SAU620S - SYSTEMS AUDIT - 1ST OPP - NOV 2022

NAMIBIA UNIVERSITY
OF SCIENCE AND TECHNOLOGY
Faculty of Computing and Informatics
Department of Computer Science
QUALIFICATION: Bachelor of Computer Science
QUALIFICATION CODE: 07BACS
LEVEL: 6
COURSE: Systems Audit
COURSE CODE: SAU620S
DATE: November 2022
DURATION: 2 hours 30 minutes
SESSION: 1
MARKS: 100
FIRST OPPORTUNITY EXAMINATION QUESTION PAPER
EXAMINER(S): MS HELENA HAINANA
MODERATOR: DR MERCY CHITAURO
THIS QUESTION PAPER CONSISTS OF 6 PAGES
(Including this front page)
INSTRUCTIONS
1. Answer ALL the questions.
2. Write clearly and neatly.
3. Number the answers clearly.
4. When answering questions you should be guided by the allocation
of marks. Do not give too few or too many facts in your answers.

SECTION A: True/False. (5 marks)
Choose the correct option.
1) High-level and detailed generic statements of minimum good control are known as control
objectives. TRUE/FALSE
2) Code of ethics define mandatory requirements for IS auditing and reporting. TRUE/FALSE
3) The "Assessment" phase in the IT audit process involves defining the audit scope, objectives
and internal control questionnaire. TRUE/FALSE
4) The ITIL framework is directed specifically toward service management, a part of that is,
itself, directed toward the governance of service delivery. TRUE/FALSE
5) Patents refer to Intellectual Property rights to design or expression that distinguishes a
product/service. TRUE/FALSE
SECTION B: Select the correct option. (5 marks)
1) Which of the following is not a component of COSO's defined internal control standards
in providing assurance to achieving business objectives?
a) Sound Control Environment
b) Sound Risk Assessment Process
c) Sound Internal Control Activities
d) Sound Information and Communications Systems
2) Basic concerns or risks in an On-Line Transaction Processing (OLTP) system would include all
the following except:
a) Accuracy
b) Dependability
c) Security
d) Unauthorized access

3) Which of the following is not an objective of internal controls?
a) Compliance with Policies and Regulations
b) Reliability and Integrity of Information
c) Safeguarding of Audit Personnel
d) Effectiveness and Efficiency of Operations
4) The transfer of structured data, by agreed message standards, from one computer system
to another without human intervention is known as .........................................
a) COSO
b) PCI
c) EDI
d) MST
5) ............................. define mandatory requirements for IS auditing and reporting.
a) Guidelines
b) Standards
c) Policies
d) Procedures
SECTION C: (90 marks)
1. Introduction to Systems Audit [10 Marks]
a) What are the primary objectives of IS Auditing? [5 Marks]
b) State three professional certifying bodies/organisations for IS auditors. [3 Marks]
c) Name two primary control objectives of early batch systems. [2 Marks]
2. IT Audit Process: Technology and Audit [21 Marks]
a) Engagement planning is an essential component which ensures a successful audit and
provides flexibility in identifying control objectives and risks. Briefly explain three tasks
involved in the engagement planning phase. [3 Marks]

b) According to NIST SP 800-39, risk management is classified at three levels. What are the three
levels of security risk in the Information Technology (IT) function? [3 Marks]
c) The audit program provides for the collection of what audit evidence? [3 Marks]
d) Define IS Auditing and, in chronological order, name and briefly explain the four main
stages in an IT audit process. [10 Marks]
e) List and explain two internal control types. [2 Marks]
3. Standards and Guidelines for IS Auditing [13 Marks]
a) The framework for the IT auditing standards provides multiple levels of guidance, that is,
standards, guidelines and procedures. Briefly define the three levels. [3 Marks]
b) Name two Standards or Guidelines for IT Auditing. [2 Marks]
c) When conducting IT risk analysis, what are the possible sources of threats? [3 Marks]
d) Information Systems Auditors are required to sign an ethics code of conduct. Briefly define
code of ethics and state why it is important to you as an IS Auditor. [3 Marks]
e) What is the objective of the IS Auditing Guidelines? [2 Marks]
4. Information Systems/Information Technology Governance [9 Marks]
a) Briefly define project lifecycle and list two project lifecycle models. [3 Marks]
b) CoCo is an audit body intended to translate COSO controls into practical, implementable
activities. State four ways in which CoCo promotes the treatment of IS risks. [4 Marks]
c) The Payment Card Industry Security Standards Council developed a set of standards to
encourage cardholder data security and facilitate the adoption of consistent data security
measures on a global basis. State two directives defined by the standard. [2 Marks]

5. Audit and Development of Application Controls [5 Marks]
a) What are some of the problems associated with the use of CAATs? [2 Marks]
b) Each database in IDEA has several properties associated with it, which are accessible from
the Properties window. List and explain one property of your choice. [2 Marks]
c) State the importance of audit trails in IS Auditing. [1 Mark]
6. Information Technology Service Delivery and Support [10 Marks]
a) Briefly define a Service-Level Agreement (SLA) and state three objectives. [4 Marks]
b) Which type of auditing permits auditors to monitor an organization's systems using
appropriate sensors and digital agents? [1 Mark]
c) Define change control and state its core objective. [3 Marks]
d) As an IS Auditor, state any two tasks that need to be carried out when auditing a change
control. [2 Marks]
7. Auditing UNIX and Windows [13 Marks]
a) Define password shadowing and state the benefit of implementing it. [3 Marks]
b) Passwords are vulnerable to which attacks? State three. [3 Marks]
c) When does it become absolutely necessary to store encrypted passwords on both UNIX
and Windows platforms? [2 Marks]
d) Give any three examples of UNIX daemons. [3 Marks]
e) Give two aspects the systems administrator should check for problem areas on a random
basis. [2 Marks]

8. Investigating IT Fraud [9 Marks]
a) What constitutes a forensic response toolkit? [2 Marks]
b) State the difference between browser hijacking and SQL injection. [4 Marks]
c) In relation to IS Auditing, state three reasons why cyber fraud prosecution fails. [3 Marks]
[THE END]