
UNIVERSITY EXAMINATIONS: 2022/2023

EXAMINATION FOR THE DEGREE OF BACHELOR OF SCIENCE IN


BUSINESS INFORMATION TECHNOLOGY

BBIT 307/ BAC 3116, 3104/BISF 3207/ BSD 3103: IS MANAGEMENT AND
AUDITING
FULL TIME/ PART TIME/ DISTANCE LEARNING
ORDINARY EXAMINATION
DATE: DECEMBER, 2022 TIME: 2 HOURS

INSTRUCTIONS: Question ONE IS COMPULSORY, Choose TWO OTHER Questions

QUESTION ONE (20 marks) Compulsory

a) Differentiate between the following set of terms


● IT auditing and Financial Auditing
IT Auditing: Focuses on evaluating and ensuring the integrity, confidentiality, and
availability of information technology systems and data. It assesses IT controls, security,
and compliance with IT policies and procedures.
Financial Auditing: Primarily involves the examination of financial statements and
accounting records to ensure accuracy, compliance with accounting standards, and the
prevention and detection of fraud.

● Risk assessment and risk management


Risk assessment: the process of identifying, analysing and evaluating the risks faced by an
organization, so that each risk can be rated by likelihood and impact.
Risk management: the broader process of deciding how to treat those risks (avoid, reduce,
transfer or accept), implementing the chosen controls and monitoring them over time. Risk
assessment is one stage of risk management.

● Efficiency and Effective systems (6 marks)


Efficiency: the ability to produce a result with the least effort or resources (doing things
right).
Effectiveness: the ability to achieve the desired result (doing the right things). A system can
be efficient without being effective, and vice versa.

b) Define the following terms as used in auditing


i). Substantive Testing
Substantive testing is an audit test that directly verifies the accuracy and completeness of
balances, transactions or data (for example, recalculating totals or tracing records to source
documents). It contrasts with compliance testing, which checks whether a control is operating
as designed.
ii). Integrity
Integrity refers to the accuracy and consistency of data. It’s about protecting data
from being altered or destroyed in an unauthorized manner.
iii). Availability
Availability is the property that systems and data are accessible and usable by authorized
users when required. An IS auditor assesses it through controls such as backups, redundancy,
capacity planning and disaster recovery arrangements.
iv). Vulnerability
Vulnerability in auditing refers to a weakness in an organization's IT systems or
controls that could be exploited by an attacker to cause harm
v). Internal controls (5 Marks)
Internal controls are the policies, procedures and mechanisms an organization puts in place to
provide reasonable assurance that its objectives are met: reliable reporting, effective and
efficient operations, safeguarding of assets, compliance with laws and regulations, and the
prevention and detection of fraud and errors.
c) What do you understand by the code of professional ethics that binds auditors in their daily
work? Mention any two of these. (3 marks)
A code of professional ethics is the set of principles that an auditor must observe when
performing professional work. Examples include:
Confidentiality: Auditors must not disclose information obtained during an audit to anyone
outside the engagement without proper authority, unless there is a legal or professional duty
to do so, and must not use it for personal advantage.
Integrity: Auditors should be straightforward and honest in all professional and business
relationships.
Objectivity: Auditors should not allow bias, conflict of interest, or undue influence of
others to override professional or business judgments.
d) What do you understand by the term IT Resources in an organization(2 marks)
IT resources encompass the technological assets, tools, and infrastructure, including
hardware, software, networks, databases, and other information technology components,
used to support business processes and operations.
e) What do you understand by the term computer forensics? Give three common scenarios
that might happen within this area. (4 marks)
It involves the identification, collection, and analysis of digital evidence from
electronic devices, such as computers or smartphones.
Scenarios include
A company discovers that a data breach has occurred and needs to investigate to
determine how the breach occurred and what data was stolen.
A law enforcement agency seizes a computer from a suspect in a crime and needs to
examine the computer's contents for evidence.
A company needs to investigate an employee for suspected misconduct and needs to
examine the employee's computer for evidence
QUESTION TWO (15 marks)
a) Define the following types of risk that are encountered when conducting an audit
assignment. Investment risk, Detection risk, Overall audit risk (6marks)
Investment risk, in its general financial sense, is the possibility that an investment's actual
return differs from the expected return, potentially resulting in financial loss. In the audit
context the term is used for the risk that the time and resources invested in the audit are
insufficient to catch significant misstatements; this overlaps with detection risk below.
Detection risk is the risk that the auditor's procedures fail to detect a material misstatement
that exists in the financial statements or in the system under review.
Overall audit risk is the risk that the auditor issues an inappropriate opinion, that is,
concludes that the financial statements are free of material misstatement when they are not.
It is commonly expressed as the product of inherent risk, control risk and detection risk.
b) Discuss the term Evidence in systems auditing. (2 marks)
evidence refers to the information gathered and documented during the audit process to
support the auditor's conclusions and opinions
c) Define Control Self-Assessment (CSA) as the term is used in this field of information
system auditing (2 marks)
Control Self-Assessment (CSA) in information system auditing is a process in which management
and staff assess and evaluate the effectiveness of the internal controls within their own
areas of responsibility, typically through facilitated workshops or questionnaires, with
internal audit facilitating the exercise and validating the results.
d) Any organization that has employed Control Self-Assessment (CSA) in its operation
enjoys a lot of benefits. Discuss four major advantages among many others.
(5 marks)
Improved internal controls: CSA can help organizations to identify and improve their
internal controls. This can lead to a reduction in fraud and errors, and to improved compliance with
regulations.
Reduced audit costs: CSA can help to reduce the amount of audit work that needs to be performed,
which can lead to reduced audit costs.
Improved communication between management and auditors: CSA can improve communication
between management and auditors, as it requires management to be transparent about their internal
controls. This can lead to a better understanding of the organization's risks and to a more efficient
audit process.
Increased confidence in the organization's financial statements: CSA can help to increase
confidence in the organization's financial statements, as it shows that management is committed to
maintaining effective internal controls.

QUESTION THREE (15 marks)


a) What are the main objectives of CAATs? Describe any four functional capabilities of
CAATs (5 marks)
Objectives include:
Efficiency: To improve the efficiency of the audit process by automating repetitive tasks and
allowing auditors to focus on more complex analysis.
Accuracy: To enhance the accuracy of audit procedures through the use of computerized tools
for data analysis, reducing the risk of human error.
Completeness: To ensure the completeness of audit testing by examining a larger sample size
or even entire datasets, providing more comprehensive coverage.
Timeliness: To facilitate timely auditing processes by quickly extracting and analyzing large
volumes of data, enabling auditors to obtain real-time insights.
Functionalities
Data extraction and analysis: CAATs can be used to extract and analyze large amounts of data
from a variety of sources. This can be used to identify trends, patterns, and anomalies that may
indicate fraud or errors.
Program testing: CAATs can be used to test the validity and accuracy of computer programs.
This can help to identify potential security vulnerabilities and to ensure that programs are
working as intended.
Access control testing: CAATs can be used to test the effectiveness of access controls. This
can help to ensure that only authorized users have access to sensitive data and systems.
System security testing: CAATs can be used to test the security of computer systems and
networks. This can help to identify potential security vulnerabilities and to ensure that systems
are protected from unauthorized access and attack.
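The data extraction and analysis, access control testing and exception reporting described
above are the kind of tests an auditor would script rather than perform by hand. The following
is an added example, not part of the exam paper or of any audit software: it runs five
CAAT-style tests over a constructed payment extract and user-role export. The vendor names,
user names, document numbers, the 50,000 approval limit and the segregation-of-duties rules are
all assumptions made for illustration.

```python
"""CAAT-style data tests over a constructed payment extract."""
from collections import defaultdict
from datetime import datetime

# Constructed sample extract (not real data): one row per posted payment.
PAYMENTS = [
    {"id": 1001, "vendor": "ACME", "amount": 4200.00, "user": "jdoe", "ts": "2022-11-02T09:15:00"},
    {"id": 1002, "vendor": "ACME", "amount": 4200.00, "user": "jdoe", "ts": "2022-11-02T09:16:30"},
    {"id": 1003, "vendor": "Globex", "amount": 150.00, "user": "asmith", "ts": "2022-11-02T11:00:00"},
    {"id": 1005, "vendor": "Initech", "amount": 980.00, "user": "asmith", "ts": "2022-11-05T23:40:00"},
    {"id": 1006, "vendor": "Globex", "amount": 49999.00, "user": "jdoe", "ts": "2022-11-07T10:05:00"},
]

# Constructed user-to-role export from the payments application.
ROLE_ASSIGNMENTS = {
    "jdoe": {"create_vendor", "post_payment", "approve_payment"},
    "asmith": {"post_payment"},
    "mlee": {"approve_payment"},
}
# Assumed segregation-of-duties rules: no single user may hold both roles of a pair.
CONFLICTING_ROLES = [("create_vendor", "approve_payment"), ("post_payment", "approve_payment")]

APPROVAL_LIMIT = 50000.00  # assumed single-signature approval threshold


def duplicate_payments(payments):
    """Accuracy test: same vendor and amount posted more than once (possible double payment)."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["amount"])].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def sequence_gaps(payments):
    """Completeness test: document numbers should be unbroken; return the missing ones."""
    ids = sorted(p["id"] for p in payments)
    present = set(ids)
    return [n for n in range(ids[0], ids[-1] + 1) if n not in present]


def out_of_hours_postings(payments, start_hour=8, end_hour=18):
    """Exception test: postings at weekends or outside business hours."""
    flagged = []
    for p in payments:
        ts = datetime.fromisoformat(p["ts"])
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            flagged.append(p["id"])
    return flagged


def near_limit_payments(payments, limit=APPROVAL_LIMIT, band=0.02):
    """Exception test: amounts just under the approval limit, a pattern seen when
    a larger payment is split to avoid a second approver."""
    return [p["id"] for p in payments if limit * (1 - band) <= p["amount"] < limit]


def sod_conflicts(assignments, conflicts):
    """Access-control test: users holding a conflicting pair of roles."""
    return sorted(
        user for user, roles in assignments.items()
        if any(a in roles and b in roles for a, b in conflicts)
    )


def run_all():
    """Run every test and return the exceptions for the auditor to follow up."""
    return {
        "duplicates": duplicate_payments(PAYMENTS),
        "sequence_gaps": sequence_gaps(PAYMENTS),
        "out_of_hours": out_of_hours_postings(PAYMENTS),
        "near_limit": near_limit_payments(PAYMENTS),
        "sod_conflicts": sod_conflicts(ROLE_ASSIGNMENTS, CONFLICTING_ROLES),
    }


if __name__ == "__main__":
    for test, exceptions in run_all().items():
        print(f"{test}: {exceptions}")
```

Each function returns the exceptions rather than a verdict: an exception is a lead for the
auditor to investigate (a duplicate may be a legitimate recurring charge), not proof of fraud.
Because the tests run over the whole extract rather than a sample, they give the completeness
of coverage listed among the CAAT objectives above.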

b) Describe the COBIT structure describing each stage of its domain. (3 marks)
Evaluate, Direct, and Monitor (EDM): The governance domain. It ensures that IT activities
are aligned with business goals and guided by sound governance and management practices.
Align, Plan, and Organize (APO): The first management domain. It covers strategic planning,
process definition and the organization of IT resources so that they support the overall
business objectives.
Build, Acquire, and Implement (BAI): This domain covers the complete lifecycle of IT
solutions, from development or procurement through to integration and implementation.
Deliver, Service, and Support (DSS): Once IT solutions are implemented, the focus shifts
to their ongoing operation, service delivery and support.
Monitor, Evaluate, and Assess (MEA): This domain ensures that the organization's
governance, risk management and control processes are monitored and evaluated regularly.

c) IT Audit Process has five basic steps. Describe each with details (5 marks)
Audit Planning: Define the scope, objectives, and resources required for the audit,
including understanding the IT environment and identifying key risks.
Risk Assessment: Evaluate and prioritize IT risks to determine the focus of the audit,
considering potential impacts and likelihood.
Audit Testing: Perform substantive testing and compliance testing, utilizing CAATs and
other audit techniques to gather evidence on the effectiveness of internal controls and the
accuracy of IT processes.
Reporting: Communicate audit findings, conclusions, and recommendations to
management and stakeholders, providing insights into the IT control environment.
Follow-up: Ensure that management addresses and implements recommendations,
monitoring the resolution of identified issues and tracking improvements.

d) Describe two main characteristics of an auditor. (2 marks)


Independence: Auditors must be independent of the organizations they audit. This means
that auditors cannot have any financial or personal ties to the organizations they audit.
Objectivity: Auditors must be objective in their audit work. This means that auditors must
be free from bias and must be willing to report their findings accurately and fairly.
Integrity: Auditors should be honest, trustworthy and unbiased in order to reach
constructive conclusions.

QUESTION FOUR (15 marks)


a) Discuss three major areas that you consider while Controlling for active threats to
information systems assets (3 marks)
Threat Identification: This involves recognizing potential threats to the system, such
as malware, hacking attempts, or insider threats.
Risk Assessment: This involves evaluating the potential impact of each identified
threat and the likelihood of its occurrence
Incident response: This involves having a plan in place to respond to and recover
from security incidents.
b) There are numerous factors that a system auditor ought to take into consideration when
undertaking their duties. Discuss any four [4 Marks]
The organization's IT environment: The auditor should consider the organization's IT
environment, including its hardware, software, networks, and applications, when
developing an audit plan and performing audit procedures.
The organization's internal controls: The auditor should consider the organization's
internal controls when assessing the risk of material misstatement and when
designing and performing audit procedures.
The organization's compliance requirements: The auditor should consider the
organization's compliance requirements when developing an audit plan and
performing audit procedures.
Risk Assessment: The auditor needs to assess the risks of material misstatement in the
financial statements.
c) Define Forensics. Discuss five steps a data forensics firm goes through while reviewing
a case [5 Marks]
Forensics Definition: Forensics involves the application of investigative techniques to
collect, analyze, and preserve electronic evidence in legal cases.
Steps in Data Forensics:
Identification: Determine the scope of the investigation and identify the systems,
devices, and data relevant to the case.
Collection: Collect and preserve electronic evidence using forensically sound methods
to maintain its integrity and admissibility in court.
Analysis: Analyze the collected data to reconstruct events, identify patterns, and draw
conclusions relevant to the investigation.
Documentation: Document the findings, methodologies, and the chain of custody to
support the credibility of the evidence in legal proceedings.
Reporting: Present a comprehensive and clear report detailing the results of the
investigation, including any discovered evidence, conclusions, and recommendations.
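The collection and documentation steps above depend on being able to show that the evidence
has not changed since it was seized and that every hand it passed through is recorded. The
following is an added example, not part of the exam paper or of any forensic tool: it hashes
an evidence item at acquisition, keeps a hash-chained chain-of-custody log, verifies a working
copy and a tampered copy against the acquisition hash, and shows that editing a log record
after the fact is detected. The evidence bytes, item identifier IMG-001 and the examiner names
are constructed for illustration.

```python
"""Evidence preservation and chain of custody with cryptographic hashes."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence item; any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log. Each entry records who did what to which
    item and the item's hash, and commits to the previous entry's hash so that
    a record cannot be altered or removed later without detection."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, item, actor, evidence_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "item": item,
            "actor": actor,
            "evidence_hash": evidence_hash,
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any entry was edited or dropped."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def acquisition_hash(self, item):
        """Hash recorded when the item was first acquired; the reference for all later checks."""
        for e in self.entries:
            if e["item"] == item and e["action"] == "acquired":
                return e["evidence_hash"]
        return None

    def verify_evidence(self, item, data: bytes) -> bool:
        """True if the bytes still match the acquisition hash."""
        expected = self.acquisition_hash(item)
        return expected is not None and expected == sha256_hex(data)


def run_case():
    """Walk one constructed case through acquisition, copying, transfer and verification."""
    # Constructed stand-in for a disk image; not real evidence.
    original = b"constructed disk image stub: partition table, user files, system logs"
    log = CustodyLog()
    acquired = sha256_hex(original)
    log.record("acquired", "IMG-001", "examiner A", acquired,
               "imaged seized laptop through a write blocker (constructed scenario)")
    working_copy = bytes(original)  # analysis is done on a copy, never on the original
    log.record("copied", "IMG-001", "examiner A", sha256_hex(working_copy), "working copy made")
    log.record("transferred", "IMG-001", "examiner B", acquired, "received sealed original")

    tampered = original.replace(b"system logs", b"SYSTEM LOGS")
    results = {
        "working_copy_intact": log.verify_evidence("IMG-001", working_copy),
        "tampered_copy_detected": not log.verify_evidence("IMG-001", tampered),
        "log_intact": log.verify_log(),
    }
    log.entries[0]["actor"] = "someone else"  # simulate a record being edited after the fact
    results["log_edit_detected"] = not log.verify_log()
    return results


if __name__ == "__main__":
    print(run_case())
```

In practice the acquisition hash is written on the evidence form and the image is verified
against it before analysis and again before it is produced in court; the hash chain on the
log adds the same tamper evidence to the custody record itself.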

d) Discuss three functions and facilities built-in to well-designed computer systems to make
the systems auditors job easier. [3 Marks]
Logging and auditing: Well-designed computer systems log and audit all activity on the
system. This can be valuable for auditors when investigating security incidents or when
assessing the effectiveness of internal controls.
Access controls: Well-designed computer systems have access controls in place to
restrict who can access what resources. This can help to prevent unauthorized access to
sensitive data and systems.

System auditing tools: Well-designed computer systems have built-in system auditing
tools that can be used to monitor and analyze system activity. This can help auditors to
identify potential security threats and to assess the effectiveness of internal controls.
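Logs are only useful to an auditor if they can be turned into exceptions. The following is an
added example, not part of the exam paper or of any real system: it parses a handful of
constructed syslog-style authentication lines and pulls out two things an IS auditor would
follow up, a burst of failed logins followed by a success (password guessing that worked) and a
privileged edit of a change-controlled file. The host names, user names, addresses and the
list of watched files are assumptions made for illustration.

```python
"""Review of a constructed authentication log for audit exceptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sample lines; not taken from any real system.
LOG_LINES = """\
2022-12-01T08:02:11 sshd[411]: Failed password for alice from 10.0.0.5 port 5221 ssh2
2022-12-01T08:02:14 sshd[411]: Failed password for alice from 10.0.0.5 port 5222 ssh2
2022-12-01T08:02:17 sshd[411]: Failed password for alice from 10.0.0.5 port 5223 ssh2
2022-12-01T08:02:19 sshd[411]: Failed password for alice from 10.0.0.5 port 5224 ssh2
2022-12-01T08:02:22 sshd[411]: Failed password for alice from 10.0.0.5 port 5225 ssh2
2022-12-01T08:02:30 sshd[411]: Accepted password for alice from 10.0.0.5 port 5226 ssh2
2022-12-01T09:10:02 sshd[520]: Accepted publickey for bob from 10.0.0.9 port 6001 ssh2
2022-12-01T09:11:40 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
2022-12-01T14:20:05 sshd[528]: Failed password for carol from 10.0.0.12 port 6100 ssh2
2022-12-01T14:20:40 sshd[528]: Accepted password for carol from 10.0.0.12 port 6101 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(lines):
    """Split raw lines into timestamped events; unparseable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "proc": m["proc"], "msg": m["msg"]})
    return events


def brute_force_then_success(events, threshold=5, window_s=60):
    """(user, source) pairs where at least `threshold` failures were followed by a
    success within `window_s` seconds: a sign of password guessing that worked."""
    failures = defaultdict(list)
    hits = []
    for ev in events:
        a = AUTH_RE.match(ev["msg"])
        if not a:
            continue
        key = (a["user"], a["ip"])
        if a["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            hits.append(key)
        failures[key].clear()
    return hits


def privileged_config_changes(events, watched=("/etc/sudoers", "/etc/passwd", "/etc/shadow")):
    """sudo commands that touch files an auditor expects to be under change control."""
    hits = []
    for ev in events:
        if ev["proc"] != "sudo":
            continue
        s = SUDO_RE.match(ev["msg"])
        if s and any(path in s["cmd"] for path in watched):
            hits.append((s["user"], s["target"], s["cmd"].strip()))
    return hits


def review(lines=LOG_LINES):
    """Return the exceptions found in the log for the auditor to follow up."""
    events = parse(lines)
    return {
        "brute_force": brute_force_then_success(events),
        "privileged_changes": privileged_config_changes(events),
    }


if __name__ == "__main__":
    print(review())
```

Carol's single failed attempt before a success is below the threshold and is not reported,
which is the point of the window and threshold: the review should surface patterns, not every
mistyped password. Each privileged change reported should be matched to an approved change
record; one without a record is a control failure regardless of whether the edit was malicious.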
