
UNIVERSITY EXAMINATION 2020/2021

YEAR IV SEMESTER II EXAMINATION FOR THE DEGREE OF BACHELOR OF
SCIENCE IN COMPUTER SCIENCE, INFORMATION TECHNOLOGY AND
BUSINESS INFORMATION TECHNOLOGY
BIT 2318 / SPI 2406: Information Systems Audit
Year IV, Semester II

Date: Thursday, 9th September 2021 Time: 8.30am – 10.30am


INSTRUCTIONS:
Answer question ONE (compulsory) and any other TWO questions.

QUESTION ONE [30MARKS]

a) What do you understand by ‘information systems auditing’? [2 Marks]


b) The framework for the ISACA IS Auditing Standards provides for multiple levels, as
follows: [6 Marks]
(i) Standards
(ii) Guidelines
(iii) Procedures

Describe each and give at least one example.

c) What do you understand by the term ‘internal controls’? [2 Marks]


d) Discuss any two components of internal control systems that are employed in an
organization to reduce risks [4 Marks]
e) Discuss how identity theft is used to cause fraud in information systems
[2 Marks]
f) One of the Codes of Professional Ethics states that members shall “Perform their
duties with objectivity, due diligence and professional care, in accordance with
professional standards and best practices”. [6 Marks]

Page 1 of 3
Discuss what is meant by:
i. Objectivity
ii. Due diligence
iii. Professional care
g) The audit process consists of several steps. Describe them in their correct order
and elaborate on each step. [5 Marks]
h) Describe the following terms in a systems auditing environment:
(i) Confidentiality [1 Mark]
(ii) Integrity [1 Mark]
(iii) Availability [1 Mark]

QUESTION TWO [20 MARKS]

a) Controls are generally categorized into three major classifications. List these three
and give an example of each in relation to an information systems environment.
[6 Marks]
b) Audit planning consists of both short- and long-term planning.
(i) Describe each type mentioned above [2 Marks]
(ii) There are four major factors that affect planning. Describe them. [8 Marks]

c) What is ‘evidence’ in relation to systems auditing? [2 Marks]

d) An information systems auditor encounters several computer forensic scenarios in
the course of their work. Discuss two common scenarios in the field. [4 Marks]

QUESTION THREE [20 MARKS]

a) Describe and give an example of each of the following:
i. Contingency planning, [2 Marks]
ii. Incident response, [2 Marks]
iii. Disaster Recovery [2 Marks]
iv. Business Continuity [2 Marks]
b) With a well-labelled diagram, show the relationship among the four elements given
above. [4 Marks]
c) Differentiate between the following set of terms:
i. Control and control objectives [4 Marks]
ii. Risk assessment and Risk management [4 Marks]

QUESTION FOUR [20 MARKS]

a) Briefly state two characteristics of an information systems auditor. [2 Marks]


b) There are numerous factors that a systems auditor ought to take into
consideration when undertaking their duties. Discuss any three. [3 Marks]
c) Discuss three possible active threats to information systems. [3 Marks]

d) Describe three guidelines that assist systems auditors to detect and deter fraud
occurrences in an organization. [6 Marks]
e) Discuss when and how an organization’s information systems function should retain
a data forensics expert. [4 Marks]
f) What is IT governance? Discuss how it helps an organization. [2 Marks]

QUESTION FIVE [20 MARKS]

a) Discuss the following types of audit as they apply to information systems auditing:
i. Technological position audit [3 Marks]
ii. Application and systems audit [3 Marks]
iii. Systems development audit [3 Marks]

b) During contingency recovery planning, an organization can opt for either a hot site
or a cold site. Discuss the hot site, giving relevant examples. [1 Mark]

c) Under COBIT, the following are IT resources:
i. Data
ii. Application systems
iii. Technology
iv. Facilities
v. People

Discuss each and explain its role in systems auditing. [10 Marks]
