
B202176B ISA individual Assignment BAKO ALEXANDER ANESU

BINDURA UNIVERSITY OF SCIENCE EDUCATION
FACULTY OF SCIENCE AND ENGINEERING
DEPARTMENT OF COMPUTER SCIENCE
STUDENT NAME: BAKO ALEXANDER ANESU
REGISTRATION NUMBER: B202176B
PROGRAMME: SOFTWARE ENGINEERING
COURSE CODE: SWE213
LECTURER: Mr. MUSARIWA
LEVEL: 2.2
ASSIGNMENT: 2
Question 3
a) "Audit planning" means developing a general strategy and a detailed approach for the
expected nature, timing and extent of the audit. The auditor plans to perform the audit in an
efficient and timely manner; in simple words, it is developing an overall strategy for the
effective conduct and scope of the examination. In establishing the overall audit strategy, the
auditor should identify the characteristics of the engagement that define its scope and
ascertain the reporting objectives of the engagement in order to plan the timing of the audit
and the nature of the communications required. The audit planning process has the following
vital activities, carried out in order to plan a successful audit.
Firstly, it is essential to understand the business process or function to be audited. If not
familiar with it, thoroughly research the process or function to fully understand the subject
matter. Review internal procedures, search the internet for resources, and seek help from
subject matter experts. This means that if an auditor is contracted to audit the financial
accounts of an organization, then that person should have some expertise in accounts in
order to undertake the audit; if not, the auditor is expected to do some research about the
audit area. This initiative is supported by the ISACA standards, which encourage
professionals to take responsibility only for work that they have the skills for. With the same
motive, the contracted auditor can even hire a specialist in accounts auditing to help where
special skills are required to come up with truly informative audit reports and
recommendations.
Establishing channels of communication with the auditee and maintaining open
communication throughout the planning process is another important activity. The sooner
the audit team reaches out to the auditee, the better. There is a certain amount of
trepidation involved in any audit. Working with an auditee prior to the audit helps ease
concerns the auditee may have. Communicating in person is always preferable. If this is not
possible, telephone calls are the next best thing. Avoid communicating by email if possible.
This will help the auditor to remain in line with what the client really wants, and the auditor
can also communicate his/her views from a professional point of view based on the audit
work.
The auditor also conducts a walkthrough: armed with a working understanding of the
process or function, conduct a face-to-face walkthrough with the auditee. Identify key
business objectives, the methods employed to meet those objectives, and applicable rules or
regulations. A walkthrough may include a tour of facilities. You may gather background
information relative to the nature, purpose, volume, size, or complexity of automated
systems, processes, or organizational structure. You might scan documents or records for
general condition. All these activities provide opportunities to interface with the auditee
and build rapport before the formal entrance conference.
Crucially, mapping risks to the organization, process, or function is also important. The
auditor asks the auditee what his concerns are and, through research and interviews within
the audit work, identifies risks to meeting business objectives and the controls employed to
mitigate those risks. Rate risks with the auditee based on probability of occurrence and
potential impact. Consider control design, gaps, or mitigating factors to determine whether
the control system effectively mitigates the risks.
Finally, obtaining data prior to fieldwork has become a principal focus recently. It places
emphasis on the initial requests for information. Data analytics is performed before
fieldwork begins. Identifying anomalies to confirm a condition or weakness early helps us
target testing and optimize sample selections.
Conclusively, audit planning is the audit phase in which we can best influence audit results.
It is a key but too easily overlooked component of the audit process. It is something that
needs to be emphasized and institutionalized into a habit. This habit ultimately leads to audit
success.
b) Economy - obtaining the appropriate quantity and quality of resources at the lowest cost
possible; optimizing the resources (inputs) which an organization has.
Efficiency - maximizing the output generated from units of resource used; optimizing the
process by which inputs are turned into outputs. This can often be measured in terms of the
cost of providing a service per unit of resource used, per unit of output, or per beneficiary
served (in the context of a service).
Effectiveness - the relationship between the organization’s intended and actual results
(outputs); the extent to which it achieves its objectives.
c) An audit aims to establish whether information systems are safeguarding corporate assets,
maintaining the integrity of stored and communicated data, supporting corporate objectives
effectively, and operating efficiently. The complexity and number of parts that make up
today's information systems combine to generate a business solution. Only once each
component of an information system has been analyzed and safeguarded can assurances be
obtained about it. The strength of the chain as a whole depends on the proverbial weakest
link. The main components of an IS audit can be grouped generally into:
- Physical and environmental review—This includes physical security, power supply,
air conditioning, humidity control, and other environmental factors.
- System administration review—This includes a security review of the operating
systems, database management systems, all system administration procedures, and
compliance.
- Application software review—The business application could be payroll, invoicing, a
web-based customer order processing system, or an enterprise resource planning
system that actually runs the business. Review of such application software includes
access control and authorizations, validations, error and exception handling, business
process flows within the application software, and complementary manual controls
and procedures. Additionally, a review of the system development lifecycle should be
completed.
- Network security review—Review of internal and external connections to the system,
perimeter security, firewall review, router access control lists, port scanning, and
intrusion detection are some typical areas of coverage.
- Business continuity review—This includes the existence and maintenance of
fault-tolerant and redundant hardware, backup procedures and storage, and a
documented and tested disaster recovery/business continuity plan.
- Data integrity review—The purpose of this is the scrutiny of live data to verify the
adequacy of controls and the impact of weaknesses, as noticed from any of the above
reviews. Such substantive testing can be done using generalized audit software (e.g.,
computer-assisted audit techniques).
All these elements need to be addressed to present to management a clear assessment of the
system. For example, application software may be well designed and implemented with all the
security features, but the default super-user password in the operating system used on the server
may not have been changed, thereby allowing someone to access the data files directly. Such a
situation negates whatever security is built into the application. Likewise, firewalls and technical
system security may have been implemented very well, but the role definitions and access
controls within the application software may have been so poorly designed and implemented that
by using their user IDs, employees may get to see critical and sensitive information far beyond
their roles.
d) Obtaining an understanding of the entity and its environment is an essential aspect of
performing an audit in accordance with ISAs. In particular, that understanding establishes a
frame of reference within which the auditor plans the audit and exercises professional
judgment about assessing risks of material misstatement of the financial statements and
responding to those risks throughout the audit.
An understanding of the entity and its environment, including its internal control, is a
continuous, dynamic process of gathering, updating and analyzing information throughout
the audit. As described in ISA 500, audit procedures to obtain an understanding are referred
to as “risk assessment procedures” because some of the information obtained by performing
such procedures may be used by the auditor as audit evidence to support assessments of the
risks of material misstatement. In addition, in performing risk assessment procedures, the
auditor may obtain audit evidence about classes of transactions, account balances, or
disclosures and related assertions and about the operating effectiveness of controls, even
though such audit procedures were not specifically planned as substantive procedures or as
tests of controls. The auditor also may choose to perform substantive procedures or tests of
controls concurrently with risk assessment procedures because it is efficient to do so.
The auditor should perform the following risk assessment procedures to obtain an
understanding of the entity and its environment, including its internal control: inquiries of
management and others within the entity, analytical procedures, and observation and
inspection. The auditor is not required to perform all the risk assessment procedures
described above for each aspect of the understanding. However, all the risk assessment
procedures are performed by the auditor in the course of obtaining the required
understanding.
In addition, reviewing information obtained from external sources such as reports by
analysts, banks, or rating agencies, trade and economic journals or regulatory or financial
publications may also be useful in obtaining information about the entity.
When the auditor intends to use information about the entity and its environment obtained in
prior periods, the auditor should determine whether changes have occurred that may affect
the relevance of such information in the current audit. For continuing engagements, the
auditor’s previous experience with the entity contributes to the understanding of the entity.
For example, audit procedures performed in previous audits ordinarily provide audit evidence
about the entity’s organizational structure, business and controls, as well as information
about past misstatements and whether or not they were corrected on a timely basis, which
assists the auditor in assessing risks of material misstatement in the current audit. However,
such information may have been rendered irrelevant by changes in the entity or its
environment. The auditor makes inquiries and performs other appropriate audit procedures,
such as walk-throughs of systems, to determine whether changes have occurred that may
affect the relevance of such information.
Question 4a
Advantages of outsourcing the audit function
- It can provide greater value for money, depending upon the situation or circumstances
in the business organization.
- Proper and advanced technology will be used by the internal auditing outsourcer that the
internal audit section of the business firm may lack. They are provided with all the latest
innovations in auditing techniques and are also given the opportunity of benchmarking by
the outsourcer.
- It is more cost- and time-effective, freeing up internal resources. Outsourced internal
audits often take much less time to perform, with greater effectiveness and efficiency.
- The organization benefits from access to experts and specialists who can also help in
providing key insight for achieving the goals of the business.
Drawbacks of outsourcing the auditing function
- The people of the business organization can be somewhat non-cooperative and
non-receptive to an external outsourcer or internal auditing service provider.
- The outsourcer will be at a disadvantage due to a lack of internal knowledge about the
organization's culture and working environment. It will take some time to get used to the
whole processes and the system of the entity.
- If internal auditing is outsourced, then there is a chance that the opportunities for internal
promotions may be reduced or disappear significantly with time, as internal audit is often
used as a training ground.
- A risk of confusion will always prevail over accountability and responsibility.
Question 4b
i)
Auditing around the computer is one of the methods of evaluating a client's computer
controls. It picks source documents randomly and verifies the outputs against the inputs.
This method can only exist when controls over the computer system are non-existent. In
other words, the audit team does not inspect IT system controls. Instead, they obtain
source documentation from the system, that is, system reports, and compare that
information to the financial statements. Unless the audit team has specific IT knowledge,
this is the route most audit teams take, as it is less complex. It is more often known as
the black box audit approach. Most often this approach is used either because the
processing done by the computer is too simple (e.g. casting, sorting) or because the
auditor is already aware of the software's reliability. An example of such an audit is an
audit of the financial statements of a company, in which the auditor conducts audits to
assess that the data in the financial statements are relevant, accurate, complete and fairly
presented. The auditor issues the results accordingly, and it is even better if the opinion
comes from an independent source.
ii)
Auditing through the computer focuses on the computer and its programs directly in the
audit, for example by submitting data for processing and analyzing the results to determine
the processing reliability and accuracy of the computer program; it also covers on-line
data entry, systems designed with the elimination or reduction of printouts, and real-time
updating. It is mostly used when there are no source documents or program reports
present to be evaluated. From the example above, the auditor will not only check the
accuracy of the figures but will probably also check the accounting software of the
organization to be certain of its reliability. These techniques focus on testing automated
processing steps, programming logic, edit routines and programmed controls. The approach
assumes that, if the processing programs are soundly developed and incorporate adequate
edit routines and programmed checks, then errors and irregularities are not likely to slip
by undetected. If these programs are functioning as designed, the outputs can reasonably
be accepted as reliable. The auditing through the computer approach is particularly
appropriate for testing controls in the complex IT systems emphasized in SAS No. 94.
This approach embraces a family of techniques including test data, parallel simulation,
integrated test facility and embedded audit module. In a survey conducted by the authors,
only 26 of 91 responding Fortune 500 firms, or 28.6 percent, indicated that auditing
through the computer techniques were used in an audit of the purchase function, usually
a highly automated and complex IT application.
iii)
The auditing with the computer approach embraces a variety of techniques and often is
referred to as computer-assisted audit techniques (CAATs). CAATs involve using
computers, often a microcomputer, to aid auditors. Although the utilization of CAATs
has radically improved the capabilities and effectiveness of auditors, they are primarily
used to perform substantive tests. One widely used CAAT, known as general audit
software (GAS), is frequently employed to perform substantive tests and may be used for
limited testing of controls. For example, GAS can be used to test the functioning of
complex algorithms in computer programs, but it requires extensive experience in using
the software. In contrast, the auditing through the computer techniques are designed
specifically to test automated controls, and some techniques do not require extensive IT
experience.
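The data integrity review in Question 3(c) (substantive testing of live data with generalized audit software) and the auditing-through-the-computer techniques in Question 4(b) both come down to the same mechanics: either recompute what the client's system should have produced and compare it with what was recorded (parallel simulation), or push deliberately invalid records through the system's edit routines and check that each is rejected (test data). The Python below is an added worked example of both, not part of the assignment and not any real audit package; the invoice file, the 15% VAT rate, the customer codes and the client's edit routine are all constructed stand-ins.

```python
"""
Added example (not from the assignment): two 'auditing through the computer'
techniques applied to a constructed sales-invoice file.
  1. Parallel simulation: the auditor independently recomputes each invoice
     total and compares it with the total the client's system recorded.
  2. Test data: the auditor feeds a deck of deliberately invalid records
     through the client's edit routines and checks that each one is rejected.
The invoice file, VAT rate, customer codes and the client's edit routine are
all stand-ins written for this example.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

VAT_RATE = Decimal("0.15")                  # constructed rate
KNOWN_CUSTOMERS = {"C001", "C002", "C003"}  # constructed customer master file


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    customer: str
    quantity: int
    unit_price: Decimal
    system_total: Decimal  # total as recorded by the client's system


# Constructed invoice file. INV-1003's recorded total does not reconcile to
# quantity * unit_price * (1 + VAT); the other three do.
INVOICE_FILE = [
    Invoice("INV-1001", "C001", 10, Decimal("25.00"), Decimal("287.50")),
    Invoice("INV-1002", "C002", 3, Decimal("199.99"), Decimal("689.97")),
    Invoice("INV-1003", "C003", 7, Decimal("40.00"), Decimal("300.00")),
    Invoice("INV-1004", "C001", 1, Decimal("1500.00"), Decimal("1725.00")),
]


def expected_total(inv):
    """Auditor's independent recomputation of one VAT-inclusive invoice total."""
    gross = inv.quantity * inv.unit_price * (1 + VAT_RATE)
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(invoices):
    """Compare recorded totals with recomputed ones.

    Returns a list of (invoice_no, system_total, expected_total) for every
    invoice whose recorded total differs from the auditor's recomputation.
    """
    exceptions = []
    for inv in invoices:
        expected = expected_total(inv)
        if expected != inv.system_total:
            exceptions.append((inv.invoice_no, inv.system_total, expected))
    return exceptions


def client_edit_routine(record):
    """Stand-in for the client's programmed input checks (constructed).

    Returns a list of error messages; an empty list means the record is
    accepted. Deliberately, nothing here checks for duplicate invoice numbers.
    """
    errors = []
    if not str(record.get("invoice_no", "")).startswith("INV-"):
        errors.append("bad invoice number format")
    qty = record.get("quantity")
    if not isinstance(qty, int) or qty <= 0:
        errors.append("quantity must be a positive integer")
    if record.get("unit_price", Decimal("0")) <= 0:
        errors.append("unit price must be positive")
    if record.get("customer") not in KNOWN_CUSTOMERS:
        errors.append("unknown customer code")
    return errors


# Auditor's test deck: (case name, record, should the system accept it?).
# Each invalid record targets one programmed control the auditor expects to exist.
TEST_DECK = [
    ("valid record",
     {"invoice_no": "INV-9001", "customer": "C001", "quantity": 2, "unit_price": Decimal("10.00")}, True),
    ("negative quantity",
     {"invoice_no": "INV-9002", "customer": "C001", "quantity": -5, "unit_price": Decimal("10.00")}, False),
    ("zero unit price",
     {"invoice_no": "INV-9003", "customer": "C002", "quantity": 1, "unit_price": Decimal("0.00")}, False),
    ("unknown customer",
     {"invoice_no": "INV-9004", "customer": "C999", "quantity": 1, "unit_price": Decimal("10.00")}, False),
    ("duplicate invoice number",  # reuses INV-1001, which is already in the file
     {"invoice_no": "INV-1001", "customer": "C002", "quantity": 1, "unit_price": Decimal("5.00")}, False),
]


def run_test_deck(deck, edit_routine):
    """Return the names of test cases where the system's accept/reject decision
    differs from what the auditor expected: each one is a programmed control
    that did not behave as designed, or does not exist at all."""
    failures = []
    for name, record, should_accept in deck:
        accepted = not edit_routine(record)
        if accepted != should_accept:
            failures.append(name)
    return failures


if __name__ == "__main__":
    for inv_no, recorded, recomputed in parallel_simulation(INVOICE_FILE):
        print(f"exception: {inv_no} recorded {recorded}, recomputed {recomputed}")
    for case in run_test_deck(TEST_DECK, client_edit_routine):
        print(f"edit routine gap: '{case}' was not handled as expected")
```

Run as written, the parallel simulation flags INV-1003 (recorded 300.00 against a recomputed 322.00), and the test deck shows that a duplicate invoice number sails through the client's edit checks, which is the kind of missing programmed control the test-data technique is meant to surface. In a real engagement the auditor would also confirm that the program being exercised is the one actually running in production, since a test deck proves nothing about a copy that differs from it.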
Question 4c
Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for their
stakeholders by maintaining a balance between the realization of benefits and the
optimization of risk and use of resources. COBIT 5 provides all of the required processes
and other enablers to support business value creation through the use of IT. Because every
enterprise has different objectives, an enterprise can customize COBIT 5 to suit its own
context through the goals cascade, translating high-level enterprise goals into manageable,
specific, IT-related goals and mapping these to specific processes and practices.
Principle 2: Covering the Enterprise End-to-end—COBIT 5 integrates governance of
enterprise IT into enterprise governance. It covers all functions and processes within the
enterprise. It does not focus only on the IT function, but treats information and related
technologies as assets that need to be dealt with just like any other asset by everyone in the
enterprise. It considers all IT-related governance and management enablers to be
enterprise-wide and end-to-end, thus inclusive of everything and everyone, internal and
external, that is relevant to governance and management of enterprise information and
related IT.
Principle 3: Applying a Single, Integrated Framework—There are many IT-related
standards and good practices, each providing guidance on a subset of IT activities. COBIT 5
aligns with other relevant standards and frameworks at a high level, and thus can serve as
the overarching framework for governance and management of enterprise IT.
Principle 4: Enabling a Holistic Approach—Efficient and effective governance and
management of enterprise IT require a holistic approach, taking into account several
interacting components. COBIT 5 defines a set of enablers to support the implementation of
a comprehensive governance and management system for enterprise IT. Enablers are
broadly defined as anything that can help to achieve the objectives of the enterprise. The
COBIT 5 framework defines some categories of enablers, which are: principles, policies and
frameworks; processes; organizational structures; culture, ethics and behavior; information;
services, infrastructure and applications; and skills and competencies.
Principle 5: Separating Governance from Management—The COBIT 5 framework makes a
clear distinction between governance and management. These two disciplines encompass
different types of activities, require different organizational structures and serve different
purposes. In COBIT 5's view of this key distinction, governance ensures that stakeholder
needs, conditions and options are evaluated to determine balanced, agreed-on enterprise
objectives to be achieved; sets direction through prioritization and decision making; and
monitors performance and compliance against agreed-on direction and objectives.
Together, these five principles enable the enterprise to build an effective governance and
management framework that optimizes information and technology investment and use for
the benefit of stakeholders.
Question 4d
i)
Data
- Data auditing is the assessment of data for quality throughout its lifecycle to ensure its
accuracy and efficacy for specific usage.
- Data performance is measured and issues are identified for remediation.
- Data auditing results in better data quality, which enables enhanced analytics to improve
operations.
ii)
Application systems
- An application system means a collection of hardware and software products designed to
meet all of the requirements of a certain market for a specific type of exchange.
- An application system is designed to ensure that an application's transactions and the data
it outputs are secure, accurate and valid.
iii)
Technology
- One of the biggest benefits of using technology and data analytics in the audit is the
elimination of the constraints that sampling places on an engagement.
- Data analytics gives practitioners the ability to analyze an entire population of data for
anomalies, trends, and areas of risk.
- Key technologies such as advanced analytics, adaptable artificial intelligence and
virtualization all help auditors boost productivity and efficiency and deliver a better audit.
iv)
Facilities
- A facility audit (or inventory) is a comprehensive review of a facility's assets.
- Facility audits are a standard method for establishing baseline information about the
components, policies, and procedures of a new or existing facility.
- The purpose of routine facility audits is to perform a comprehensive review of all assets
in a facility.
- They aim to provide you with information about all the policies, procedures, and
components of a facility, regardless of whether it is new or has been in operation for a
while. Facility audits take time and effort.
v)
People
- They are responsible for performing audits of the information technology governance
structure, general and data application controls, data.
- These people include system analysts, programmers, data entry operators, data providers,
users, vendors of hardware, software and services, computer security specialists and PC
users.
Question 4e
Control Environment
How has management put into place policies and procedures that guide the organization?
What kind of tone has management set in the organization so that everyone knows that they
are supposed to make sure that your controls are operating effectively and are achieving the
results that they expect?
Risk Assessment
How does your organization assess risk in order to identify the things that threaten the
achievement of their objectives?
Information and Communication
How does management communicate to their internal and external users what is expected of
them? How do you make sure that you receive acknowledgement from those people that they
understand what you’re asking them to do?
Monitoring Activities
How does management oversee the functioning of the entire organization? How do you
identify when things aren’t working correctly and correct those deficiencies as quickly as you
possibly can?
Existing Control Activities
What are the controls that you currently have in place? Were they in place and operating
effectively over a period of time?
Question 9a.
i) The recommendation that your department be responsible for the pre-audit of supplier's
invoices.
Accept
- This is because the department team is responsible for evaluating operational procedures.
- This is because the department team is responsible for risk management.
- This is because the department team is responsible for control functions.
ii) The request that you make suggestions during system development.
Accept
- It helps to know the increase or decrease in the accounts payable system.
- It helps provide a data-accurate system.
- It helps to adapt to economic changes.
iii) The request that you assist in the installation of the system and approve the system after
making a final review.
Accept
- It helps to know what you want to achieve.
- You can ensure that quality is maintained.
- The product of release can be finalized as per the client's requirements.
b. Explain preventive, detective and corrective controls.
Preventive controls
- They are proactive in that they attempt to prevent undesirable events from occurring.
- Preventive controls are designed to keep errors and irregularities from occurring in the
first place.
- Examples of preventive controls include policies, standards, processes, procedures,
encryption, firewalls, and physical barriers.
Detective controls
- They are designed to detect errors or irregularities that may have occurred.
- Detective controls provide evidence that an error or irregularity has occurred.
- These controls may also be referred to as mitigating controls. They help to reduce the risk
associated with a failure to implement preventive controls.
- Some examples of detective controls are internal audits, reconciliations, financial
reporting, financial statements, and physical inventories.
Corrective controls
- They are put in place when errors or irregularities have been detected.
- Examples of common corrective controls include disciplinary actions, blocking
access or transactions when fraud is detected, fire-activated sprinkler systems, and
software patches.
- Corrective controls are designed to correct errors or irregularities that have been
detected.
c)
i) Confidentiality
- Confidential information means any information that the auditor receives in the
course of conducting the audit, and which pertains explicitly to the business of the
client, as well as any other information that can reasonably be deemed confidential
information from the client's position.
- The Confidentiality Principle states that internal auditors respect the value and
ownership of information they receive and do not disclose information without
appropriate authority unless there is a legal or professional obligation to do so.
ii) Integrity
- It is the quality of being honest and having strong moral principles.
- The integrity of internal auditors establishes trust and thus provides the basis for
reliance on their judgment.
- Integrity is the core value of a Code of Ethics.
- Auditors have a duty to adhere to high standards of behavior, e.g. honesty, in the
course of their work and in their relationships, whether personal or with the staff
of audited entities.
iii) Availability
- It is the quality of being able to be used.
- The availability principle refers to the accessibility of the system, products or services
as stipulated by a contract or service level agreement (SLA). As such, the minimum
acceptable performance level for system availability is set by both parties.
iv) Reliability
- Reliability is defined as the probability that a product, system, or service will perform
its intended function adequately for a specified period of time, or will operate in a
defined environment without failure.
- The reliability of evidence depends on the nature and source of the evidence and the
circumstances under which it is obtained.
- For example, evidence obtained from a knowledgeable source that is independent of
the company is more reliable than evidence obtained only from internal company
sources.
v) Compliance with legal and regulatory requirements
- Regulatory compliance is an organization's adherence to laws, regulations, guidelines
and specifications relevant to its business processes.
- Regulatory compliance is when a business follows state, federal, and international
laws and regulations relevant to its operations.
- The specific requirements can vary, depending largely on the industry and type of
business.
Question 10a.
Specific audit procedures that can be recommended include:
1. Testing the effectiveness of specific internal controls by analyzing transactions and testing
reconciliations. This helps to see whether the controls are properly detecting or preventing
material errors.
2. Reviewing policies and procedures to ensure they are properly documented and followed.
Strong internal controls are critical in safeguarding the organization's assets. This also
minimizes fraud. It improves the effectiveness and efficiency of the business processes.
3. Analyzing financial statements to identify any anomalies or errors. This enhances the
reliability of financial reports. It also ensures that financial statements are free from major
misstatements.
4. Conducting interviews with key personnel to assess their understanding of internal
controls and their level of compliance. This helps in the accuracy of information. It also aids
in additional analysis of information.
5. Performing a physical inventory count to ensure that physical inventory quantities match
the recorded amounts. This enables an organization to know that it has sufficient resources.
b. Differentiate Business Continuity Planning from Disaster Recovery Planning.
Business Continuity Planning focuses on maintaining essential business operations during
and after a disruptive event, while Disaster Recovery Planning focuses on restoring key IT
systems and infrastructure after a disruptive event. Business Continuity Planning is a broader
approach that includes Disaster Recovery Planning as one of the strategies to ensure
continuity of operations. Business continuity focuses on keeping business operational during
a disaster. Disaster recovery focuses on restoring data access and infrastructure after a
disaster.