IT211 ASSIGNMENT (B1953014)

BINDURA UNIVERSITY OF SCIENCE EDUCATION
FACULTY OF SCIENCE
NAME: FORTUNE
SURNAME: DANGA
REG. NUMBER: B1953014
COURSE CODE: IT 211
COURSE: INFORMATION SYSTEMS AUDITING
PROGRAM: INFORMATION TECHNOLOGY
PART: 2.2
ASSIGNMENT: ONE
1 a) What is the sole purpose of an Information System (IS) Audit?
[5]
Answer
Information systems auditing is an examination of the management controls within an
information technology (IT) infrastructure and its business applications. The purpose of
information systems auditing is to establish whether information systems are safeguarding
corporate assets, maintaining the integrity of stored and communicated data, supporting
corporate objectives effectively and operating efficiently, and to compare actual with planned
performance.
In other words, information systems auditing is undertaken to verify that the stated objectives of
the system are still valid in the current environment, to evaluate the achievement of those stated
objectives, to ensure the reliability of computer-based financial and other information, to ensure
that all records are included during processing, and to ensure protection from fraud.
b) Discuss any five contents of an information system audit charter.
[10]
Answer
The information systems auditing charter is a formal document that clearly defines and
articulates the “marching orders” for the internal audit function from the governing body
(typically the audit committee) and management. The charter also defines others’
responsibilities for providing access and cooperation during audits or other reviews. It should
be reviewed and approved by the governing body on an annual basis. Discussed below are
five vital contents of an information system audit charter.
Mission and Purpose; the charter should define both the mission and the purpose of the internal
audit function. The mission should be to enhance and protect organizational value by providing
risk-based and objective assurance, advice, and insight. Internal audit’s independent and
objective assurance and consulting services should be designed to add value and improve the
organization’s operations.
Authority; a statement should be included in the charter affirming that the governing body will
establish, maintain, and assure that the internal audit function has sufficient authority to fulfil its
duties.
Quality Assurance and Improvement Program; the charter should define the internal audit’s
Quality Assurance and Improvement Program (QAIP), which covers all aspects of the internal
audit function, including:
- Evaluation of conformance to IIA Standards, and the requirement to report the results of its
QAIP periodically to senior management and the governing body
- An external assessment of the activity at least once every five years
Independence and Objectivity; the charter should state that the CAE (chief audit executive) will
ensure the independence and objectivity of the internal audit function so that it can carry out its
duties in an unbiased manner.
Furthermore, internal audit should have no direct operational responsibility or authority over any
of the activities audited.
Scope of Internal Audit Activities; the charter should define the scope of the internal audit
function. The scope should include providing independent assessments of the adequacy and
effectiveness of governance, risk management, and control processes.
c) Discuss the various issues that are of primary concern for an auditor involved in an
information system audit
[10]
Answer
Carrying out an audit requires the auditor to consider three types of risk. Firstly, inherent risk: the
'natural' risk that will occur with every information system. Different information systems have
different degrees of risk. For example, a company's logistics information system might face less
inherent risk than its financial information system (simply because the financial
information system is more attractive to people looking to commit fraud).
Secondly, control risk: this type of risk occurs because of poor internal controls. Any type of
information system will have control risk if it has poor controls. For example, if the payroll
department's files are not securely locked in a separate room, it faces a higher control risk.
Thirdly, detection risk: the risk that auditors themselves face, namely that the audit may not be
able to detect material flaws or errors in the system.
An auditor should also be concerned about cybersecurity. A cybersecurity audit is designed to be
a comprehensive review and analysis of the business’s IT infrastructure. It encompasses
everything that pertains to protecting sensitive data, personally identifiable information,
protected health information, personal information, intellectual property data and governmental
and industrial information systems. It helps mitigate the consequences of a breach and
demonstrates that the organization has taken the necessary steps to protect client and company
data.
Additionally, an auditor should also be concerned about finding the right staff, and about emerging
technology and infrastructure changes.
4.(a)A company has decided to outsource the IS audit function. Explain the reasons why
some organizations outsource information systems audit activity. State three advantages
and three disadvantages of outsourcing the audit function.
[6]
Answer
Service providers have good quality staff, i.e. they have specialized skills and address what
management wants them to do. They also have a high degree of professionalism, since the service
providers are trained in many areas, enhancing the quality of advice to management on best practices.
Some organizations outsource information systems audit activity in order to get an immediate
audit department instead of employing audit staff, thereby cutting costs such as salaries,
benefits and allowances. Furthermore, outsourcing enhances independence and thereby
minimizes room for collusion, giving value-added reports, i.e. there is real value for
money. Moreover, some organizations outsource information systems audit activity to enhance
their understanding of the business environment, policies and procedures, thereby increasing the
credibility of the financial reports and reducing their liability.
Advantages of outsourcing the audit function
Increased flexibility – If a company does not have the means to form a full-time staff to
handle internal audits, it can opt for outsourcing.
Ensures scalability – With an outsourcing partner, an organization can easily scale its audit
team to meet its needs.
Fresh Perspectives – Third-party providers offer their services to businesses from different
verticals. As a result, an organization can benefit from new ideas that can improve its operations,
internal risk, and risk control.
Disadvantages of outsourcing the audit function
Security Concerns – Just as with any service provided by a third party, there are inherent risks
when an organization outsources any business process.
Cost – Depending on another service provider, the hourly rate of an external resource can cost
about three to five times that of an in-house staff.
Continuity – As with any outsourcing engagement, continuity can be an issue if there are
frequent changes in an organization’s team. Challenges may arise during the internal audit if its
sourcing team does not have a thorough understanding of its work processes.
Confusion – In the case of co-sourcing, confusion about responsibilities may arise if an
organization is not aligned with its internal auditors.
b) The auditor would consider the most appropriate audit approach, specifically whether to follow a
system-based audit approach or a substantive approach. Explain the following manners in
which the auditor acquires audit evidence:
i. Auditing around the computer [5]
ii. Auditing through the computer [5]
iii. Auditing with the computer [5]
Answer
(i) Auditing around the computer means that the processing done by the computer system need
not be audited, as the auditor expects that sufficient appropriate audit evidence can be obtained by
reconciling inputs with outputs. It is often known as the black box audit approach. For example, the
auditor checks a list of names sorted by the computer against the unsorted input.
(ii) Auditing through the computer refers to an audit approach in which the auditor tests the
design and operating effectiveness of internal controls embedded in applications
that are only available electronically, to determine the extent to which the controls are
effective and can be relied upon. In this case, the auditor can use the computer controls to reduce
control risk. Challenges of auditing through the computer are that the IT setup may be expensive and
technical aspects may not always be easy to test.
(iii) Auditing with the computer is a systematic and logical audit approach that follows a risk-
based approach to determine whether the information systems of an entity, including its detailed
information technology processes, controls and activities, will achieve its IT objectives and will
thereby ultimately enable the organization to achieve its organizational goals.
c) Providing a sound and comprehensive reference of good practices is one of the ways in
which the COBIT framework delivers to its stakeholders the most complete and up-to-date guidance
on governance and management of enterprise IT. Describe five principles of COBIT in brief. [15]
Answer
COBIT stands for Control Objectives for Information and Related Technology. It is a business
framework that is used for the management and governance of enterprise IT. Published by
ISACA, COBIT packs the latest methodology in management techniques and enterprise
governance. Being a highly reliable and widely used IT management framework across the globe,
COBIT has its own set of rules or principles that make it one of the leading frameworks in the
market. COBIT has a total of five principles that make it a complete IT management and
governance framework. Described below are the principles of COBIT.
Meeting Stakeholder Needs; Enterprises exist to create value for their stakeholders by
maintaining a balance between the realization of benefits and the optimization of risk and use of
resources. COBIT 5 provides all of the required processes and other enablers to support business
value creation through the use of IT. Because every enterprise has different objectives, an
enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating
high-level enterprise goals into manageable, specific, IT-related goals and mapping these to
specific processes and practices.
Covering the Enterprise End-to-end; COBIT 5 integrates governance of enterprise IT into
enterprise governance:
– It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the
‘IT function’, but treats information and related technologies as assets that need to be dealt with
just like any other asset by everyone in the enterprise.
– It considers all IT-related governance and management enablers to be enterprise-wide and
end-to-end, i.e., inclusive of everything and everyone, internal and external, that is relevant to
governance and management of enterprise information and related IT.
Applying a Single, Integrated Framework; COBIT comes with the ability to align or integrate
with all the latest relevant frameworks and standards used by other enterprises. The major ones
are CMMI, PMBOK/PRINCE2, TOGAF, the ISO 27000 series, ITIL, ISO 38500, ISO 31000,
ISO 9000, COSO ERM, COSO, etc. Because of this, COBIT can be used as
the overarching management and governance framework integrator. It simply means that it can
be integrated with any of the above frameworks and standards to help the business
reach new heights. In simple words, COBIT is a single, overarching framework that can be
integrated with any of the leading IT management and governance frameworks.
Enabling a holistic approach; the fourth principle of the COBIT framework is to enable a
holistic approach in your organizational work, which means your entire organization must work
as a single unit. For this, the latest version of COBIT defines a specific set of enablers to support
the implementation of a comprehensive management and governance system for enterprise IT.
Separating governance from management; Governance and management are not the same
thing. Governance is the process of understanding the needs of the organization, defining the
direction through prioritization and decision making and monitoring compliance against
objectives. Management is the mechanism through which the plans are created and run in line
with the agreed objectives. Governance says what needs to be done, whereas management
focusses on how it will be done.
d) Under COBIT, the following are IT resources:
i. Data;
ii. Application systems;
iii. Technology;
iv. Facilities; and
v. People.
Discuss each and explain their roles in system auditing
[10]
Answer
Data - are objects in their widest sense (i.e., external and internal, structured and non-structured, graphics, sound, etc.).
Application Systems - are understood to be the sum of manual and programmed
procedures.
Technology - covers hardware, operating systems, database management systems,
networking, multimedia, etc.
Facilities - are all the resources to house and support information systems.
People - include staff skills, awareness and productivity to plan, organize, acquire,
deliver, support and monitor information systems and services.
e) Discuss any four internal control components described in the COSO framework.
[12]
Answer
Internal Environment- Management sets a philosophy regarding risk and establishes a risk
appetite. The internal environment sets the basis for how risk and control are viewed and
addressed by an entity’s people. It is critical that upper management express the importance
of ERM throughout all levels of an entity.
Objective Setting- Objectives must exist before management can identify potential events
affecting their achievement. ERM ensures that management has in place a process to set
objectives and that the chosen objectives support and align with the entity’s mission and are
consistent with its risk appetite.
Risk Assessment- Identified risks are analyzed in order to form a basis for determining how they
should be managed. Risks are associated with objectives that may be affected. Risks are
assessed on both an inherent and residual basis, with the assessment considering both risk
likelihood and impact. Risk assessment needs to be done continuously and throughout an entity.
Risk Response- Personnel identify and evaluate possible responses to risks, which include
avoiding, accepting, reducing, and sharing risks. Management selects a set of actions to align
risks with the entity’s risk tolerances and risk appetite.
Control Activities- Policies and procedures are established and executed to help ensure the risk
responses management selects are effectively carried out.
Information and Communication- Relevant information is identified, captured, and
communicated in a form and timeframe that enable people to carry out their
responsibilities. Information is needed at all levels of an entity for identifying, assessing, and
responding to risk.
Monitoring- The entirety of ERM is monitored, and modifications are made as necessary. In this
way, it can react dynamically, changing as conditions warrant.
6 a.) The assistant finance director for the City of Bindura, was fired after city officials
discovered that she had used her access to city computers to cancel her daughter’s $300 water
bill. An investigation revealed that she had embezzled a large sum of money from Tustin in this
manner over a long period. She was able to conceal the embezzlement for so long because the
amount embezzled always fell within a 2% error factor used by the city’s internal auditors.
i. What weaknesses existed in the audit approach?
ii. How could the audit plan be improved?
iii. What internal control weaknesses were present in the system?
iv. Should Tustin’s internal auditors have discovered this fraud earlier?
[3] [3] [3]
Answer:
i.)
The error factor indicates that the auditors didn’t pursue transactions that fell below that
range, even though multiple transactions of a given type might add up to amounts that
exceeded the threshold. Most fraud occurs in lower dollar value items.
There were inappropriate and inadequate computer access controls in place, which allowed
the fraud to occur.
ii.)
Reconciling collections with billings, and list any discrepancies for further investigation
using Audit software.
iii.)
There should have been documentation to support such transactions. Certainly, an
assistant finance director should not have had the authority to enter credits to customer
accounts; and lastly, the assistant finance director should not have been granted rights to
cancel water or other utility bills.
iv.)
While she was able to embezzle a large sum of money from Tustin, it was over a long
period of time; therefore, the fraud should have been uncovered earlier. One of the keys
to her success was that she did not get greedy and the amounts taken in any one year were
probably immaterial to the city; therefore, these kinds of frauds are very hard to detect.
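As an added example (not part of the original assignment), the following Python script implements the checks the answers to 6a(i)–(iii) call for, in the shape of an audit-software exception report: it reconciles billings with collections plus recorded credits (the input-to-output reconciliation that "auditing around the computer" in 4b(i) relies on), sums each operator's individually sub-threshold credits so that many small cancellations are not ignored simply because each sits inside the error factor, and flags credits that lack an independent second approver. All account ids, user ids and amounts are constructed sample data; the 2% rate is the error factor named in the question.

```python
# Added example, not code from the original assignment. Exception report for
# utility-bill credit adjustments: reconciliation, low-value aggregation and
# segregation-of-duties check. Sample data below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

MATERIALITY_RATE = 0.02  # the 2% error factor used by the city's auditors


@dataclass(frozen=True)
class Credit:
    txn_id: str
    operator: str            # user who entered the credit adjustment
    approver: Optional[str]  # independent second approver; None if nobody signed off
    account: str             # utility account that was credited
    amount: float            # dollars


# Constructed sample period: total billings of 100,000, so materiality is 2,000.
SAMPLE_BILLINGS = {"A-100": 12000.0, "A-200": 9000.0, "A-300": 30000.0, "A-400": 49000.0}

# Constructed collections. A-400 is short by 400 that no recorded credit explains.
SAMPLE_COLLECTIONS = {"A-100": 11400.0, "A-200": 8400.0, "A-300": 29250.0, "A-400": 48000.0}

# Constructed credits: operator "afd" enters eight $300 cancellations with no
# approver, each far below materiality; "clerk1" enters one approved credit.
SAMPLE_CREDITS = [
    Credit("t1", "afd", None, "A-100", 300.0),
    Credit("t2", "afd", None, "A-100", 300.0),
    Credit("t3", "afd", None, "A-200", 300.0),
    Credit("t4", "afd", None, "A-200", 300.0),
    Credit("t5", "afd", None, "A-300", 300.0),
    Credit("t6", "afd", None, "A-300", 300.0),
    Credit("t7", "afd", None, "A-400", 300.0),
    Credit("t8", "afd", None, "A-400", 300.0),
    Credit("t9", "clerk1", "supervisor", "A-300", 150.0),
]


def materiality(billings: dict, rate: float = MATERIALITY_RATE) -> float:
    """Materiality line for the period: a fixed percentage of total billings."""
    return rate * sum(billings.values())


def flag_segregation_violations(credits) -> list:
    """Credits entered without an independent second approver (the 6a(iii) weakness)."""
    return [c.txn_id for c in credits
            if c.approver is None or c.approver == c.operator]


def flag_aggregated_low_value(credits, threshold: float) -> dict:
    """Operators whose individually sub-threshold credits sum past the threshold (6a(i)).
    A single $300 credit sits inside the error factor; eight of them do not."""
    totals = defaultdict(float)
    for c in credits:
        if c.amount < threshold:
            totals[c.operator] += c.amount
    return {op: total for op, total in totals.items() if total >= threshold}


def reconcile(billings: dict, collections: dict, credits) -> dict:
    """Billed minus collected minus recorded credits, per account (6a(ii), 4b(i)).
    Only accounts with a nonzero gap are returned for follow-up."""
    credited = defaultdict(float)
    for c in credits:
        credited[c.account] += c.amount
    gaps = {}
    for acct, billed in billings.items():
        gap = billed - collections.get(acct, 0.0) - credited[acct]
        if abs(gap) > 0.005:
            gaps[acct] = round(gap, 2)
    return gaps


def exception_report(billings, collections, credits) -> dict:
    """Run all three checks together, as an audit-software exception report would."""
    limit = materiality(billings)
    return {
        "materiality": limit,
        "unapproved_credits": flag_segregation_violations(credits),
        "aggregated_low_value": flag_aggregated_low_value(credits, limit),
        "unreconciled_accounts": reconcile(billings, collections, credits),
    }


if __name__ == "__main__":
    report = exception_report(SAMPLE_BILLINGS, SAMPLE_COLLECTIONS, SAMPLE_CREDITS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report lists all eight of "afd"'s credits as unapproved, shows "afd" crossing the 2,000 materiality line with 2,400 of individually small credits, and leaves account A-400 with an unexplained 400 shortfall. The aggregation is the point the answer to 6a(i) makes: a per-transaction threshold alone lets a long series of small credits through, so the detective control has to total them by operator (or by account) over the period.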
b.) Explain the four steps of the risk-based audit approach, and discuss how they apply to the
overall security of a company.
[12]
A risk-based audit approach starts with a risk universe as the basis for the audit plan. In a risk-
based audit approach, the goal for the department is to address management’s highest priority
risks. Many audit departments think they are risk-based, but their audit plan is generally built from
an audit universe consisting of departments or processes. A true risk-based audit approach starts
with an assessment of management’s top risks. All of the audits on the plan are designed to
address those risks and provide insights back to senior management.
The risk-based audit approach provides a framework for conducting information system audits. The
four steps of this approach are explained below.
Firstly, determine the threats facing the organization; this is a list of the accidental or
deliberate abuse and damage to which the information system is exposed. The threats to the
information system include human fraud and errors.
Secondly, identify the control procedures for preventing, detecting and correcting those threats; all
such control procedures are put in place by management. The auditors ought to review
and test them to confirm that the threats are minimized.
Thirdly, evaluate the control procedures; this is done in two ways. A systems review determines
whether all the control procedures are actually in place, and tests of controls evaluate whether the
existing controls are working as intended.
Lastly, evaluate the effect of control weaknesses on the nature, timing and extent of the audit; if
the auditor concludes that control risk is high because the control system is inadequate, the
auditor may need to obtain more evidence, better evidence or more timely evidence.
9a)(i) The recommendation that your department be responsible for the pre-audit of
supplier's invoices.
[4]
Answer
Internal auditing should not assume responsibility for pre-audit of disbursements. Objectivity is
essential to the audit function, and internal auditors should be independent of the activities they
must review. They should not prepare records or engage in any activity that could compromise
their objectivity and independence. Moreover, because internal auditing is a staff function,
involvement in such a line function would be inconsistent with the proper role of an internal
auditor.
ii. The request that you make suggestions during system development. [4]
Answer
It would be advantageous for internal auditing to make specific suggestions during the design
phase concerning controls and audit trails to be built into a system. Internal auditing should
build an appropriate interface with the Data Processing Department to help achieve this goal.
Neither objectivity nor independence is compromised if the auditor makes recommendations for
controls in the system under review. For example, internal auditing may provide a list of control
requirements and review testing plans and design progress. Internal auditing must refrain, however,
from actual participation in system design.
iii. The request that you assist in the installation of the system and approve the system after
making a final review
[4]
Answer
The auditor must remain independent of any system they will subsequently audit. Therefore, the
auditor must refrain from giving overall approval of the system in final review. The auditor may
help in the installation or conversion of the system by continuing to offer suggestions for
controls, particularly during the implementation period. In this situation, the auditor may review
for missing segments, results of testing, and adequacy of documentation of program and
procedures in order to determine readiness of the system for installation or conversion. After
installation or conversion, the auditor may participate in a post-installation audit, either alone or
as part of a team.
b) Preventive controls
Occur before the fact but can never be 100 percent effective and therefore cannot be wholly
relied upon. These could include controls such as restrictions on users, requirements for
passwords, and separate authorization of transactions.
Detective controls
Detect irregularities after occurrence and may be cheaper than checking every transaction with a
preventive control. Such controls could include effective use of audit trails and the use of
exception reports.
Corrective controls
Ensure the correction of problems identified by detective controls and normally require human
intervention within the IT function. Controls in this area may include such processes as Disaster
Recovery Plans and transaction reversal capabilities. Corrective controls are themselves highly
error-prone because they occur in unusual circumstances and typically require a human decision to
be made, and an action decided upon and implemented. At each stage in the process a subsequent
error will have a multiplier effect and may compound the original mistake.
c) (i) Confidentiality- concerns the protection of sensitive information from unauthorized
disclosure.
(ii) Integrity- relates to the accuracy and completeness of information as well as to its validity in
accordance with business values and expectations.
(iii) Availability- relates to information being available when required by the business process
now and in the future. It also concerns the safeguarding of necessary resources and associated
capabilities.
(iv) Reliability- relates to the provision of appropriate information for management to operate the
entity and for management to exercise its financial and compliance reporting responsibilities.
(v) Compliance with legal and regulatory requirements- deals with complying with those laws,
regulations and contractual arrangements to which the business process is subject, i.e., externally
imposed business criteria.
11a) Information systems (IS) auditing examines processes, IT assets, and controls at multiple
levels within an organization to determine the extent to which the organization adheres to
applicable standards or requirements. Virtually all organizations use IT to support their
operations and the achievement of their mission and business objectives.
b)(i) Objectivity- The principle of objectivity imposes an obligation on all professional
accountants not to compromise their professional or business judgment because of bias, conflict
of interest or the undue influence of others.
(ii) Due diligence- is the investigation, audit, or review performed to confirm the facts of a
matter under consideration. In the financial world, due diligence requires an examination of financial
records before entering into a proposed transaction with another party.
(iii) Professional care- is the application of the care and skill expected of a reasonably prudent
and competent auditor in similar circumstances. Due professional care is exercised when audits
are carried out in accordance with the standards set for the profession.
c) The framework for the ISACA IS Auditing Standards provides for multiple levels, as follows:
Standards define mandatory requirements for IS auditing and reporting. They inform:
– IS auditors of the minimum level of acceptable performance required to meet the professional
responsibilities set out in the ISACA Code of Professional Ethics for IS auditors.
– Management and other interested parties of the profession’s expectations concerning the work
of practitioners.
– Holders of the Certified Information Systems Auditor (CISA) designation of requirements.
Failure to comply with these standards may result in an investigation into the CISA holder's
conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in
disciplinary action.
Guidelines provide guidance in applying the IS Auditing Standards. The IS auditor should consider
them in determining how to achieve implementation of the standards, use professional judgment
in their application and be prepared to justify any departure. The objective of the IS Auditing
Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit
engagement. The procedure documents provide information on how to meet the standards when
performing IS auditing work, but do not set requirements. The objective of the IS Auditing
Procedures is to provide further information on how to comply with the IS Auditing Standards.
d) Describe the key benefits of IT Governance in IS Audit.
[10]
The key benefits of IT governance in IS audit include enhancing the relationship between the
organization and Information Technology. IT governance structures and processes provide
mechanisms to link the use of IT to the overall strategies and goals of the organization. The
relationship between the organization and IT helps ensure that limited resources are focused on doing
the right things at the right time. Communication between IT and the organization should be free-
flowing and informative, providing insight into what IT is delivering to assist in the achievement
of organizational goals, and the status of those efforts.
IT governance improves the adaptability of IT to changes in the organization and the IT
environment. IT governance provides a foundation for IT to better manage its responsibilities
and support of the organization through defined processes and responsibilities of IT personnel.
By having such formality in place, IT has the ability to better identify potential anomalies on a
daily and trending basis, leading to root cause identification.
IT governance supports enterprise risk management of the organization and Information Technology.
IT governance helps ensure close linkage to an organization’s risk management activities, including
enterprise risk management (ERM). IT governance should be an integral part of overall corporate
risk management efforts so that appropriate techniques are incorporated into IT activities, including
communication of status to key stakeholders.