Ch # 5.

Internal Control Page 217

Chapter # 5 Internal Control

Question # 1 Q.7(a) Spring 2010

Briefly explain the components of internal control as referred to in the International Standards on Auditing. (09)

Question # 2 Q.6 Autumn 2014

You are the training manager in a firm of chartered accountants. Prepare brief presentation for newly inducted
trainees, on the following:
a) Control Environment and its elements (04)
b) Walk through tests and why these are performed (03)

Question # 3 Q.9 Autumn 2014

Classify the following controls as preventive, detective, or corrective controls. Give brief reasons to justify your
answers.
(i) Training on applicable policies, department policy/ procedures
(ii) Batch totals
(iii) Segregation of duties
(iv) Contingency planning
(v) System logs
(vi) System backup (06)

Question # 4 Q.8 Autumn 2014

Deehan Super Stores has launched a sales promotion scheme. Accordingly, the customers who purchase a loyalty card
gain reward points on every purchase. The points may be redeemed by adjusting the value of the available points in
any subsequent purchase.

Required:
Draw a flow chart showing the payment process including point accumulation and point redemption. (09)

Question # 5 Q.10 Spring 2015

Controls over data transmission help to ensure that transmitted data is complete, secure and unaltered.

Required:
State any five controls over data transmission which help to ensure that the data is secure and unaltered. (04)

Question # 6 Q.1(b) Autumn 2015

International Standards on Auditing require an auditor to evaluate the control environment and assess its
effectiveness. State the factors that the auditor should consider in evaluating the control environment. ( 04)

Question # 7 Q.5 Autumn 2015

Following IT related controls are being employed at Vision Limited:

(i) The general ledger system is automatically updated with sub-ledger transactions (e.g. Accounts Receivable)
every night through batch processing.
(ii) The system automatically maintains second copies of all programs and data files.
(iii) Access to programs and data files is restricted using passwords.
(iv) Invoices that are entered into the system are physically counted.
(v) Firewalls (software and hardware) are installed to restrict unauthorized access.
(vi) Screen warnings are displayed as regards incomplete processing.
Ch # 5. Internal Control Page 218

(vii) Vision Limited has service level agreements with reliable software companies, for technical support.
(viii) Review of output against expected values.

Required:
a) In respect of each control, determine whether it is a preventive, detective or corrective control. (04)
b) Also classify each of the above between general IT controls and application controls. (04)

Question # 8 Q.8 Autumn 2015

a) Differentiate between Symmetric key ciphers and Asymmetric key ciphers in relation to data encryption
techniques. (02)
b) Identify any four types of information that can be extracted from system logs. (02)

Question # 9 Q.6(d) Spring 2016

List six physical access controls over an IT system. (3)

Question # 10 Q.10.a Spring 2016

Briefly describe the following concepts:

Audit trail in a computerized environment (03)

Question # 11 Q.1 Autumn 2016

You are working in IT department of a firm of Chartered Accountants. The partners are concerned about the
confidentiality of client data which is electronically transmitted by firm’s staff from the clients’ offices.

Required:
a) Suggest controls over data transmission to ensure confidentiality of data. (03)
b) In the context of control activities explain what is included in ‘Performance reviews’. (03)
c) Specify any four main categories of general controls that an auditor would expect to find in a computer based
information system. (04)

Question # 12 Q.9 (b) Spring 2017

Discuss the effects on Application controls where General IT controls are ineffective.

Question # 13 Q.9(a) Spring 2017

Differentiate between General IT controls and Application controls. Also give two examples of each type of control.

Question # 14 Q.4 Autumn 2017

Your firm is the auditor of Bell Limited (BL) which is engaged in manufacturing and assembling of vehicles. BL has
been encountering frequent stock-outs. To address this issue, it has developed an Inventory Management System
(IMS) and connected it with the systems of all the suppliers. IMS generates and sends purchase orders to the suppliers
automatically when the inventory reaches the reorder threshold.

Required:
a) Discuss the risks to be considered due to the introduction of the above mentioned solution. (04)
b) What controls would you expect in IMS to mitigate the above risks? (05)
Ch # 5. Internal Control Page 219

Question # 15 Q.5 Autumn 2017

TS Limited is a small software house. Due to the nature of the business no significant human resources are required
except the programmers and system analysts. The Managing Director (MD) oversees all the operations. Besides the
programmers and system analysts there is only one manager, who reports to the MD.

Required:
Describe the key characteristics of such organisations with respect to internal controls and the risk which the auditor
may face in such audits. (06)

Question # 16 Q.7 Spring 2018

You have been assigned the audit of Pacific Shipping Limited (PSL) for the year ended 31 December 2017. During the
audit, you have noted that the invoicing system was not operational for four days in January 2017. Upon inquiry, you
were informed that some changes were made by one of the three programmers working in the IT department, merely
on the request of a sales officer.
The change caused the whole invoicing system to malfunction and it had to be closed down. During these four days,
all invoices were generated manually.

