ISA822S - INFORMATION SYSTEMS AUDITING - 1ST OPP - JUNE 2022
NAMIBIA UNIVERSITY OF SCIENCE AND TECHNOLOGY
FACULTY OF COMPUTING AND INFORMATICS
DEPARTMENT OF INFORMATICS, JOURNALISM AND MEDIA TECHNOLOGY
QUALIFICATION: POSTGRADUATE CERTIFICATE IN INFORMATICS (INFORMATION SYSTEMS AUDIT)
QUALIFICATION CODE: 08PGIN
LEVEL: 8
COURSE: INFORMATION SYSTEMS AUDITING
COURSE CODE: ISA822S
DATE: JUNE 2022
PAPER: THEORY
DURATION: 3 HOURS
MARKS: 100
FIRST OPPORTUNITY EXAMINATION QUESTION PAPER
EXAMINER(S): MRS RUUSA IPINGE
MODERATOR: MR PANDULENI NDILULA
THIS QUESTION PAPER CONSISTS OF 8 PAGES
(Excluding this front page)
INSTRUCTIONS
• Answer ALL questions in Part 1, Part 2, and Part 3.
• NUST examination rules apply.
• DO NOT open this examination cover until you are instructed to do so.
• DO NOT FORGET to write down your student number at the designated places on the examination page.
PART 1: MULTIPLE CHOICE QUESTIONS (40 MARKS MAXIMUM, 2 MARKS FOR EACH CORRECT ANSWER)
Answer all questions. Select ONLY ONE BEST ANSWER to each question.
1. An IS auditor is reviewing the physical security controls of a data center and notices several
areas for concern. Which of the following areas is the MOST important?
a. The emergency power off button cover is missing.
b. Scheduled maintenance of the fire suppression system was not performed.
c. There are no security cameras inside the data center.
d. The emergency exit door is blocked.
2. An enterprise's risk appetite is BEST established by:
a. the chief legal officer.
b. security management.
c. the audit committee.
d. the steering committee.
3. An IS auditor is assigned to audit a software development project, which is more than 80
percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which
of the following actions should the IS auditor take?
a. Report that the organization does not have effective project management.
b. Recommend the project manager be changed.
c. Review the IT governance structure.
d. Review the conduct of the project and the business case.
4. Which of the following choices BEST helps information owners to properly classify data?
a. Understanding of technical controls that protect data
b. Training on organizational policies and standards
c. Use of an automated data leak prevention (DLP) tool
d. Understanding which people need to access the data
5. What is the term for extremely large data sets that may be analysed computationally to reveal patterns, trends, and associations, especially relating to human behaviour and interactions?
a. Big Data
b. Business intelligence
c. Electronic Data interchange
d. Machine Learning
6. A company performs a daily backup of critical data and software files, and stores the backup
tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption.
This is a:
a. Preventive control.
b. Management control.
c. Corrective control.
d. Detective control.
7. The FIRST step in planning an audit is to:
a. Define audit deliverables.
b. Finalize the audit scope and audit objectives.
c. Gain an understanding of the business' objectives.
d. Develop the audit approach or audit strategy.
8. The approach an IS auditor should use to plan IS audit coverage should be based on:
a. Risk.
b. Materiality.
c. Professional scepticism.
d. Sufficiency of audit evidence.
9. The IS audit scope should outline:
a. The findings identified by the Auditor.
b. The systems in scope, controls to be tested, timelines and objective of the audit.
c. The authority of the IS audit function.
d. The IS auditor's CV.
10. What is the first step in performing a risk assessment?
a. Risk treatment.
b. Risk evaluation.
c. Risk response.
d. Risk identification.
11. Why should a BCP be tested?
a. To identify a future incident.
b. To train employees.
c. To identify limitations and improvement areas.
d. To assess the competence of the CEO.
12. Which of the following can increase capacity and reliability of an application? Choose the best
answer.
a. Live replication to various geographic regions.
b. Load balancing.
c. Clustering.
d. None of the above.
13. Raised floors, fire suppression systems, and air cooling systems are examples of:
a. Access control.
b. Change management.
c. Environmental controls.
d. Voice over IP (VoIP).
14. Requiring a password and a code sent to your phone in order to use an application is an example of:
a. Multifactor authentication.
b. Single sign-on.
c. Two-factor authentication.
d. Native authentication.
