computers question bank 2011


Upload: rodgington-dune

Post on 09-Jul-2016


DESCRIPTION

questions involving the audit of computers in an organisation

TRANSCRIPT

Page 1: Computers Question Bank 2011

UNIVERSITY OF JOHANNESBURG

DEPARTMENT OF ACCOUNTANCY

AUDITING 300/BCTA

2011

COMPUTERS: QUESTION BANK

Question 1: The Proud Peacock
Question 2: Mavericks & Co
Question 3: Cologne For Men (Pty) Ltd
Question 4: Seatle – Maitse
Question 5: Top Fashions (Pty) Ltd
Question 6: Original Living Ideas Ltd
Question 7: Africhem Ltd
Question 8: LaVee (Pty) Ltd
Question 9: Graded Questions on Auditing 2011 – 14.16
Question 10: Graded Questions on Auditing 2011 – 14.24


QUESTION 1 (25 MARKS)

Mr Ntato Mokonane achieved his lifelong dream when he opened his own restaurant, The Proud Peacock, in partnership with his brother-in-law, Mr Xolile Xosi. The restaurant has been open for 18 months and has proved to be very popular. Mr Mokonane has asked you to advise him on the controls he should have in place in his restaurant. Your initial enquiries have revealed the following:

The restaurant employs a cashier, four permanent waitresses, a barman and a second chef (to fill in on the nights that Mr Mokonane is off duty).

The waitresses are currently paid a basic wage of R100 per night and whatever they can earn in tips.

All food and drinks orders are recorded on pre-numbered order pads. Each waitress has her own unique sequence.

The restaurant has a set menu selection that is changed once a quarter.

On completion of their meal, customers are required to proceed to the cashier and quote their table number. The cashier then rings up the cost of the meal using a copy of the waitress's completed order form. The cash register is situated at the exit point.

Mr Mokonane has expressed interest in computerising his business. He has identified the Pastel Point of Sale software package as being the most appropriate to the restaurant's needs. He has indicated that he is planning to replace the current cash register with a computer terminal linked to a cash drawer and to install a terminal in his office which will be used for recording all other accounting activities. Initial enquiries about the software have shown that it is a reliable package with adequate access control features.

YOU ARE REQUIRED TO:

a) Describe the controls that Mr Mokonane should implement to restrict access to the sales and computerized accounting applications. (10)

b) Describe the programmed controls that you would expect to find that would ensure that all valid restaurant sales are captured accurately and completely. (13)

You may disregard controls to ensure the integrity of standing data contained in the master files.

Presentation (2)


QUESTION 1 (SUGGESTED SOLUTION)

a) Access controls:

The terminals should be situated in such a manner that only staff members have access thereto. (1)

Each user should be assigned a unique user ID and password that should be contained in the access table of the operating system. (1)

The access table/user matrixes should define each user's access privileges according to the least privilege principle – i.e. only grant access to a user for those applications that he requires in order to perform his duties. (1)

Only Ntato should have access to the access table in order to change a user’s privileges. (1)

Upon logging in the user should be authenticated by means of a password that is: (1)
o Unique
o Confidential
o Changed regularly (2)

The system should also provide for:
o Automatic shutdown in the event of illegal access attempts (e.g. no more than 3 incorrect password attempts) (1)
o Time-out facilities (shutdown or password controlled screen savers) in the event of non-activity for a period of say 3 minutes. (1)

Automatic logging of all access and access violations. (1)

These logs should be reviewed on a daily basis by Ntato. (1)

Only Ntato should have access privileges to these logs (1)

Encryption of confidential information, for example, passwords, access table. (1)

Maximum (10)


b) Programmed controls to ensure that restaurant sales are captured correctly.

Validity:

Access controls – see above (1)

Verification/existence checks on:
o menu choice – alternatively there can be pre-programmed menu keys. (1)
o waitress code against the masterfile. (1)

Override function – there should be no need for an override function – however, in the event that there are system overrides, the package should automatically log these overrides (so that Ntato can review these logs the next morning and investigate the reasons therefore). (1)

Accuracy:

Automatic pricing of sales according to prices on the menu masterfile. (1)
Limit check (any valid example) e.g. that cash received is not less than the amount due. (1)
Alphanumeric and field size checks on all input fields (any valid examples). (1)
Reasonableness testing (any valid examples) e.g. on quantities ordered. (1)
Automatic calculation of price x quantity and calculation of change by computer. (1) (1)
Format tests on sales codes (or other valid examples). (1)
Screen tests by cashier. (1)
Dependency tests e.g. sales only accepted if waitress code is entered (any other valid examples). (1)
Field size tests e.g. on table number (or other valid examples). (1)

Completeness:

Missing data check on key entry fields. (1) (1)
Use of appropriate screen design and screen prompts. (1)
Sequential pre-numbering of invoices. (1)
Control totals (any valid example) (1)
Exception reports (any valid example) e.g. on missing entry fields. (1)

Maximum (13) Presentation (2)
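
The programmed controls listed in this solution, shown working together on captured sales. This is an added example in Python, not part of the question bank and not Pastel Point of Sale code; the field names, menu and waitress codes, limits and sample sales are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed standing data (master files); all values are illustrative.
MENU = {"M01": 8500, "M02": 12000, "D01": 2500}   # menu code -> price in cents
WAITRESSES = {"W1", "W2", "W3", "W4"}             # waitress master file
MAX_TABLE = 30                                    # assumed number of tables
MAX_QTY = 20                                      # assumed reasonable quantity per line
KEY_FIELDS = ("order_no", "waitress", "table", "items", "cash_cents")
MENU_CODE = re.compile(r"^[A-Z]\d{2}$")           # assumed format of a menu code


def validate_sale(sale):
    """Run the edit checks on one captured sale.

    Returns (errors, amount_due_cents, change_cents); the amounts are
    None when the sale is rejected.
    """
    # Missing data check on key entry fields. This is also the dependency
    # test: a sale is not accepted unless a waitress code was entered.
    errors = [f"missing:{f}" for f in KEY_FIELDS if sale.get(f) in (None, "", [])]
    if errors:
        return errors, None, None

    if not isinstance(sale["order_no"], int):         # alphanumeric check
        errors.append("bad_order_no")
    if sale["waitress"] not in WAITRESSES:            # existence check
        errors.append("unknown_waitress")
    table = sale["table"]
    if not (isinstance(table, int) and 1 <= table <= MAX_TABLE):
        errors.append("table_out_of_range")           # field size check

    for code, qty in sale["items"]:
        if not MENU_CODE.match(str(code)):            # format check
            errors.append(f"bad_code_format:{code}")
        elif code not in MENU:                        # existence check
            errors.append(f"unknown_menu_item:{code}")
        if not (isinstance(qty, int) and 1 <= qty <= MAX_QTY):
            errors.append(f"unreasonable_qty:{code}")  # reasonableness test
    if errors:
        return errors, None, None

    # Automatic pricing: the price comes from the menu master file, never
    # from the keyboard, and price x quantity is calculated by the program.
    due = sum(MENU[code] * qty for code, qty in sale["items"])
    cash = sale["cash_cents"]
    # Limit check: cash received may not be less than the amount due.
    if not isinstance(cash, int) or cash < due:
        return ["cash_less_than_due"], None, None
    return [], due, cash - due


def missing_order_numbers(sales):
    """Sequence check per waitress: order numbers absent between the
    lowest and highest number seen in the accepted sales."""
    seen = defaultdict(set)
    for sale in sales:
        seen[sale["waitress"]].add(sale["order_no"])
    gaps = {}
    for waitress, numbers in seen.items():
        missing = sorted(set(range(min(numbers), max(numbers) + 1)) - numbers)
        if missing:
            gaps[waitress] = missing
    return gaps


def process_batch(sales):
    """Return accepted sales, the exception report, the control total of
    accepted sales (cents) and the missing order numbers."""
    accepted, exceptions, control_total = [], [], 0
    for sale in sales:
        errors, due, _change = validate_sale(sale)
        if errors:
            exceptions.append((sale.get("order_no"), errors))
        else:
            accepted.append(sale)
            control_total += due
    return accepted, exceptions, control_total, missing_order_numbers(accepted)


# Constructed sample input for one evening.
SAMPLE_SALES = [
    {"order_no": 101, "waitress": "W1", "table": 4,
     "items": [("M01", 2), ("D01", 2)], "cash_cents": 25000},
    {"order_no": 102, "waitress": "W1", "table": 7,
     "items": [("M02", 1)], "cash_cents": 10000},       # under-tendered
    {"order_no": 104, "waitress": "W1", "table": 2,
     "items": [("D01", 3)], "cash_cents": 7500},        # order 103 never captured
    {"order_no": 201, "waitress": "", "table": 5,
     "items": [("M01", 1)], "cash_cents": 9000},        # no waitress code
    {"order_no": 202, "waitress": "W2", "table": 99,
     "items": [("X99", 1), ("M01", 500)], "cash_cents": 9000},
]

if __name__ == "__main__":
    accepted, exceptions, total, gaps = process_batch(SAMPLE_SALES)
    print("accepted:", [s["order_no"] for s in accepted])
    print("exception report:", exceptions)
    print("control total (cents):", total)
    print("missing order numbers:", gaps)
```

The gap report lists order 102 as well as 103: a rejected sale stays outstanding until it is corrected and re-entered, which is what the daily review of exception reports is meant to catch.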


QUESTION 2 (55 MARKS)

Mavericks & Co are stockbrokers on the Johannesburg Securities Exchange (JSE). The following computer-based client transactions are used by the firm to purchase shares on behalf of their clients:

1) Open new accounts

A client must have an account with the firm before shares may be purchased on their behalf. Only the debtors manager may open new accounts on the computer system. In order to open the account the transaction must exceed R2 000 in value. Opening accounts as well as the buying and selling of shares are mainly done telephonically, while a few are done over the counter at the firm's offices in Sandton. All new clients are put through to Alesandro, the debtors manager, who immediately captures the information provided telephonically by the client.

2) Sales transactions captured

Tyron, the debtors clerk, calls up the client's account as provided by the client from any terminal in the office and captures the details of the transaction on the account. Transaction details consist of the client account number, name of the client and the number and maximum price of the shares that the client wishes to purchase. Immediately after the transaction has been captured, a brokers' note is printed which contains the details of the transaction. The brokers' note is then sent to the traders, who buy the shares on the trading floor. As soon as the shares have been purchased, the trader records the price at which they were purchased on the brokers' note and signs the brokers' note as proof that the shares were purchased. The transactions are processed by the JSE on the exchange's central sales and clearance system. The same debtors clerk who captured the details of the transaction (Tyron) then captures the details of the purchase. The client's account as well as the debtors control is debited with the amount of the transaction. At the end of the month a monthly statement is sent to the client. Share certificates are kept in electronic format (STRATE).

3) Computer processing and files

Three files are involved in the process, namely:

o Debtors pending file
o Debtors transaction file
o Debtors master file

As soon as the transaction is entered into the system, the transaction details are captured and stored in the debtors pending file. The brokers' note is printed from these details. When the purchase details are captured, the transaction is removed from the pending file and placed in the transaction file at the purchase price. The debtors' master file is updated immediately with the captured details from the purchase transaction, and this file's movement and total are used to update the debtors control account.

4) Enquiries and controls

Debtors can phone in if there are queries on their accounts. Real-time enquiry facilities are available, and debtors' clerks can make corrections to the account, if necessary, while they are speaking to the client. Enquiries are recorded on exception reports and followed up with the traders if necessary.

No other controls, except those which are obvious from the above system description, have been implemented.


YOU ARE REQUIRED TO:

Please answer part (a) and part (b) in tabular format.

a) Set out in point form the weaknesses in internal controls identified in the above scenario. (21)

b) Suggest internal controls which would increase the reliability and effectiveness of the system and therefore eliminate the weaknesses identified in the internal controls of the company. (26)

c) List the risks associated with electronic data transfer, if the firm wishes to make use of Electronic Data Transfer (EDT) to load the transactions directly from the JSE's system on to the firm's system. (5)

Presentation (3)


QUESTION 2 (SUGGESTED SOLUTION)

WEAKNESS | INTERNAL CONTROL

Completeness

Weakness: No completeness control (e.g. number sequence) is performed on the brokers' notes. (1)
Internal control:
- Transaction enquiries must be recorded on pre-numbered documentation. (1)
- Numerical sequence tests must be performed on transaction queries and opening account documentation, and outstanding queries must be followed up. (1)
- A register should be opened for the control of brokers' notes where number sequence is reviewed. (1)
- Brokers' notes received back as purchases must be matched per register with brokers' notes handed to traders. (1)

Weakness: No follow-up on outstanding (incomplete) brokers' notes. (1)
Internal control:
- A daily printout of the movement on the transactions file must be compared with the signed brokers' notes for the day. (1)
- The movement for the day on the master file must be reconciled with the movement on the transaction file. (1)

Weakness: No recognition of receipt of brokers' notes is provided by traders. (1)
Internal control:
- Trader must sign in the register for the receipt of brokers' notes. (1)

Weakness: No follow-up on outstanding items on pending file. (1)
Internal control:
- Follow up the contents of the pending file with traders on a daily basis. (1)

Weakness: No reconciliations between the purchases for the day and the updating on the transactions file. (1)
Internal control:
- The movement for the day on the master file must be reconciled with the movement on the transaction file. (1)

Weakness: Regular back-ups of files are not done. (1)
Internal control:
- Regular back-ups of files should be made. (1)

Accuracy

Weakness: No comparison of the brokers' note with the client's original demand. (1)
Internal control:
- Brokers' note must be compared with the client's transaction enquiry. (1)

Weakness: No matching of purchase details with the JSE-system. (1)
Internal control:
- Purchase details must be compared with the details per the JSE system before it is captured. (1)

Weakness: No reconciliation between debtors accounts (files) and brokers' notes. (1)
Internal control:
- The total per transaction file must be reconciled with the total per master file. (1)

Weakness: No reconciliation between debtors accounts and control account (file). (1)
Internal control:
- Debtors statements must be reconciled with share certificates or signed brokers' notes before they are sent to clients. (1)

Weakness: Deviations between the pending file and transaction file are not followed up for correctness. (1)
Internal control:
- Management must check a printout of the pending file on a weekly basis. (1)

Weakness: Transactions are not followed up to ensure that the maximum purchase price is not exceeded. (1)
Internal control:
- System should compare price of shares to maximum price the client is willing to pay.
- Exception reports produced and reviewed of such occurrences.

Weakness: No controls exist to ensure that queries are followed up properly. (1)
Internal control:
- Enquiries must be recorded in writing on pre-numbered documentation. (1)
- Number sequence tests must be performed on enquiries and outstanding enquiries must be followed up. (1)
- Completed enquiries must be signed off by a supervisor. (1)
- Completed enquiries must be signed by the clerk and the supervisor as proof of authorisation. (1)

Weakness: Inadequate controls and follow-up of corrections on accounts. (1)
Internal control:
- A log (report) must be printed by the computer of changes to accounts, and the supervisor must compare the log with the change documentation. (1)

Weakness: There is no proper management information i.r.o. debtors purchases and follow-up. (1)
Internal control:
- Management information of debtors and purchases must be reviewed weekly by management. (1)

Weakness: No edit tests are performed to ensure that the input of transactions details is correct. (1)
Internal control:
- Calculations and updates must be performed programmatically by the computer after prices and quantities for the purchase have been captured. (1)

Weakness: There is no proper supervision of debtors clerks. (1)
Internal control:
- Proper supervision should be implemented over debtors clerks. (1)

Weakness: No follow-up of long-outstanding balances on debtors. (1)
Internal control:
- Long outstanding balances must be followed up. (1)

Validity

Weakness: No controls procedure to ensure that only the debtors manager opens new accounts. (1)
Internal control:
- A daily list of new accounts opened must be reviewed and initialled by the debtors manager. (1)
- Enquiries regarding the opening of new accounts must be completed on pre-numbered documentation (document should preferably look like input screen). (1)
- A screen enquiry test i.r.o. the capturing of new clients must be performed to ensure that information is captured correctly. (1)

Weakness: No password control to limit access and levels of access to the computer. (1)
Internal control:
- Security levels by means of security software must be implemented, to ensure that only authorised persons have access to Open new accounts. (1)
- Access control to the computer must be implemented through passwords. (1)
- Physical access to terminals should be limited through lockable terminals. (1)

Weakness: First transactions not reviewed to ensure that their value exceeds R2 000. (1)
Internal control:
- The computer should not process the first transactions if not in excess of R2 000. (1)

Weakness: No credit control or credit limits. (1)
Internal control:
- Credit limits must be set by management.
- Management must review and approve credit limits for each new client (1)
- Credit limits must be reviewed before new transactions are accepted (independence tests). (1)

Weakness: No proper division of duties. (Debtors clerk deals with purchases and transaction details). (1)
Internal control:
- There must be division of duties so that the same person who captures the transaction query does not also capture the purchase details. (1)

Weakness: Inadequate access controls to terminals. (1)
Internal control: Access controls to be implemented:
- Identification of user
- Authorisation of user
- Password control
- Terminal shut down after 3 attempts to log on
- Terminal logs off after 5 min inactivity etc
Any (3)

Weakness: Inadequate physical safeguarding of share certificates. (1)
Internal control:
- Share certificates should be kept in a safe. (1)

Weaknesses: Maximum (21)
Internal controls: Maximum (26)

c) Risks of EDT

1 No written evidence and user involvement. (1)
2 Tax and legal implications. (1)
3 Duplication of transactions. (1)
4 Data damaged during transfer. (1)
5 Transmission of data to incorrect addresses. (1)
6 Interruption and non-processing of transactions. (1)

Maximum (5)
Presentation (3)


QUESTION 3 (10 MARKS)

You are the auditor of Cologne For Men (Pty) Ltd. This company imports men's cologne from all over the world, but mainly from Europe and the USA. Inventory is generally kept in the company's warehouse for an average of one month, before being sold to cosmetic stores. These cosmetic stores are located in Johannesburg, Durban and Cape Town. A decision was thus taken a number of years ago to set up branches in Durban and Cape Town (the company's head office is in Johannesburg). Grant Cornish heads up the head office in Johannesburg, while Nicole Soares heads up the Durban branch and Wade Manthe, the Cape Town branch. These branches are connected to the Johannesburg head office via an extended real-time network system. All of the application programmes and general ledger have been computerised.

You have been given the responsibility to perform the audit of Inventory.

Inventory:

You have already attended the inventory count and all audit work in respect of the inventory quantities that appear in the final inventory list has been completed. You only have to complete the audit work on the valuation of the inventory including the provision for slow moving inventory and cut-off. From the systems description, you obtained the following data fields that exist for the inventory valuations, movements and ageing:

Product number
Product category
Description of the item
Location
Quantity on hand
Average age (in days) of inventory
Selling price
Cost price
Inventory movements between the stores and branches and between branches
* document number
* date
* quantity received or despatched
* whether inventory is still in transit
Date of last inventory count
Date on which there was last a movement in the inventory item

YOU ARE REQUIRED TO:

Name five reports that you can generate with generalized audit software that you can use to audit the valuation, provision and cut-off of inventory. Your answer should refer to the data fields that you would use and how you would combine the data fields and manipulate them if required. Explain in each case how the report would assist you in completing the audit procedures. Answer this question in the following column format: (10)

Report | Purpose


QUESTION 3 (SUGGESTED SOLUTION)

REPORT | OBJECTIVE

Report: Report that separates the stock into categories and prints it according to ageing in which inventory last moved (1)
Objective: Gives the values of stock by age to assist with the provision of stock calculation (1)

Report: Report of last movements before year end in each location (1)
Objective: Testing cut-off at year-end (1)

Report: Report that shows the quantity items on hand and multiplies it with the cost price per item to get a total (1)
Objective: Confirms the balance of stock at year end (1)

Report: Report of inventory totals per category of inventory (1)
Objective: Confirm the different classes for disclosure purposes. Highlights high value inventory categories that will assist in focusing our audit procedures for the valuation assertion. (1)

Report: Report that indicates which inventory is still in transit at year end. (1)
Objective: Confirmation that inventory in transit has been included in inventory at year end when it should have been (FOB) or excluded when it should have been (CIF) (1)

Report: Report that indicates the date on which the inventory item last moved. (1)
Objective: Indicates slow moving inventory and inventory that will most likely be written off if it hasn't moved for a long period of time. (1)

Report: Report of inventory items where sale price is smaller than cost price (1)
Objective: Net realisable value – indicates inventory items that require a write down to net realisable value. (1)

MAXIMUM (10)


QUESTION 4 (40 MARKS)

PART A (20 MARKS)

Ms OG Seatle – Maitse achieved her lifelong dream when she opened her own restaurant, Complex 49, in partnership with the love of her life, only known to most as “Jingles”. The restaurant has been open for 22 months and has proved to be very popular. Ms Seatle – Maitse has expressed interest in computerising her business. She has identified the Pastel Point of Sale software package as being the most appropriate to the restaurant's needs. She has indicated that she is planning to replace the current cash register with a computer terminal linked to a cash drawer and to install a terminal in her office which will be used for recording all other accounting activities. Initial enquiries about the software have shown that it is a reliable package with adequate access control features. Being new to this “computer environment” topic, Ms Seatle – Maitse was not quite sure of what exactly she should expect as characteristics of a CIS environment and was hoping that you could also assist her regarding this query.

YOU ARE REQUIRED TO:

a) Discuss the controls that you would have expected to find during the development and implementation of the new Pastel Point of Sale software system. (10)

b) State what advice you would offer to Ms Seatle – Maitse, as to controls which should be implemented so that the restaurant will be prepared in the event of any disasters occurring in the future. (10)

PART B (20 MARKS)

As part of your period audit of Big Shots (Pty) Ltd, you identified inventory as a significant balance and would like to perform detail procedures on the balance. You have already gathered the following information about the inventory:

Big Shots has a central warehouse in Johannesburg and 12 distribution warehouses spread throughout the country.

Big Shots uses a fully computerised inventory system which is able to determine inventory quantities for any item at any warehouse at any time by adding and deducting quantities sold, transferred and adjusted.

The system determines the cost of inventories on a weighted average basis.

The system has not changed significantly over the last year and no major changes are expected in the immediate future.

You have established that your in-house audit retrieval software (CAAT) package is fully compatible with the client's system.

YOU ARE REQUIRED TO:

a) List the possible functions of your audit retrieval software. (5)

b) In relation to the above, list how you would use the functions of the software's capabilities to audit the inventory system. (13)

PLEASE NOTE: a) and b) should be answered in a tabular format.

Presentation (2)


QUESTION 4 (SUGGESTED SOLUTION)

Part A

a) Program development and implementation controls

1. Perform a feasibility study to determine:

The users' needs (users, CIS staff, auditors); (1)
Specifications and requirements of available packages; (1)
Costs (hardware, packages and documentation); (1)
Support from suppliers; (1)
Possibility of future amendments; (1)
Reputation of suppliers. (1)
Enquiry from other users of packages regarding:
o facilities offered by program; (1)
o freedom from program errors; (1)
o speed & efficiency; (1)
o ease of use; (1)
o costs; (1)
Testing of packages. (1)

2. Authorisation of purchase of package:

Authorisation of purchase by Ms Seatle – Maitse and the cashier based on results of feasibility study. (1)

3. Implementation

The conversion must be planned:
- prepare date and time schedules for conversion; (1)
- cut-off points must be determined; (1)
- the conversion method must be defined (parallel, launch, direct). (1)

Preparation for conversion:
- preparation of files with standing data on the new system; (1)
- training of staff in respect of the use of the new system; (1)
- the preparation of the premises (constant power supply/air-conditioning, etc.). (1)

Control over the conversion by the data control group:
- supervision by competent senior management; (1)
- the auditors should also be involved. (1)

MAXIMUM (10)

b) Business continuity controls

Physical environment

• Protection against the elements
Fire: extinguishers etc (1)
Water: away from water pipes (1)
Power: backup supply (1)
Environment: air con etc (1)

Emergency plan & disaster recovery procedures

• Establish procedures (1)
• list of files & data to be recovered (1)
• alternative processing facilities (1)
• plan, document & test the plan (1)

Backups

• Regular backups on rotational basis (1)
• Copies off premises (1)
• Hardware backup facilities (1)
• Fireproof safe (1)

Other controls

• Adequate insurance (1)
• No over reliance on staff (1)
• Virus protection (1)

(MAXIMUM 10)

Part B

Uses of Audit Retrieval Software | Uses to audit inventory system

Castings and Calculations (1)
- Test castings and cross castings of inventory files (1)
- Test the castings of balances within the files e.g. inventory quantities for each category of inventory (1)
- Test calculations of weighted average cost of inventories for each category of stock (1)
- Calculate ratios such as inventory holding, % obsolete stock, inventory turnover etc for analytical procedures (1)

Investigations and analyses (1)
- Detail analyses of account balances e.g. obsolete inventory (1)
- Examine files for unusual items e.g. cost price is higher than the sales prices and negative balances (1)
- Investigate missing items e.g. missing GRN's (1)
- Compare transaction data with standing data (e.g. prices on invoices with price lists) (1)
- Identify slow moving inventory e.g. inventory where no recent sales were recorded (1)

Selection (1)
- Items for testing e.g. sample of GRN's (1)
- Items which meet certain criteria e.g. sales prices lower than the cost price (1)
- Items for test counts at year end (1)
- Printout of transactions at year end for the performance of cut off tests (1)

Summary (1)
- Items per category (1)
- Stratification of balances (1)
- Print out of master files e.g. supplier listing (1)

Comparisons (1)
- Computer files with each other e.g. general ledger with supporting ledgers (1)
- Amounts e.g. cost prices vs NRV (1)
- Previous year's files with current year e.g. inventory lists. (1)

General (1)
- Obtain a printout of goods in transit (1)
- Obtain a printout of material inventory adjustments to follow up (1)

PART A: Maximum (5)
PART B: Maximum (13)
Presentation: (2)


QUESTION 5 (20 MARKS)

PART A (10 MARKS)

You are the second year clerk on the audit of Top Fashions (Pty) Ltd. For the 28 February 2011 period end audit you are responsible to evaluate the internal controls over the sales order entry system. You have obtained the following information:

Orders are received from customers by phone.

The company does not make cash sales.

All orders are put through to Ms Polo, who after informing the customer of the price at which the order is taken, enters them directly onto the system. She does not perform a stock availability enquiry at the time the order is placed. The directors acknowledge that this may lead to customers' dissatisfaction but they argue that it is less important than losing a sale.

Ms Polo is linked from her office via a terminal to the mini-computer situated in the data processing department.

When an order is received it is entered via the terminal onto an “order pending file” at which time it is given a sequential number, and a cross referenced computer generated picking slip is printed out in the stores department.

YOU ARE REQUIRED TO:

Identify the application controls which you would expect in the sales ordering system of Top Fashions (Pty) Ltd, to ensure that orders received are accurately recorded and complete. (10)


PART B (10 MARKS)

Top Fashions (Pty) Ltd's sales are on credit and the sales have improved in recent years due to the directors constantly monitoring sales patterns and fashion trends. All account receivable records are maintained at head office. The account receivable system is fully computerized. You have identified that the following data fields exist in the accounts receivable system:

Account number
Debtor's name
Address
Credit rating dependent on new customers introduced, length of service, regularity of payments
Credit limit
Aged outstanding balances:
o Current
o 30 days
o 60 days
o 120 days
o 150 days
o 180 days
o Over 180 days
Total balance outstanding
Date of last purchase, invoice number and amount
Date of last payment, receipt number and amount
Sales month-to-date
Receipts month-to-date
Sales year-to-date
Receipts year-to-date

YOU ARE REQUIRED TO:

List the reports that you would extract from the accounts receivable master file using your audit retrieval software. Give reasons for the selection of each report. (10)


QUESTION 5 (SUGGESTED SOLUTION)

PART A: APPLICATION CONTROLS

Completeness

1. All orders are sequentially numbered. (1)
- Missing numbers are printed on exception report and followed up by management. (1)

2. The computer matches the delivery notes with the order and prints a list of outstanding orders: (1)
- it is followed up by management. (1)

3. The computer calculates a daily total of all orders received: (1)
- of the quantity and amount of orders and matches it with the total recorded in the order file (control total). (1)
- compare the total to the control total on picking slips (1)

4. An audit trail is printed of all orders received. (1)
- reviewed by Ms Polo and management for duplication or missing numbers. (1)

Accuracy

1. The following edit checks are performed:

Format checks (1)
The system verifies/checks that:
- clients' name is alphabetical;
- number is numerical.

Screen testing (1)
- Ms Polo verifies the detail of the client and order on screen.

Existence testing (1)
- the computer tests if goods are in stock, if not it is written to a suspense file.

Limit or reasonable tests (1)
- the computer tests the reasonableness of quantities entered (within reasonable limits).

Check digits (1)
- for accuracy thereof.

Field length (1)
- computer tests if the quantities, codes, etc, are within the acceptable range.

2. Calculations

- The computer calculates automatically the amount of the orders as follows:
* quantity: keyed in;
* price: master file;
* calculate the sale price.
Max (2)

MAXIMUM (10)

PART B

REPORT | REASON FOR SELECTION

Report: Printout of selected items for testing
Reason: Enables auditor to evaluate circularised accounts receivable

Report: Printout of circularisation requests
Reason: Enables auditor to circularise accounts receivable

Report: Report of payments after year end
Reason: To provide evidence that accounts exist and to assist auditor in provision for doubtful debts calculation

Report: Printout of negative total outstanding balances
Reason: Enables auditor to remove credit balances to accounts payable or investigate reasons therefore

Report: Printout of dormant accounts
Reason: Enables auditor to identify accounts of possible untraceable customers

Report: Printout of slow moving accounts
Reason: Enables auditor to identify possible bad debts

Report: Printout of age-analyses
Reason: To assist auditor in provision of doubtful debts calculation

Report: Printout of accounts in excess of credit limit
Reason: Enables auditor to identify possible bad debts

Report: Report of accounts with invoice numbers greater than a specified number
Reason: Assist auditor in ensuring cut-off correctly accounted for

Report: Report of accounts with receipts greater than a specified number
Reason: Assist auditor in ensuring cut-off correctly accounted for

(1 MARK PER REPORT) (1 MARK PER REASON)
MAXIMUM (10)


QUESTION 6 (35 MARKS)

You were recently appointed the auditor of Original Living Ideas Ltd (OLI), an entity that listed on the JSE. The company operates a number of designer furniture store outlets situated in Rosebank, Sandton, Hyde Park and Randburg. OLI has a financial year end of 31 May. It is the first year that you will be auditing OLI. The audit committee has informed you that the audit has to be completed by 20 June 2011, as the financial statements will be required by NBOSA, the company's bankers, on 25 June 2011 to review whether OLI's loan facility should be renewed.

As part of your risk assessment procedures, during the planning of the audit, you documented the following regarding the fully computerised system used by OLI:

OLI receives designs for furniture from a number of well-known interior decorators. These are appraised and the most popular furniture is manufactured according to the latest lifestyle trends. The furniture is stored in a central warehouse and distribution takes place from this point. The various stores only hold furniture for display purposes to encourage the public to order a specific piece. Once ordered the piece is dispatched from the warehouse for delivery to the customer.

During the current year OLI launched a new on line sales platform that allows customers to order furniture electronically via the Internet. Orders that are received via the internet are also distributed from the warehouse for delivery to customers. Customers specify the date and time of delivery on their orders. Upon delivery of the furniture the customer also receives an invoice from OLI which includes all packaging and delivery costs. The company does not make any cash or credit card sales. The customer's account is debited before delivery takes place.

OLI uses a central file server situated at their head office in Killarney to control the system. The store outlets and central warehouse facility use an electronic data interchange hub through on-line terminals to connect to the system. This allows terminals at each outlet to form part of a wide area network and integrate with the central database mainframe on a real time basis. You noted that no back up of the system was maintained and there is also no data recovery plan in the event of a disaster.

Store orders that are captured by a sales rep in the store are processed after verifying all client information. The sales reps may make changes to the customer masterfiles if any details have altered. When an order is received at a store outlet it is entered via a terminal into an “orders pending file” at which time it is given a sequential number. This file links with orders received via the internet sales platform so that all orders generated run sequentially. The system automatically generates a cross referenced picking slip after verifying stock availability. This slip can be printed out at the store and warehouse. If there is no stock available a picking slip will not be generated and an error report can be generated of all orders with no stock availability. The warehouse clerks pick stock, package it for delivery, update the “orders pending file” and a combined invoice/delivery note is automatically generated for those items picked. Should an item not be available then the order remains in the “orders pending file” and appears on the daily outstanding orders report.

The directors of OLI have raised a concern with you about an incident that occurred shortly after the launch of the new internet sales system. A customer has denied his obligation to make payment claiming that he did not place an order with OLI at any time or receive any furniture. The directors would like to know which controls should be present in the system to prevent unauthorised orders being placed by a person using customers' details (personal information) without their knowledge or consent.

YOU ARE REQUIRED TO:

(a) Identify the audit risks arising from the information provided. (20)

(b) Describe the controls required to ensure that changes made to customer's standing data are complete, accurate and valid. (15)

QUESTION 6 (SUGGESTED SOLUTION)

Part (a)

NON-IT RISKS:

1. Company listed on the JSE:

Risk of non-compliance with stringent JSE listing requirements; complex reporting requirements as auditor has to report on company's adherence to JSE listing requirements (1)

Risk that client overstates assets and profits to retain listing status (1)

2. New audit client

Risk that opening balances may be misstated (1)

Risk that accounting policies may not be consistently applied (1)

Risk that we as auditors will not identify misstatements as we are unfamiliar with the client (1)

3. Tight audit deadline

Risk that post balance sheet date events might not be identified (1)

Risk that financial information may be incomplete (1)

Risk that creditors and provisions may be understated - statements not received in time (1)

4. 3rd party reliance

Risk of legal liability i.t.o S46 as we are aware financial statements will be used by NBOSA (1)

IT RISKS:

5. Fully computerised environment: (General risks)

Risk that weak general controls could affect the continuity of processing (1)

Risk that a weak control environment exists because: (1)

o Management is not committed to proper IT governance, (1)

o There is no backup / data recovery plan (1)

Risk that weak application controls could affect the completeness, validity and accuracy of recorded transactions (1)

Risk of errors and ineffective programmed controls because of a lack of user training (1)

Risk that there will be an absence of input documentation (1)

Use of WAN increases risk of unauthorised access; changes to transactional data/masterfiles (1)

6. On-line system

Risk that there will be inadequate audit trails providing evidence of authorization (1)

Increased risk that there will be unauthorised use of the computer:

- Unauthorised changes made to transactions / balances (1)

- Unauthorised access to data (1)

- Unauthorised processing of data resulting in update of incorrect data to system (1)

Risk that masterfiles are amended without the necessary authorization (1)

Risk of corruption of data due to concurrent processing (1)

7. Real time processing of transactions:

Risk that incorrect data processed onto the system (1)

Risk of data loss due to any interruption during processing (no backup) (1)

8. No Backup or Data Recovery Plan

Increased risk relating to business continuity in the event of a disaster: (1)

o Loss of data (if there is a system failure all data might not be reinstated) (1)

o Risk that the company might not be a going concern (inability to continue operations in event of a serious system breakdown) (1)

9. Trading via the internet

Increased security risk: (unauthorised access of data on the public network)

o Failure of encryption based security (1)

o Overload of file servers resulting in system being unavailable for trade due to breakdown (business continuity risk) (1)

o Unauthorised “hacking” of customer information (1)

o Increased threat of data corruption from viruses (1)

o Risk of incorrect revenue recognition (date risks and rewards pass) (1)

10. EDI

Increased risk that there will be interruptions/errors transferring data to central server:

o Hardware failures (1)

o Server overload (availability of processing time) (1)

o Duplications on retransmission after system recovery (1)

11. Central file server

Risk that there will be unauthorised access to data due to:

o No firewalls and virus protection (1)

o No encryption of data (1)

Risk to business continuity through the collection of data in one central location with no adequate backup assurances; (1)

MAXIMUM (20)

Part (b)

MASTERFILE CONTROLS:

Completeness:

All changes to customers master file data should be:

o Requested in writing on a pre-numbered, pre-printed master file amendment form (1)

o Master file amendment forms should be designed to facilitate the capturing of all data (1)

o Any unused master file amendment forms should be subject to standard stationery control protocol (under lock and key; the responsibility of a designated staff member with appropriate authority) (1)

Changes to master files should be reconciled:

o To a list/register of requested amendments (completeness) (1)

o To the master file amendment forms (accuracy and completeness of changes) (1)

o All outstanding items/exceptions should be followed up by management (1)

o To supporting documentation (minutes of meeting/contract with customer) (1)

Accuracy:

All master file changes should be logged by the system (1)

o This activity log should be reviewed by management on a regular basis (1)

All changes made to standing data should be agreed to authorised master file amendment forms (1)

Programmed input validation tests/edit tests should be carried out:

o Alpha-numeric and field size checks on customer account numbers; ID numbers

o Missing data checks

o Reasonableness checks on ID numbers

o Record counts

o Any other valid edit check

max=3

Validity:

All proposed masterfile amendments must be authorised in writing by two senior officials (1)

All amendments should be reviewed by management before, during and after implementation (1)

Write access to masterfiles should be restricted to authorised personnel by means of user ID, passwords and terminal ID controls (1)

General:

All changes to customers master file data should be made off-line and only go live after approval and testing (1)

The master file should be reviewed regularly by management (1)

The masterfile data should be encrypted and kept in a library with strict access control (1)

Adequate backup procedures should be implemented in order to recover standing data in the event of data corruption during an amendment (1)

Password controls (1)

MAXIMUM (15)
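
The programmed edit checks and the completeness and validity controls listed in Part (b) can be sketched in code. This is an added example, not part of the original solution or of OLI's system. The account number format, the approver role names, the record layout and the sample batch are assumptions constructed for illustration, and the ID reasonableness test assumes the 13-digit South African ID layout (YYMMDD date of birth first, Luhn check digit last).

```python
"""Programmed edit checks on a batch of customer masterfile amendments."""
import re
from datetime import datetime

# Assumptions for this sketch (hypothetical, not taken from OLI's system):
ACCOUNT_RE = re.compile(r"[A-Z][0-9]{4}")     # account number: 1 letter + 4 digits
SENIOR_OFFICIALS = {"fin_manager", "credit_manager", "fin_director"}
REQUIRED = ("form_no", "account_no", "id_number", "name", "approvers")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def id_number_reasonable(id_number):
    """Reasonableness check: 13 digits, a real YYMMDD date, valid check digit."""
    if not re.fullmatch(r"[0-9]{13}", id_number):
        return False
    try:
        datetime.strptime(id_number[:6], "%y%m%d")
    except ValueError:
        return False
    return luhn_ok(id_number)


def validate_amendment(rec):
    """Run the edit checks on one amendment and return a list of error strings."""
    # Missing data check on every mandatory field of the amendment form.
    errors = [f"missing data: {f}" for f in REQUIRED if rec.get(f) in (None, "", [])]
    account = rec.get("account_no") or ""
    if account and not ACCOUNT_RE.fullmatch(account):
        errors.append("account number fails alphanumeric/field size check")
    id_number = rec.get("id_number") or ""
    if id_number and not id_number_reasonable(id_number):
        errors.append("ID number fails reasonableness check")
    # Validity: written authorisation by two different senior officials.
    if len(set(rec.get("approvers") or []) & SENIOR_OFFICIALS) < 2:
        errors.append("not authorised by two senior officials")
    return errors


def process_batch(records, control_count):
    """Apply record count, form sequence and edit checks to a batch."""
    form_nos = sorted(r["form_no"] for r in records if r.get("form_no") is not None)
    missing_forms = []
    if form_nos:                              # gaps in the pre-numbered form sequence
        missing_forms = sorted(set(range(form_nos[0], form_nos[-1] + 1)) - set(form_nos))
    accepted, rejected, activity_log = [], {}, []
    for rec in records:
        errors = validate_amendment(rec)
        if errors:
            rejected[rec.get("form_no")] = errors
        else:
            accepted.append(rec["form_no"])
        # Every attempted change is logged for management review.
        activity_log.append((rec.get("form_no"), rec.get("account_no"),
                             "REJECTED" if errors else "ACCEPTED"))
    return {"count_ok": len(records) == control_count,
            "missing_forms": missing_forms,
            "accepted": accepted,
            "rejected": rejected,
            "activity_log": activity_log}


# Constructed sample batch: the amendment register lists 4 forms (101 to 104).
BATCH = [
    {"form_no": 101, "account_no": "C1001", "id_number": "8001015009087",
     "name": "A Customer", "approvers": ["fin_manager", "credit_manager"]},
    {"form_no": 102, "account_no": "C10020", "id_number": "8001015009087",
     "name": "B Customer", "approvers": ["fin_manager", "fin_director"]},
    {"form_no": 104, "account_no": "C1004", "id_number": "8013015009087",
     "name": "", "approvers": ["fin_manager", "fin_manager"]},
]

if __name__ == "__main__":
    result = process_batch(BATCH, control_count=4)
    for key, value in result.items():
        print(key, "->", value)
```

Only form 101 would be written to the live masterfile; the count mismatch and the missing form 103 go to management for follow-up against the amendment register.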

QUESTION 7 (50 MARKS)

You have been the external auditor responsible for the audit of Africhem Limited (“Africhem”) for the past three years and have been reappointed to perform the audit for the reporting period ended 30 June 2011. Africhem is a company listed on the Johannesburg Security Exchange (JSE) and is South Africa's oldest producer of chemical products to the farming industry. Africhem applies innovation and technology to help farmers to produce higher quality products for the public. They assist farmers in producing healthier foods, better animal feeds and more fiber, while also reducing agriculture's impact on our environment.

Africhem's head office is located in Bloemfontein, and it has multiple branches around South Africa. The locations are variously administrative and sales offices, manufacturing plants, seed production facilities, research centers, and learning centers – all part of the corporate focus on agriculture and supporting farmers.

Africhem's accounting system is fully computerised. This system is an integrated complex application which minimises the use of hard copy documents wherever possible and handles a high volume of transactions on a daily basis. The system makes use of real time processing.

Your first year audit clerk George Clooney was responsible for documenting the understanding of the internal control environment of the purchase system and Meg Ryan, the senior audit clerk, was responsible for documenting any audit differences identified during the audit that could affect the audit opinion.

The following documents are attached:

| WORKING PAPER REFERENCE | DESCRIPTION |
|---|---|
| C4 | Purchase system – Internal controls |
| C6 | Audit differences |

Client: Africhem Ltd Period end: 30 June 2011 C4

Prepared by: G Clooney Date: 25 July 2011

Reviewed by: Date:

Purchase System – Internal Controls

The purchasing function is decentralised across the various branches, with each branch having its own purchasing department. Three years ago Africhem implemented SAP application software customised to meet the company's specific processing needs. The financial module, which includes accounts payable, was successfully implemented at the same time and no problems were experienced. The company currently does not use EDI in the purchasing process and therefore the controls around networks are not of concern. Manual purchase requisitions are used which then serve as input to the computer system. The rest of the purchasing process is fully computerised.

The company has a CIS control group which monitors the entire computer environment. The CIS control group makes use of an internal control questionnaire to assess the control environment of the purchasing computer system. The internal control questionnaire deals with the following internal controls:

YES NO

Business continuity

Are controls in place for:

Protection against physical environmental elements?

Personnel control?

Authorisation

Does the system establish and enforce clearly defined lines of responsibility and authorisation limits within the decentralised buying departments?

Does the system enable buyers to check who is authorised to raise and approve purchase requisitions?

Can increasing levels of authorisation be required for increasing values in purchase orders?

Completeness and accuracy of transaction input/generation

Does the system automatically check that all pre-printed sequence numbers used on purchase requisitions are accounted for?

Describe how the system subjects transactions to programmed edit/validation checks: …………………………………………………………………………………………………………………………………………………………………………………………………………………………

Are exception reports produced, in which large or unusual items are listed to allow for individual comparison with input documents?

Are exception reports produced, in which purchase orders that do not match authorised requisitions are listed for subsequent follow-up?

Are overrides of system warnings by the user automatically reported for independent approval?

Completeness and accuracy of processing

Does the system generate exception reports of unmatched or mismatched purchase transactions for review and follow-up?

Is a reconciliation automatically generated of records accessed and records updated?

Are system-generated purchase transactions subject to the same processing controls as input transactions? Describe the controls: ……………………………………………………………………………………………………………

YES NO

Organisational and management controls

Is there proper segregation of duties?

Are levels of responsibility clearly defined?

Are proper policies in place regarding staff recruitment and training?

Are there proper controls in place around virus protection?

Does the system automatically generate reports for management review? For example:

Exception reports (fluctuation in purchase volumes; significant purchase orders; material price variations).

Management information reports (audit trail; deviations from budgets).

Performance-related reports (stock-outs; supplier performance; delivery lead times).

Logical access

Does the system provide the following logical access control?

The user is required to input an ID and password combination in order to gain access to the application.

Effective password controls around the use of passwords.

Menu selections displayed are restricted based upon the access privileges defined by the user ID.

User access rights are restricted to those processing functions and data files required for the user's normal duties.

Changes to user access rights are automatically reported for review by management.

Logon IDs are automatically disabled/revoked after a prescribed number of logon failures, a set period of inactivity, or when employees resign or relocate within the organization.

An activity log for review by an authorized person is generated in respect of unauthorized access.

Physical access

Are the following physical access controls in place?

Access controls to the computer hardware.

Access control to the terminals.

Access controls to programs and data files.

Manual logs and review of logs.

Screening and training of staff on physical access controls.

Emergency access controls.

Client: Africhem Ltd Period end: 30 June 2011 C6

Prepared by: M Ryan Date: 28 July 2011

Reviewed by: Date:

Audit differences

One of Africhem's major branches, situated in Kroonstad, commenced the manufacturing of a highly toxic chemical, and two months before year end two of the employees working at this branch died after falling seriously ill. The initial investigation into their deaths suggested that they were victims of chemical poisoning suffered from working with the toxic chemicals. A government investigation was instituted on 15 May 2011.

At the last directors' meeting for the current reporting period the directors of Africhem took the decision to close the branch in Kroonstad, with immediate effect, until completion of the government investigation. The board of directors also took the decision that should the government investigation indicate that the employees' illness and death was directly attributable to their work conditions at the branch, the Kroonstad branch would remain closed permanently.

In addition, a firm of attorneys has instituted legal proceedings against Africhem on behalf of the family members of the two employees. We have established that should the government investigation connect the employee illness to the company's process, the employees' family members will in all likelihood be successful in their actions against the company.

Through discussions with the company's financial manager, Julia Roberts, we have been informed that the company has decided to treat the matter as follows in the financial statements for the period ended 30 June 2011:

No reference to the temporary or possible permanent closure of the branch will be made. However, full disclosure will be made to the shareholders at the annual general meeting.

The following note will be included:

o “The company is the defendant in a lawsuit brought against it by two employees. The case concerns health problems allegedly caused by the employees' work environment at the Kroonstad branch. The total claim is R2 500 000 but it is at present impossible to determine the outcome of the litigation.”

The going concern ability of Africhem is in no way threatened by this matter. All other aspects of the audit have been satisfactorily dealt with. The outcome of the government investigation is expected to take some months.

YOU ARE REQUIRED TO:

a) Refer to working paper C4 and list the general computer controls relating to the purchasing process that have not been included in the internal control questionnaire. (30)

b) Describe the audit strategy for the audit of the reporting period ended 30 June 2011, taking into consideration that Africhem has a fully computerized environment. (9)

c) Refer to working paper C6 and discuss fully the audit report that you would consider appropriate should the directors treat the matters in the financial statements in the manner indicated by the financial manager. (9)

Presentation (2)

QUESTION 7 (SUGGESTED SOLUTION)

a) GENERAL COMPUTER CONTROLS

System Maintenance (Change) Controls:

Requests for changes/corrections to the system should be completely carried out:

o Written requests on standard pre-numbered change request forms.(1)

o Change request form should be entered into a register. (1)

o Regular sequence checks must be performed on the request forms to identify outstanding requests. (1)

o Outstanding requests must regularly be reviewed by senior management. (1)

Only valid changes should be made:

o Requests for changes by the user should be approved by the following parties:

Correct level of authority (management/computer steering committee) (1)

Data processing department (technical IT department) (1)

o All system changes should be documented and system documentation should be modified. (1)

All changes must be tested to ensure effective functioning. (1)

Other considerations:

o Changes to the system should be backed up. (1)

o Training of users in respect of the use of the updated system. (1)

o Post-implementation reviews should be performed on the changes.(1)

Computer operating controls:

There must be scheduling of processing which is regularly reviewed. (1)

Set-up and execution of programmes must be in place: (1)

o This must be done by competent persons (1)

o Assisted by means of procedure manuals/instructions. (1)

o Regularly tested. (1)

o Constant supervision and review over this process. (1)

MAX (3)

Ensure the use of correct programmes and data files. (1)

Operating procedures that should be in place:

o Monitoring and review of the functioning of hardware (1)

o Operating instructions and manuals to assist users (1)

o Monitoring of operations through logs (1)

o General controls around segregation of duty, rotation of duties and supervision and review of activities. (1)

MAX (3)

Recovery procedures to prevent interruption in operations:

o Emergency plan & instructions in the event of crisis. (1)

o Effective backup procedures for data and hardware. (1)

System Software Controls:

Security over system software:

o Integrity of staff. (1)

o Segregation of duties. (1)

o Employment policies. (1)

o Supervision and review. (1)

MAX (3)

Database systems:

o Access controls around database system. (1)

o Supervision and review (by database manager). (1)

o Documented policies. (1)

MAX (2)

Processing on microcomputers:

o Control over software. (1)

o Programs written internally are tested and should be documented. (1)

Business Continuity Controls

Emergency plan and disaster recovery procedures:

o Establish procedures in respect of procedures and responsibilities in case of a disaster. (1)

o Prepare a list of files and data to be recovered in the case of a disaster. (1)

o Provide alternative processing facilities. (1)

o Plan, document and test the disaster recovery plan. (1)

MAX (3)

Backups:

o Backup data files regularly on a rotational basis. (1)

o Perform on-line or real-time backups. (1)

o Store copies of backup files on separate premises. (1)

o Have hardware backup facilities. (1)

o Store backups in a fireproof safe. (1)

o Policies around retention of files or records (1)

MAX (4)

Other controls:

o Adequate insurance. (1)

o No over-reliance on staff. (1)

o Virus protection controls (1)

o Physical security measures (1)

o Cable protection. (1)

MAX (2)

Logical Access Controls

Terminals:

o Terminal identification numbers (TINS) (1)

o Limited to one workstation log on (1)

o Simultaneous login prohibited (1)

MAX (2)

Program Libraries:

o Access to backup programmes controlled by access software (1)

o Passwords (1)

o Updating must be authorized (1)

MAX (2)

Utilities:

o Stored separately (1)

o Use logged and reviewed (1)

MAX (1)

TOTAL MAXIMUM (30)

b) AUDIT STRATEGY

Africhem has a fully computerized environment which will have the following influence on the audit strategy for 2010:

Obtain a thorough understanding of the client's internal control and information systems environment (1)

A combined audit approach should be considered due to the following: (1)

o Complex computer system (1)

o High volume of transactions (1)

o Less hard copy evidence available (1)

o Transactions are generated automatically (1)

Combined audit approach could only be used when reliance can be placed on the company's internal controls (1)

If reliance cannot be placed on the internal controls more extensive substantive procedures will have to be performed. (1)

Following a combined audit approach (if reliance can be placed on controls) will include:

o Testing the general computer controls (1)

o Testing the application controls (1)

o Above can be performed by auditing through the computer

o Performing limited substantive procedures (1)

o Above can be performed by auditing with the computer

o Controls will be tested throughout the period of reliance (1)

Effective function of general computer controls is a pre-requisite for the effective function of application controls. (1)

Consider the use of CAATS in performing of audit procedures. (1)

Consider the use of experts. (1)

MAXIMUM (9)

c) AUDIT REPORT

ISSUE 1: LITIGATION

The treatment of the pending litigation is satisfactory; no adjustment (provision) to the financial statements need be made as the outcome of the case is unknown, and damages cannot be reasonably quantified. (1)

However the wording of the note (disclosure) is inaccurate and inadequate and appears to be an attempt to play down the matter, especially in view of the directors' intention not to make any reference to the closure of the branch. (1)

Therefore an uncertainty exists which has not been adequately disclosed. (1)

This represents a disagreement on inadequate disclosure of the matter. (1)

The disagreement is material to the fair presentation of the AFS, but not pervasive. (1)

A qualified audit report will be required. (1)

ISSUE 2: TEMPORARY/PERMANENT CLOSURE OF BRANCH

This matter should at least be disclosed as the financial statements should deal with every fact or circumstance material to the appreciation of the state of the company's affairs. (AFS should present fairly) (1)

It is also possible that losses may arise out of the temporary closure of the branch (penalties, labour disputes). (1)

In addition at period end there is uncertainty about the future of the branch (could be permanently closed down). This is vital information for the users. (1)

There is no need to treat this as a closure of a division as there has been no implementation of a permanent closure or other known costs. (1)

Therefore a disagreement exists on the failure to disclose the matter. (1)

The matter is material to the fair presentation of the AFS, but not pervasive. (1)

A qualified audit report will be required. (1)

MAXIMUM (9) PRESENTATION (2)

QUESTION 8 (50 MARKS)

You have recently been promoted to manager in the computer audit division of RGL Incorporated (hereafter “RGL”), a well-established medium-sized audit firm situated in Sandton, Johannesburg. RGL is part of a global organisation of independent professional service firms, united by a common desire to provide the highest quality of services to their clients.

RGL has grown steadily since its inception on 1 March 1982. The RGL network is a medium-sized professional services organisation. This growth has been attained primarily through a reputation of giving sound professional advice and formulating trusted confidential business relationships. RGL has a broad-based clientele which includes local and national clients, as well as international clients of both a personal and corporate nature. One of their clients is LaVee (Pty) Ltd (hereafter “LaVee”), a medium sized company in the domestic foods market. The company has a 30 June period end and this year will be the first year that RGL has held the appointment as auditor.

LaVee has a number of food production facilities spread around Gauteng with the head office situated in Isando. The company has fully integrated computerised financial accounting and management reporting systems which were developed some years ago. The systems were developed in-house to ensure that the complex procedures and controls required by the directors of LaVee could be incorporated. Most of the data processing takes place at a data processing centre at the head office. The production facilities all have on-line terminals linking them to head office and other branches which allows for real time processing of certain applications.

Unfortunately things at LaVee did not get off to a great start. The senior manager on the audit, Sechaba Mooi, has (like most of the other staff members) little experience in computers and believes that auditing around the computer is perfectly adequate. The “planning meeting” for the 30 June audit in fact turned out to be Sechaba Mooi simply issuing instructions to the audit team, with no mention of LaVee's computerisation being made at all.

On challenging Sechaba on this, he responded:

“This firm adheres to the planning statement ISA 300 in developing the overall audit strategy. This statement does not even mention the word computers which suggests to me that auditing around the computer is a perfectly adequate approach to the audit.”

Accounts receivable

Your concern regarding the approach was further justified when the third year audit clerk on the audit, approached you to assist him with “auditing accounts receivable around the computer”. He gathered the following information for the period end audit:

| | June 2010 | June 2011 |
|---|---|---|
| Accounts receivable balance | R 2 546 215 | R 3 765 935 |
| Accounts receivable days outstanding | 65 days | 84 days |
| Accounts receivable as % of current assets | 33% | 41% |
| Number of accounts receivable | 398 | 529 |

All customers are supplied with a hardcover copy of the product catalogue from which they can select the goods to be purchased from the company. Orders must be placed by phoning the company's toll-free number. Calls are automatically directed to one of four clerks who enters the order directly into the system.

In June 2011 RGL's computer division conducted an evaluation, including test of controls on the revenue and receipts cycle, and found that the information produced by the system was valid, accurate and complete.

The accounts receivable department is headed by Zama Zamini, the credit manager, and is staffed by three debtors clerks. Zama reports to Joan Richardson, the financial manager.

The accounts receivable master file contains the following fields:

| Fields | Example |
|---|---|
| Account Number | S4359 |
| Name | MashDee (Pty) Ltd |
| Address and contact details | 7 Sgodi Ave, Orlando East, Soweto 2106, 082 123 6920 |
| Date account opened | July 2005 |
| Total owed | R 35 001.90 |
| Ageing of total amount owed | 30 days, 60 days, 90 days, 120 days and over |
| Credit limit | R 36 000 |
| Credit terms | 60 days |
| Account status (which remains blank other than when information regarding status is entered) | Handed over to attorneys |

To ascertain the allowance for credit losses at year end, a percentage of the amount appearing in each of the aged fields is determined. The amounts are then added together. These percentages are:

30 days – 3%

60 days – 7%

90 days – 20%

120 days and over – 30%

As in the past, Joan is quite prepared to allow you to interrogate the accounts receivable master file using RGL's generalised audit software and you intend to do so.
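
The allowance calculation described above can be re-performed over an extract of the master file. This is an added example, not part of the original question or its suggested solution. The extract layout, account values and recorded allowance figure are constructed, and the three exception tests (casting, credit limit, account status) are illustrative choices about what an interrogation might report.

```python
"""Re-perform the allowance for credit losses from a master file extract."""
from decimal import Decimal, ROUND_HALF_UP

# Percentages stated in the question, keyed by ageing field.
RATES = {"30": Decimal("0.03"), "60": Decimal("0.07"),
         "90": Decimal("0.20"), "120+": Decimal("0.30")}
CENT = Decimal("0.01")

# Constructed extract: keys mirror the master file fields, values are invented.
MASTER_FILE = [
    {"account": "S0001", "total_owed": "35001.90", "credit_limit": "36000",
     "ageing": {"30": "20000.00", "60": "10000.00", "90": "5001.90", "120+": "0.00"},
     "status": ""},
    {"account": "S0002", "total_owed": "5000.00", "credit_limit": "4500",
     "ageing": {"30": "1000.00", "60": "0.00", "90": "0.00", "120+": "4000.00"},
     "status": "Handed over to attorneys"},
    {"account": "S0003", "total_owed": "1100.00", "credit_limit": "2000",
     "ageing": {"30": "500.00", "60": "500.00", "90": "0.00", "120+": "0.00"},
     "status": ""},
]


def money(value):
    """Convert an extracted amount to Decimal so no float rounding creeps in."""
    return Decimal(str(value))


def allowance_for(account):
    """Apply the stated percentage to each aged field and add the results."""
    total = sum(money(account["ageing"][b]) * rate for b, rate in RATES.items())
    return total.quantize(CENT, rounding=ROUND_HALF_UP)


def recompute(master_file, recorded_allowance):
    """Recompute the allowance and collect exceptions for follow-up."""
    by_bucket = {b: Decimal("0") for b in RATES}
    allowance = Decimal("0")
    cast_errors, over_limit, status_flagged = [], [], []
    for acc in master_file:
        aged = {b: money(acc["ageing"][b]) for b in RATES}
        for bucket, amount in aged.items():
            by_bucket[bucket] += amount
        allowance += allowance_for(acc)
        owed = money(acc["total_owed"])
        if sum(aged.values()) != owed:            # aged fields must cast to total owed
            cast_errors.append(acc["account"])
        if owed > money(acc["credit_limit"]):     # balance exceeds credit limit
            over_limit.append(acc["account"])
        if acc["status"].strip():                 # status field is normally blank
            status_flagged.append((acc["account"], acc["status"]))
    return {"by_bucket": by_bucket,
            "allowance": allowance,
            "difference": allowance - money(recorded_allowance),
            "cast_errors": cast_errors,
            "over_limit": over_limit,
            "status_flagged": status_flagged}


if __name__ == "__main__":
    # 3000.00 is a constructed ledger figure for the client's recorded allowance.
    for key, value in recompute(MASTER_FILE, "3000.00").items():
        print(key, "->", value)
```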

Possible expansion

During a casual conversation in the corridors of LaVee, Joan mentioned to you that they (LaVee) are considering taking advantage of the business opportunities presented by e-commerce, which she briefly explained as the buying and selling of products or services over electronic systems such as the Internet and other computer networks. She has indicated to you that she has done a detailed analysis regarding all the benefits e-commerce presents to LaVee but is still not sure what the disadvantages or, more particularly, the risks are of conducting business via the Internet.

YOU ARE REQUIRED TO:

a) Discuss whether Sechaba Mooi's decision to audit LaVee using the “around the computer” approach is sound. (7)

b) Briefly describe the disadvantages of the other two approaches. (5)

For the remainder of the questions assume a different approach was adopted to that suggested by Sechaba.

c) Describe the application controls that you would expect to find in place to ensure that all orders taken from customers are valid, accurate and complete. (15)

d) Identify the information which you would extract from the accounts receivable master file to assist you in the audit of the allowance for credit losses. Describe how you would use the information. Do not give audit procedures. (11)

e) Assist Joan in setting out the risks of conducting business over the internet. (10)

Presentation (2)

QUESTION 8 (SUGGESTED SOLUTION)

a) Sechaba Mooi's decision to audit LaVee using the “around the computer” approach

Sechaba's decision to audit around the computer is not sound because: (1)

The approach is only suitable where

o The system is simple; LaVee's system, however:

Is an integrated financial accounting and management reporting system. (1)

Has a central processing department and a series of on-line links to its production facilities. Its system is therefore complex, not simple. (1)

It is also unsound to ignore the power of the computer in conducting an audit. (1)

It is also unlikely that RGL will attain a cost effective audit using this approach. (1)

To use this approach no significant controls should be built into the system. LaVee's system is complex and includes significant controls in the system which realistically cannot be ignored by the auditor of LaVee (1)

A clear audit trail must exist to use this approach: whilst this may be the case in LaVee's case, this alone cannot facilitate the use of the around the computer approach. (1)

The company has widespread branches, which could be indicative of a higher volume of transactions. Because of this, an around the computer approach is also not sound. (1)

The adoption of the approach is not consistent with the firm's policy/intention to adhere to the auditing standard ISA 300. (1)

o The “understanding the entity” cannot be adequately completed without obtaining a thorough understanding of LaVee's computerisation. (1)

o ISA 315 requires that the client's internal control be thoroughly understood so that the risk of material misstatement can be addressed. (1)

o If this is not done the audit strategy and plan will not reduce the level of audit risk to an acceptable level. (1)

The decision to audit around the computer cannot be justified on the grounds that the manager (and the firm) have limited skills in computer audit – if the firm does not have the skills to perform the audit they should have declined the audit or have obtained the skills of a computer auditor. (1)

MAXIMUM (7)


b) Briefly describe the disadvantages of the other two approaches.

Audit through the computer

o The approach requires the auditor to have a high level of computer knowledge. (1)

o The auditor is required to take stricter precautions due to potential corruption of the client's data. (1)

o A high level of client co-operation is required, which could in turn affect independence. (1)

o The approach only tests the operation of controls as at a certain point in time. (1)

Audit with the computer

o The auditor must have a reasonably high level of computer expertise. (1)

o The audit team requires training to use this approach as it involves making use of the computer to obtain sufficient audit evidence. (1)

o The cost of audit hardware and software is relatively high. (1)

MAXIMUM (5)

c) Application controls to ensure that all orders taken from customers are valid, accurate and complete

Validity

Write access to the order module of the sales application should be restricted through the use of user profiles, user IDs and passwords. (1)

Access to the order module should be restricted to the terminals in the order department and the credit manager's terminal. (1)

Order clerks should have 'read only' access to the debtors' master file (not necessarily all fields) and the inventory master file (this enables them to check inventory availability). (1)

On phoning in an order, the customer must supply a valid account number, which is entered by the order clerk. This number will be validated against the debtors' master file and if it does not match no further progress can be made. (1)

On entry of a valid account number the customer's other details should appear on screen and the order clerk will ask the customer to supply details. (1)

Once the order has been entered, the system should:

o Perform an inventory availability check and, if the inventory is not available, the customer should be asked whether they would like to order something else or be placed on back order, and (1)

o "cost" the order and automatically compare it to the amount of credit available on the customer's account. (1)

The customer should be referred to the credit manager if:

o The order clerk has doubts regarding the validity of the customer, e.g. the customer cannot supply details accurately, and (1)

o On entering the account number, the order clerk is alerted to a problem with the customer's account, e.g. insufficient credit or non-payment. (1)


Only the credit manager should have "write" access to remove a hold on the customer's account. (1)

Programmed mandatory fields should be installed which enhance the validity of the order, e.g. customer order number/name of buyer and date. (1)

All telephone conversations should be recorded/information confirmed with the client. (1)

All orders should be logged. (1)

Completeness and Accuracy

The screen should be formatted to promote accurate and complete capture, e.g. as an internal sales order. (1)

Screen dialogue should be available to guide the order clerk, e.g. screen prompts. (1)

Programme checks should be done, e.g.

o Alphanumeric check on the account number entered (1)

o Limit checks on the credit available balance versus the amount requested for new goods (1)

o Mandatory fields, such as account number, goods purchased, stock code, etc. (1)

All orders should be automatically sequenced. (1)

Clerks should ask the client to repeat the order and compare this to the input screen prior to proceeding with processing. (1)

Sequence testing should be performed by the system on all orders, and an exception report should be printed for all gaps in the sequence. (1)

o This should be followed up by Zama Zamini. (1)

MAXIMUM (15)

d) Extract from the accounts receivable master file to assist you in the audit of the allowance for credit losses.

Extract printouts of:

A small random sample of debtors which reflects the aging of the amount owed by the debtor. (1)

Use: This would be used as a basis for checking the accuracy of the aging (by tracing to source documents). Accurate aging is necessary as the allowance is based on the aging fields. (1)

All debtors:

o Where the balance owed exceeds the credit limit (1)

o Where the aging fields indicate that the debtor has exceeded his credit terms. (1)

Use: Each of these debtors would be discussed with Zama to obtain an explanation of why the credit limits/terms have been exceeded and whether it is an indication that the full amount will not be received from the debtor. (1)

All the debtors for whom there is an entry in the status field. (1)

Use: From this list all debtors with a status problem which may affect the collectability of the debt would be identified. Supporting documentation (e.g. correspondence with attorneys, letters to the debtor) would be reviewed and discussed with Zama. (1)

Use the firm's software to re-perform the casts and extract the totals of all numeric fields on the master file. (1)

Use: These totals would be used to recalculate the allowance using prescribed percentages, e.g. 3% of the "30 days outstanding balance". (1)


Use the totals to compare July 2010 amounts to July 2009 to determine whether the debtors' book is getting "older", e.g. a greater percentage of debt is in the 120 days and over column. (1)

MAXIMUM (11)

e) Assist Joan in setting out the risks of conducting business over the internet.

Lack of privacy of information (1)
Unauthorised access to credit card information whilst being transmitted (1)
Unauthorised access to credit card information once it arrives at the supplier (1)
Dealing with a supplier without integrity, resulting in non-delivery (1)
Hardware failure resulting in immediate loss of revenue (1)
Software failure resulting in immediate loss of revenue (1)
No legal certainty, in cases of non-payment or non-delivery, as to who the responsible person/party would be (in which country and under what law does the aggrieved party sue?) (1)
Lack of visible audit trail (hard copies of documents) (1)
Exposure to viruses (1)
Possible data corruption (1)
Loss of business – buyers not connected to internet (1)
Competitors gain access to product information (1)
International tax liabilities (1)
Potential copyright liabilities (1)
Information not updated regularly, resulting in loss of income (1)
Lack of innovation and continuous improvement – lose competitive advantage. (1)

MAXIMUM (10)

Presentation: Logic (1) Layout (1)


QUESTION 9 – Graded Questions 14.16

WEAKNESSES

1. There is too great a concentration of power in Sarah de Wet.
1.1 She can initiate transactions
1.2 Enters them into the system
1.3 Has access to blank stationery (she sets up the printer)
1.4 Is able to make masterfile amendments (see 2 below)
1.5 Is responsible for incompatible functions, e.g. paying creditors and reconciling the cash book (appears to have signing powers).

RECOMMENDATIONS

1. Peter Preemar must play a far more extensive role in the business; he appears to have the time but not the inclination. There are a number of simple things that he could do to minimise the risk (e.g. theft, fraud) of the lack of division of duties.
1.1 he could control blank stationery himself.
1.2 he and the receptionist/typist could be solely responsible for the opening and recording of mail.
1.3 he could engage our firm to perform the monthly bank reconciliation (and go through it with him each month).
1.4 he must become the second cheque signatory (Marie must have her authority removed) and he must insist on seeing all supporting documentation for all cheque payments.

WEAKNESSES

2. Sarah de Wet is able to make unauthorised masterfile amendments.

3. In addition, as the software is menu driven, masterfile amendments are easily effected. This makes files susceptible to manipulation, e.g. the inventory masterfile could be manipulated by inventory clerks through the terminal in manufacturing to cover losses/theft.

RECOMMENDATIONS

2/3 Peter Preemar should approve (by signing the form in 2.1) all masterfile amendments.
2.1 Masterfile amendments should be entered onto pre-printed sequentially numbered forms.
2.2 The processing of masterfile amendments should be restricted to Sarah de Wet and her terminal.
2.3 Prenumbered printouts of masterfile amendments processed should be reviewed by Peter Preemar for
* authority (validity)
* accuracy
* completeness.
2.4 In addition, frequent comparisons between the records and physical assets should take place, e.g. inventory counts, wages and employees.


Note: A more effective (but more costly) control may be for our firm to perform the masterfile amendment review (for all masterfiles), say once a month.

WEAKNESSES

4. The presence of Marie de Wet (Sarah's sister) in the accounting department increases the risk of collusion. Virtually the entire accounting function is run by the sisters, e.g. Marie will be maintaining the debtors and creditors ledgers produced by Sarah.

RECOMMENDATIONS

4. Marie de Wet should be transferred out of the accounting department to an administrative position in the manufacturing administration department.
4.1 her signing powers should be taken away.

WEAKNESSES

5. Toybuild (Pty) Ltd is too dependent on Compware CC.
5.1 There is a high incidence of small computerware companies going out of business.
5.2 They hold all of the systems documentation for the software they supply.
5.3 Possibly they do not have the necessary skills and resources to service Toybuild adequately (see 9 below).

RECOMMENDATIONS

5. A knowledgeable independent third party should be introduced, in this case our computer services department.
5.1 All program changes and systems development should be made in conjunction with our computer services department.
5.2 A full set of systems documentation should be supplied and lodged with our firm.

(Note: 5.1 and 5.2 would protect Toybuild (Pty) Ltd against the failure of Compware CC and any lack of skill, competence or resources they may have.)

WEAKNESSES

6. There is insufficient control over terminals and servers.
6.1 terminals appear to be allocated on a "general use" basis.
6.2 access to terminals does not seem to be protected.
6.3 the main server is placed in Peter Preemar's office.

RECOMMENDATIONS

6.
6.1 All of the terminals should be allocated to specific staff members who will be accountable for them.
6.2 Some form of practical physical protection should be introduced, e.g. terminals secured to desks, located in lockable offices, visible to all, etc.
6.3 Unless Peter Preemar's office is subject to tight security (unlikely!) the main server should be in a secured area (even a walk-in safe) to protect it from wilful damage.

Access/systems security

WEAKNESSES

7. There is insufficient control over access to files.
7.1 Passwords do not appear to be in use.
7.2 Interrogation of files through the terminals can be effected by simple commands.
7.3 Any application can be accessed from any terminal.

RECOMMENDATIONS

7. Proper logical access controls should be introduced.
7.1 only staff who require access should be given access, and only to the extent required to carry out their jobs (least privilege principle: no access, read-only, read and write).
7.2 this principle must be implemented by the use of user IDs, user profiles and passwords.
7.3 passwords should be subject to sound password controls
* unique, 6 digit, alphanumeric mix
* not listed or visible on screen
* kept confidential
* chosen by employee (effected by the software)
* changed regularly
7.4 there should be terminal identification and authentication controls.
7.5 access to the different applications should be restricted to only those terminals that are "authorised" to access the application in question, e.g. factory terminals have no access to sales/debtors applications.

Continuity of operations

WEAKNESSES

8. Back up is inadequate. Sarah will back up files "at her discretion". This may result in the company losing important accounting information.

RECOMMENDATIONS

8.
8.1 Back up of files should be regular, thorough and planned. Peter Preemar should ensure that this is done.
8.2 Backups should be secured in (at least) fire proof lockable locations.

WEAKNESSES

9. No disaster recovery plans have been made.
9.1 It is not in the service offered by Compware CC.
9.2 Peter Preemar and Sarah de Wet, being untrained, will know nothing of this requirement.

RECOMMENDATIONS

9. A disaster recovery arrangement should be made with our computer services department.

Control environment

WEAKNESSES

10. Peter Preemar's lack of interest in accounting matters will have to change.
10.1 He is the most senior staff member and must lead by example, especially where the accounting function has poor division of duties.

RECOMMENDATIONS

10. He must get involved as indicated in 1, and it must be explained to him why he has to be involved. (If he doesn't want to, he must appoint a senior person to the company.)


Conversion (part of system development)

WEAKNESSES

11. The proposed simultaneous conversion of all accounting records could cause, inter alia, the destruction or muddling of data, especially if it is carried out by Peter Preemar and Sarah de Wet.

RECOMMENDATIONS

11. The help of our computer services department should be sought to ensure that the conversion is dealt with as a proper conversion project.
* proper "existing data" cleanup
* proper selection of data conversion method, e.g. phasing in
* control over preparation and entry of existing data onto the system and
* proper post-implementation review


QUESTION 10 – Graded Questions on Auditing 2011: 14.24

a) Batch controls

1. When Maria Mathews removes the order from the order book she should
1.1 perform a sequence check, noting the sequence of numbers, e.g. 3327 to 3391, and count the documents.
1.2 enter the sequence numbers and number of documents received from each of the representatives in a suitably designed register, e.g. date, name, etc. This will ensure that the orders from all of the 15 representatives are accounted for each week.
1.3 require that the sales representative sign the schedule to acknowledge the details that have been recorded.

2. Maria Mathews should then check the last number in the sequence of orders presented by each sales representative the previous week to ensure there is no gap in sequence. (Note: this procedure could also be done by the computer at a later stage.)

3. Maria Mathews should perform tests on the orders, ensuring that they have been correctly and accurately completed, initialing the orders to acknowledge her tests.

4. She should then divide the orders into workable batches (by sales representative would probably be the most practical) and, for each batch, complete a pre-printed sequenced batch control sheet by entering:
* a unique batch number and batch identification, e.g. batch 10 of 15, week ending Friday 3 July, "orders"
* control totals
  • Document count
  • Hash total, e.g. total quantity of items ordered

5. Maria Mathews should then enter the identification details and control totals into a batch register and sign it.

6. Nicholas Zondi should count the number of batches he receives from Maria Mathews and acknowledge receipt of the batches by signing the batch register.

7. Nicholas Zondi should key in the details and control totals of each batch (before entering the date of the individual orders) to create a batch header label.

8. The data off each order should be keyed in (subjected to validation checks, see below) and the computer should calculate the same control total but based upon what has been keyed in, e.g. document count.

9. The computer generated totals should then be compared to the totals on the header label; where there are discrepancies, the batch should be rejected and checked.


Data entry – access control (invalid order entry)

1. Simple physical access controls to the terminals used by Nicholas Zondi should be in place as appropriate, e.g. terminal lock.

2. Access to the revenue application should be restricted to only the terminals of those employees who need access to the application to fulfill their functional responsibility.

3. Once access to the revenue application has been obtained through an authorised terminal, access to specific modules within the application should be restricted to specified individuals (least privilege) by the use of user identification, passwords and access tables, e.g. Nicholas Zondi would have access to the "create picking slip" module but not to the debtors masterfile amendments module.

4. There should be a full range of password controls, e.g.
4.1 no group passwords, i.e. Nicholas Zondi has his own
4.2 changed regularly, not obvious
4.3 not displayed or listed anywhere, kept confidential.

5. There should be terminal time out and automatic shutdown in the face of access violations.
5.1 these should be logged and frequently reviewed by IT.

Data entry – program checks and screen aids

1. Once the "create picking slip" module has been accessed, the screen should be formatted in such a manner
* that it resembles the hard copy picking slip which will be produced and
* it facilitates the easy capture of data off the order (accuracy)

2. The program should require the minimum keying in of data off the order form, e.g.
* entry of the inventory code should bring up the description and price
* entry of the account number should bring up the customer's details. (Nicholas Zondi should only have to key in account number, order number, inventory item, quantity ordered and the sales representative's code.)

3. There should be mandatory field checks; in this case all fields are important and Nicholas Zondi should not be able to proceed to the next order until he has entered data in all fields.

4. There should also be appropriate screen dialogue and prompts, e.g. before Nicholas Zondi moves to the next order he should be asked if "all items on the order have been correctly entered?"

5. There should be program checks, e.g.


5.1 verification check – the customer account number is validated against the debtors masterfile
5.2 alpha numeric check, e.g. only numerics in the quantity field
5.3 range or limit check on quantity field
5.4 sequence check on order numbers (within a batch).
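The batch header comparison in steps 7 to 9 of the batch controls and the program checks in 5.1 to 5.4, as an added example that is not part of the original suggested solution. The field names, account codes, the quantity limit of 500 and the sample orders are constructed assumptions; the order numbers and the "batch 10 of 15" label follow the examples in the text.

```python
from dataclasses import dataclass

# Constructed sample data: account codes and the quantity limit are assumptions.
DEBTORS_MASTERFILE = {"D1001", "D1002", "D1003"}
MAX_QUANTITY = 500
FIELDS = ("order_no", "account", "inventory_code", "quantity", "rep_code")

@dataclass
class BatchHeader:
    batch_no: str
    document_count: int  # control total: number of orders in the batch
    hash_total: int      # control total: total quantity of items ordered

def validate_order(order):
    """Program checks on one keyed-in order (all values are keyed strings)."""
    errors = [f"mandatory field missing: {f}" for f in FIELDS
              if not order.get(f, "").strip()]
    qty = order.get("quantity", "").strip()
    if qty and not qty.isdecimal():                      # alphanumeric check
        errors.append("quantity must be numeric")
    elif qty and not 1 <= int(qty) <= MAX_QUANTITY:      # range/limit check
        errors.append("quantity outside permitted range")
    acct = order.get("account", "").strip()
    if acct and acct not in DEBTORS_MASTERFILE:          # verification check
        errors.append("account not on debtors masterfile")
    return errors

def sequence_gaps(order_numbers):
    """Sequence check: order numbers missing between the lowest and highest."""
    present = {int(n) for n in order_numbers}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def process_batch(header, keyed_orders):
    """Recompute the control totals from what was keyed in and compare them
    with the batch header; any discrepancy rejects the whole batch."""
    exceptions = []
    for keyed in keyed_orders:
        for err in validate_order(keyed):
            exceptions.append(f"order {keyed.get('order_no', '?')}: {err}")
    count = len(keyed_orders)
    hash_total = sum(int(o["quantity"]) for o in keyed_orders
                     if o.get("quantity", "").strip().isdecimal())
    if count != header.document_count:
        exceptions.append(f"document count {count} != header {header.document_count}")
    if hash_total != header.hash_total:
        exceptions.append(f"hash total {hash_total} != header {header.hash_total}")
    numeric = [o["order_no"] for o in keyed_orders
               if o.get("order_no", "").strip().isdecimal()]
    exceptions += [f"sequence gap: order {n} missing" for n in sequence_gaps(numeric)]
    return {"accepted": not exceptions, "exceptions": exceptions}

def sample_order(no, qty, account="D1001"):
    """Build one constructed sample order."""
    return {"order_no": no, "account": account, "inventory_code": "INV-01",
            "quantity": qty, "rep_code": "R07"}

HEADER = BatchHeader("10 of 15", document_count=4, hash_total=60)
CLEAN = [sample_order("3327", "10"), sample_order("3328", "25"),
         sample_order("3329", "10"), sample_order("3330", "15")]
LOST_DOCUMENT = [o for o in CLEAN if o["order_no"] != "3329"]
TRANSPOSED = [sample_order("3327", "10"), sample_order("3328", "52"),
              sample_order("3329", "10"), sample_order("3330", "15")]

if __name__ == "__main__":
    for name, batch in (("clean", CLEAN), ("lost document", LOST_DOCUMENT),
                        ("transposed quantity", TRANSPOSED)):
        print(name, process_batch(HEADER, batch))
```

The transposed-quantity batch shows why the hash total is kept alongside the document count: the count still agrees with the header, and only the hash total exposes the keying error.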

b)

1. When the sales representatives return to the office on a Friday they should be given an up to date printout which lists, for each customer they will visit in the following week:
* balance owing
* credit limit and
* available credit

2. Before accepting an order, the sales representative should work out the value of the order and compare it to the available balance. If the available balance is exceeded the order should be reduced/tailored to fall within the available credit, and the matter discussed with the customer immediately.
2.1 where the order cannot be tailored/reduced to fall within the available credit, application should be made to Rishi Patel to increase the credit limit before the order is finalised. Rishi Patel should only increase the credit limit after conducting thorough creditworthiness checks.

3. In addition, the application software should be enhanced by introducing a control which identifies, before the picking slip is printed, situations where a sale pushes the debtor beyond his limit.
3.1 when the order is entered by Nicholas Zondi the computer should calculate the value of the sale, add it to the balance on the debtors account and compare it to the credit limit.
3.2 if the credit limit is exceeded, a hold should be placed on the printing of the picking slip.
3.3 this hold can either be overridden by Rishi Patel (only) or the details of the order written to a file for follow up and only acted upon (picking slip printed) once the matter has been

c)

1. Changes to credit limits should only be made after the customer's payment performance has been evaluated by Rishi Patel and the change agreed with the financial manager.

2. All changes should be recorded on a (preprinted sequenced) masterfile amendment form, cross referenced to any supporting documentation and signed by Rishi Patel and the financial manager.


3. Write access to the masterfile amendment module of the revenue and receipts application should be restricted to Rishi Patel's section
3.1 terminal identification
3.2 user identification, passwords

4. All masterfile amendments should be sequentially logged by the computer.

5. Rishi Patel and the financial manager should review the log, tracing from the log to the supporting documentation.