UNIVERSITY OF PRETORIA

Department of Auditing AUDITING 300 (ODT 300)

LA 2 COMPUTERISED CONTROLS – ADDITIONAL QUESTIONS - PRIOR TESTS

CEV 2 – 2018 – Q4

You are a third year trainee accountant at Bradshaw & Jones Incorporated (B&J) and you have been assigned to the audit of Net Solutions Limited (Net Solutions). The company’s financial year end was 31 January 2018.

Client: Net Solutions Ltd
Working paper reference: A-300
Year-end: 31/01/2018
Prepared by: Third year trainee    Date: 26/02/2018
Reviewed by: Audit manager    Date: 28/02/2018
Description: Background to the procurement and safe keeping of lease equipment

Apart from agreements with corporate clients, Net Solutions also offers walk-in clients the option to enter into short term contracts. This requires that the company have equipment readily available at the warehouse for immediate lease. Available lease equipment is displayed in the windows of the warehouse to show the variety of equipment. Net Solutions sources the lease equipment from various local and overseas suppliers. It takes approximately four weeks for overseas procurements to arrive and shipment is done free on board.

The equipment is stored at Net Solutions’ warehouse situated in Johannesburg, alongside the N1 highway. This is the only place of business for Net Solutions. The warehouse building consists of three levels and is designed with a very modern touch. Net Solutions only utilises the ground floor to house the equipment and leases the top two floors. The warehouse has high glass windows and a glass sliding door at the entrance that automatically opens as it senses movement. There are no other security measures to restrict access to the warehouse except for the glass sliding doors at the entrance.

In addition to the lease equipment that is housed in the warehouse, the warehouse is also fitted with the latest air conditioning system. This air conditioning system is deemed as ‘safety equipment’ for the protection of the lease equipment and is the only ‘safety equipment’ that is installed in the warehouse. Different depreciation methods such as the straight line method or diminishing balance method are used for the lease equipment and the ‘safety equipment’ respectively.

REQUIRED:

4 Based on the information included in working paper A-300:

4.1 Identify the weaknesses in the general controls relating to Net Solutions’ continuity of operations with specific reference to its warehouse. (2)

4.2 For each weakness identified, recommend the general controls that Net Solutions Limited should implement to ensure the continuity of its operations into the future. (4)

Note: Present your answer to 4.1 and 4.2 in a tabular format.

Communication skills: Presentation (1)

SUGGESTED SOLUTION QUESTION 4 (7 marks)

4.1 Identification of weakness: The warehouse is not located within a secure area within a building with no outside walls and windows. (1)
4.2 Recommendation:
• The equipment should at least not be displayed in the window. (1)

4.1 Identification of weakness: Access to the warehouse is not restricted. (1)
4.2 Recommendation:
• The warehouse should have a secure door that is kept locked with no automatic entry to just anyone. (1)
• There should be access control devices in order to enter the premises and to open the door such as: swipe cards, biometric devices like fingerprint scanning etc. (1)
• Entry/exit points should be monitored by security cameras or closed circuit TV. (1)
• Customers should “buzz” at the entrance and only be let in by authorised personnel on the inside. (1)
• Customers should be escorted out the building at the conclusion of their business. (1)
MAX (4)

4.1 Identification of weakness: The warehouse is not fitted with any other ‘safety equipment’ except for the latest air conditioning system. (1)
4.2 Recommendation:
• In addition to the air conditioning, the warehouse should also be fitted with smoke detectors, fire extinguishers, automatic gas release (CO2) and no smoking allowed signs. (1)

4.1 Identification of weakness: Available (3) Maximum (2)
4.2 Recommendation: Available (6) Maximum (4)

YEAR TEST 1 – 2018 – Q3 & 4

Background to FOFA Airlines Limited

FOFA Airlines Limited (FOFA) is a low cost airline, operating on major domestic routes from Cape Town International Airport, OR Tambo International Airport, as well as from two small regional airports. FOFA’s financial year end is 31 March 2018. MBRR has been the designated auditors of FOFA for the past three years. The managing director of FOFA, Len Scam, a very autocratic man, has a material shareholding in the company. There are 23 other shareholders of which none is a director. FOFA’s board consists of seven directors.

The audit is currently underway and your team is busy performing the planning procedures for the annual audit. The team has reviewed the internal control policies regarding the computer controls at FOFA and also read through the minutes of the directors’ meetings. Your audit team compiled the following working papers for your perusal:

Working paper reference    Description
A-101    Abstract of the computer environment at the FOFA head office
B-101    Abstract of the on-line flight booking process

Client: FOFA Airlines Limited
Working paper reference: A-101 (1/1)
Year-end: 31/3/2018
Prepared by: A Trainee    Date: 7/02/2018
Reviewed by:    Date:
Description: Abstract of the computer environment at the FOFA head office

FOFA’s head office is located at the OR Tambo International airport and the offices are rented from the Airports Company of South Africa (ACSA). The main reason FOFA decided to rent these offices was that they offer high security with 24 hour electronic surveillance. FOFA’s accounting system and related data are located on a server at these offices.

Due to the nature of the company’s business, FOFA has sound logical access controls, since large amounts of very sensitive information regarding its customers are stored on the FOFA server. All the departments of FOFA are linked by the local area network and all employees are allocated to a specific terminal. A user profile is created for every employee at FOFA containing a user ID (which allows for the allocation of access rights to the specific user ID). However, due to its small workforce, FOFA has given read and write access to all employees to all the modules of the computer applications. When the employee logs onto the system, the server will automatically confirm that the computer is a valid FOFA computer. After confirming the user’s ID, the system will then grant the employee access to the computer applications.

Every employee of FOFA is also assigned a password. The initial (default) password for all new employees at head office starts with HO followed by the employee’s date of appointment. Passwords must be changed once a year. Passwords are saved in a text file, kept on the server and all employees have access to all the data files kept on the server, should they wish to change a password.

Client: FOFA Airlines Limited
Working paper reference: B-101 (1/1)
Year-end: 31/3/2018
Prepared by: A Trainee    Date: 7/02/2018
Reviewed by:    Date:
Description: Abstract of the on-line flight booking process

ON-LINE FLIGHT BOOKING

Flights can only be booked online. FOFA uses the Business Management System (BMS) to manage all flight bookings. Customers have to first register online where a unique login name and password, consisting of at least 8 characters, is created. Customers cannot make a booking without first going through this registration process.

During the first step in the booking process a customer has to select the date of travel; the number of travellers (restricted to 10) and the destination he/she wants to travel to. The available flights are then displayed on the screen, together with the departure and arrival times. The customer selects his/her appropriate flight/s, as well as the class of travel (Economy/Business). Once the customer accepts the selected flight and costs, they have to verify their personal details such as name and surname; gender, identity (ID) number and email address. Customers should also agree to the terms and conditions of the airline. A confirmation screen then appears showing details of the pending booking to the customer that requires verification.

The second step involves the payment of the booked flight. Payment can only be made by credit card, and full payment is expected upon booking. Upon successful payment, a confirmation email, in the form of a pre-numbered Flight Booking Slip (FBS), is automatically sent to the customer, confirming the booking. The FBS contains the booking reference number (consisting of alphabet letters and numbers) as well as the flight and passenger details. The FBS should be handed to the check-in attendant on the day of the flight.

REQUIRED:

QUESTION 3

Refer to the information included:
• Under the heading BACKGROUND TO FOFA AIRLINES LIMITED, and
• Working paper A-101 – Abstract of the computer environment at the FOFA head office

3.1 Explain the concept of an “access table” and the function that access tables serve in logical access control. (6)

3.2 Identify the weaknesses in FOFA’s logical access controls. (3)

3.3 Describe four (4) additional logical access controls that FOFA can put in place to safeguard its programmes and data. (4)

QUESTION 4

Refer to the information contained in:
• BACKGROUND TO FOFA AIRLINES LIMITED and
• Working paper B-101 – Abstract of on-line flight booking

List the programmed application controls and briefly explain the purpose of the controls, then link the controls to the data field/(s) that you would expect FOFA to have implemented to ensure the validity, accuracy and completeness of the input data used in the on-line flight booking process. (14)

Communication skills (layout and structure) (1)

Present your answer in the following format:
Column 1: List the programmed application controls and explain the purpose of the controls
Column 2: Data field/(s) applicable
(½)

Note: Data fields may be used more than once, if multiple controls are applicable to the field.

SUGGESTED SOLUTION QUESTION 3 (13 marks)

LOGICAL ACCESS CONTROLS

3.1 FUNCTION WHICH ACCESS TABLES SERVE IN LOGICAL ACCESS CONTROL

• An access table is a (computerised) table in which a number of access details are defined and to which the computer can refer when an attempt at accessing the computer is made. (1)
• Without access tables there can be no logical division of duties (segregation of duties). (1)
• These tables identify all “objects” and “conditions” which the computer has to know in order to control access. These objects and conditions include: (1)
  • the identity of all authorised PC’s (1)
  • the identity of all authorised users (1)
  • all passwords (1)
  • all programmes and functions within the programme (1)
  • all possible modes of access (no access, read only, read and write). (1)
• Once the access table is set up, user and PC profiles can be created which specify the combinations of the above objects and conditions which should be allowed and which combinations should be disallowed for the particular user. (1)

Available (9) Maximum (6)

3.2 IDENTIFY THE WEAKNESSES IN FOFA’S LOGICAL ACCESS CONTROLS

• The functions of the employees are not restricted as all employees are given read and write access to all the modules of the accounting application. (1)
• The initial passwords for new users are not unique to each user, or confidential, as they consist of the letters “HO” followed by the employee’s date of appointment. (1)
• The passwords are not changed on a regular basis, only once a year. (1)
• Access to passwords is not restricted as passwords are accessible by employees, who have access to all data, including the text file with passwords, stored on the server. (1)
• Passwords are not encrypted as they are saved as text files on the server. (1)

Available (5) Maximum (3)

3.3 ADDITIONAL ACCESS CONTROLS

• Automatic lock-out in the event of an access violation, e.g. incorrect password entered three times. (1)
• Time-out facility after several minutes of no user activity. (1)
• Automatic logging, review and follow up of access and access violations. (1)
• Encryption of confidential information. (1)
• Additional passwords e.g. two or more passwords (more than one user e.g. EFT payment authorisation) or a pin to gain access to sensitive information. (1)
• Combinations of passwords and devices such as “dongles” and random number generators (one time password or pin to phone). (1)

Available (6) Maximum (4)
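The access table from 3.1, with the lock-out and logging controls from 3.3 and password storage that addresses the weaknesses in 3.2, as an added Python example that is not part of the original memorandum. The user ID, terminal and module names are constructed, and a salted PBKDF2 hash is an assumed substitute for the encrypted password file the memorandum refers to.

```python
import hashlib, hmac, os

MAX_FAILURES = 3                            # lock-out after three wrong passwords (3.3)
LEVEL = {"none": 0, "read": 1, "write": 2}  # modes of access listed in 3.1

def _hash(password, salt):
    # Salted, slow hash: the table never holds a readable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AccessTable:
    def __init__(self):
        self.terminals = set()  # identity of all authorised PCs
        self.users = {}         # user ID -> credential record
        self.rights = {}        # (user ID, module) -> granted mode
        self.log = []           # every decision, kept for review and follow-up

    def add_user(self, user_id, password, terminal):
        salt = os.urandom(16)
        self.terminals.add(terminal)
        self.users[user_id] = {"salt": salt, "hash": _hash(password, salt),
                               "terminal": terminal, "failures": 0}

    def grant(self, user_id, module, mode):
        self.rights[(user_id, module)] = mode

    def _decide(self, terminal, user_id, password, module, mode):
        user = self.users.get(user_id)
        if terminal not in self.terminals or user is None:
            return "unknown terminal or user"
        if user["failures"] >= MAX_FAILURES:
            return "locked out"
        if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            user["failures"] += 1
            return "wrong password"
        user["failures"] = 0
        if terminal != user["terminal"]:
            return "not this user's terminal"
        granted = self.rights.get((user_id, module), "none")  # deny by default
        if LEVEL[granted] < LEVEL[mode]:
            return "mode not granted"
        return "ok"

    def check(self, terminal, user_id, password, module, mode):
        reason = self._decide(terminal, user_id, password, module, mode)
        self.log.append((user_id, terminal, module, mode, reason))
        return reason == "ok"

def demo():
    # Constructed sample data: one clerk with read-only access to one module.
    table = AccessTable()
    table.add_user("clerk01", "long-unique-passphrase-1", "PC-07")
    table.grant("clerk01", "bookings", "read")
    return table
```

Because rights are looked up per user and module with "none" as the default, the FOFA arrangement of read and write access for everyone cannot arise by omission; it would have to be granted explicitly, entry by entry.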

QUESTION 4 (15 marks)

PROGRAMMED APPLICATION CONTROLS

List the programmed application controls and the purpose of the controls, with the field/(s) applicable:

• Validation check / validity check / related data test / matching test - validate data keyed in against the Masterfile.
  Field/(s) applicable: Customer unique user name.
• Mandatory field tests / missing data check / completeness test – processing of information cannot happen until all key fields are completed.
  Field/(s) applicable: Date of travel; Destination; Desired flight / appropriate flight; Class of travel; Number of passengers; Name of passengers; ID number/s of passengers; Gender; E-mail address; Terms and conditions; Credit card expiry month and year.
  Maximum marks for application

• Limit check - the data being entered must fall within specific limits.
  Field/(s) applicable: Number of travellers (i.e. maximum 10 passengers).
• Range check – the data selected must fall within a specific data range.
  Field/(s) applicable: Date of travel (e.g. dates restricted to flight schedules and cannot be in the past).
• Drop down list - minimum keying in of information by providing pre-set options on a list to choose from.
  Field/(s) applicable: Destination; Date (on-screen calendar); Desired flight; Class of travel; Number of passengers; Gender; Credit card expiry month and year.
  Maximum marks for application

• Alpha-numeric check - format check to prevent/detect numeric fields which have been entered as alphabetic and vice versa.
  Field/(s) applicable: Names and surnames of passengers; ID number of passengers; Contact number; Credit card number.
• Field size/length check – format check to prevent/detect that a field contains a specific number of characters.
  Field/(s) applicable: ID number; Credit card number.
• Valid character and sign test – the letters, digits or signs entered in a field are checked against valid characters or signs for that field.
  Field/(s) applicable: E-mail address (“@” sign) for the confirmation email. No number entered may be negative.
• Echo check – data entered are echoed back to the user to verify the data.
  Field/(s) applicable: All fields: booking confirmation screen.
• Reasonability / reasonableness test – data being entered must fall within reasonable limits when compared to other data / a number of logical tests against which an input can be tested.
  Field/(s) applicable: Amount due for the flight; Flights available; Date of travel; Time of flight.
• Dependency check – an entry in a field will only be accepted depending on what has been entered in another field. (11)
  Field/(s) applicable: All flights available based on: Date of travel; Class of travel; Destination. Terms and conditions. (14)
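Several of the programmed input controls listed above, applied to one booking form, as an added Python example that is not part of the original memorandum. The field names, master-file contents and the 13-digit ID length are assumptions made for the illustration; the limit of 10 travellers comes from working paper B-101.

```python
from datetime import date

# Constructed master-file data (hypothetical): registered login names and,
# per destination, the flights offered and the classes sold on each flight.
REGISTERED_USERS = {"a.traveller"}
FLIGHTS = {"CPT": {"FA101": {"Economy", "Business"}, "FA103": {"Economy"}}}
MANDATORY = ("username", "travel_date", "destination", "flight", "travel_class",
             "travellers", "name", "id_number", "email", "terms_accepted")
MAX_TRAVELLERS = 10   # limit stated in working paper B-101
ID_LENGTH = 13        # assumption: ID numbers have 13 digits (not stated on the page)

def validate_booking(form, today):
    """Return (field, failed control) pairs; an empty list means accept."""
    errors = [(f, "mandatory field") for f in MANDATORY if form.get(f) in (None, "")]
    if errors:
        return errors                      # nothing is processed until complete
    if form["username"] not in REGISTERED_USERS:
        errors.append(("username", "validation against master file"))
    if not isinstance(form["travellers"], int) or form["travellers"] < 1:
        errors.append(("travellers", "sign check"))
    elif form["travellers"] > MAX_TRAVELLERS:
        errors.append(("travellers", "limit check"))
    if form["travel_date"] < today:
        errors.append(("travel_date", "range check"))
    if not (form["id_number"].isascii() and form["id_number"].isdigit()):
        errors.append(("id_number", "alpha-numeric check"))
    elif len(form["id_number"]) != ID_LENGTH:
        errors.append(("id_number", "field length check"))
    if form["email"].count("@") != 1:
        errors.append(("email", "valid character check"))
    flights = FLIGHTS.get(form["destination"])
    if flights is None:
        errors.append(("destination", "validation against master file"))
    elif form["flight"] not in flights:
        errors.append(("flight", "dependency check"))
    elif form["travel_class"] not in flights[form["flight"]]:
        errors.append(("travel_class", "dependency check"))
    if form["terms_accepted"] is not True:
        errors.append(("terms_accepted", "dependency check"))
    return errors

def sample_form():
    # Constructed booking; every value is made up for the example.
    return {"username": "a.traveller", "travel_date": date(2018, 4, 20),
            "destination": "CPT", "flight": "FA103", "travel_class": "Economy",
            "travellers": 2, "name": "A Traveller", "id_number": "1234567890123",
            "email": "a.traveller@example.com", "terms_accepted": True}
```

These checks run on the server side of the booking system; a drop-down list or on-screen calendar in the browser reduces keying errors but does not replace them, since a request can be submitted without using the form.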

YEAR TEST 2 - 2018 – Q3

You are a third-year trainee at TDO Incorporated and the firm was recently appointed as the external auditors of Chill-Flick (Proprietary) Limited (Chill-Flick). The company has a 31 May financial year-end and is situated in Pretoria. The following working paper was provided to you:

Client: Chill-Flick (Pty) Ltd
Working paper reference: C101 (1 of 1)
Year end: 31/05/2018
Prepared by: Aud Trainee    Date: 15/05/2018
Reviewed by:    Date:
Subject: System description of minor updates and changes to computer software

Mr Dough is Chill-Flick’s information technology (IT) manager. As many of the staff in Chill-Flick also have IT knowledge and experience, the IT department does not have any designated personnel. When minor changes and updates to computer software such as changes to screen layouts and report headings are required, Mr Dough calls on volunteers from the users department to assist him. The volunteers inform their operations manager that they will be assisting Mr Dough, in addition to their other duties. All requests for changes are discussed in Mr Dough’s office with the persons who made the request. Mr Dough briefs the volunteer on the requirements and gives his verbal approval for the changes once he is certain the volunteer understands the requirements and will be able to carry out the change. Mr Dough encourages the volunteers to visit him from time to time in his office to discuss the progress of updates. He uses his vast experience in systems development to evaluate the volunteers’ work and to make further suggestions for improvements. Mr Dough has full confidence in the volunteers and he feels that too strict control over their activities could dampen their creativity. After the volunteer has coded the necessary updates, Mr Dough reviews them. It is almost never necessary for him to suggest changes before he gives his approval. One evening per week (usually a Wednesday), completed and reviewed changes are uploaded onto the operational programs. These updates are done after hours, to ensure as little disruption as possible. As soon as the update/change has been uploaded and tested, Mr Dough reviews the test results. If he is satisfied with the test results, he personally takes responsibility for updating the documentation and communication to all users. The documentation consists of a short description of the change (normally not more than one paragraph).

REQUIRED:

3 On the basis of the information included in Working paper C101: Identify the weaknesses present in the general computer controls of Chill-Flick (Proprietary) Limited. (7)

SUGGESTED SOLUTION QUESTION 3

WEAKNESSES PRESENT IN THE PROGRAM CHANGE/ SYSTEM IMPROVEMENT CONTROLS

1. The requests for changes are not done in writing on pre-numbered, pre-printed change control/request forms. (1)
2. No register is kept of all the changes made. (1)
3. The skills of the staff updating the system might not be sufficient/ there is no formal personnel practice in place to ensure that staff have the requisite knowledge and skills. (1)
4. All program changes requests are approved by Mr Dough and he does not report these to any director or other management. (1)
5. The program changes are not done in accordance with system development- and programming standards and/or policies and procedures, but on experience. (1)
6. A copy of the live program is not used to make changes, but instead the operational (live) program versions are used and/or no backups are made before the changes/updates. (1)
7. The changes are only tested after it has been updated on the operation system and not before implementation. (1)
8. Due to the lack of personnel, the users are not separated from the IT personnel. (1)
9. Test results/ changes are not discussed and approved by the users that requested the change prior to implementation. (1)
10. Volunteers are not held accountable for changes made by them, it is not properly documented. (1)
11. There is insufficient documentation of program changes, because the documentation consists of one descriptive paragraph only...