15. Which of the following is an example of social engineering?
a. Penetration testing.
b. Tailgating.
c. VPN.
d. Logging.
16. Which of the following is an example of a cloud service model?
a. DEFI.
b. Private cloud.
c. Infrastructure as a Service.
d. None of the above.
17. The waterfall software development model is appropriate when:
a. Requirements are well defined and do not change.
b. Requirements are constantly changing.
c. Unit tests are performed in iterations.
d. Prototypes are not required.
18. A challenge commonly associated with the Agile development model is:
a. Lack of communication.
b. Lack of documentation.
c. Lack of testing.
d. Lack of resources.
19. Who should approve the implementation of a system?
a. The receptionist.
b. The CEO.
c. Board members.
d. Project Manager.
20. What is the purpose of performing a post-implementation review?
a. To gather requirements.
b. To assess whether objectives have been met.
c. To identify future iterations.
d. None of the above.
PART 2: WRITTEN OR ESSAY QUESTIONS (35 MARKS ALLOCATED)
ANSWER ALL QUESTIONS
1. State two characteristics of an Information Systems Auditor. [2]
2. Explain the following terms: [8]
a) A metaverse;
b) Machine learning;
c) Internet of Things (IoT);
d) Augmented reality.
3. What are the different standards that the audit charter documents should meet during an Information Systems Audit? [4]
4. Implementation is the process of identifying and evaluating the system's performance in light of the requirements and goals. What are the roles of the auditor during post-implementation? [7]
5. Differentiate between Internal and External Audit regarding their assurance functionality. [4]
6. There is no global template of the components to include in a working paper. The format of working papers differs for each organisation. What is some of the information that should be on the documented working paper? [6]
7. Why should an organisation carry out a Business Impact Analysis (BIA)? [4]
PART 3: GENERAL AND CASE STUDY BASED QUESTIONS (25 MARKS ALLOCATED)
Home Health Arena
The present investigation regards the selection of a software package by a medium-size regional hospital for use in the Home Health segment of their organization. The hospital (referred to in this monograph by a fictitious name, General Hospital) is located in the central portion of a southern state in the USA, within 30 minutes of the state capital. Its constituents reside in the largest SMSA (standard metropolitan statistical area) in the state and consist of rural, suburban, and city residents. Services offered include an Emergency Department, Hospice, Intensive Care Unit (ICU), Obstetrics, Open Heart Surgery, and Pediatrics. Additional components of General Hospital consist of an Imaging Center, a Rehabilitation Hospital, four Primary Care Clinics, a Health and Fitness Center (one of the largest in the nation with more than 70,000 square feet and 7,000 members), a Wound Healing Center, regional Therapy Centers, and Home Care (the focal point of this study).
The Home Health portion currently encounters difficulties: the software they were using was at least seven years old and could simply not keep up with all the changes in billing practices and Medicare requirements and payments. The current system was not scalable to the growing needs and transformation within the environment. To solve this challenge, as part of the Analysis stage, great care is taken to ensure that the new proposed system meets the objectives put forth by management. To that end, we met with the various stakeholders (i.e., the Director of the Home Care facility and potential end-users) to map out the requirements needed from the new system. Copious notes were taken at these meetings that helped us understand the business needs, and a conscientious effort was made to synthesize our recollections. Afterwards, the requirements were collated into a spreadsheet for ease of inspection.
The health system will store some of its data on the cloud so that the data is easily accessed through a web interface; this might pose some security issues. The project is assumed to commence soon, and the SDLC will be used for implementation of the new system. The Director hopes that these advancements will be disruptive during everyday operations. Such upgrades are especially important in the health care industry, as changes to Medicare and billing practices are common occurrences. General Hospital expects to use the software for the foreseeable future, with no plans to embark on another project of this magnitude for quite some time.
Read the case study above and answer the questions below; note that some questions require your general knowledge.
1. What does SDLC stand for? [1]
2. What are the challenges with Home Health's current system? [2]
3. Explain 3 main stages of the SDLC that Home Health can implement to migrate from the old system to the new system. [6]
4. How were the business requirements gathered? [4]
5. Using a real example, what are the 7 cloud storage security risks? [7]
6. How should an Information Systems Auditor audit emerging technologies? [5]
END OF QUESTION PAPER.