Auditing Assignment 2

LEVEL: 4.2





Describe the controls which Mr Bonanza can implement to solve the risk of limited
segregation of duties in ABC (Pvt) Ltd without having to employ additional personnel.

Taedzerwa Mcdonald Tinashe R172662A

You are the auditor of ABC (Pvt) Ltd which uses a micro-computer for general accounting
purposes. ABC (Pvt) Ltd is a small company where one employee, Mrs Wilson, creates and
authorises source documents and the second employee, Mrs Fizzer, keys in the data, operates the
micro-computer and uses the output. The Director, Mr Bonanza, realises that this is not the ideal
situation and has asked you for advice on the effective structuring of the financial function in the


In this write-up the scholar acts as the auditor of ABC (Pvt) Ltd, a small company that uses a
micro-computer for general accounting purposes. The auditor will advise Mr Bonanza, the
director of the company, on how the financial function can be structured effectively, describing
controls that can be put in place to address the risk of limited segregation of duties in ABC (Pvt)
Ltd without employing additional personnel. The write-up begins by defining the key terms in
the question in accordance with audit definitions: controls, risk and limited segregation of duties.
It then explains how internal controls are categorised by type and purpose, identifies the controls
that can be used to address the deficiency, and explains to the director how each control helps
to mitigate the associated risk.

Controls are a central element of IT management, defined and referenced through standards,
guidance, methodologies, and frameworks addressing business processes; service delivery and
management; information systems design, implementation, and operation; information security;
and IT governance (Gantz, 2014). The author further indicates in his study that the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a
process “designed to provide reasonable assurance regarding the achievement of objectives”,
including operational effectiveness and efficiency, reliable reporting, and legal and regulatory
compliance. Al-Khaddash, Al Nawas and Ramadan (2013) indicate in their study that the
International Organization of Supreme Audit Institutions (INTOSAI) (1998) defined internal
control as “a process, affected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives”.
Risk in auditing is the risk that the auditor issues an incorrect audit opinion on the audited
financial statements. Audit risk is classified into three types: inherent risk, control risk and
detection risk. Limited segregation of duties can increase all three types of risk, so controls over
segregation of duties are the best-practice approach to managing them.
Limited segregation of duties is the situation where tasks that should be performed by several
individuals are performed by few or by one individual. It is important that the business takes
responsibility for assessing its business processes to identify the risks and determine which tasks
should be segregated. The organisation can work with the IT users to map the tasks to specific
applications and define the segregation of duties rules.
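To show what such segregation of duties rules look like once written down, here is an added example (not part of the original assignment) of a detective check, in the spirit of the audit log review control discussed later: it reads a constructed activity log for the ABC (Pvt) Ltd scenario and flags any document on which one person performed two conflicting tasks. The rule set, log format and user names are assumptions made for the illustration.

```python
from collections import defaultdict

# Conflicting task pairs: assumed rules modelled on the ABC (Pvt) Ltd scenario (one person
# should not both create and authorise a document, key in data and use the output, or authorise and key in).
SOD_RULES = (
    frozenset({"create_document", "authorise_document"}),
    frozenset({"key_in_data", "use_output"}),
    frozenset({"authorise_document", "key_in_data"}),
)

# Constructed sample audit log (not real data); each line: <timestamp> <user> <task> <document_id>
SAMPLE_LOG = """\
2024-03-01T09:12 wilson create_document INV-001
2024-03-01T09:15 wilson authorise_document INV-001
2024-03-01T10:02 fizzer key_in_data INV-001
2024-03-01T10:40 fizzer use_output INV-001
2024-03-02T08:30 wilson create_document INV-002
2024-03-02T08:45 bonanza authorise_document INV-002
2024-03-02T09:10 fizzer key_in_data INV-002
2024-03-02T09:50 bonanza use_output INV-002
"""

def parse_log(text):
    """Parse log lines into (document_id, user, task) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, task, doc = line.split()
        records.append((doc, user, task))
    return records

def find_sod_violations(records, rules=SOD_RULES):
    """Return sorted (document_id, user, task_a, task_b) tuples where one user
    performed both tasks of a conflicting pair on the same document."""
    tasks_by_doc_user = defaultdict(set)
    for doc, user, task in records:
        tasks_by_doc_user[(doc, user)].add(task)
    violations = []
    for (doc, user), tasks in tasks_by_doc_user.items():
        for rule in rules:
            if rule <= tasks:  # both conflicting tasks were done by this user
                task_a, task_b = sorted(rule)
                violations.append((doc, user, task_a, task_b))
    return sorted(violations)

if __name__ == "__main__":
    for doc, user, task_a, task_b in find_sod_violations(parse_log(SAMPLE_LOG)):
        print(f"{doc}: {user} performed both '{task_a}' and '{task_b}'")
```

In the sample, INV-001 is flagged twice (Mrs Wilson created and authorised it; Mrs Fizzer keyed it in and used the output), while INV-002, where the director authorises and uses the output, passes.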
Controls can be separated by function into administrative, technical, and physical control types.
Administrative controls include organizational policies, procedures, and plans that specify what
an organization intends to do to safeguard the integrity of its operations, information, and other
assets. Technical controls are the mechanisms, including technologies, operational procedures,
and resources, implemented and maintained by an organization to achieve its control objectives.
Physical controls comprise the provisions an organization has in place to maintain, keep
available, and restrict or monitor access to facilities, storage areas, equipment, and information.
Figure 1.1 Examples of internal controls categorized by type and purpose

                Preventive                    Detective               Corrective
Administrative  Acceptable use policy;        Audit log review;       Disaster recovery plan;
                Security awareness training   IT audit                Plan of action and milestones
                program
Technical       Application firewall;         Network monitoring;     Incident response center;
                Logical access control        Vulnerability scanning  Data and system backup
Physical        Locked doors and server       Video surveillance;     Alternate processing facility;
                cabinets; Biometric access    Burglar alarm           Sprinkler system

Source: Gantz (2014)
As the auditor of ABC (Pvt) Ltd I would advise Mr Bonanza, the company director to make sure
that the following controls are put in place.
Administrative controls
Acceptable use policy
The director should ensure that management policy on computer usage, which will guide Mrs
Wilson and Mrs Fizzer, is clearly stipulated and that both employees are fully aware of it. Policy
on personal use and on the use of external hard drives should be made clear, including the extent,
if any, to which the employees may use company computers for personal purposes, so that they
do not exceed this limit and the risk associated with personal computer usage is reduced. Formal
written instructions informing data processing personnel of the prescribed computer usage
procedures should be put in place by the director. The director should also monitor computer
usage on an ongoing basis to ensure that it is in accordance with the authorised policies.
Security awareness training
Mr Bonanza should ensure that Mrs Wilson and Mrs Fizzer complete proper training in security
awareness and computer usage, to reduce the risk of losing crucial company information that
could disadvantage the firm. Training equips the employees with adequate knowledge to handle
certain situations or errors themselves, since the company has limited personnel to attend to such
issues. Training also improves the efficiency and effectiveness with which the employees perform
their duties, thus benefiting the company.
Back-up plan
A disaster recovery plan should be implemented to address the risk of a large loss of data, since
only a few employees do the bookkeeping for the company. The director should check that the
employees back up data frequently, so that if circumstances arise which lead to loss of data the
employees are able to recover it, given the limited segregation of duties. The director should also
put in place a shared drive (OneDrive) that every employee uses when doing their work, to
minimise the risk of losing company data and avoid the cost of employing additional personnel to
look after the same information, since work will be saved to and accessed from the drive when
needed.
IT audit program
The director should ensure that an IT audit program is conducted frequently to observe whether
the employees are following the correct procedures when using the micro-computer for general
accounting purposes. This will help to detect whether work is being conducted according to the
stipulated guidelines and, if not, the auditor will advise the director on ways to improve
performance and overcome the shortcomings.
Technical controls
Logical access control
Mr Bonanza must ensure that logical access controls are put in place on the computers used for
work. These include the use of OneDrive for work-related documents, where the three colleagues
can access the documents they need: if, for instance, one employee falls sick, the others can
access the required material on OneDrive so that work progresses, instead of logging in to that
person's computer.
Network monitoring
The director should ensure that the network is monitored for the sake of company progress. Since
the company has limited employees, Mr Bonanza should make use of the available staff to
complete the tasks assigned, and network monitoring can be used to check that staff do their work
within the stipulated working hours. Workers sometimes get carried away with work-unrelated
matters during working hours because of the unlimited availability of Wi-Fi at workstations.
Workers commonly use sites like YouTube and social media applications like Instagram,
Facebook and Twitter during work hours; this reduces productivity and increases the chance of
errors when preparing the books, since their concentration is disrupted by these applications.
Blocking unnecessary, work-unrelated websites and applications on the company Wi-Fi will be
necessary, since the employees may abuse the company Wi-Fi and exhaust company resources,
and there is a high chance of picking up computer viruses through the cookies and pop-ups that
appear when logging into those websites.
Vulnerability scanning
Mr Bonanza should make sure that virus scanning applications, that is antivirus software, are
installed on all computers at the workplace. This is very important to ABC (Pvt) Ltd, since the
chance of losing company information to viruses will then be very low. Although the company
may have a policy of transmitting documents by email, circumstances may arise that require the
use of flash drives: for instance, one of the ABC (Pvt) Ltd employees may need very important
client information to work on immediately because the documents have due dates, while the
network is down for that day. The staff will then need to take some action to meet the client's
needs, and may take the risk of transferring the information on a flash drive; if the drive is
infected with a virus and the computers are not protected, they may be infected too, which could
result in loss of company data.
Physical Controls
Locked doors and server cabinets

The director must ensure that emphasis is placed on the employees locking doors and server
cabinets, to prevent break-ins and the loss of company data through theft of computers. Proper
padlocks and key blockers should be bought, screen doors fitted and, if possible, burglar bars put
on the windows to ensure the safety and protection of the computers and other essential work
documents that could otherwise be tampered with. Physical security over hardware should be put
in place.
Video surveillance
Video surveillance can also be put in place as a way of detecting an attack, or an attempted
attack, on the company premises. CCTV can be used as part of the security tools to detect theft
without employing additional staff such as security guards, and it can be very cheap in the long
run in the sense that once the system is in place, the company incurs no further expense compared
with the monthly salaries of employing two or more people to guard the

In conclusion, the above controls can be of use in structuring the financial function of the
company effectively and mitigating the risk of limited segregation of duties if the company does
not intend to employ additional workers. The controls can be cheap and very effective, and will
solve the issue of limited segregation of duties within the company if the director, Mr Bonanza,
manages to implement them successfully.


Al-Khaddash, H., Al Nawas, R. and Ramadan, A. (2013). Factors affecting the quality of
auditing: The case of Jordanian commercial banks. International Journal of Business and
Social Science, USA.

Gantz, S. D. (2014). The Basics of IT Audit.
