General Computer Controls Question Bank 2013

The stages in developing and implementing a new computerized accounting system for Mrs. Human's business are: (1) establishing a steering committee to oversee the project, (2) performing a feasibility study, (3) specifying system requirements, (4) designing and programming the system according to standards, and (5) testing the system in three stages - unit, integration, and user acceptance testing. Proper development processes and controls are important to ensure an accurate and secure new system.

UNIVERSITY OF JOHANNESBURG

DEPARTMENT OF ACCOUNTANCY

AUDITING 3A

2013

General Computer Controls: QUESTION BANK


QUESTION 1 (25 MARKS)

Mr Ntato Mokonane achieved his lifelong dream when he opened his own
restaurant, The Proud Peacock, in partnership with his brother-in-law, Mr Xolile
Xosi. The restaurant has been open for 18 months and has proved to be very
popular. Mr Mokonane has asked you to advise him on the controls he should
have in place in his restaurant.

Your initial enquiries have revealed the following:

- The restaurant employs a cashier, four permanent waitresses, a barman
and a second chef (to fill in on the nights that Mr Mokonane is off duty).
- The waitresses are currently paid a basic wage of R100 per night and
whatever they can earn in tips.
- All food and drinks orders are recorded on pre-numbered order pads.
Each waitress has her own unique sequence.
- The restaurant has a set menu selection that is changed once a quarter.
- On completion of their meal, customers are required to proceed to the
cashier and quote their table number. The cashier then rings up the cost
of the meal using a copy of the waitress's completed order form. The cash
register is situated at the exit point.

Mr Mokonane has expressed interest in computerising his business. He has
identified the Pastel Point of Sale software package as being the most
appropriate to the restaurant's needs. He has indicated that he is planning to
replace the current cash register with a computer terminal linked to a cash
drawer and to install a terminal in his office which will be used for recording all
other accounting activities. Initial enquiries about the software have shown that it
is a reliable package with adequate access control features.

YOU ARE REQUIRED TO:

a) Describe the controls that Mr Mokonane should implement to restrict
access to the sales and computerised accounting applications. (10)

b) Describe the programmed controls that you would expect to find that
would ensure that all valid restaurant sales are captured accurately and
completely. (Application controls) (13)

You may disregard controls to ensure the integrity of standing data
contained in the master files.
Presentation (2)

QUESTION 1 (SUGGESTED SOLUTION)

Access controls

- The terminals should be situated in such a manner that only staff
members have access thereto.
- Each user should be assigned a unique user ID and password that
should be contained in the access table of the operating system.
- The access table/user matrix should define each user's access
privileges according to the least privilege principle, i.e. only grant a
user access to those applications and functions that he requires in order
to perform his duties.
- Only Ntato should have access to the access table in order to change a
user's privileges. (1)
- Upon logging in the user should be authenticated by means of a
password that is:
  - unique
  - confidential
  - changed regularly (2)
- The system should also provide for:
  - Automatic shutdown in the event of illegal access attempts (e.g. no
more than 3 incorrect password attempts) (1)
  - Time-out facilities (shutdown or password-controlled screen savers)
in the event of non-activity for a period of, say, 3 minutes. (1)
  - Automatic logging of all access and access violations. (1)
  - These logs should be reviewed on a daily basis by Ntato. (1)
  - Only Ntato should have access privileges to these logs. (1)
  - Encryption of confidential information, for example, passwords.

Maximum (10)
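
The access controls above, as an added worked example (this is not code from the question bank or from the Pastel package): a small access-control layer for the POS and accounting terminals that stores only salted password hashes, enforces a least-privilege user matrix, locks an account after three failed attempts, times out an idle session and writes every decision, including violations, to a log for the owner's daily review. The user IDs, application names, PBKDF2 parameters and the time values are assumptions chosen for the example.

```python
# Added example (not code from the question bank or from Pastel): a minimal
# access-control layer of the kind the suggested solution describes for the
# POS and accounting terminals. User IDs, application names, the PBKDF2
# parameters and the time values are assumptions chosen for the example.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3      # "no more than 3 incorrect password attempts"
IDLE_TIMEOUT_SECONDS = 180   # "non-activity for a period of, say, 3 minutes"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the access table never holds a clear-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    user_id: str
    salt: bytes
    digest: bytes
    applications: FrozenSet[str]   # the user-matrix row: least privilege
    failed_attempts: int = 0
    locked: bool = False


class AccessControl:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, float] = {}   # user_id -> last activity (seconds)
        self.log: List[Tuple[float, str, str, str]] = []  # (time, user, event, detail)

    def add_user(self, user_id: str, password: str, applications: Iterable[str]) -> None:
        salt, digest = hash_password(password)
        self.users[user_id] = User(user_id, salt, digest, frozenset(applications))

    def _record(self, now: float, user_id: str, event: str, detail: str = "") -> None:
        self.log.append((now, user_id, event, detail))

    def login(self, user_id: str, password: str, now: float) -> bool:
        user = self.users.get(user_id)
        if user is None:
            self._record(now, user_id, "VIOLATION", "unknown user id")
            return False
        if user.locked:
            self._record(now, user_id, "VIOLATION", "account locked")
            return False
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.digest):
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked = True   # automatic shutdown of the account
                self._record(now, user_id, "LOCKOUT", f"{user.failed_attempts} failed attempts")
            else:
                self._record(now, user_id, "FAILED_LOGIN", f"attempt {user.failed_attempts}")
            return False
        user.failed_attempts = 0
        self.sessions[user_id] = now
        self._record(now, user_id, "LOGIN")
        return True

    def use(self, user_id: str, application: str, now: float) -> bool:
        """Authorise one use of an application: a live session that has not
        timed out, and the application appears in the user's matrix row."""
        last = self.sessions.get(user_id)
        if last is None:
            self._record(now, user_id, "VIOLATION", f"{application}: no session")
            return False
        if now - last > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]   # time-out: the user must log in again
            self._record(now, user_id, "TIMEOUT", f"idle {now - last:.0f}s")
            return False
        if application not in self.users[user_id].applications:
            self._record(now, user_id, "VIOLATION", f"{application}: not in user matrix")
            return False
        self.sessions[user_id] = now
        self._record(now, user_id, "ACCESS", application)
        return True

    def violations(self) -> List[Tuple[float, str, str, str]]:
        """The entries Ntato reviews each morning."""
        return [e for e in self.log if e[2] in ("VIOLATION", "LOCKOUT")]


def build_demo() -> AccessControl:
    """Constructed users: the cashier may only ring up sales; only the owner
    may reach the accounting application, the access table and the logs."""
    ac = AccessControl()
    ac.add_user("cashier", "Peacock-till-2013", {"pos"})
    ac.add_user("ntato", "Owner-office-2013", {"pos", "accounting", "access_table", "logs"})
    return ac
```

Time is passed in explicitly (seconds) rather than read from the clock so that the lockout and time-out behaviour can be exercised deterministically; in a real terminal the same functions would be driven by the system clock.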

Programmed controls to ensure that restaurant sales are captured
correctly

Validity
- Access controls – see above. (1)
- Verification/existence checks on the menu choice; alternatively there can
be pre-programmed menu keys. (1)
- Override function – there should be no need for an override function;
however, in the event that there are system overrides, the package should
automatically log these overrides (so that Ntato can review these logs the
next morning and investigate the reasons for them). (1)

Accuracy
- Automatic pricing of sales according to the prices on the menu master file. (1)
- Limit check (any valid example), e.g. that cash received is not less than
the amount due. (1)
- Alphanumeric and field size checks on all input fields (any valid
examples). (2)
- Reasonableness testing (any valid examples), e.g. on quantities
ordered. (1)
- Automatic calculation of price x quantity and calculation of change by
the computer. (1)
- Format tests on sales codes (or other valid examples). (1)
- Screen tests by the cashier. (1)
- Dependency tests, e.g. a sale is only accepted if a waitress code is
entered (any other valid examples). (1)
- Field size tests, e.g. on the table number (or other valid examples). (1)
Maximum (5)

Completeness
- Missing data check on key entry fields. (1)
- Use of appropriate screen design and screen prompts. (1)
- Sequential pre-numbering of invoices. (1)
- Control totals (any valid example). (1)
- Exception reports (any valid example), e.g. on missing entry fields. (1)

Maximum (13)
Presentation (2)

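
The application controls listed above, as an added worked example (not code from the question bank or from Pastel): one restaurant sale run through existence, format, field size, reasonableness, dependency, sequence, limit and missing-data checks, with the price and change computed by the system rather than keyed, and a batch routine that produces control totals and an exception report for the shift. The menu master file, the waitress codes, the table range, the field names and the sample sales are constructed for the example.

```python
# Added example (not code from the question bank or from Pastel): the
# programmed application controls of the suggested solution applied to one
# restaurant sale. The menu master file, the waitress and table ranges, the
# field names and the sample sales are constructed for the example.
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed menu master file: sales code -> (description, price in rand)
MENU_MASTER: Dict[str, Tuple[str, Decimal]] = {
    "M01": ("Peri-peri chicken", Decimal("85.00")),
    "M02": ("Lamb chops", Decimal("120.00")),
    "D01": ("Cola", Decimal("15.00")),
}
WAITRESS_CODES = {"W1", "W2", "W3", "W4"}            # constructed standing data
TABLE_RANGE = range(1, 31)                            # assumed 30 tables
MAX_QUANTITY_PER_LINE = 20                            # reasonableness limit (assumption)
SALES_CODE_FORMAT = re.compile(r"^[MD][0-9]{2}$")    # format test: letter + 2 digits


@dataclass
class Sale:
    sale_number: int                # sequential pre-numbering
    waitress_code: str
    table_number: str               # as keyed by the cashier
    lines: List[Tuple[str, int]]    # (sales code, quantity)
    cash_received: Decimal


def price_sale(sale: Sale) -> Decimal:
    """Accuracy: automatic pricing from the master file and price x quantity
    computed by the system, never keyed by the cashier."""
    return sum((MENU_MASTER[code][1] * qty for code, qty in sale.lines), Decimal("0"))


def change_due(sale: Sale) -> Decimal:
    """Change computed by the system (call after validation)."""
    return sale.cash_received - price_sale(sale)


def validate_sale(sale: Sale, last_sale_number: int) -> List[str]:
    """Run the validity, accuracy and completeness checks; an empty list means
    the sale may be accepted."""
    errors: List[str] = []
    # Completeness: missing data checks on key fields
    if not sale.waitress_code:
        errors.append("waitress code missing")
    if not sale.table_number:
        errors.append("table number missing")
    if not sale.lines:
        errors.append("no order lines")
    # Completeness: sequence check on the pre-numbered sale
    if sale.sale_number != last_sale_number + 1:
        errors.append(f"sale number {sale.sale_number} breaks sequence (expected {last_sale_number + 1})")
    # Validity: existence check on the waitress code (dependency: no sale without one)
    if sale.waitress_code and sale.waitress_code not in WAITRESS_CODES:
        errors.append(f"waitress code {sale.waitress_code!r} not on file")
    # Field size and alphanumeric checks on the table number, then a range check
    if sale.table_number and not (sale.table_number.isdigit() and len(sale.table_number) <= 2):
        errors.append(f"table number {sale.table_number!r} must be 1-2 digits")
    elif sale.table_number and int(sale.table_number) not in TABLE_RANGE:
        errors.append(f"table number {sale.table_number} out of range")
    for code, qty in sale.lines:
        if not SALES_CODE_FORMAT.match(code):          # format test
            errors.append(f"sales code {code!r} has invalid format")
        elif code not in MENU_MASTER:                  # existence check
            errors.append(f"sales code {code} not on menu master file")
        if not 1 <= qty <= MAX_QUANTITY_PER_LINE:      # reasonableness test
            errors.append(f"quantity {qty} for {code} fails reasonableness test")
    # Accuracy: limit check on cash received, only once the lines can be priced
    if not errors:
        due = price_sale(sale)
        if sale.cash_received < due:
            errors.append(f"cash received {sale.cash_received} is less than amount due {due}")
    return errors


def process_batch(sales: List[Sale], last_sale_number: int) -> Dict[str, object]:
    """Completeness over a shift: control totals for accepted sales plus an
    exception report of rejected ones for Ntato's review."""
    accepted: List[Sale] = []
    exceptions: List[Tuple[int, List[str]]] = []
    expected = last_sale_number
    for sale in sales:
        errs = validate_sale(sale, expected)
        if errs:
            exceptions.append((sale.sale_number, errs))
        else:
            accepted.append(sale)
        expected = sale.sale_number   # a gap in the sequence is reported once
    return {
        "sales_count": len(accepted),
        "total_sales": sum((price_sale(s) for s in accepted), Decimal("0")),
        "hash_total_tables": sum(int(s.table_number) for s in accepted),
        "exceptions": exceptions,
    }
```

The hash total over table numbers has no financial meaning; it is there so that a record dropped or keyed twice shows up even when the rand total happens to agree.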
QUESTION 2 (45 MARKS)

PART A (25 MARKS)

Mrs Human, along with being a very good lecturer, decided to open a Game
Butchery. The butchery specialises in the production of salami from wild game
meat, specifically zebra. She is still considering whether or not it would be worth
her while to also open a shop that sells Ottomans, but this is still in the pipeline.

At present, Mrs Human uses a manual accounting system to record all her
transactions in the company. She is a little unsure of her accuracy and technical
accounting knowledge, and is considering developing a computerised system
that will perform all her accounting functions for her. She has asked her
esteemed auditor for advice regarding the controls that need to be in place
in the newly developed system during this changeover from the manual system
to the computerised system.

REQUIRED:

Briefly outline the stages in the development and implementation of the new
computer application. (25)

PART B (20 MARKS)

One of the major implications of on-line computer systems is that the user can
have direct access to the master files within the system, through the medium of a
terminal.

REQUIRED:

a) Describe the potential control weaknesses specific to on-line systems,
and (10)

b) Detail the methods that can be adopted to overcome these weaknesses
as mentioned above. (10)

QUESTION 2 (SUGGESTED SOLUTION)

PART A

Self-developed system

a) Overall management of system development (1)

Steering committee (½)
Made up of senior management from both user and computer departments.
The steering committee must ensure that:
- the project is authorised
- timetables are adhered to
- budgets are achieved
- quality requirements are met (½)

The system development should have involvement from:

User department (½)
- departmental requirements
- internal/external auditors (½)

Data processing department (½)
- technical soundness
- compatibility with other systems
- operational aspects (½)

Quality control department (½)
- standard of design
- testing
- documentation (½)

A feasibility study should be performed (½)
- buy/self-develop
- cost/benefit analysis

A project team should be established to manage the project and their
responsibilities should include: (½)
- day-to-day management of the project
- ensuring the project is developed in stages
- preparing timetables for each stage (½)

b) System specification (1)

The entity should define the way the system must work to meet the
specifications of users and the business. (½)

There are two methods of specifying systems:

Traditional method (½)
- written systems specification by means of discussions between the
data processing department and users (½)

Prototype systems (½)
- design a prototype
- the user department tries it out
- refine the design through a series of prototypes (½)

c) System design and programming standards (1)

System design and programming standards are needed to:
- ensure the system interacts properly with existing systems and system
software (½)
- ensure that appropriate control-related programmed procedures
are built in (½)
- ensure there is supervision over system design (½)
- comply with predetermined standards (½)
- ensure development is done on the program (test) library, not on live
data (½)

d) Testing should take place in 3 stages: (1)

1. Program testing (½)
- Checking the logic of each program against its specification
- Methods used:
  - test data (½)
  - desk checking (program code analysis) (½)

2. System testing (½)
- Ensure the logic of the various individual programs links together to
form a system in line with the detailed system description
- Methods used:
  - test data (½)
  - user testing (½)

3. Live testing (½)
- tested under operational conditions
- parallel running (½)
- pilot running (½)

e) Cataloguing/Conversion (1)

Planning and preparation
- Prepare timetables for the conversion (½)
- Define the methods used (e.g. parallel/pilot) (½)
- Determine cut-off dates (½)
- Prepare data files for conversion (e.g. standing data) (½)
- Training of staff (½)
- Balance files on the old system (completeness, accuracy, validity /
control totals) (½)
- Prepare premises (constant power/air-conditioning) (½)

Control over conversion of data by the data control group
- supervision by senior management (½)
- auditor involvement (½)

Update system documentation
- system flowcharts
- system descriptions
- operating manuals (1)

Testing
- balancing old files with new files (½)
- third party confirmations (½)
- follow-up of exception reports (½)
- comparison with data run on the old system (parallel) (½)
- manual comparison of data (½)
- approval by users (½)

Backup of the new system (½)

Post-implementation review (½)
Maximum (25)

PART B

a) The potential control weaknesses specific to on-line systems include:

1. Unauthorised personnel may have access via a terminal to confidential
information which may be misused by them. (1) This includes:
- unauthorised access, (1)
- unauthorised processing and (1)
- unauthorised change. (1)

2. Locating terminal devices throughout the entity increases the opportunity for
unauthorised use of a terminal device and the entry of unauthorised transactions.
(1)

3. If on-line processing is interrupted for any reason, for example, due to faulty
telecommunications, there may be a greater chance that transactions or files
may be lost and that the recovery may not be accurate and complete. (1)

4. On-line access to data and programs from remote sites through
telecommunications may provide greater opportunity for access to data and
programs by unauthorised persons. (1) Organisations that have links to the
Internet require greater controls, such as firewalls, to manage the risk of
unauthorised access to data and programs. (1)

5. The use of electronic commerce and EDI for the exchange of documents
between two organisations results in the loss of traditional paper audit trails,
including invoices and purchase orders. (1)

6. Improper input may corrupt files either for fraudulent purposes or as a result of
innocent error. Such corruption is likely to be difficult to discover. (1)

7. The system may be dominated by one person with a lack of separation of
authorisation, recording and custody procedures. (1)

8. Senior management may have a very limited understanding of the system
compared to operators or middle management. (1)

Maximum (10)

b) The methods that can be adopted to help overcome these weaknesses
include:
(Students should describe these controls in order to be allocated marks.)

Access controls should overcome the weaknesses discussed above in an
on-line system:

Programmed (logical) controls

a) Terminals
- The use of TINs (terminal identification numbers)
- Limited access to the system
- Shut off after 5 minutes of non-use
- Shut down after 3 unsuccessful log-on attempts
- Log-on limited to one workstation at a time
- Polling by the central computer (Any 2)

b) Identification of users
- User IDs and passwords
- IP address
- Magnetic cards
- Voice recognition (Any 2)

c) Authorisation of users
- Log-on IDs
- Passwords
- Multilevel passwords
- User matrices (Any 2)

d) Monitoring of access and processing
- Audit trails reviewed
- Console logs
- Application software (reporting unauthorised access)
- Firewalls (Any 2)

e) Communication lines and networks
- Passwords
- Dial and dial-back
- Identification data
- Different routes for sensitive data
- Encryption of data (Any 2)

f) Password control
- Minimum length
- Not easily guessed; not shown on screen
- Changed regularly
- Confidentiality emphasised
- Cancelled on resignation/dismissal
- Cancelled after a period of inactivity
- Used for authorisation
- Limit access to part of the system
- Limit access to certain times of day
- Authorisation levels linked (Any 2)

g) Program libraries
- Access to backup programs controlled by access software
- Passwords
- Updating authorised (Any 2)

h) Utilities
- Stored separately
- Use logged and reviewed (Any 1)

Physical and other controls

i. Terminals
- Physically locked
- Located in a visible area
- Situated in a lockable room (Any 2)

ii. Computer hardware
- Lockable room
- Supervision and review
- Removable media secured (Any 2)

iii. Manual logs

iv. Program libraries
- Register
- Access controlled (1)

v. Distributed processing
- Only executable programs (instead of production programs) at branches
- Independent comparison of executable programs to source programs
(e.g. by the internal auditor) (2)

vi. Logs reviewed (1)

vii. Screening and training of staff (1)

Maximum (10)

QUESTION 3 (20 MARKS)

Ms OG Seatle-Maitse achieved her lifelong dream when she opened her own
restaurant, Complex 49, in partnership with the love of her life, only known to
most as "Jingles". The restaurant has been open for 22 months and has proved
to be very popular.

Ms Seatle-Maitse has expressed interest in computerising her business. She
has identified the Pastel Point of Sale software package as being the most
appropriate to the restaurant's needs. She has indicated that she is planning to
replace the current cash register with a computer terminal linked to a cash
drawer and to install a terminal in her office which will be used for recording all
other accounting activities. Initial enquiries about the software have shown that it
is a reliable package with adequate access control features.

Being new to this "computer environment" topic, Ms Seatle-Maitse was not
quite sure of what exactly she should expect as characteristics of a CIS
environment and was hoping that you could also assist her regarding this query.

YOU ARE REQUIRED TO:

a) Discuss the controls that you would have expected to find during the
development and implementation of the new Pastel Point of Sale software
system. (10)

b) State what advice you would offer to Ms Seatle-Maitse as to the controls
which should be implemented so that the restaurant will be prepared in the
event of any disasters occurring in the future. (10)

QUESTION 3 (SUGGESTED SOLUTION)

Part A

a) Program development and implementation controls

1. Perform a feasibility study to determine:
- the users' needs (users, CIS staff, auditors); (1)
- specifications and requirements of available packages; (1)
- costs (hardware, packages and documentation); (1)
- support from suppliers; (1)
- possibility of future amendments; (1)
- reputation of suppliers; (1)
- enquiry from other users of the packages regarding:
  - facilities offered by the program; (1)
  - freedom from program errors; (1)
  - speed and efficiency; (1)
  - ease of use; (1)
  - costs; (1)
- testing of packages. (1)

2. Authorisation of purchase of the package:
- Authorisation of the purchase by Ms Seatle-Maitse and the cashier
based on the results of the feasibility study. (1)

3. Implementation

The conversion must be planned:
- prepare date and time schedules for the conversion; (1)
- cut-off points must be determined; (1)
- the conversion method must be defined (parallel, launch, direct). (1)

Preparation for conversion:
- preparation of files with standing data on the new system; (1)
- training of staff in respect of the use of the new system; (1)
- the preparation of the premises (constant power supply/air-conditioning,
etc.). (1)

Control over the conversion by the data control group:
- supervision by competent senior management; (1)
- the auditors should also be involved. (1)
MAXIMUM (10)

b) Business continuity controls

- Physical environment: protection against the elements
  - Fire: extinguishers etc. (1)
  - Water: away from water pipes (1)
  - Power: backup supply (1)
  - Environment: air-conditioning etc. (1)
- Emergency plan and disaster recovery procedures
  - Establish procedures (1)
  - List of files and data to be recovered (1)
  - Alternative processing facilities (1)
  - Plan, document and test the plan (1)
- Backups
  - Regular backups on a rotational basis (1)
  - Copies off premises (1)
  - Hardware backup facilities (1)
  - Fireproof safe (1)
- Other controls
  - Adequate insurance (1)
  - No over-reliance on key staff (1)
  - Virus protection (1)
(MAXIMUM 10)

QUESTION 4 (22 MARKS)

You are the audit manager of Top Fashions (Pty) Ltd, a company trading in the
fashion industry with a 28 February 2010 period end. Top Fashions (Pty) Ltd acts
as a supplier of highly fashionable jeans to various store outlets across South
Africa.

The company was established by Mr. Levi and has grown significantly over the
past years into a well-known fashion icon in the industry. Mr. Levi started the
company in the back of his garage while studying for his degree in fashion
design. He specialises in the manufacturing of fashionable jeans for the youth of
today. His jeans became so popular over the years that most of the major
clothing stores across South Africa now sell his jeans. Mr. Levi expanded his
business from a sole proprietorship into a well-established company with several
branches across South Africa.

Due to the increase in the volume of transactions, the company decided during
the year to convert to a more efficient on-line update information system which
now integrates all areas of the company into one system. A central file server
(mainframe) located at the head office in Gauteng will control the system and all
of the company's branches are connected to the system through on-line
terminals.

The new information system functions as follows:

- The mainframe is used as a central processing facility and for the
storage of the central database.
- The PCs at each branch form part of a wide area network using
new software and networking technology to provide integration
between the mainframe and the PC network, and to allow the PCs at
each branch to communicate with the mainframe.
- Transactions are captured on-line through the network.
- The PCs utilise software which allows them to download, update
and manipulate data stored on the mainframe database.

Management is concerned that the new system will introduce control problems
not previously encountered, and is willing to go to any expense to implement
proper controls over the new system.

YOU ARE REQUIRED TO:

a) List the controls that Top Fashions (Pty) Ltd should implement over the
conversion from the old system to the new information system. (10)
b) List the most pertinent programmed controls that management should
implement to ensure that unauthorised access to their new system is
prevented. (10)
Presentation 2

QUESTION 4 (SUGGESTED SOLUTION)

(a) Controls during conversion to the new system

(1) Planning and preparation (1)
- Prepare timetables for the conversion (1)
- Define the methods used (e.g. parallel/pilot) (1)
- Determine cut-off dates (1)
- Prepare data files for conversion (e.g. standing data) (1)
- Train staff on the new system (1)
- Balance files on the old system (e.g. control totals) (1)
- Prepare premises (constant power/air-conditioning) (1)
Maximum (4)

(2) Control over conversion of data by the data control group (1)
- There should be constant supervision by senior management and
the IT manager (1)
- The auditor should be involved during the conversion (1)
Maximum (2)

(3) Update system documentation (1)
- system flowcharts (1)
- system descriptions (1)
- operating manuals (1)
Maximum (3)

(4) Testing (1)
- balance old files with new files using control totals or print-outs (1)
- obtain third party confirmations of balances on the new system (1)
- follow up exception reports printed during the conversion (1)
- perform a comparison with data run on the old system by using a parallel
run or pilot testing (1)
- perform a manual comparison of data on the old system with the
data in the new system (print-outs) (1)
- obtain approval from users after testing that the system is working
according to their specifications (1)
Maximum (4)

(5) Backup the new system (1)

(6) Perform a post-implementation review (1)

(7) Other:
- Formal documentation of the planning, preparation and testing of
the new system. (1)
- Formal procedures for and authorisation of emergency changes, and
limitation thereof. (1)
Maximum (1)
TOTAL MAXIMUM (10)
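
Balancing the old files against the converted files, the control that appears in Question 2(e) and again in Question 4(a) above, as one added worked example (not code from the question bank): control totals printed from each system (record count, a hash total over the account numbers and the financial total) and a record-by-record exception report. It also shows why the totals alone are not enough: a conversion with compensating errors agrees on every total and is caught only by the per-record comparison. The debtors records, field names and account number format are constructed for the example.

```python
# Added example (not code from the question bank): balancing the old
# system's file against the converted file with control totals and an
# exception report, the conversion-testing control listed in Question 2(e)
# and Question 4(a). The debtors records, the field names and the account
# number format are constructed for the example.
from decimal import Decimal
from typing import Dict, List, NamedTuple


class DebtorRecord(NamedTuple):
    account: str      # assumed format: letter + 4 digits
    name: str
    balance: Decimal


# Constructed debtors master file as printed from the old system
OLD_SYSTEM: List[DebtorRecord] = [
    DebtorRecord("D0001", "Melville Boutique", Decimal("1250.00")),
    DebtorRecord("D0002", "Rosebank Denim", Decimal("840.50")),
    DebtorRecord("D0003", "Sandton Outfitters", Decimal("0.00")),
    DebtorRecord("D0004", "Durban Street Wear", Decimal("3125.75")),
]


def control_totals(records: List[DebtorRecord]) -> Dict[str, object]:
    """Three totals the data control group prints from each system: a record
    count, a hash total over a non-financial field (the numeric part of the
    account number) and the financial total of balances."""
    return {
        "record_count": len(records),
        "hash_total": sum(int(r.account[1:]) for r in records),
        "financial_total": sum((r.balance for r in records), Decimal("0")),
    }


def balance_conversion(old: List[DebtorRecord], new: List[DebtorRecord]):
    """Compare the totals and then every record, because matching totals alone
    can hide compensating errors. Returns (old totals, new totals, exceptions)."""
    old_by = {r.account: r for r in old}
    new_by = {r.account: r for r in new}
    exceptions: List[str] = []
    for account, rec in old_by.items():
        if account not in new_by:
            exceptions.append(f"{account}: on old system, missing on new system")
        elif new_by[account].balance != rec.balance:
            exceptions.append(f"{account}: balance {rec.balance} old vs {new_by[account].balance} new")
        elif new_by[account].name != rec.name:
            exceptions.append(f"{account}: name differs ({rec.name!r} vs {new_by[account].name!r})")
    for account in new_by:
        if account not in old_by:
            exceptions.append(f"{account}: on new system, not on old system")
    return control_totals(old), control_totals(new), exceptions


def conversion_balanced(old: List[DebtorRecord], new: List[DebtorRecord]) -> bool:
    """Sign-off condition for the data control group and the auditor."""
    old_totals, new_totals, exceptions = balance_conversion(old, new)
    return old_totals == new_totals and not exceptions


# Constructed faulty conversions used to show what each check catches
DROPPED_RECORD = OLD_SYSTEM[:3]                       # one debtor not converted
COMPENSATING_ERROR = [                                # same financial total, wrong balances
    OLD_SYSTEM[0]._replace(balance=Decimal("1350.00")),
    OLD_SYSTEM[1]._replace(balance=Decimal("740.50")),
    OLD_SYSTEM[2],
    OLD_SYSTEM[3],
]
```

The exception list is what gets printed and followed up; the totals are what the auditor ticks to the old system's final print-out.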

(b) Programmed access controls should include:

Control over terminals through the following: (1)
- each terminal gives access only to certain parts of the system
- terminal identification number (TIN), so the system can identify a terminal
as valid
- terminal switches off after 5 minutes of non-use
- shuts down after 3 unsuccessful attempts to gain access to the system
- log-on by a user to more than one terminal simultaneously prohibited
- polling by the central computer of remote terminals to identify
unauthorised units
Maximum (3)

Identification of users via one of the following: (1)
- passwords and user identification numbers (IDs)
- voice recognition, fingerprints etc.
- magnetic card
Maximum (2)

Authorisation of users via passwords (1)
- limit access to the system / part of the system
- limit access to certain terminals
- limit processing / access to certain times of the day
- Password control by implementing the following controls:
  - not too short (minimum length)
  - not easily guessed
  - not shown on screen / pasted on the screen
  - changed regularly (forced by the system)
  - password file on the system protected by the operating system
against unauthorised access
  - confidentiality emphasised with users (dismissal)
  - must be rejected if it already exists
  - cancelled upon resignation/dismissal
  - cancelled after a period of inactivity
  - cancelled after a number of attempts to gain unauthorised
access
  - changes to password/ID should be logged and reviewed
Maximum (4)
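
The password controls just listed, as an added worked example (not code from the question bank): the rules the system applies when a password is set (minimum length, not easily guessed, does not contain the user ID, not a reuse of a recent password for that ID) and the decisions it makes at log-on time (forced change after a set age, cancellation after a period of inactivity, cancellation on leaving). The limits, the small list of easily guessed words and the user IDs are assumptions chosen for the example.

```python
# Added example (not code from the question bank): enforcement of the
# password controls listed above at the point where a password is set or
# used. The length, expiry and inactivity limits and the small list of
# easily guessed words are assumptions chosen for the example.
import hashlib
import os
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LENGTH = 8                 # "not too short (minimum length)"
MAX_AGE_DAYS = 30              # "changed regularly (forced by the system)"
MAX_INACTIVE_DAYS = 90         # "cancelled after a period of inactivity"
HISTORY_DEPTH = 5              # "must be rejected if it already exists" (reuse)
EASILY_GUESSED = {"password", "topfashions", "levi", "jeans", "12345678", "qwerty"}


def _digest(password: str, salt: bytes) -> bytes:
    """Only hashes are kept; the password file never holds clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)   # most recent last
    changed_day: Optional[int] = None                    # day number, not a clock
    last_used_day: Optional[int] = None
    cancelled: bool = False


def check_password_quality(account: Account, candidate: str) -> List[str]:
    """Composition and reuse rules; an empty list means acceptable."""
    reasons: List[str] = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in EASILY_GUESSED or candidate.isdigit():
        reasons.append("easily guessed")
    if account.user_id.lower() in lowered:
        reasons.append("contains the user id")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        reasons.append("must mix letters and digits")
    if _digest(candidate, account.salt) in account.history[-HISTORY_DEPTH:]:
        reasons.append("already used by this user id")
    return reasons


def set_password(account: Account, candidate: str, today: int) -> List[str]:
    """Apply the rules; on success store only the hash and stamp the change day."""
    reasons = check_password_quality(account, candidate)
    if not reasons:
        account.history.append(_digest(candidate, account.salt))
        account.changed_day = today
        account.last_used_day = today
    return reasons


def password_status(account: Account, today: int) -> str:
    """What the system decides at log-on time, before the password is even checked."""
    if account.cancelled:
        return "cancelled"
    if account.changed_day is None:
        return "no password set"
    if account.last_used_day is not None and today - account.last_used_day > MAX_INACTIVE_DAYS:
        account.cancelled = True        # cancelled after a period of inactivity
        return "cancelled"
    if today - account.changed_day > MAX_AGE_DAYS:
        return "expired, change required"
    return "ok"


def cancel_on_leaving(account: Account) -> None:
    """Cancelled upon resignation/dismissal: done by the administrator, not the user."""
    account.cancelled = True
```

Days are plain integers so the expiry and inactivity rules can be exercised without a clock; the lockout after repeated wrong attempts belongs with the log-on routine rather than here.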

Authorisation of users through the following: (1)
- responsibility levels linked to user IDs to limit access
- only authorised personnel and EDI users should have the ability to
gain access to specific computerised functions
- firewalls to control access to the system
- multilevel passwords: two or more passwords required to obtain
access
- compile user matrices for controlling access to application
programs and processing
- read-only functions
- allowing access only to certain parts of the system
Maximum (4)

Monitoring of access and processing by the following controls: (1)
- print an audit trail of daily activities and processing for review by
senior personnel
- use console logs to monitor access / processing
- use application software to report unauthorised access or attempts
at unauthorised access
- console logs and activity registers maintained by the system of
unauthorised access and processing
Maximum (3)

Controls over communication lines and networks should include: (1)
- access controlled through passwords
- dial-and-dial-back transmission
- control or identification data included in the data transmitted
- sensitive data transmitted via different routes
- encryption of data transmitted
Maximum (3)
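
The communication-line controls above, and the corresponding item in the Question 2 Part B solution, as one added worked example (not code from the question bank or from any product named on the page): a branch terminal sends each transaction with its terminal identification number and a sequence number, and a message authentication code over all of it, so that the mainframe can reject a message from an unregistered terminal, a message altered on the line, or a replayed message. The terminal identifiers, the per-terminal keys and the sample transaction are constructed for the example. The MAC proves origin and integrity only; confidentiality on the line would need encryption in addition, which this example does not show.

```python
# Added example (not code from the question bank or from any product named
# on the page): control and identification data carried with each
# transaction sent from a branch terminal to the head-office mainframe, and
# the check the mainframe performs before processing. Terminal identifiers,
# the per-terminal keys and the sample transaction are constructed for the
# example. The HMAC proves origin and integrity only; confidentiality on the
# line would need encryption in addition, which this example does not show.
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed: each registered terminal (TIN) shares a secret key with the mainframe
TERMINAL_KEYS: Dict[str, bytes] = {
    "TIN-GP-001": b"constructed-key-for-gauteng-branch-terminal",
    "TIN-WC-007": b"constructed-key-for-cape-town-branch-terminal",
}


def build_message(tin: str, key: bytes, seq: int, transaction: dict) -> bytes:
    """Terminal side: identification data (TIN) and a sequence number travel
    with the transaction, and a MAC over all of it is appended."""
    body = json.dumps({"tin": tin, "seq": seq, "txn": transaction},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Mainframe:
    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.last_seq: Dict[str, int] = {}
        self.accepted: List[dict] = []
        self.rejected: List[Tuple[bytes, str]] = []   # goes to the activity log

    def receive(self, wire: bytes) -> bool:
        """Mainframe side: identify the terminal, verify the MAC, reject replays."""
        body, sep, tag = wire.rpartition(b".")
        try:
            msg = json.loads(body)
            tin, seq = str(msg["tin"]), int(msg["seq"])
        except (ValueError, KeyError, TypeError):
            return self._reject(wire, "malformed message")
        key = self.keys.get(tin)
        if key is None:
            return self._reject(wire, f"unknown terminal {tin!r}")
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not sep or not hmac.compare_digest(expected, tag):
            return self._reject(wire, f"{tin}: MAC check failed (altered or forged)")
        if seq <= self.last_seq.get(tin, 0):
            return self._reject(wire, f"{tin}: sequence {seq} already seen (replay)")
        self.last_seq[tin] = seq
        self.accepted.append(msg)
        return True

    def _reject(self, wire: bytes, reason: str) -> bool:
        self.rejected.append((wire, reason))
        return False
```

The sequence number is the "control data included in the data transmitted": it is what turns the MAC from a proof that the bytes are genuine into a proof that this particular transaction has not been processed before.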

Use of access control software, especially over access at the VANS (value-added
network services) (1)
Program libraries should be kept and the following controls should
be exercised:
- access to back-up programs should be controlled by
access software against unauthorised changes
- access to the library protected by passwords
- updating of libraries should be authorised (senior)
- program libraries should be regularly reviewed by an independent
senior official
Maximum (2)

Utility programs: (1)
- should be removed from the system and stored separately
- use thereof logged and reviewed independently by senior
management
Maximum (2)

Other matters:
- Formal information security function, well positioned and ensuring
technical expertise within the function to manage access control.
- Approval controls for the establishment of user IDs and the granting of
privileges.
- Physical access to the computer facilities housing the financial
application and restrictions on the access rights.

Maximum (2)
TOTAL MAXIMUM (10)
Presentation (2)