DePaul University IS 444 IT Audit Midterm Exam Solution, Fall 2018

Added on  2023/06/03
AI Summary
This document provides a detailed solution to the IS 444 IT Audit midterm exam from DePaul University (Fall 2018). The solution covers key areas such as IT governance, risk management, internal and external auditing, IT audit processes, and information assurance. It addresses the elements of IT governance, indicators of ineffective IT governance, and the importance of defined roles and responsibilities. Furthermore, the solution discusses enterprise risk management (ERM), the role of a risk officer, and the significance of establishing a common risk language. The document also highlights the similarities and differences between internal and external auditing, outlines the phases of the IT audit process, and explains the importance of information assurance in a business environment. Desklib provides this solution to aid students in their studies, offering a valuable resource for understanding complex IT audit concepts.
Running head: IT AUDIT
IT audit
Name of the Student:
Name of the University:
Author note:
Table of Contents
Answer to 1 (a)
Answer to 1 (b)
Answer to 1 (c)
Answer to 2 (a)
Answer to 2 (b)
Answer to 2 (c)
Answer to 3
Answer to 4
Answer to 5
References
Answer to 1 (a):
Information technology (IT) governance deals with the investment in and use of IT to achieve the company's goals. The key elements of IT governance are as follows.
1) Compliance with regulators: This refers to the way the company conforms to the guidelines, laws, specifications and regulations required to carry out business smoothly. Failing to comply with regulations, or violating any regulatory requirement, is legal misconduct that may lead to federal fines as well as legal penalties (English and Hammond).
2) Competitive advantage: This refers to conditions that allow a company to provide a good service or product of equal value, in a desired trend, at a relatively lower price.
3) Growth and innovation: Growth drives the company's overall performance, and innovation is required for growth. A company builds its business by identifying various opportunities for growth and improves business performance by innovating its processes, business model, services and products.
4) Increase in tangible assets: Tangible assets exist in physical form; they include fixed assets such as land, buildings and machinery, and current assets such as cash, marketable securities and stock or inventory.
5) Risk mitigation: This is the risk management activity of IT governance that allows a company to take on new business changes while reducing the risks in IT projects.
Answer to 1 (b):
The following indicators imply that a company's IT governance is not working (Wu et al.).
Lack of a shared vision and understanding;
Lack of continuous involvement and executive support;
Underestimating the level of effort needed to reach a steady state;
Failing to establish the corporate culture;
Failing to identify the other change efforts the company has gone through.
Answer to 1 (c):
When defining IT governance, clearly defining roles, responsibilities and accountability is important for the following reasons. Clearly defined roles and responsibilities let everyone know what to do and work together better at all levels. This provides advantages such as improved operational performance, better process management and enhanced internal control, which are required for the company's steady growth. Accountability defines people's obligation to be liable and responsible for their job.
Answer to 2 (a):
In today's global and complex business environment, everything is dynamic, and so risk is increasing and emerging remarkably at every level. Thus, hiring a risk officer for risk management, or setting up a separate section to handle and manage risk, is as important as other factors for the growth and execution of the business. Hence, one must totally disagree with the point of view of Maria Alvarez, the COO.
Answer to 2 (b):
Enterprise risk management (ERM) involves strategies that consistently identify, measure, minimise, control and monitor exposure to different types of risk, such as operational, strategic, financial, compliance and reporting risks. Companies are better able to preserve their value in the long term when they examine and plan for these risks. ERM is a way of adding value to the company by distributing risk awareness and decision-making throughout the company (Mikes and Kaplan).
Answer to 2 (c):
In a company, everyone plays a role in risk management. However, if no common or general definition of risk has been fixed, then everybody will try to manage risk based on their individual view and concept. Here both risk seekers and the risk-averse believe that they manage risks at acceptable levels. A common risk language helps management evaluate the completeness of its efforts to identify the scenarios and events that warrant consideration in the risk assessment. For these reasons, the IT auditor needs to establish a common risk language with management.
Answer to 3:
Similarities between internal auditing and external auditing (Simon et al.):
In both internal and external auditing, testing routines are conducted that involve the verification and analysis of several transactions.
Both internal and external auditing issue a report only after the task is completed.
Both internal and external auditing need quality work to ensure that the examination is trusted by the related parties.
Differences between internal auditing and external auditing (Simon et al.):
Internal auditing is conducted by a separate internal department within the company, while external auditing is conducted by an independent body outside the company.
