ISA822S - INFORMATION SYSTEMS AUDIT - 1ST OPP - JUNE 2025




NAMIBIA UNIVERSITY
OF SCIENCE AND TECHNOLOGY
QUALIFICATION: POSTGRADUATE CERTIFICATE IN INFORMATICS (INFORMATION SYSTEMS AUDIT)
QUALIFICATION CODE: 08PGIN
LEVEL: 8
COURSE: INFORMATION SYSTEMS AUDIT
COURSE CODE: ISA822S
DATE: JUNE 2025
SESSION: JUNE 2025
DURATION: 3 HOURS
MARKS: 100
FIRST OPPORTUNITY EXAMINATION QUESTION PAPER
EXAMINER: Ms. Sinte Mutelo
MODERATOR: Mr. Paduleni Ndilula
THIS QUESTION PAPER CONSISTS OF 9 PAGES
(Including this front page)
INSTRUCTIONS:
1. Answer ALL the questions.
2. Write clearly and neatly.
3. Number the answers.
PERMISSIBLE MATERIALS:
1. Examination paper.
2. Examination script.



SECTION A MULTIPLE CHOICE
[20]
1. An ............. is an overarching document that covers the entire scope of audit
activities in an entity.
A. Audit Charter
B. Engagement letter
C. Service Level Agreement
D. Data implementation
2. An IS Auditor observes that an enterprise has outsourced software development to a
third party that is a start-up company. To ensure that the enterprise's investment in
software is protected, which of the following should be recommended by the IS auditor?
A. Due diligence should be performed on the software vendor.
B. A quarterly audit of the vendor facilities should be performed.
C. There should be a source code escrow agreement in place.
D. A high penalty clause should be included in the contract.
3. Which organisation sets forth this Code of Professional Ethics to guide the professional
and personal conduct of members of the association and/or its certification holders?
A. CISA
B. ITAF
C. ISACA
D. ISO
4. Having controls to review system logs on a monthly basis is an example of a:
A. Preventive control
B. Corrective control
C. Detective control
D. Hire to retire business process
5. Procuring new laptops for the finance department is part of which business process?
A. Record to report
B. Hire to retire
C. Order to cash
D. None of the above
6. Which of the following is an example of an automated control?
A. The IT managers review audit logs on a weekly basis
B. The Finance team performs a reconciliation of manual journal entries
C. The system is configured to revoke access assigned to terminated users on the last
working day.
D. Management performs a recertification of users on a quarterly basis.
7. System-generated reports obtained when performing an audit are referred to as:
A. IPE
B. PIE
C. ICE
D. IDE
8. The procedures performed by an auditor when testing a control should be documented
in a:
A. Working paper
B. Audit charter
C. Management letter
D. None of the above
9. ACL and Data Analytics is an example of:
A. Manual audit procedures
B. Data governance
C. Computer-assisted audit techniques
D. None of the above


10. Which of the following is an example of a collection technique?
A. Reviewing
B. Piggybacking
C. Inspection
D. None of the above
11. What should be considered in a business case?
A. The system design.
B. The return on investment.
C. The testing plan.
D. The data migration plan.
12. A challenge commonly associated with the Agile development model is
A. Lack of communication.
B. Lack of documentation.
C. Lack of testing.
D. Lack of resources.
13. What is the purpose of performing a post-implementation review?
A. To gather requirements.
B. To assess whether objectives have been met.
C. To identify future iterations.
D. None of the above.
14. Requiring a password, fingerprint scan and an access badge to access an application
is an example of?
A. Multifactor authentication.
B. Single sign-on.
C. Two-factor authentication.
D. Native authentication.


15. What is the purpose of a firewall?
A. Restrict incoming and outgoing traffic.
B. Identify phishing attacks.
C. Prevent piggybacking.
D. Allow remote access.
16. ......... are automated checks that make sure data is entered correctly.
A. Control
B. Edit check
C. Physical barriers
D. Transaction authorization
17. Knowingly and objectively not taking action, provided the risk satisfies the
organization's policy and criteria for risk acceptance, is referred to as:
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk sharing
18. Means that the business goals and objectives align directly with the objectives of the
organisation.
A. IT governance
B. Strategic Governance
C. Enterprise Governance of IT (EGIT)
D. GEIT
19. These are detailed steps and actions that support the policy objectives [1]
A. Procedure
B. Guidelines
C. Standards
D. Policies
20. Is the bedrock or first gate to access a corporate network or information system? [1]
A. Password
B. Authentication
C. Firewall
D. Network


SECTION B TRUE OR FALSE
[10]
QUESTION 2
1. Ethics help implement the standards.
2. For effective audit planning, it is important that the IS auditor has a thorough
understanding of business process applications and controls.
3. Practical knowledge of the business environment and business objectives is
unnecessary to plan a risk-based audit.
4. Internal controls provide reasonable assurance to management about the
achievement of business objectives.
5. Risk may be accepted if, for example, it is assessed that the risk is low.
6. Technical implementations are the tools and software that logically enforce controls
(such as passwords).
7. Auditing is defined as verifying specific controls.
8. EGIT is a component of corporate governance focused specifically on IT-related
decisions.
9. Business case and feasibility study needs to be performed after an organisation
invests in the implementation of an information system.
10. A successful business continuity program helps the company achieve its strategic
goals.


SECTION C STRUCTURED QUESTIONS
[70]
QUESTION 3: Short answers
[25]
1. Define the following terminologies:
a. Internal Control
b. Audit charter
c. Enterprise governance of IT (EGIT)
d. A disaster recovery plan
e. A policy
[5]
2. List the important information to be included in the audit charter.
[5]
3. If the system or its data were lost, the system's functionality would be unavailable,
resulting in a loss of your ability to track outstanding receivables or post new payments.
What are some internal controls that would mitigate this risk?
[6]
4. Discuss the consequences of IT control failure.
[6]
5. The purpose of EGIT is to ensure that:
[3]
QUESTION 4: STRUCTURED QUESTIONS: LONG ANSWERS
[45]
1. Based on understanding the difference between an internal and external audit that
you have gained in ISA, identify and highlight three differences between an internal
and external audit.
[9]
2. Governance Enterprise of IT has become very important to the Namibian institutions
for the following reasons. List any five reasons.
[5]
3. What areas of importance does an IS Auditor need to know to perform their audit tasks
in IT Governance?
[10]
9. Analyse the activities an IS Auditor performs while auditing the business continuity plan.
[6]
10. In essay format, determine what should be of interest to the IS Auditor when
auditing physical controls.
[10]
11. When it comes to emerging technology, the IS auditor should understand the nature of
the usage of the technology within the organization. Evaluate information system audit
considerations for emerging technology.
[5]
END OF EXAMINATION