ARTHUR NJERU

SCT221-0543/2016

INFORMATION SYSTEM AUDIT

CAT 1

a) Explain your understanding of the term information systems Audit.

It’s an examination of the management controls for IT infrastructure and a complete
review of the security of computer systems. It determines whether information systems
are safeguarding assets, maintaining data integrity and operating effectively to achieve an
organization’s goals.

b) Explain the following terms as used in IT auditing.


I. Materiality
It’s a concept within auditing relating to the importance or significance of an
amount, transaction or discrepancy.
II. Self-Assessment audit
It’s a measure of an organization’s performance against a selected business
excellence model.
III. Work papers
They refer to the documents prepared by or used by auditors as part of their work.
IV. Service level agreement
It’s a formal agreement between two or more parties that articulates the terms and
conditions of a particular service relationship.
c) Distinguish between financial audit and IS audit.
A financial audit generally starts after the close of the financial year, once all
accounts have been made ready, whereas an IS audit may be conducted at any time,
depending on the needs and circumstances.
d) Briefly discuss why a banking organization should employ a skilled IS auditor.
Skilled IS auditors are able to provide assurance on a banking organization’s financial
statements through an objective and independent opinion, and they are also able to
maintain consistency, find errors in their processing, or detect fraud.
e) Describe the significance of Risk Analysis to an IT auditor.
It assists the IT auditor in identifying the risks and threats to an IT
environment and IS system (risks and threats that would need to be addressed by
management) and in identifying system-specific internal controls.
f) Describe the following types of illegal activities which an IS auditor may be
interested in unearthing.
i. Suppression
It is an act or instance of suppressing the books of accounts, ensuring that
they are kept against the rules stipulated in the Companies Act, and hiding the
books of accounts that show the true and fair view of the state of affairs of
the company.
ii. Racketeering
It is the act of acquiring and diverting funds from a legal business to use them for
illegal activities without the company’s knowledge.
g) Explain the following in relation to audit risks.
i. Detection risk
It is the chance that an auditor will fail to find material misstatements that exist
in an entity's financial statements. These misstatements may be due to either
fraud or error. 
ii. Operational risk
It is the risk of loss resulting from ineffective or failed internal processes,
people, systems, or external events that can disrupt the flow of business
operations. The losses can be directly or indirectly financial.
h) Distinguish between circumstantial and direct types of evidence.
Direct evidence is direct proof of a fact, such as testimony by a witness about what that
witness personally saw, heard or did. Circumstantial evidence is indirect evidence,
that is, it is proof of one or more facts from which one can find another fact.
i) Distinguish between the following types of IT audit.
a) Compliance audit
It’s an assessment as to whether the provisions of the applicable laws,
rules and regulations made thereunder and various orders and instructions
issued by the competent authority are being complied with.

b) Integrated audit
It considers the relationship between information technology, financial
and operational controls in establishing an effective and efficient internal
control environment.
j) The auditing environment is usually very wide and each environment has a specific
way in which audit can be carried out. Identify the specific ICT Audit environment.
Giving examples explain how audit can be carried out in the environments you have
identified.
• Technological position audit - This audit reviews the technologies that the
business currently has and that it needs to add in its inventory. The technologies are
characterized as being either base, key, pacing or emerging.
• Technological innovation process audit - This audit constructs a risk profile for
existing and new projects. The audit will assess the length and depth of the company's
experience in its chosen technologies, as well as its presence in the organization of each
project, relevant markets and the structure of the portion of the industry that deals with
this project or product, organization and industry structure.
• Innovative comparison audit - This audit is an analysis of the innovative abilities
of the company being audited, in comparison to its competitors in the market. This
requires examination of the company's research and development facilities, as well as its
track record in actually producing new products.