Internal auditing reviews routine activities and gives suggestions for improvement, whereas external auditing verifies and analyses the company's financial statements.
Internal auditing is conducted by employees, while external auditing is conducted by a third party.
Internal auditing is voluntary and a continuous process, while external auditing is mandatory and conducted annually.
Internal auditing checks the operational efficiency of the company, while external auditing checks the validity and accuracy of the financial statements.
Management uses the report of the internal audit, while stakeholders use the report of the external audit.
Answer to 4:
The key phases of the IT audit process are as follows.
1) Audit universe: It consists of the initiatives and projects linked with the company's strategic plan, organised by systems, programmes, processes or controls. The audit universe allows the audit activity to be clear about the extent of its coverage of key risks. It must be updated periodically and should capture all the functions, regions and businesses that make up the company (Aksoy and Kahyaoglu).
2) IT risk assessment: It refers to the application of risk management procedures to IT in order to manage IT risks. IT risk assessment helps IT professionals identify any events that could have a negative effect on the company (Yang et al.).
3) Audit planning: It is a particular guideline that needs to be followed while conducting an audit. It helps keep audit costs at a reasonable level and allows the auditor to collect appropriate and sufficient evidence for the circumstances. An effective audit plan ensures that auditors conduct their audit efficiently by focusing on the areas of greater risk (Chou).
Answer to 5:
Information assurance (IA) is a method that ensures that information, and the risks to it, are appropriately managed across application usage, processing, transmission and storage. IA is important to the business environment as it ensures that user data is protected both in storage and in transit. IA benefits the company's business by using information on trust management, risk management and system safety and security, which makes information available to authorised people and minimises its use by unauthorised people (Park et al.).
In supporting the need for information assurance, the IT auditor gives assurance that information assets are protected and that data is processed in a secure and safe manner. The separate evaluations principle of the COSO framework implies that monitoring activities comprise auditing and taking corrective action to address the flaws in the system of controls. Auditing is an internal control. Thus, the internal auditor supports this component of internal control and thereby provides information assurance. The internal auditor designs the internal control process to provide reasonable assurance that information assets are appropriately managed (Rae et al.).
The three lines of defense model distinguishes among three lines or groups that are involved in risk management. In the first line of defence, operational management has the responsibility for maintaining effective internal controls and for executing risk management on a daily basis. In the second line of defence, the implementation of risk management by risk owners and operational management is monitored. The third line of defence provides the internal audit function. The third line emphasises that internal audit must not be taken as a primary control measure (Pizzini et al.). Thus, the three lines of defense model helps in achieving the principle of separate evaluations.
References:
Aksoy, Tamer, and Sezer Kahyaoglu. "Measuring the internal audit performance: tips for successful implementation in Turkey." American International Journal of Contemporary Research 3.4 (2013): 76.
Chou, David C. "Cloud computing risk and audit issues." Computer Standards & Interfaces 42 (2015): 137-142.
English, Stacey, and Susannah Hammond. "Cost of compliance 2014." Thomson Reuters Accelus (2014).
Mikes, Anette, and Robert S. Kaplan. "Towards a contingency theory of enterprise risk management." (2013).
Park, Insu, Raj Sharman, and H. Raghav Rao. "Disaster experience and hospital information systems: an examination of perceived information assurance, risk, resilience, and HIS usefulness." Journal of Consumer Research 12.4 (2015): 382-405.
Pizzini, Mina, Shu Lin, and Douglas E. Ziegenfuss. "The impact of internal audit function quality and contribution on audit delay." Auditing: A Journal of Practice & Theory 34.1 (2014): 25-58.
Rae, Kirsten, John Sands, and Nava Subramaniam. "Associations among the five components within COSO internal control-integrated framework as the underpinning of quality corporate governance." Australasian Accounting, Business and Finance Journal 11.1 (2017): 28-54.
Simon, A., L. H. P. Yaya, S. Karapetrovic, and M. Casadesús. "An empirical analysis of the integration of internal and external management system audits." Journal of Cleaner Production 66 (2014): 499-506.
Wu, Shelly Ping-Ju, Detmar W. Straub, and Ting-Peng Liang. "How information technology governance mechanisms and strategic alignment influence organizational performance: Insights from a matched survey of business and IT managers." MIS Quarterly 39.2 (2015): 497-518.
Yang, Yu-Ping Ou, How-Ming Shieh, and Gwo-Hshiung Tzeng. "A VIKOR technique based on DEMATEL and ANP for information security risk control assessment." Information Sciences 232 (2013): 482-500.