IS Audit 2022
BBIT 307/ BAC 3116, 3104/BISF 3207/ BSD 3103: IS MANAGEMENT AND
AUDITING
FULL TIME/ PART TIME/ DISTANCE LEARNING
ORDINARY EXAMINATION
DATE: DECEMBER, 2022 TIME: 2 HOURS
b) Describe the COBIT structure describing each stage of its domain. (3 marks)
Evaluate, Direct, and Monitor (EDM): This domain focuses on ensuring that IT activities
are in harmony with business goals and guided by robust governance and management
practices [3].
Align, Plan, and Organize (APO): This domain involves strategic planning, meticulous
process definition, and the orchestration of IT resources to seamlessly support
overarching business objectives [3].
Build, Acquire, and Implement (BAI): This domain encompasses the complete lifecycle
of IT projects – from development to procurement and integration [3].
Deliver, Service, and Support (DSS): Once IT solutions are implemented, the focus shifts
to their ongoing operation and sustenance [3].
Monitor, Evaluate, and Assess (MEA): This domain ensures that the organization’s
governance, risk management, and control processes are monitored and evaluated
regularly [3].
c) IT Audit Process has five basic steps. Describe each with details (5 marks)
Audit Planning: Define the scope, objectives, and resources required for the audit,
including understanding the IT environment and identifying key risks.
Risk Assessment: Evaluate and prioritize IT risks to determine the focus of the audit,
considering potential impacts and likelihood.
Audit Testing: Perform substantive testing and compliance testing, utilizing CAATs and
other audit techniques to gather evidence on the effectiveness of internal controls and the
accuracy of IT processes.
Reporting: Communicate audit findings, conclusions, and recommendations to
management and stakeholders, providing insights into the IT control environment.
Follow-up: Ensure that management addresses and implements recommendations,
monitoring the resolution of identified issues and tracking improvements.
d) Discuss three functions and facilities built into well-designed computer systems to make
the systems auditor's job easier. [3 Marks]
Logging and auditing: Well-designed computer systems log and audit all activity on the
system. This can be valuable for auditors when investigating security incidents or when
assessing the effectiveness of internal controls.
Access controls: Well-designed computer systems have access controls in place to
restrict who can access what resources. This can help to prevent unauthorized access to
sensitive data and systems.
System auditing tools: Well-designed computer systems have built-in system auditing
tools that can be used to monitor and analyze system activity. This can help auditors to
identify potential security threats and to assess the effectiveness of internal controls.