Required:
Identify any three control weaknesses in the above situation and suggest any two mitigating controls against each
weakness. (09)

Question # 17 Q.6(e) Spring 2018

State any four controls that an auditor expects over data transmission. (03)

Question # 18 Q.7 Autumn 2018

a) Briefly describe what is a system log file and give any four types of information that may be generated by a system
log. (03)
b) Differentiate between General IT controls and Application controls. (04)
c) Advanced Limited (AL) uses an in-house developed integrated system for all its accounting and operational needs.
AL has been facing following issues in transaction processing:
I. While processing a batch of 50 purchase invoices, it was noticed that 3 invoices of suppliers were posted
twice in the accounts.
II. Some instances have been identified in which AL’s accountant had posted the amount received from the
customers in some other customer’s account due to a typing error of the customer code.
III. While processing the payments, the accountant often fails to mention the cheque number, due to which it
takes a lot of time to trace the payment in bank statement.
IV. While recording inventory movement, the accountant had used incorrect inventory codes. Since those
codes did not exist, the system posted the transaction in suspense account.

Required:
Identify and briefly describe one specific application control in respect of each of the above type of errors, to reduce
the risk of such errors. (08)

Question # 19 Q.9 Spring 2019

(a) Chand Travels (CT) is a tour operator, which provides airline ticket bookings, hotels reservations and customized
tour packages. CT has recently implemented a software for maintaining its financial records.
Required:
What do you understand by logical access controls? Briefly describe four logical access controls that CT should
employ. (07)
(b) Describe four controls which CT may employ to reduce the possibility of disruption of operations. (04)
Ch # 5. Internal Control Page 220

Question # 20 Q.2(b) Autumn 2019

Mention any four general controls over development of new computer information systems and applications. (04)

Question # 21 Q.9 Autumn 2019

Plover Limited has recently developed an integrated system for maintaining its financial records. During testing,
following input and processing errors were identified in the system:

Input errors
(i) A non-existent product number was mentioned on the online order form.
(ii) Inward movement of inventory was recorded in some other inventory account.

Processing errors
(i) Salaries of few employees were processed twice.

Required: Identify and briefly describe one application control in respect of each of the above type of errors that
would have been effective in either preventing or detecting the error. (08)

Question # 22 Q.7 Spring 2020

Sawari Limited (SL) is engaged in the business of assembling motorcycles. Following IT related matters are under
consideration of the management:
(i) SL uses Inventory Management System (IMS) which is connected with the systems of all its suppliers. IMS
generates and sends purchase orders to the suppliers automatically when the inventory reaches the reorder level.
SL has recently been receiving the complaints of short deliveries. On further inquiry it was revealed that the
supplier received different quantity orders than those actually generated by IMS. Initial investigation revealed
that data was changed during transmission to the suppliers.
(ii) SL’s IT data room maintained at its head office caught fire. All data including last month backup kept within the
premises was lost and critical hardware was also slightly damaged due to this incident. Consequently, SL’s IT
operations suffered a downtime of ten days.

Required: Suggest any three mitigating controls against each of the above matters. (06)

Question # 23 Q.10(b,c) Spring 2020

(b) What do you understand by logical access controls? Briefly describe any four logical access controls. (06)
(c) Briefly discuss the key characteristics of small sized organizations with respect to internal controls and risks
which the auditor may face in such audits. (06)

Question # 24 Q.6 Autumn 2020

(a) Differentiate between general IT controls and application controls. (04)

(b) The internal auditor of Cyprus (Private) Limited has identified some discrepancies in the sales revenue. After
investigation, it was identified that some unknown changes were made to the master price-list which resulted in
such discrepancies.
Required:
Suggest any three general IT controls and three application controls to prevent occurrence of such error. (06)

Question # 25 Q.8 Spring 2021

(a) Describe any four limitations of flow chart as a tool of system documentation. (04)
(b) Companies having large in-house developed software, have a risk that new programs might be introduced without
proper authorisation. Briefly discuss any four general IT controls to mitigate this risk. (04)
(c) Discuss effects on application controls where general IT controls are ineffective. (02)
Ch # 5. Internal Control Page 221

Question # 26 Q.8 Autumn 2021

The management of Rose (Private) Limited (RPL) seeks your guidance for the following matters:

(a) RPL is developing a sales invoicing system both for its cash and credit customers. The system would record
customer’s name, email address, cell number, NTN number etc. at the time of sale.

Required:
Briefly discuss any four application controls, with the help of examples, which should be incorporated in the
system to ensure completeness and accuracy of data. (06)

(b) RPL’s office has recently been damaged by fire causing a system downtime for five days.

Required:
Advise any three general controls to RL which may ensure continuity of its operations in future. (03)

Question # 27 Q.9(e) Autumn 2021

List any six examples of system logs. (03 marks)

Question # 28 Q.1(a) Spring 2022

Discuss any five IT General Controls relating to program change management. (05)