Audit Answer

The document outlines key concepts in information systems auditing, including the auditing process, internal controls, and the importance of compliance and risk management. It details ISACA's auditing standards framework, types of audits, and the roles of various IT resources in governance. Additionally, it discusses the characteristics of audits, active threats to systems, and factors influencing audit planning.

Uploaded by kuriaaustine125

QUESTION ONE [30 MARKS]

a) Information Systems Auditing [2 Marks]
Information systems auditing is the process
of evaluating an organization’s IT systems,
processes, and controls to ensure they are
secure, reliable, and compliant with
standards and regulations. It assesses
risks, data integrity, and operational
efficiency.
b) ISACA IS Auditing Standards
Framework [6 Marks]
The ISACA framework includes three levels:
Standards, Guidelines, and Procedures.
i. Standards
Standards are mandatory requirements
defining the principles and expectations for
IS auditing to ensure consistency and
quality.
Example: Auditors must assess IT controls
to mitigate risks, as per ISACA’s standard on
control evaluation.
ii. Guidelines
Guidelines provide detailed, non-
mandatory advice to support standards,
offering best practices for specific audit
areas.
Example: Guidelines on auditing cloud
environments suggest reviewing service-
level agreements for compliance.
iii. Procedures
Procedures are practical, non-mandatory
steps or techniques to implement
standards and guidelines, tailored to
specific audits.
Example: A procedure for auditing access
controls might involve reviewing user logs
for unauthorized attempts.
c) Internal Controls [2 Marks]
Internal controls are processes, policies,
and mechanisms implemented by an
organization to ensure operational
efficiency, financial accuracy, compliance,
and risk mitigation within its IT and
business systems.
d) Two Components of Internal Control
Systems [4 Marks]
i. Control Activities
Control activities are specific actions, such
as approvals, reconciliations, and
segregation of duties, designed to mitigate
risks. For example, requiring dual
authorization for financial transactions
reduces fraud risk by ensuring no single
individual has unchecked power.
ii. Risk Assessment
Risk assessment involves identifying,
analyzing, and prioritizing risks to IT and
business processes. For instance, regularly
evaluating vulnerabilities in a network helps
allocate resources to patch critical
systems, reducing the likelihood of
cyberattacks.
e) Identity Theft and Fraud in Information
Systems [2 Marks]
Identity theft involves stealing personal
information, such as login credentials or
financial details, to impersonate victims. In
information systems, fraudsters use stolen
identities to access accounts, transfer
funds, or manipulate data. For example,
phishing emails trick users into revealing
passwords, enabling unauthorized
transactions.
f) Code of Professional Ethics [6 Marks]
i. Objectivity
Objectivity means maintaining impartiality
and avoiding bias or conflicts of interest
during audits. Auditors must base findings
on evidence, not personal relationships. For
example, an auditor should not favor a
client’s preferred outcome when evaluating
control weaknesses.
ii. Due Diligence
Due diligence refers to performing audits
thoroughly and competently, ensuring all
relevant risks and controls are assessed.
For instance, an auditor verifies compliance
by cross-checking multiple data sources to
confirm system security.
iii. Professional Care
Professional care involves applying
expertise, skepticism, and adherence to
standards to deliver high-quality audits. For
example, an auditor stays updated on
cybersecurity trends to identify emerging
threats during system reviews.
g) Overview of the Audit Process [5 Marks]
The audit process follows these steps in
order:
1. Planning: Define objectives, scope,
and resources. For example, identify
critical systems to audit and gather
relevant policies.
2. Risk Assessment: Evaluate risks to
prioritize audit focus. For instance,
assess vulnerabilities in financial
systems.
3. Fieldwork: Collect evidence through
interviews, tests, and observations. For
example, test access controls for
compliance.
4. Analysis and Evaluation: Analyze
findings against standards to identify
gaps. For instance, compare encryption
practices to best practices.
5. Reporting and Follow-Up: Document
findings, recommend fixes, and verify
remediation. For example, report weak
passwords and confirm their correction.
h) Terms in System Auditing Environment
[3 Marks]
i. Confidentiality [1 Mark]
Confidentiality ensures data is accessible
only to authorized users, protecting
sensitive information from leaks. For
example, encryption safeguards customer
records.
ii. Integrity [1 Mark]
Integrity ensures data remains accurate,
complete, and unaltered. For instance,
checksums verify that files haven’t been
tampered with.
iii. Availability [1 Mark]
Availability ensures systems and data are
accessible to authorized users when
needed. For example, redundant servers
prevent downtime during failures.
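The integrity example above (checksums showing that files have not been tampered with) is easy to turn into a working control. The following is an added example, not part of the original answer sheet: it builds a SHA-256 baseline manifest of a directory and later re-verifies it, reporting files that were modified, deleted, or added. The directory contents and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Baseline: relative path -> SHA-256 digest for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, baseline):
    """Compare the current state of root against a stored baseline manifest.

    A file with a changed digest is 'modified'; a baseline entry that no longer
    exists is 'missing'; a file absent from the baseline is 'unexpected'.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario (hypothetical files): baseline, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.ini").write_text("debug=false\n")
        (root / "records.csv").write_text("id,amount\n1,100\n")
        baseline = build_manifest(root)

        # Simulated tampering after the baseline was taken.
        (root / "records.csv").write_text("id,amount\n1,900\n")  # altered record
        (root / "config.ini").unlink()                            # deleted file
        (root / "rogue.sh").write_text("echo hi\n")               # unexpected file

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline manifest must itself be stored where the audited system cannot alter it (for example, signed and kept by the auditor), otherwise an attacker who modifies a file can simply update the stored digest as well.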
a) Types of Audit in Information Systems
Auditing
i. Technological Position Audit [3 Marks]
A technological position audit assesses an
organization’s IT infrastructure, including
hardware, software, and network systems,
to evaluate their alignment with business
objectives and industry standards. It
examines the current state of technology,
identifying strengths, weaknesses, and
potential risks such as obsolescence or
security vulnerabilities. For example, it may
review whether a company’s servers
support modern cybersecurity protocols or
if legacy systems hinder scalability.
ii. Application and Systems Audit [3
Marks]
This audit focuses on evaluating the
integrity, functionality, and security of
specific software applications and their
underlying systems. It ensures that
applications meet user requirements,
comply with regulations, and operate
reliably. Auditors check aspects like data
processing accuracy, access controls, and
error handling. For instance, auditing a
financial application would involve verifying
transaction accuracy and ensuring
compliance with standards like PCI-DSS.
iii. Systems Development Audit [3 Marks]
A systems development audit reviews the
processes involved in designing,
developing, and implementing IT systems
to ensure they meet quality, security, and
performance standards. It assesses project
management, requirement analysis, coding
practices, and testing phases. For example,
auditors might evaluate whether a new ERP
system’s development follows a structured
methodology like SDLC, ensuring no critical
vulnerabilities are introduced before
deployment.
b) Hot Site in Contingency Recovery
Planning [1 Mark]
A hot site is a fully operational backup
facility equipped with mirrored IT systems,
data, and infrastructure, ready to take over
immediately during a disaster. It ensures
minimal downtime by allowing seamless
business continuity. For example, a bank
might maintain a hot site with real-time
data replication to resume online banking
services instantly if the primary data center
fails.
c) IT Resources Under COBIT and Their Roles in System Auditing [10 Marks]
COBIT identifies five key IT resources critical to governance and auditing. Below is a discussion of each and their roles in system auditing:
i. Data [2 Marks]
Data includes all information processed or
stored in IT systems. Auditing ensures data
accuracy, confidentiality, and compliance
(e.g., GDPR). Auditors verify integrity,
security (e.g., encryption), and availability
(e.g., backups). For example, customer
data audits confirm protection against
breaches.
ii. Application Systems [2 Marks]
Application systems are software like CRM
or accounting tools. Auditing checks
functionality, security, and compliance.
Auditors assess processing accuracy and
vulnerabilities (e.g., SQL injection). For
instance, auditing inventory software
ensures accurate stock updates and
restricted access.
iii. Technology [2 Marks]
Technology covers hardware, OS, and
networks. Auditing evaluates performance,
security, and updates. Auditors check
configurations and resilience. For example,
firewall audits confirm protection, while
server audits ensure capacity for peak
loads.
iv. Facilities [2 Marks]
Facilities are physical IT environments like
data centers. Auditing verifies physical
security, environmental controls, and
disaster readiness. Auditors check access
(e.g., biometric locks) and backups (e.g.,
UPS). For example, data center audits
ensure safeguards against unauthorized
entry.
v. People [2 Marks]
People include IT staff and users. Auditing
assesses training, access roles, and policy
adherence. Auditors verify permissions and
awareness to reduce errors. For instance,
user access audits prevent excessive rights,
and training reviews ensure phishing
awareness.
a) Three Major Classifications of Controls
in Information Systems Environment [6
Marks]
Controls in information systems are
categorized into three types to manage
risks and ensure security:
1. Preventive Controls: These aim to
stop undesirable events before they
occur.
Example: Firewalls block unauthorized
network access to prevent cyberattacks.
2. Detective Controls: These identify
and report incidents after they happen
to mitigate damage.
Example: Intrusion detection systems
(IDS) alert administrators to suspicious
login attempts.
3. Corrective Controls: These restore
systems or processes after an incident
to minimize impact.
Example: Data backups enable recovery
of files lost due to ransomware.

b) Types of Audit in Information Systems Auditing [9 Marks]
i. System Development Audit [3 Marks]
This audit evaluates the process of
designing, developing, and implementing IT
systems to ensure quality and security. It
reviews project management, coding
standards, and testing.
Example: Auditing an e-commerce
platform’s development ensures secure
payment integration before launch.
ii. Technological Position Audit [3 Marks]
This assesses an organization’s IT
infrastructure (hardware, software,
networks) for alignment with goals and
standards. It identifies risks like outdated
technology.
Example: Reviewing server configurations
to confirm they meet modern cybersecurity
standards.
iii. Application and System Audit [3
Marks]
This focuses on the functionality, security,
and compliance of software applications
and systems. It verifies data accuracy and
access controls.
Example: Auditing a payroll system ensures
accurate salary calculations and restricted
access.

c) Differentiate Between the Following [8 Marks]
i. Control vs. Control Objectives [4 Marks]
• Control: A specific mechanism or
process to achieve a desired outcome,
reducing risks.
Example: Password policies enforce
strong credentials.
• Control Objective: The goal or purpose a
control aims to achieve, often tied to
security or compliance.
Example: Ensuring only authorized
users access sensitive data.
Difference: Controls are the tools or
actions, while control objectives define
the intended results. Controls are
implemented to meet objectives.
ii. Risk Assessment vs. Risk Management [4 Marks]
• Risk Assessment: The process of
identifying, analyzing, and prioritizing
risks in an IT environment.
Example: Scanning for vulnerabilities in
a network to rank threats.
• Risk Management: The broader process
of assessing risks and implementing
strategies to mitigate, avoid, or accept
them.
Example: Deploying firewalls and
training staff to address identified cyber
risks.
Difference: Risk assessment is a subset
of risk management, focusing on
identification, while risk management
includes mitigation and monitoring.

d) Four Roles of Information Systems and Information System Audit [4 Marks]
1. Data Security: Information systems
protect sensitive data; audits ensure
controls like encryption are effective.
2. Operational Efficiency: Systems
automate processes; audits verify
performance and reliability.
3. Compliance: Systems ensure
adherence to laws (e.g., GDPR); audits
confirm regulatory alignment.
4. Risk Management: Systems mitigate
risks; audits identify control gaps to
prevent fraud or breaches.
e) Descriptions in Information Systems
Audit [8 Marks]
i. Disaster Recovery [2 Marks]
Disaster recovery involves restoring IT
systems after disruptions like natural
disasters or cyberattacks. It ensures
minimal downtime.
Example: Using offsite backups to recover a
database corrupted by ransomware.
ii. Contingency Planning [2 Marks]
Contingency planning prepares for
unexpected IT disruptions by outlining
response strategies. It ensures business
continuity.
Example: Maintaining a hot site to switch
operations if a primary server fails.
iii. Incident Response [2 Marks]
Incident response is the process of
identifying, containing, and resolving
security incidents to limit damage.
Example: Isolating a compromised server to
stop malware spread and analyzing logs to
trace the attack.
iv. Business Continuity [2 Marks]
Business continuity ensures critical
operations continue during and after
disruptions. It integrates IT and business
processes.
Example: Using cloud-based tools to allow
remote work during a data center outage.

f) Two Characteristics of Information System Audit [4 Marks]
1. Independence: Auditors must be
unbiased, free from conflicts, to provide
objective findings.
Example: An external auditor evaluates
IT controls without influence from
management.
2. Systematic Approach: Audits follow
structured methodologies (e.g., COBIT)
to ensure thoroughness.
Example: Using checklists to assess all
system components methodically.

g) Five Active Threats to a Computerized System [10 Marks]
1. Malware: Malicious software like
viruses disrupts systems or steals data.
Example: Ransomware encrypts files,
demanding payment for access.
2. Phishing: Fraudulent emails trick
users into revealing credentials.
Example: A fake login page captures
employee passwords.
3. Insider Threats: Employees misuse
access to harm systems.
Example: A disgruntled worker deletes
critical databases.
4. Distributed Denial-of-Service
(DDoS): Overwhelms systems, causing
downtime.
Example: Flooding a website with traffic
to crash it.
5. SQL Injection: Exploits database
vulnerabilities to manipulate data.
Example: Injecting code into a web form
to extract customer records.

h) Four Factors for System Auditors to Consider [8 Marks]
1. Scope and Objectives: Define audit
boundaries to focus on critical systems.
Example: Auditing financial systems for
compliance with PCI-DSS.
2. Risk Environment: Understand
threats like cyberattacks to prioritize
controls.
Example: Focusing on cloud security
due to recent breaches.
3. Regulatory Requirements: Ensure
compliance with laws like GDPR or SOX.
Example: Verifying data encryption
meets privacy standards.
4. Organizational Policies: Align audits
with internal IT governance.
Example: Checking adherence to the
company’s access control policy.

i) Four Guidelines to Detect and Deter Fraud [8 Marks]
1. Segregation of Duties: Divide tasks
to prevent single-person fraud.
Example: Separating transaction
approval and record-keeping roles.
2. Regular Monitoring: Use logs and
analytics to detect anomalies.
Example: Reviewing access logs for
unauthorized login attempts.
3. Employee Training: Educate staff on
fraud risks like phishing.
Example: Conducting workshops to
recognize suspicious emails.
4. Strong Access Controls: Limit
system access to authorized users.
Example: Implementing multi-factor
authentication for sensitive systems.
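Segregation of duties, described under the fraud guidelines above and earlier under control activities (dual authorization for financial transactions), can be enforced in code rather than left to policy. The following is an added example, not part of the original answer sheet. It assumes a hypothetical role matrix and approval workflow: a transaction cannot be approved by its own initiator, high-value transactions need two distinct approvers, and a detective check reports users whose roles conflict.

```python
from dataclasses import dataclass, field

# Constructed role assignments for the demonstration (not a real organization).
ROLES = {
    "alice": {"initiator"},
    "bob": {"approver"},
    "carol": {"approver"},
    "dave": {"initiator", "approver"},   # holds both roles: an SoD conflict
}


@dataclass
class Transaction:
    tx_id: str
    amount: float
    initiator: str
    approvals: list = field(default_factory=list)


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


def check_role_conflicts(roles):
    """Detective check over the role matrix: users who can both initiate and approve."""
    return sorted(u for u, r in roles.items() if {"initiator", "approver"} <= r)


def approve(tx, approver, roles):
    """Preventive control: the approver must hold the approver role, must not be the
    transaction's initiator, and may not approve the same transaction twice."""
    if "approver" not in roles.get(approver, set()):
        raise ControlViolation(f"{approver} lacks the approver role")
    if approver == tx.initiator:
        raise ControlViolation(f"{approver} initiated {tx.tx_id}; self-approval blocked")
    if approver in tx.approvals:
        raise ControlViolation(f"{approver} already approved {tx.tx_id}")
    tx.approvals.append(approver)
    return tx


def attempt_approve(tx, approver, roles):
    """Return the violation message instead of raising, for reporting in audit logs."""
    try:
        approve(tx, approver, roles)
        return None
    except ControlViolation as exc:
        return str(exc)


def can_release(tx, threshold=10_000.0, required=2):
    """Dual authorization: transactions at or above threshold need `required`
    distinct approvers; smaller ones need one."""
    needed = required if tx.amount >= threshold else 1
    return len(set(tx.approvals)) >= needed


if __name__ == "__main__":
    print("role conflicts:", check_role_conflicts(ROLES))
    tx = Transaction("T1", 25_000.0, "alice")
    for who in ("alice", "bob", "bob", "carol"):
        print(who, "->", attempt_approve(tx, who, ROLES) or "approved")
    print("releasable:", can_release(tx))
```

The threshold and the required number of approvers are policy parameters; an auditor testing this control would verify both the configured values and that the self-approval and duplicate-approval branches are actually reachable in the production workflow.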
a) Four Major Factors That Affect Planning
in Information Auditing [8 Marks]
Planning an information systems audit
requires careful consideration of factors to
ensure effectiveness and alignment with
organizational goals. The four major factors
are:
1. Organizational Objectives and Risks
[2 Marks]
The audit plan must align with the
organization’s goals and address its
specific IT risks. For example, a bank
prioritizing cybersecurity due to
frequent phishing attempts will focus
audits on network security and user
access controls. Understanding these
risks shapes the audit scope and
resource allocation.
2. Regulatory and Compliance
Requirements [2 Marks]
Legal and industry standards, such as
GDPR or PCI-DSS, influence audit
planning. Auditors must ensure systems
comply to avoid penalties. For instance,
planning an audit for a healthcare
provider includes verifying HIPAA
compliance for patient data protection.
3. IT Environment Complexity [2 Marks]
The size, structure, and complexity of
the IT infrastructure affect planning. A
multinational company with cloud-
based systems and legacy servers
requires a broader audit scope than a
small firm with a single server. Planners
must account for technologies like IoT
or virtualization.
4. Resource Availability and Expertise
[2 Marks]
The availability of skilled auditors, tools,
and time impacts planning. For
example, a limited budget may prioritize
critical systems like financial databases
over less sensitive areas, while a lack of
expertise in cloud auditing may
necessitate external consultants.

b) Purpose of Control in an Information System [8 Marks]
Controls in an information system are
mechanisms designed to ensure security,
reliability, and efficiency. Their purposes
include:
1. Safeguard Assets [2 Marks]
Controls protect physical and digital
assets, such as hardware and data,
from theft or damage. For example,
access controls like biometric
authentication prevent unauthorized
access to servers, preserving asset
integrity.
2. Ensure Data Integrity and Accuracy
[2 Marks]
Controls maintain the correctness and
completeness of data. For instance,
input validation in a payroll system
ensures salaries are calculated
accurately, preventing financial errors.
3. Promote Operational Efficiency [2
Marks]
Controls streamline processes and
reduce errors. Automated backup
systems, for example, ensure data
availability without manual intervention,
saving time and reducing downtime
risks.
4. Ensure Compliance and Security [2
Marks]
Controls enforce adherence to laws
(e.g., GDPR) and protect against threats.
Firewalls and encryption, for instance,
secure sensitive customer data,
ensuring compliance and mitigating
cyberattack risks.

c) Roles of an Information System Auditor [4 Marks]
Information system auditors evaluate IT
systems to ensure they meet organizational
and regulatory standards. Their key roles
include:
1. Risk Assessment: Identify
vulnerabilities in IT systems. For
example, testing for weak passwords to
prevent unauthorized access.
2. Control Evaluation: Assess the
effectiveness of controls like firewalls to
ensure they mitigate risks adequately.
3. Compliance Verification: Confirm
adherence to standards like SOX. For
instance, verifying audit trails for
financial transactions.
4. Reporting and Recommendations:
Document findings and suggest
improvements, such as recommending
encryption upgrades to enhance data
security.

d) Characteristics of Information System Audit [4 Marks]
Information system audits have distinct
features that ensure their effectiveness:
1. Independence [2 Marks]
Auditors must remain unbiased and free
from conflicts of interest to provide
objective findings. For example, an
external auditor evaluates a company’s
IT controls without influence from
management, ensuring impartial
results.
2. Systematic and Structured
Approach [2 Marks]
Audits follow a methodical process,
often guided by frameworks like COBIT
or ISACA standards. For instance,
auditors use predefined checklists to
assess system security, ensuring
comprehensive coverage of all
components.
b) Three Factors for Using CAATs in
Information Systems Auditing [4 Marks]
Computer-Assisted Audit Techniques
(CAATs) enhance audit efficiency, but their
use depends on specific factors:
1. Complexity and Volume of Data [1.5
Marks]
CAATs are ideal for analyzing large
datasets or complex systems where
manual review is impractical. For
example, auditors use data analytics
tools to process millions of transactions
in a bank’s database to detect
anomalies.
2. Availability of Tools and Expertise
[1.5 Marks]
The auditor must have access to CAATs
software (e.g., ACL, IDEA) and the skills
to use it. For instance, lack of training in
data extraction tools may limit CAATs’
applicability, prompting reliance on
manual methods.
3. Audit Objectives and Scope [1 Mark]
CAATs should align with the audit’s
goals, such as fraud detection or
compliance testing. For example, if the
objective is to verify user access
controls, CAATs can automate log
analysis, but may not be needed for
physical security reviews.

c) Structure of an Information System Audit Report [8 Marks]
An information system audit report
communicates findings effectively and
typically includes the following
components:
1. Executive Summary [2 Marks]
A concise overview of the audit’s
purpose, scope, and key findings,
tailored for senior management. For
example, it might highlight critical
vulnerabilities like unpatched servers
and recommend urgent fixes.
2. Introduction and Background [1.5
Marks]
Describes the audit’s objectives, scope,
and audited systems. For instance, it
could specify that the audit focused on
a company’s ERP system to assess data
security.
3. Methodology [1.5 Marks]
Explains the audit approach, including
techniques like interviews, CAATs, or
penetration testing. For example, it
might note the use of log analysis to
verify access controls.
4. Findings and Observations [1.5
Marks]
Details issues identified, such as weak
encryption or unauthorized access, with
evidence. For instance, a finding might
report outdated firewall rules
compromising network security.
5. Recommendations and Conclusion
[1.5 Marks]
Provides actionable solutions for each
finding and summarizes the audit’s
outcome. For example, recommending
multi-factor authentication to address
weak access controls, with a
conclusion on overall system risk levels.

d) How Audit Trails Support Information Systems Security Objectives [4 Marks]
Audit trails are records of system activities
that enhance security by supporting key
objectives:
1. Monitoring and Detection [2 Marks]
Audit trails track user actions, enabling
detection of unauthorized access or
anomalies. For example, logs showing
repeated failed login attempts can alert
auditors to a potential brute-force
attack, facilitating timely response.
2. Accountability and Compliance [2
Marks]
They ensure traceability of actions to
specific users, supporting
accountability and regulatory
requirements like GDPR. For instance,
an audit trail of database changes helps
verify that only authorized personnel
modified financial records, ensuring
compliance and deterring fraud.
a) Four Common Computer Forensic
Scenarios Encountered by an Information
System Auditor [8 Marks]
Information system auditors often deal with
computer forensic scenarios to investigate
incidents or ensure compliance. Four
common scenarios include:
1. Data Breach Investigation [2 Marks]
Auditors investigate unauthorized
access to sensitive data, such as
customer records. For example,
analyzing server logs to trace a hacker’s
entry point after a reported leak helps
identify compromised systems and
assess damage.
2. Fraud Detection [2 Marks]
Auditors examine financial systems for
fraudulent activities, like
embezzlement. For instance, reviewing
transaction logs in an accounting
system may reveal unauthorized
transfers, requiring forensic analysis to
confirm the perpetrator’s identity.
3. Malware Analysis [2 Marks]
Auditors investigate malware infections
disrupting operations. For example,
analyzing a ransomware attack involves
examining infected files and network
traffic to determine the malware’s
source and impact on data integrity.
4. Employee Misconduct [2 Marks]
Auditors probe internal misuse of
systems, such as data theft. For
instance, forensic analysis of an
employee’s workstation may uncover
unauthorized copying of confidential
files to external drives, supporting
disciplinary action.

b) Three Factors to Consider When Deciding to Use CAATs [4 Marks]
Computer-Assisted Audit Techniques
(CAATs) enhance audit efficiency, but their
use depends on specific factors:
1. Complexity and Volume of Data
[1.33 Marks]
CAATs are suitable for large, complex
datasets where manual analysis is
impractical. For example, auditing
millions of transactions in a retail
database requires CAATs to detect
anomalies quickly.
2. Availability of Tools and Expertise
[1.33 Marks]
Auditors must have access to CAATs
software (e.g., ACL, IDEA) and the skills
to use it. For instance, lack of training in
data analytics tools may limit their
effective application in auditing system
logs.
3. Audit Objectives and Scope [1.34
Marks]
The audit’s goals determine CAATs’
relevance. For example, if the objective
is to test compliance with access
controls, CAATs can automate log
analysis, but they may be unnecessary
for a policy review audit.

c) Structure of an Information System Audit Report [8 Marks]
An information system audit report
communicates findings effectively, with a
structure tailored to organizational needs
but including key components:
1. Executive Summary [2 Marks]
A brief overview of the audit’s purpose,
scope, and key findings, designed for
senior management. For example, it
might highlight critical vulnerabilities
found in a network audit.
2. Introduction and Background [1.5
Marks]
Describes the audit’s objectives, scope,
and context, such as auditing a new ERP
system to ensure compliance with ISO
27001 standards.
3. Methodology [1.5 Marks]
Outlines the audit approach, including
tools and standards used (e.g., COBIT).
For instance, it may detail how
penetration testing was conducted to
assess system security.
4. Findings and Analysis [1.5 Marks]
Details issues identified, such as weak
encryption, with evidence and risk
levels. For example, it might note
unauthorized access risks due to
outdated passwords.
5. Recommendations and Conclusion
[1.5 Marks]
Suggests actionable fixes, like
implementing multi-factor
authentication, and summarizes the
audit’s impact. It concludes with an
overall assessment of system health.

d) How Audit Trails Support Information Systems Security Objectives [4 Marks]
Audit trails, which are chronological
records of system activities, play a critical
role in supporting information systems
security objectives by enhancing
monitoring, accountability, and
compliance. Below are the key ways they
contribute:
1. Detection of Unauthorized Access [2
Marks]
Audit trails track user activities, such as
logins and file access, enabling early
detection of unauthorized actions. For
example, a log showing repeated failed
login attempts from an unknown IP
address can alert administrators to a
potential brute-force attack, allowing
timely mitigation to protect system
integrity.
2. Ensuring Accountability [2 Marks]
By linking actions to specific users or
accounts, audit trails hold individuals
accountable for their activities. For
instance, if sensitive customer data is
altered, the audit trail can identify who
made the changes, helping to
investigate insider threats or errors and
reinforcing user responsibility.
3. Supporting Incident Investigation
and Forensics [2 Marks]
Audit trails provide detailed evidence for
analyzing security incidents, such as
data breaches. For example, after a
malware infection, logs of network
traffic and file modifications help
auditors trace the attack’s origin and
scope, facilitating recovery and
preventing future incidents.
4. Facilitating Compliance with
Regulations [2 Marks]
Audit trails demonstrate adherence to
security standards and laws like GDPR
or PCI-DSS by documenting access and
data handling. For instance, in a
healthcare system, an audit trail
showing only authorized staff accessed
patient records ensures compliance
with HIPAA, avoiding legal penalties.
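The two uses of audit trails above (detecting repeated failed logins from one address, and tracing who changed a sensitive table) are exactly the kind of log analysis the earlier CAATs answers say a tool can automate. The following is an added example, not part of the original answer sheet: a small CAAT-style script that parses constructed audit-trail lines, flags a source address with a burst of failed logins (and whether a successful login followed it), and lists users who modified a table without being on the authorized list. The log format, field names, thresholds and addresses (203.0.113.x and 198.51.100.x are reserved documentation ranges) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail lines (hypothetical format, not from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth result=FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03Z auth result=FAIL user=alice src=203.0.113.7
2024-03-01T09:00:05Z auth result=FAIL user=alice src=203.0.113.7
2024-03-01T09:00:06Z auth result=FAIL user=bob src=203.0.113.7
2024-03-01T09:00:08Z auth result=FAIL user=carol src=203.0.113.7
2024-03-01T09:00:09Z auth result=SUCCESS user=alice src=203.0.113.7
2024-03-01T09:15:00Z auth result=FAIL user=dave src=198.51.100.20
2024-03-01T09:30:00Z auth result=SUCCESS user=dave src=198.51.100.20
2024-03-01T10:00:00Z db action=UPDATE table=payroll user=erin src=10.0.0.5
2024-03-01T10:05:00Z db action=UPDATE table=payroll user=alice src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<fields>.*)$")


def parse_line(line):
    """Turn one 'timestamp source key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = m.group("source")
    return fields


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source addresses with at least `threshold` failed logins inside `window`.

    Uses a sliding window over the sorted failure timestamps per address and also
    records whether a successful login from that address followed the burst, which
    is the case an analyst wants to see first (possible account compromise).
    """
    fails = defaultdict(list)
    for e in events:
        if e["source"] == "auth" and e.get("result") == "FAIL":
            fails[e["src"]].append(e["ts"])
    findings = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later_success = any(
                    e["source"] == "auth" and e.get("result") == "SUCCESS"
                    and e["src"] == src and e["ts"] >= times[end]
                    for e in events)
                findings[src] = {"failures": end - start + 1,
                                 "followed_by_success": later_success}
                break
    return findings


def changes_by_unauthorized(events, table, authorized):
    """Accountability check: users who modified `table` but are not on the authorized list."""
    return sorted({e["user"] for e in events
                   if e["source"] == "db" and e.get("table") == table
                   and e["user"] not in authorized})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("brute-force candidates:", detect_brute_force(events))
    print("unauthorized payroll changes by:",
          changes_by_unauthorized(events, "payroll", {"erin"}))
```

The threshold and window are tuning knobs: too low and ordinary typos generate noise, too high and a slow, patient guessing campaign slips under the count. An auditor would also confirm that the log source itself is protected from modification, since an audit trail an intruder can edit supports neither detection nor accountability.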
a) Description and Example of Each
Element
i. Contingency Planning [2 Marks]
Description: Contingency planning involves
preparing strategies to handle unexpected
IT disruptions, ensuring preparedness for
potential risks. It outlines procedures to
maintain operations during crises.
Example: A company maintains a hot site
with real-time data backups to switch
operations if a primary server fails due to a
power outage.
ii. Incident Response [2 Marks]
Description: Incident response is the
process of identifying, containing, and
resolving security incidents to minimize
damage and prevent recurrence. It focuses
on rapid reaction to threats.
Example: Upon detecting malware, a team
isolates the affected server, removes the
malware, and analyzes logs to identify the
attack’s source.
iii. Disaster Recovery [2 Marks]
Description: Disaster recovery focuses on
restoring IT systems and data after major
disruptions, such as natural disasters or
cyberattacks, to resume normal operations
quickly.
Example: Using offsite backups to restore a
database corrupted by ransomware,
enabling a retail firm to resume online sales
within hours.
iv. Business Continuity [2 Marks]
Description: Business continuity ensures
critical operations persist during and after
disruptions by integrating IT recovery with
business processes to maintain service
delivery.
Example: A bank uses cloud-based tools to
allow remote transactions during a flood
that closes its main branch, ensuring
customer access.
b) Relationship of the Four Elements with
a Well-Labeled Diagram [No Marks
Specified]
Description of the Diagram:
The diagram illustrates the interconnected
roles of contingency planning, incident
response, disaster recovery, and business
continuity in managing IT disruptions. It is a
flowchart showing their sequential and
overlapping relationships:
• Contingency Planning is at the top, as it
proactively prepares for potential
disruptions by defining strategies and
resources. An arrow points downward to
Incident Response, indicating that plans
guide responses to incidents.
• Incident Response follows, focusing on
immediate reaction to security events.
An arrow connects it to Disaster
Recovery, as resolving incidents often
leads to recovery efforts for major
disruptions.
• Disaster Recovery is next, emphasizing
system restoration post-disaster. An
arrow links it to Business Continuity,
showing that recovery enables ongoing
operations.
• Business Continuity is at the base,
ensuring overall organizational
resilience. A feedback arrow loops back
to Contingency Planning, reflecting how
lessons learned improve future
preparedness.
Text-Based Diagram Representation (due to
text-only format):
[Contingency Planning]
|
v
[Incident Response]
|
v
[Disaster Recovery]
|
v
[Business Continuity]
|
v
[Feedback to Contingency Planning]
Labels:
• Contingency Planning: "Prepares
strategies for disruptions"
• Incident Response: "Handles
immediate security incidents"
• Disaster Recovery: "Restores systems
after major events"
• Business Continuity: "Ensures ongoing
operations"
• Arrows: Indicate flow and feedback
(e.g., "Guides response," "Enables
recovery," "Supports continuity,"
"Improves planning").
Explanation of Relationships:
• Contingency Planning sets the
foundation by preparing for risks,
informing Incident Response protocols.
• Incident Response addresses
immediate threats, triggering Disaster
Recovery for severe incidents requiring
system restoration.
• Disaster Recovery supports Business
Continuity by restoring critical IT
functions, enabling overall operations to
persist.
• Business Continuity feeds back to
Contingency Planning, as post-incident
reviews refine future strategies.
b) Audit Planning: Short- and Long-Term
Planning
i. Description of Short- and Long-Term
Planning [2 Marks]
• Short-Term Planning: Focuses on
immediate audit activities, detailing
specific tasks, timelines, and resources
for a single audit cycle. For example,
planning a quarterly review of network
security controls within a month.
• Long-Term Planning: Involves strategic
audit goals over an extended period,
aligning with organizational objectives.
For instance, scheduling annual audits
to ensure compliance with GDPR over
three years.
ii. Four Major Factors That Affect Planning
[8 Marks]
1. Organizational Objectives and Risks
[2 Marks]
Audit plans align with business goals
and prioritize risks, such as data
breaches. For example, a financial firm
plans audits to focus on payment
systems to prevent fraud, reflecting its
risk profile.
2. Regulatory and Compliance
Requirements [2 Marks]
Laws and industry standards such as SOX
or PCI DSS shape audit scope. For
instance, planning an audit for an
e-commerce platform includes verifying
that cardholder data is encrypted in
transit and at rest, as PCI DSS requires.
3. IT Environment Complexity [2 Marks]
The scale and technology of IT systems
affect planning. For example, auditing a
global company with cloud and IoT
systems requires more resources than a
local firm’s single server setup.
4. Resource Availability and Expertise
[2 Marks]
Budget, tools, and auditor skills
influence planning. For instance, limited
expertise in blockchain auditing may
lead to prioritizing traditional database
audits or hiring specialists.

c) Evidence in System Auditing [2 Marks]
Evidence in system auditing refers to the
verifiable data or documentation collected
to support audit findings and conclusions.
Examples include system logs,
configuration files, or user access records,
used to assess control effectiveness and
compliance.

d) Four Possible Active Threats to Information Systems [8 Marks]
1. Malware [2 Marks]
Malicious software, such as ransomware,
disrupts systems or steals data. For
example, ransomware encrypts hospital
records, halting patient services until the
data is restored from clean backups or a
ransom is paid.
2. Phishing Attacks [2 Marks]
Fraudulent emails trick users into
revealing credentials. For instance, a
fake login page captures an employee's
password, granting attackers access to
corporate systems.
3. Insider Threats [2 Marks]
Employees misuse access to harm
systems. For example, a disgruntled
worker leaks customer data to
competitors, compromising
confidentiality.
4. Distributed Denial-of-Service
(DDoS) Attacks [2 Marks]
Overwhelms systems with traffic,
causing downtime. For instance, a retail
website crashes during a sale due to a
DDoS attack, resulting in lost revenue.

e) When and How an Information System Firm Should Retain a Data Forensic Expert [8 Marks]
A data forensic expert specializes in
investigating digital incidents, and their
retention is critical in specific scenarios.
Below are when and how to engage them:
1. When: Suspected Data Breach [2
Marks]
Retain an expert when unauthorized
access is detected, such as a
compromised database. Their skills are
needed to analyze the breach’s scope
and source.
How: Engage a certified forensic expert
(e.g., with CCE credentials) through a
trusted firm, ensuring they follow legal
protocols to preserve evidence for
potential litigation.
2. When: Regulatory Investigation [2
Marks]
If regulators demand evidence of
compliance (e.g., GDPR violations), an
expert ensures accurate data recovery.
How: Contract the expert early, defining
scope (e.g., recovering deleted logs), and
ensure they acquire data with write-
blocking and forensically sound tools such
as EnCase, recording cryptographic hashes
of every item to demonstrate evidence
integrity.
3. When: Internal Fraud or Misconduct
[2 Marks]
Suspected employee wrongdoing, like
data theft, requires forensic analysis to
confirm actions.
How: Hire an expert via a formal
agreement, tasking them to analyze
devices (e.g., employee laptops) while
adhering to privacy laws and chain-of-
custody standards.
4. When: Complex Incident Recovery
[2 Marks]
Major incidents, like ransomware, need
experts to trace attack vectors and
recover data.
How: Select an expert with experience
in the specific threat, coordinating with
IT teams to provide system access and
ensuring findings are documented for
audits.
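Worked example (added here as an illustration; it is not part of the original answer and is not the output of any named tool): a minimal evidence-integrity record of the kind a retained expert is expected to keep. It hashes the acquired item with SHA-256 and keeps an append-only custody log in which every entry commits to the hash of the entry before it, so both a modified evidence file and an edited log entry are detectable afterwards. The evidence bytes, evidence ID and actor names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item. Each entry stores
    the hash of the previous entry, so editing or removing an entry after the fact
    breaks the chain and is detected by log_intact()."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id, evidence_bytes, acquired_by, when=None):
        self.evidence_id = evidence_id
        # The hash taken at acquisition is the reference every later check compares against.
        self.acquisition_hash = sha256_hex(evidence_bytes)
        self.entries = []
        self._append("acquired", acquired_by, when, {"sha256": self.acquisition_hash})

    def _append(self, action, actor, when, details):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,
            "actor": actor,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "details": details,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def transfer(self, from_actor, to_actor, when=None):
        """Record a hand-over; in practice both parties sign the printed entry."""
        self._append("transferred", from_actor, when, {"to": to_actor})

    def verify_evidence(self, evidence_bytes, actor, when=None):
        """Re-hash the item and record whether it still matches the acquisition hash."""
        ok = sha256_hex(evidence_bytes) == self.acquisition_hash
        self._append("verified", actor, when, {"match": ok})
        return ok

    def log_intact(self):
        """True if every entry's hash is correct and links to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev_hash"] != prev or recomputed != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    image = b"constructed disk image bytes"   # stands in for an acquired image
    log = CustodyLog("EV-001", image, "examiner_a")
    log.transfer("examiner_a", "forensics_lab")
    print("evidence matches:", log.verify_evidence(image, "forensics_lab"))
    print("log intact:", log.log_intact())
    for e in log.entries:
        print(e["action"], e["actor"], e["entry_hash"][:12])
```

The hash chain protects the order and content of the log itself; it does not stop the person holding the whole log from rewriting all of it, which is why the entries are also countersigned and copies are held by more than one party.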

f) IT Governance and Its Role in Organizations [2 Marks]
Definition: IT governance is a framework of
policies and processes ensuring IT systems
align with organizational goals, manage
risks, and comply with regulations.
Role: It helps organizations optimize IT
investments and strengthen security. For
example, adopting COBIT gives
management a structured way to allocate
IT resources and to demonstrate
compliance with data protection laws,
reducing breach risk.

g) Hot Site in Contingency Recovery Planning [No Marks Specified, Assuming 2 Marks Based on Context]
A hot site is a fully operational backup
facility with mirrored IT systems and real-
time data, ready for immediate use during a
disaster to ensure minimal downtime.
Example: A stock exchange maintains a hot
site with synchronized trading data,
allowing seamless operations if the primary
data center fails due to a fire.

Question 5
(a) General Components of a Disaster
Recovery Plan [6 Marks]
A Disaster Recovery Plan (DRP) outlines
procedures to restore IT systems after
disruptions. Its general components
include:
1. Risk Assessment and Business
Impact Analysis [2 Marks]
Identifies potential threats (e.g.,
cyberattacks, floods) and their impact
on operations. For example, assessing
how a server failure affects online
banking helps prioritize recovery efforts.
2. Recovery Strategies and Procedures
[2 Marks]
Defines steps to restore systems, such
as using backups or alternate sites. For
instance, a plan might specify restoring
data from an offsite cloud backup within
four hours of a ransomware attack.
3. Communication and Testing Plan [2
Marks]
Outlines how to notify stakeholders
during a crisis and regularly test the
DRP. For example, conducting annual
simulations ensures staff can execute
recovery procedures effectively.
(b) Data Privacy and Techniques for Privacy
Protection in IT Systems [6 Marks]
Definition of Data Privacy [2 Marks]:
Data privacy refers to protecting personal or
sensitive information from unauthorized
access, use, or disclosure, ensuring
compliance with laws like GDPR and user
trust. For example, safeguarding customer
payment details in an e-commerce system
prevents identity theft.
Major Techniques for Privacy Protection [4
Marks]:
1. Encryption [1 Mark]
Transforms data so it is unreadable
without the decryption key, protecting it
at rest and in transit. For instance,
encrypting patient records in a hospital
database ensures only staff holding the
keys can read them.
2. Access Controls [1 Mark]
Restricts system access to authorized
users. For example, multi-factor
authentication (MFA) on a payroll
system prevents outsiders from
accessing employee data.
3. Data Anonymization [1 Mark]
Removes or generalizes identifying
information so records cannot be linked
back to a person. For instance, replacing
names with codes in research data
protects user identities during analysis;
strictly, code substitution is
pseudonymization and stays reversible for
whoever holds the mapping, so true
anonymization also coarsens quasi-
identifiers such as age and postcode.
4. Privacy Policies and Training [1 Mark]
Establishes rules for data handling and
educates staff. For example, training
employees to recognize phishing emails
reduces accidental data leaks.
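Worked example (added here as an illustration; not part of the original answer): the anonymization technique above, carried one step further than the text. It pseudonymizes names with a keyed hash rather than a plain code table, generalizes the quasi-identifiers age and postcode, and then measures k-anonymity to check whether any person is still unique in the released data. The records, the per-release key and the field names are constructed for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (fictitious people). name is a direct identifier;
# age and postcode are quasi-identifiers; diagnosis is the sensitive attribute.
RECORDS = [
    {"name": "Ann Smith", "age": 34, "postcode": "NW1 2AB", "diagnosis": "asthma"},
    {"name": "Ben Jones", "age": 37, "postcode": "NW1 9ZZ", "diagnosis": "diabetes"},
    {"name": "Cara Lee",  "age": 31, "postcode": "NW1 4QQ", "diagnosis": "asthma"},
    {"name": "Dev Patel", "age": 52, "postcode": "SE1 7PB", "diagnosis": "hypertension"},
]

QUASI = ("age_band", "area")   # columns an attacker could match against other data


def pseudonymize(value, key):
    """Keyed hash (HMAC-SHA256) instead of a plain lookup code: the same name maps to
    the same token within one release, but nobody without the key can rebuild the
    mapping, and a different key per release stops tokens being linked across releases."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_age(age):
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def generalize_postcode(postcode):
    return postcode.split()[0]   # keep the outward code only, e.g. "NW1"


def anonymize(records, key):
    """Replace the direct identifier with a pseudonym and coarsen the quasi-identifiers."""
    return [{
        "subject": pseudonymize(r["name"], key),
        "age_band": generalize_age(r["age"]),
        "area": generalize_postcode(r["postcode"]),
        "diagnosis": r["diagnosis"],
    } for r in records]


def k_anonymity(records):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one person is still unique on age band + area."""
    groups = Counter(tuple(r[q] for q in QUASI) for r in records)
    return min(groups.values())


def suppress_small_groups(records, k):
    """Drop rows whose quasi-identifier combination occurs fewer than k times."""
    groups = Counter(tuple(r[q] for q in QUASI) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in QUASI)] >= k]


if __name__ == "__main__":
    key = b"release-2024-03"   # assumed per-release secret, stored apart from the data
    released = anonymize(RECORDS, key)
    print("k before suppression:", k_anonymity(released))
    for row in suppress_small_groups(released, 2):
        print(row)
```

With these four records the fourth person is the only one in the 50-59 / SE1 group, so k is 1 and the row has to be suppressed (or generalized further) before release; the pseudonym alone would not have prevented re-identification through the quasi-identifiers.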

(c) Ways Audit Trails Support Security Objectives [4 Marks]
Audit trails, records of system activities,
support security objectives in the following
ways:
1. Monitoring and Detection [2 Marks]
Audit trails track actions like logins,
enabling detection of suspicious
behavior. For example, logs showing
multiple failed login attempts from an
unknown device can alert
administrators to a potential hacking
attempt, supporting proactive defense.
2. Accountability and Compliance [2
Marks]
They link actions to users, ensuring
accountability and regulatory
adherence (e.g., PCI-DSS). For instance,
an audit trail in a financial system
showing who accessed transaction
records helps verify compliance and
deter unauthorized changes.
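Worked example (added here as an illustration; not part of the original answer): the two uses above run over a constructed audit trail in OpenSSH's syslog format. It flags a burst of failed logins from one source within a sliding window (monitoring and detection) and records which user succeeded from which device, alerting when the device is not in the inventory or when the success follows a run of failures (accountability). The log lines, the device inventory and the five-failures-in-60-seconds threshold are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit trail in OpenSSH's syslog format (not from any real host).
SAMPLE_LOG = """\
Mar 10 09:01:02 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 52211 ssh2
Mar 10 09:01:05 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 52212 ssh2
Mar 10 09:01:09 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 52213 ssh2
Mar 10 09:01:14 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 52214 ssh2
Mar 10 09:01:20 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 52215 ssh2
Mar 10 09:01:31 web01 sshd[2211]: Accepted password for admin from 203.0.113.7 port 52216 ssh2
Mar 10 09:15:44 web01 sshd[2390]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Mar 10 09:20:01 web01 sshd[2402]: Failed password for bob from 192.0.2.11 port 40300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed inventory of managed devices; anything else counts as unknown.
KNOWN_DEVICES = {"192.0.2.10", "192.0.2.11"}
THRESHOLD, WINDOW_SECONDS = 5, 60   # assumed tuning: 5 failures within 60 s


def parse(line, year=2024):
    """Turn one log line into a dict, or None if it is not an sshd auth event.
    Syslog lines carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(log_text):
    """Return (alert_type, source_ip, user, timestamp) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of failures still in window
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        # Drop failures that have fallen out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == THRESHOLD:   # fire once, when the burst reaches the threshold
                alerts.append(("brute_force", ev["ip"], ev["user"], ev["ts"]))
        else:
            # Accountability: a success from a device not in the inventory is worth a look,
            if ev["ip"] not in KNOWN_DEVICES:
                alerts.append(("login_unknown_device", ev["ip"], ev["user"], ev["ts"]))
            # and so is a success that follows recent failures from the same source.
            if q:
                alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:24} user={user} from={ip}")
```

Run against the sample trail this raises three alerts, all for 203.0.113.7: the fifth failure at 09:01:20, and then both accountability alerts for the successful admin login at 09:01:31. The normal key-based login by alice from an inventoried device raises nothing, and bob's single failure stays below the threshold. The thresholds are the usual source of the false positives mentioned under continuous auditing below, so they are tuned per environment.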
(d) Advantages and Disadvantages of
Continuous Auditing Techniques [10 Marks]
Continuous Auditing Techniques (CATs)
involve real-time or frequent automated
audits of IT systems. Below are their
advantages and disadvantages:
Advantages [5 Marks]:
1. Timely Detection of Issues [1.25
Marks]
CATs identify problems instantly. For
example, real-time monitoring detects
unauthorized access to a database,
enabling quick response.
2. Improved Accuracy [1.25 Marks]
Automation reduces human error. For
instance, automated transaction
checks ensure no discrepancies in
financial records.
3. Enhanced Compliance [1.25 Marks]
Continuous monitoring ensures ongoing
adherence to regulations like SOX. For
example, daily log reviews confirm
access control compliance.
4. Cost Efficiency Over Time [1.25
Marks]
Reduces manual audit efforts. For
instance, automated tools lower the
need for extensive periodic audits,
saving resources.
Disadvantages [5 Marks]:
1. High Initial Costs [1.25 Marks]
Implementing CATs requires expensive
tools and infrastructure. For example,
purchasing software like ACL is costly
for small firms.
2. Complexity in Setup [1.25 Marks]
Configuring systems for continuous
auditing is challenging. For instance,
integrating CATs with legacy systems
may require significant customization.
3. Data Overload [1.25 Marks]
Generates excessive data, complicating
analysis. For example, constant log
monitoring may overwhelm auditors
with false positives.
4. Dependence on Technology [1.25
Marks]
Relies heavily on system reliability. For
instance, a software glitch in CATs could
miss critical security events,
undermining audit effectiveness.
Scenario Overview:
ABC Systems, a global automobile
company with multiple manufacturing
units, faces challenges due to legacy
systems on varied platforms that don’t
communicate, leading to duplicate data.
The company seeks to centralize and
consolidate information for timely MIS
reports, budgets, and profit/loss accounts.
As Senior Project Leader at XYZ
Consultancy Services, you are tasked with
developing a new system.
(a) Areas to Study for the Present System
and Problems Faced by ABC Systems [5
Marks]
Areas to Study:
1. Existing IT Infrastructure [1 Mark]:
Examine hardware, operating systems,
and software used across units to
understand compatibility issues. For
example, check if units use Windows,
Linux, or proprietary systems.
2. Data Flow and Processes [1 Mark]:
Analyze how data (e.g., production,
inventory) is collected, stored, and
shared to identify inefficiencies.
3. System Integration [1 Mark]: Assess
why systems don’t communicate, such
as lack of standard protocols or APIs.
4. Data Quality and Duplication [1
Mark]: Review data entry methods and
formats causing redundancies.
Problems Faced [1 Mark]:
• Duplicate Data: Varied platforms lead to
redundant entries, e.g., same supplier
data stored differently across units.
• Lack of Communication: Incompatible
systems prevent real-time data sharing,
delaying reports.
• Inefficient Reporting: Manual data
consolidation slows MIS, budget, and
profit/loss account preparation.
• Scalability Issues: Legacy systems
struggle to handle growing data
volumes.
Justification: Studying these areas reveals
root causes (e.g., non-standardized
platforms), enabling a targeted solution.

(b) Would You Suggest an ERP Solution? If Yes, Explain Why [5 Marks]
Recommendation: Yes, an ERP solution is
recommended.
Reasons [5 Marks]:
1. Centralized Data Management [1.25
Marks]
ERP integrates all units into a single
database, eliminating duplicates. For
example, SAP can consolidate
production data across units, ensuring
uniform reporting.
2. Improved System Integration [1.25
Marks]
ERP enables seamless communication
across platforms. For instance, Oracle
ERP connects inventory and finance
modules, streamlining data flow.
3. Timely Reporting [1.25 Marks]
Real-time data access supports faster
MIS and financial reports. For example,
ERP dashboards provide instant
profit/loss insights, meeting ABC’s
needs.
4. Scalability and Standardization [1.25
Marks]
ERP scales with growth and
standardizes processes. For instance,
Microsoft Dynamics supports global
operations while aligning units to
common formats.
Justification: ERP addresses ABC’s core
issues—duplication, communication, and
reporting delays—by unifying systems,
making it ideal for centralization.

(c) Training Recommended for Effective Utilization of the Proposed New System [5 Marks]
To ensure human resources can leverage
the new system (e.g., ERP), the following
training is recommended:
1. ERP System Usage Training [1.5
Marks]
Teach employees how to navigate and
use ERP modules (e.g., production,
finance). For example, hands-on
sessions on SAP for entering inventory
data ensure accurate usage.
Justification: Familiarity with the system
reduces errors and boosts efficiency.
2. Data Standardization Training [1.5
Marks]
Train staff on uniform data entry
protocols to prevent duplication. For
instance, workshops on consistent
supplier data formats across units.
Justification: Standardization supports
clean, consolidated data for reporting.
3. Change Management and Security
Training [2 Marks]
Educate employees on adapting to the
new system and adhering to security
policies (e.g., strong passwords, access
controls). For example, role-based
training ensures only authorized staff
access financial modules.
Justification: Eases transition and
protects the system from misuse,
ensuring effective utilization.

(d) Various Backup Techniques and Recommended Technique [5 Marks]
Backup Techniques [3 Marks]:
1. Full Backup: Copies all data every
time, giving the simplest restore (a single
set) but needing the most time and
storage. For example, backing up an
entire database nightly.
2. Incremental Backup: Saves only
changes since the last backup of any
kind, so each set is small and fast, but a
restore must replay the full backup plus
every incremental taken since it, and one
missing or corrupt set breaks the chain.
For instance, backing up daily
production updates.
3. Differential Backup: Copies changes
since the last full backup, so sets grow
through the cycle but a restore needs
only the full backup plus the latest
differential. For example, daily
differentials after a weekly full backup.
4. Mirror Backup: Keeps an exact
real-time copy, ideal for fast failover of
critical systems but storage-intensive;
because it replicates deletions and
ransomware encryption immediately, it
does not replace point-in-time backups.
For instance, mirroring a server for
instant failover.
Recommended Technique and Why [2
Marks]:
• Recommended: Combination of Full
and Incremental Backups.
• Why: Full backups (e.g., weekly) ensure
a complete data copy for reliability,
while incremental backups (e.g., daily)
save time and storage for frequent
updates. For ABC Systems, this
balances timely recovery of
manufacturing data with resource
efficiency, critical for global operations.
• Justification: This approach meets
ABC’s need for centralized, reliable data
access while managing large data
volumes cost-effectively.
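Worked example (added here as an illustration; not part of the original answer): a simulation of the full, incremental and differential techniques over one week of constructed file states. It builds incremental and differential backup sets from the same data, counts the file copies each strategy stores, and restores Thursday's data from each to show how many sets the restore has to read. The file names and version strings are constructed; a real implementation would compare modification times or content hashes instead.

```python
# Constructed nightly states of a small data set: file name -> content version.
DAYS = [
    {"orders.db": "v1", "config.ini": "v1", "report.csv": "v1"},  # Sun: full backup
    {"orders.db": "v2", "config.ini": "v1", "report.csv": "v1"},  # Mon
    {"orders.db": "v3", "config.ini": "v1", "report.csv": "v1"},  # Tue
    {"orders.db": "v3", "config.ini": "v2", "report.csv": "v1"},  # Wed
    {"orders.db": "v4", "config.ini": "v2"},                      # Thu: report.csv deleted
]


def changed_since(state, baseline):
    """Files added or modified relative to baseline, and names deleted since it."""
    changed = {f: c for f, c in state.items() if baseline.get(f) != c}
    deleted = set(baseline) - set(state)
    return changed, deleted


def plan(days, mode):
    """Build the week's backup sets. mode is 'incremental' (diff against the previous
    day's state) or 'differential' (diff against the Sunday full)."""
    full = days[0]
    backups = [{"kind": "full", "files": dict(full), "deleted": set()}]
    prev = full
    for state in days[1:]:
        base = prev if mode == "incremental" else full
        changed, deleted = changed_since(state, base)
        backups.append({"kind": mode, "files": changed, "deleted": deleted})
        prev = state
    return backups


def restore(backups, upto, mode):
    """Rebuild the data as of backups[upto]. Returns (state, sets_read): an incremental
    restore replays every set since the full, a differential one needs only the latest."""
    if mode == "differential" and upto > 0:
        chain = [backups[upto]]
    else:
        chain = backups[1:upto + 1]
    state = dict(backups[0]["files"])
    for b in chain:
        state.update(b["files"])
        for name in b["deleted"]:
            state.pop(name, None)
    return state, 1 + len(chain)


def stored_files(backups):
    """Total file copies written over the week, a proxy for backup time and storage."""
    return sum(len(b["files"]) for b in backups)


if __name__ == "__main__":
    for mode in ("incremental", "differential"):
        sets = plan(DAYS, mode)
        state, n = restore(sets, len(sets) - 1, mode)
        print(f"{mode:12} stored={stored_files(sets)} file copies, "
              f"Thursday restore reads {n} sets -> {sorted(state)}")
```

Running the block shows the trade-off behind the recommendation above: the incremental plan stores fewer file copies over the week (7 against 9) but its Thursday restore reads five sets, while the differential restore reads two. Note that restore() trusts the chain it is given; a missing or corrupt incremental set would silently yield the wrong state, which is why restores are tested rather than assumed.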

Question 5
(a) General Components of a Disaster
Recovery Plan [6 Marks]
A Disaster Recovery Plan (DRP) outlines
procedures to restore IT systems post-
disruption. Its general components are:
1. Risk Assessment and Business
Impact Analysis [2 Marks]
Identifies threats (e.g., ransomware,
earthquakes) and their impact on
operations. For example, assessing
downtime costs for a manufacturing
unit’s ERP system prioritizes recovery
needs.
2. Recovery Strategies and Procedures
[2 Marks]
Specifies methods to restore systems,
like using cloud backups or hot sites.
For instance, a plan to recover a
financial database within two hours
using offsite backups ensures minimal
disruption.
3. Communication and Testing Plan [2
Marks]
Defines stakeholder notification and
regular DRP testing. For example,
quarterly drills simulating a server
failure train staff and validate recovery
steps, ensuring preparedness.
