to talk to
customers in a way that makes them feel more connected with the brand.

Data Collection and Management


Data has become one of the most valuable resources a company can have. Many companies -
Facebook and Google, for example - have built their business models around collecting users'
data and using it to sell advertisements.

Even if a company is not a technology company, it still needs data such as sales data, financial
records, inventory information and customer records. IT systems allow an organization to collect,
store, manage and utilize data.

The days of storing information on paper in rows of filing cabinets are gone; databases store vast
amounts of information for businesses. And with the introduction of cloud technology, this
information can often be accessed at any time from anywhere.

IT tools allow organizations to take raw data and put it in a format that allows for analyzing.

Information Security Management


Company IT departments should also be tasked with putting information security measures in
place to keep the company's data secure and free from hackers. Not only can data leaks lead to
fines and regulatory action, but they also put an organization's reputation at risk.

Consumers do not feel comfortable giving their data away to companies who cannot keep it
secure. IT security measures prevent this from happening.

Customer Relations Management


IT is being used to improve the way organizations interact with their customers. Specifically,
customer relationship management systems - often referred to simply as CRM in the business
world - track and organize every interaction a company has with its current and potential
customers.

These systems keep track of where an individual may be in the sales pipeline and aggregate all
information so the company can provide a better user experience. Without IT, this process would
not be nearly as effective.

Improvement of Processes
(4 marks)

b. Describe any four important considerations that need to be taken into account during IS
audit planning. Size of the company and nature of its operations. Accounting system,
internal control and adherence to standard. Environment in which the company operates.
Knowledge of client's business.
(4 marks)

c. Explain any four general areas that an internal auditor can review in its infrastructure.
Size of the company and nature of its operations. Accounting system, internal control and
adherence to standard. Environment in which the company operates. Knowledge of client's
business.
(4 marks)

d. Explain any four IS standards that Auditors have to observe in their profession.
(4 marks)

e. What is a work paper? Explain two qualities of a good work paper. Working Papers are
pre-publication versions of academic articles, book chapters, or reviews. Papers posted on this
site are in progress, under submission, or in press and forthcoming elsewhere. ... Working
Papers are offered on this site by the author, in the interests of scholarship. Working
Papers are not refereed.
Each of the audit working papers should have a proper subject, objective, name of the client,
date of the working paper, the period of audit, sources of evidence, staff who prepare, and staff
who review. Reference to relevant working papers should be properly cross-referenced. (4 marks)

QUESTION THREE (20 MARKS)


a. Describe any two scopes of auditing that can be conducted in an IT business, in each
state an example of an audit that can be carried out. (4 marks)
Audit scope, defined as the amount of time and documents which are involved in an audit, is
an important factor in all auditing. The audit scope, ultimately, establishes how deeply
an audit is performed. It can range from simple to complete, including all company documents.

b. Describe the basic procedures that are followed during a system audit process.
(4 marks)

c. State what is meant by IS control procedures, and list any three of such procedures.
(4 marks)

d. Explain four areas where CAATs can be applied in a business environment.
(4 marks)

e. Describe the basic process that an internal auditor can follow when responding
to a security incident.
• Preparation. Preparation is the key to effective incident response. ...
• Detection and Reporting. The focus of this phase is to monitor security events in
order to detect, alert, and report on potential security incidents. ...
• Triage and Analysis. ...
• Containment and Neutralization. ...
• Post-Incident Activity.
(4 marks)

QUESTION FOUR (20 MARKS)

a. Describe the procedures that you as an IS auditor would require when performing audit
testing and evaluation activities. A typical audit is comprised of four stages: planning,
fieldwork, reporting, and follow-up. (4 marks)

b. Explain any four guiding tools that can be used during audit planning. A
process audit may: Check conformance to defined requirements such as time, accuracy,
temperature, pressure, composition, responsiveness, amperage, and component mixture
(4 marks)

c. Discuss the standard components of an effective Auditing methodology. (4 marks)


There are three kinds of quality assurance audits: Process audit: Examines processes,
including the resources used and defined requirements within those processes, like weights,
times and measurements. It also examines work instructions, flow charts and worker training.

d. Describe the basic types that are followed during computer forensics exercise.
• Policy and Procedure Development. ...
• Evidence Assessment. ...
• Evidence Acquisition. ...
• Evidence Examination. ...
• Documenting and Reporting
(4 marks)

e. State any four activities that an auditor can consider when auditing a business
continuity plan of an IT department.
• Review IT organizational structure.
• Review IT policies and procedures.
• Review IT standards.
• Review IT documentation.
• Review the organization's BIA.
• Interview the appropriate personnel.
• Observe the processes and employee performance.
(4 marks)

QUESTION FIVE (20 MARKS)

a. Giving real case examples, explain two IT control categories. Separation of duties.
Pre-approval of actions and transactions (such as a Travel Authorization). Access controls (such as
passwords and Gatorlink authentication). Physical control over assets (i.e. locks on doors or a
safe for cash/checks). (4 marks)

b. Describe any four tools that can be used to perform an effective audit. This would
include programs such as data analysis and extraction tools, spreadsheets (e.g. Excel),
databases (e.g. Access), statistical analysis (e.g. SAS), generalized audit software (e.g. ACL,
Arbutus, EAS), business intelligence (e.g. Crystal Reports and Business Objects).
(4 marks)

c. Describe the major processes of managing risks during IS Audit process. (4 marks)
• Risk Management Process. ...
• Step 1: Identify the Risk. ...
• Step 2: Analyze the Risk. ...
• Step 3: Evaluate or Rank the Risk. ...
• Step 4: Treat the Risk. ...
• Step 5: Monitor and Review the Risk. ...
• The Basics of The Risk Management Process Stay the Same. ...
• Risk Management.

d. State the basic criteria that IS auditors consider when administering evidence in their
audit reports. The auditor considers many factors in determining the nature, timing,
and extent of auditing procedures to be performed in an audit of an entity's financial
statements. One of the factors is the existence of an internal audit function.
(4 marks)

e. Discuss any four roles of IS auditors when auditing a disaster recovery plan.
• Assisting with risk analysis during planning and development stages
• Critically evaluating the plan once drafted
• Providing the business with assurance the plan is current through regular audits
(4 marks)
