W1-2-60-1-6
JOMO KENYATTA UNIVERSITY OF AGRICULTURE AND TECHNOLOGY
UNIVERSITY EXAMINATIONS 2016/2017
EXAMINATION FOR THE DEGREE OF BACHELOR OF SCIENCE IN INFORMATION TECHNOLOGY
BIT 2318: INFORMATION SYSTEM AUDIT
DATE: DECEMBER 2016 TIME: 2 HOURS
INSTRUCTIONS:
ANSWER QUESTION ONE [COMPULSORY] AND ANY OTHER TWO QUESTIONS
QUESTION ONE [COMPULSORY][30 MARKS]
(a) What is meant by IS auditing? [2 marks]
(b) What is the role of control in an information system? [2 marks]
(c) With examples, differentiate between compliance testing and substantive testing [4 marks]
(d) Discuss three types of security risks that a computerized business environment is exposed to [3 marks]
(e) Explain the role of firewalls in an information system [1 mark]
(f) What criteria does an auditor consider when administering evidence in their audit reports [4 marks]
(g) In a risk-based audit approach, how can an IS auditor conduct an effective audit? [2 marks]
(h) While conducting an audit, an external IS auditor detected the presence of viruses in the system. Explain two priority approaches the auditor can follow when handling the observed situation [2 marks]
(i) Explain the uses of an audit charter [2 marks]
(j) Explain two reasons why an information auditor needs to establish an audit trail during audit process [2 marks]
(k) Explain the need for CAATs in an audit firm [2 marks]
(l) Explain why a multinational company would require a clearly spelt out IT framework [2 marks]
(m) Discuss two emerging areas of IS auditing [2 marks]
QUESTION TWO [20 MARKS]
(a) What is meant by continuous self-assessment (CSA)? Explain two approaches which can contribute to the success of CSA [4 marks]
(b) What is meant by a risk? Differentiate between a risk and a threat. [2 marks]
(c) Explain the need for documenting security procedures when testing a security audit of IT processes [2 marks]
(d) Explain a case when an IS auditor would choose to use statistical sampling and not judgment (non-statistical) sampling when doing audit sampling [2 marks]
(e) What considerations does an IS auditor need to take into account when communicating audit results to management? [4 marks]
(f) Discuss four procedures that an auditor can follow when reviewing the business continuity [4 marks]
(g) Explain why an IS auditor would want to review management’s long-term strategic plans [2 marks]
QUESTION THREE [20 MARKS]
(a) Discuss standard procedures that are followed during the system audit process [4 marks]
(b) Explain two types of risk materiality that may go undetected in a business during auditing [4 marks]
(c) State two advantages of CAATs in a large organization [2 marks]
(d) Discuss any two types of computer crimes that a mobile phone company management may have to frequently deal with [2 marks]
(e) What is meant by computer forensics? State any two skill requirements for a computer forensics professional [4 marks]
(f) State and explain two methods of hiding data that an auditor should be familiar with [2 marks]
(g) Explain two reasons why email systems have become a useful source of evidence for litigation [2 marks]
QUESTION FOUR [20 MARKS]
(a) Explain why an auditor would need to use graphs and flow charts in an audit report [2 marks]
(b) Explain four job responsibilities that a computer forensics expert may be required to perform [4 marks]
(c) What are internal controls? Discuss the objectives of an internal audit [4 marks]
(d) Discuss the audit methodology that a team of IS experts auditing a supermarket retail chain can follow to accomplish their mission. [2 marks]
(e) Explain why work papers are necessary to the management of an organization [2 marks]
(f) Explain the steps an internal auditor can take when responding to a fraud incident as an emergency situation. [4 marks]