



Question 1: The Proud Peacock

Question 2: Mavericks & Co
Question 3: Cologne For Men (Pty) Ltd
Question 4: Seatle Maitse
Question 5: Top Fashions (Pty) Ltd
Question 6: Original Living Ideas Ltd
Question 7: Africhem Ltd
Question 8: LaVee (Pty) Ltd
Question 9: Graded Questions on Auditing 2011 14.16
Question 10: Graded Questions on Auditing 2011 14.24


(25 MARKS)

Mr Ntato Mokonane achieved his lifelong dream when he opened his own restaurant, The
Proud Peacock, in partnership with his brother-in-law, Mr Xolile Xosi. The restaurant has
been open for 18 months and has proved to be very popular. Mr Mokonane has asked you
to advise him on the controls he should have in place in his restaurant.
Your initial enquiries have revealed the following:
- The restaurant employs a cashier, four permanent waitresses, a barman and a
  second chef (to fill in on the nights that Mr Mokonane is off duty).
- The waitresses are currently paid a basic wage of R100 per night and whatever they
  can earn in tips.
- All food and drinks orders are recorded on pre-numbered order pads. Each waitress
  has her own unique sequence.
- The restaurant has a set menu selection that is changed once a quarter.
- On completion of their meal, customers are required to proceed to the cashier and
  quote their table number. The cashier then rings up the cost of the meal using a copy
  of the waitress's completed order form. The cash register is situated at the exit point.

Mr Mokonane has expressed interest in computerising his business. He has identified the
Pastel Point of Sale software package as being the most appropriate to the restaurant's
needs. He has indicated that he is planning to replace the current cash register with a
computer terminal linked to a cash drawer and to install a terminal in his office which will be
used for recording all other accounting activities. Initial enquiries about the software have
shown that it is a reliable package with adequate access control features.


a) Describe the controls that Mr Mokonane should implement to restrict access to the sales
and computerized accounting applications.
b) Describe the programmed controls that you would expect to find that would ensure that
all valid restaurant sales are captured accurately and completely.
You may disregard controls to ensure the integrity of standing data contained in the
master files.
Presentation (2)



a) Access controls:
- The terminals should be situated in such a manner that only staff members have access
- Each user should be assigned a unique user ID and password that should be contained
  in the access table of the operating system.
- The access table/user matrixes should define each user's access privileges according
  to the least privilege principle, i.e. only grant access to a user for those applications that
  he requires in order to perform his duties.
- Only Ntato should have access to the access table in order to change a user's privileges.
- Upon logging in the user should be authenticated by means of a password that is: (1)
  o Changed regularly
- The system should also provide for:
  o Automatic shutdown in the event of illegal access attempts (e.g. no more than 3
    incorrect password attempts)
  o Time-out facilities (shutdown or password controlled screen savers) in the event of
    non-activity for a period of say 3 minutes.
  o Automatic logging of all access and access violations.
    These logs should be reviewed on a daily basis by Ntato.
    Only Ntato should have access privileges to these logs
  o Encryption of confidential information, for example, passwords.
Maximum (10)

b) Programmed controls to ensure that restaurant sales are captured correctly.

- Access controls: see above
- Verification/existence checks on:
  o menu choice; alternatively there can be pre-programmed menu keys. (1)
  o waitress code against the masterfile.
- Override function: there should be no need for an override function; however, in
  the event that there are system overrides, the package should automatically log these
  overrides (so that Ntato can review these logs the next morning and investigate the
  reasons therefore).
- Automatic pricing of sales according to prices on the menu masterfile.
- Limit check (any valid example) e.g. that cash received is not less than the amount
- Alphanumeric and field size checks on all input fields (any valid examples). (1)
- Reasonableness testing (any valid examples) e.g. on quantities ordered.
- Automatic calculation of price x quantity and calculation of change by computer. (1)
- Format tests on sales codes (or other valid examples).
- Screen tests by cashier.
- Dependency tests e.g. sales only accepted if waitress code is entered (any other
  valid examples).
- Field size tests e.g. on table number (or other valid examples).
- Missing data check on key entry fields.
- Use of appropriate screen design and screen prompts.
- Sequential pre-numbering of invoices.
- Control totals (any valid example)
- Exception reports (any valid example) e.g. on missing entry fields.


Maximum (13)
Presentation (2)
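
The programmed controls listed in (b), sketched as one sale-capture routine. This is an added example, not part of the original solution and not Pastel's code; the menu codes, waitress codes, limits and field names are constructed assumptions, and allowing an override only on the quantity check is a design choice made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed master files and limits (assumptions for this example only).
MENU_MASTER = {"M01": 8500, "M02": 12000, "D01": 2500}  # menu code -> price in cents
WAITRESS_MASTER = {"W1", "W2", "W3", "W4"}              # valid waitress codes
MAX_QTY = 20          # reasonableness limit on quantity per order line
MAX_TABLE_DIGITS = 2  # field size limit on table number
KEY_FIELDS = ("order_no", "waitress", "table", "lines", "cash")

OVERRIDE_LOG = []     # overrides are logged automatically for the owner's review


@dataclass
class SaleResult:
    accepted: bool
    errors: list = field(default_factory=list)
    total: int = 0    # cents, priced from the menu master file
    change: int = 0   # cents, calculated by the program


def capture_sale(entry, override_by=None):
    """Apply the programmed checks to one keyed sale and price it automatically."""
    # Missing data / dependency check: nothing is processed without the key fields.
    errors = [f"missing:{k}" for k in KEY_FIELDS if entry.get(k) in (None, "", [])]
    if errors:
        return SaleResult(False, errors)

    # Format check: the order number from the pre-numbered pad must be numeric.
    if not str(entry["order_no"]).isdigit():
        errors.append("format:order_no")
    # Alphanumeric and field size check on the table number.
    table = str(entry["table"])
    if not table.isdigit() or len(table) > MAX_TABLE_DIGITS:
        errors.append("field:table")
    # Verification check: waitress code must exist on the master file.
    if entry["waitress"] not in WAITRESS_MASTER:
        errors.append("existence:waitress")

    total = 0
    for code, qty in entry["lines"]:
        # Verification check: menu choice must exist on the menu master file.
        if code not in MENU_MASTER:
            errors.append(f"existence:menu:{code}")
            continue
        if not isinstance(qty, int) or qty < 1:
            errors.append(f"format:qty:{code}")
            continue
        # Reasonableness check; an override is possible but is always logged.
        if qty > MAX_QTY:
            if override_by is None:
                errors.append(f"reasonableness:qty:{code}")
                continue
            OVERRIDE_LOG.append({"order_no": entry["order_no"], "item": code,
                                 "qty": qty, "by": override_by})
        # Automatic pricing: price x quantity, the cashier never keys a price.
        total += MENU_MASTER[code] * qty

    cash = entry["cash"]
    if not isinstance(cash, int) or cash < 0:
        errors.append("format:cash")
    elif not errors and cash < total:
        # Limit check: cash received may not be less than the amount due.
        errors.append("limit:cash")

    if errors:
        return SaleResult(False, errors)
    # Change is calculated by the program, not by the cashier.
    return SaleResult(True, [], total, cash - total)


if __name__ == "__main__":
    # Constructed sample entry.
    sale = {"order_no": "1001", "waitress": "W2", "table": "7",
            "lines": [("M01", 2), ("D01", 3)], "cash": 30000}
    print(capture_sale(sale))
```

Rejected entries are the input to the exception report; the override log is what Ntato reviews the next morning.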



(55 MARKS)

Mavericks & Co are stock brokers on the Johannesburg Securities Exchange (JSE). The
following computer-based client transactions are used by the firm to purchase shares on behalf
of their clients:

Open new accounts

A client must have an account with the firm before shares may be purchased on their
behalf. Only the debtors manager may open new accounts on the computer system. In
order to open the account the transaction must exceed R2 000 in value. Opening
accounts as well as the buying and selling of shares are mainly done telephonically,
while a few are done over the counter at the firm's offices in Sandton. All new clients are
put through to Alesandro, the debtors manager, who immediately captures the
information provided telephonically by the client.


Sales transactions captured

Tyron, the debtors clerk, calls up the client's account as provided by the client from any
terminal in the office and captures the details of the transaction on the account.
Transaction details consist of the client account number, name of the client and the
number and maximum price of the shares that the client wishes to purchase.
Immediately after the transaction has been captured, a brokers note is printed which
contains the details of the transaction. The brokers note is then sent to the traders, who
buy the shares on the trading floor. As soon as the shares have been purchased, the
trader records the price at which they were purchased on the brokers note and signs
the brokers note as proof that the shares were purchased. The transactions are
processed by the JSE on the exchange's central sales and clearance system. The
same debtors clerk who captured the details of the transaction (Tyron), then captures
the details of the purchase. The client's account as well as the debtors control is debited
with the amount of the transaction. At the end of the month a monthly statement is sent
to the client. Share certificates are kept in electronic format (STRATE).


Computer processing and files

Three files are involved in the process, namely:
o Debtors pending file
o Debtors transaction file
o Debtors master file
As soon as the transaction is entered into the system, the transactions details are
captured and stored in the debtors pending file. The brokers note is printed from these
details. When the purchase details are captured, the transaction is removed from the
pending file and placed in the transaction file at the purchase price. The debtors master
file is updated immediately with the captured details from the purchase transaction, and
this file's movement and total are used to update the debtors control account.


Enquiries and controls

Debtors can phone in if there are queries on their accounts. Real-time enquiry facilities
are available, and debtors clerks can make corrections to the account, if necessary,
while they are speaking to the client. Enquiries are recorded on exception reports and
followed up with the traders if necessary.
No other controls, except those which are obvious from the above system description,
have been implemented.


Please answer part (a) and part (b) in tabular format.

Set out in point form the weaknesses in internal controls identified in the above


Suggest internal controls which would increase the reliability and effectiveness of the
system and therefore eliminate the weaknesses identified in the internal controls of the


List the risks associated with electronic data transfer, if the firm wishes to make use of
Electronic Data Transfer (EDT) to load the transactions directly from the JSE's system
on to the firm's system.
Presentation (3)





No completeness control (e.g. number sequence) is performed on the brokers notes. (1)

Transaction enquiries must be recorded on prenumbered documentation.
Numerical sequence tests must be performed on transaction queries and opening account documentation, and outstanding queries must be followed up.
A register should be opened for the control of brokers notes where number sequence is
Brokers notes received back as purchases must be matched per register with brokers notes handed to traders.

No follow-up on outstanding (incomplete) brokers notes.

A daily printout of the movement on the transactions file must be compared with the signed brokers notes for the day.
The movement for the day on the master file must be reconciled with the movement on the transaction file.

No recognition of receipt of brokers notes is provided by traders.

Trader must sign in the register for the receipt of brokers notes.

No follow-up on outstanding items on pending

Follow up the contents of the pending file with traders on a daily basis.

No reconciliations between the purchases for the day and the updating on the transactions file. (1)

The movement for the day on the master file must be reconciled with the movement on the transaction file.

Regular back-ups of files are not done.

Regular back-ups of files should be made. (1)

No comparison of the brokers note with the client's original demand.

Brokers note must be compared with the client's transaction enquiry.

No matching of purchase details with the JSE system.

Purchase details must be compared with the details per the JSE system before it is captured.

No reconciliation between debtors accounts (files) and brokers notes.

The total per transaction file must be reconciled with the total per master file.

No reconciliation between debtors accounts and control account (file).

Debtors statements must be reconciled with share certificates or signed brokers notes before they are sent to clients.

Deviations between the pending file and transaction file are not followed up for

Management must check a printout of the pending file on a weekly basis.

Transactions are not followed up to ensure that the maximum purchase price is not exceeded.

System should compare price of shares to maximum price the client is willing to pay.

No controls exist to ensure that queries are followed up properly.

Exception reports produced and reviewed of such occurrences.
Enquiries must be recorded in writing on prenumbered documentation.
Number sequence tests must be performed on enquiries and outstanding enquiries must be followed up.
Completed enquiries must be signed off by a
Completed enquiries must be signed by the clerk and the supervisor as proof of authorisation. (1)

Inadequate controls and follow-up of corrections on accounts.

A log (report) must be printed by the computer of changes to accounts, and the supervisor must compare the log with the change documentation.

There is no proper management information i.r.o. debtors purchases and follow-up.

Management information of debtors and purchases must be reviewed weekly by

No edit tests are performed to ensure that the input of transactions details is correct.

Calculations and updates must be performed programmatically by the computer after prices and quantities for the purchase have been

There is no proper supervision of debtors clerks.

Proper supervision should be implemented over debtors clerks.

No follow-up of long-outstanding balances on

Long outstanding balances must be followed up.

No controls procedure to ensure that only the debtors manager opens new accounts. (1)

A daily list of new accounts opened must be reviewed and initialled by the debtors manager. (1)
Enquiries regarding the opening of new accounts must be completed on pre-numbered documentation (document should preferably look like input screen).
A screen enquiry test i.r.o. the capturing of new clients must be performed to ensure that information is captured correctly.

No password control to limit access and levels of access to the computer.

Security levels by means of security software must be implemented, to ensure that only authorised persons have access to Open new
Access control to the computer must be implemented through passwords.
Physical access to terminals should be limited through lockable terminals.

First transactions not reviewed to ensure that their value exceeds R2 000.

The computer should not process the first transactions if not in excess of R2 000.

No credit control or credit limits.

Credit limits must be set by management.
Management must review and approve credit limits for each new client
Credit limits must be reviewed before new transactions are accepted (independence tests).

No proper division of duties. (Debtors clerk deals with purchases and transaction details). (1)

Inadequate access controls to terminals. (1)

Inadequate physical safeguarding of share

There must be division of duties so that the same person who captures the transaction query does not also capture the purchase details. (1)
Access controls to be implemented:
o Identification of user
o Authorisation of user
o Password control
o Terminal shut down after 3 attempts to log on
o Terminal logs off after 5 min inactivity etc
Any (3)
Share certificates should be kept in a safe. (1)

Maximum (21)

Maximum (26)

c) Risks of EDT

No written evidence and user involvement.

Tax and legal implications.
Duplication of transactions.
Data damaged during transfer.
Transmission of data to incorrect addresses.
Interruption and non-processing of transactions.

Maximum (5)
Presentation (3)


(10 MARKS)

You are the auditor of Cologne For Men (Pty) Ltd. This company imports men's cologne from
all over the world, but mainly from Europe and the USA. Inventory is generally kept in the
company's warehouse for an average of one month, before being sold to cosmetic stores.
These cosmetic stores are located in Johannesburg, Durban and Cape Town. A decision
was thus taken a number of years ago to set up branches in Durban and Cape Town (the
company's head office is in Johannesburg). Grant Cornish heads up the head office in
Johannesburg, while Nicole Soares heads up the Durban branch and Wade Manthe, the
Cape Town branch. These branches are connected to the Johannesburg head office via an
extended real-time network system. All of the application programmes and general ledger
have been computerised.
You have been given the responsibility to perform the audit of Inventory.
You have already attended the inventory count and all audit work in respect of the inventory
quantities that appear in the final inventory list has been completed. You only have to
complete the audit work on the valuation of the inventory including the provision for slow
moving inventory and cut-off.
From the systems description, you obtained the following data fields that exist for the
inventory valuations, movements and ageing:
Product number
Product category
Description of the item
Quantity on hand
Average age (in days) of inventory
Selling price
Cost price
Inventory movements between the stores and branches and between branches
* document number
* date
* quantity received or despatched
* whether inventory is still in transit
Date of last inventory count
Date on which there was last a movement in the inventory


Name five reports that you can generate with generalized audit software that you can use to
audit the valuation, provision and cut-off of inventory. Your answer should refer to the
data fields that you would use and how you would combine the data fields and manipulate
them if required. Explain in each case how the report would assist you in completing the
audit procedures. Answer this question in the following column format:




Report that separates the stock into categories and prints it according to ageing in which inventory last moved
    Gives the values of stock by age to assist with the provision of stock calculation

Report of last movements before year end in each location
    Testing cut-off at year-end

Report that shows the quantity items on hand and multiplies it with the cost price per item to get a total
    Confirms the balance of stock at year end (1)

Report of inventory totals per category of
    Confirm the different classes for disclosure purposes. Highlights high value inventory categories that will assist in focusing our audit procedures for the valuation assertion.

Report that indicates which inventory is still in transit at year end.
    Confirmation that inventory in transit has been included in inventory at year end when it should have been (FOB) or excluded when it should have been (CIF)

Report that indicates the date on which the inventory item last moved.
    Indicates slow moving inventory and inventory that will most likely be written off if it hasn't moved for a long period of time.

Report of inventory items where sale price is smaller than cost price
    Net realisable value indicates inventory items that require a write down to net realisable value.



(40 MARKS)


(20 MARKS)

Ms OG Seatle Maitse achieved her lifelong dream when she opened her own restaurant,
Complex 49, in partnership with the love of her life, only known to most as Jingles. The
restaurant has been open for 22 months and has proved to be very popular.
Ms Seatle - Maitse has expressed interest in computerising her business. She has identified
the Pastel Point of Sale software package as being the most appropriate to the restaurant's
needs. She has indicated that she is planning to replace the current cash register with a
computer terminal linked to a cash drawer and to install a terminal in her office which will be
used for recording all other accounting activities. Initial enquiries about the software have shown
that it is a reliable package with adequate access control features.
Being new to this computer environment topic, Ms Seatle Maitse was not quite sure of what
exactly she should expect as characteristics of a CIS environment and was hoping that you
could also assist her regarding this query.
a) Discuss the controls that you would have expected to find during the development and
implementation of the new Pastel Point of Sale software system.
b) State what advice you would offer to Ms Seatle - Maitse, as to controls which should
be implemented so that the restaurant will be prepared in the event of any disasters
occurring in the future;


(20 MARKS)

As part of your period audit of Big Shots (Pty) Ltd, you identified inventory as a significant
balance and would like to perform detail procedures on the balance.
You have already gathered the following information about the inventory:
- Big Shots has a central warehouse in Johannesburg and 12 distribution warehouses
  spread throughout the country.
- Big Shots uses a fully computerised inventory system which is able to
  determine inventory quantities for any item at any warehouse at any time by adding
  and deducting quantities sold, transferred and adjusted.
- The system determines the cost of inventories on a weighted average basis.
- The system has not changed significantly over the last year and no major changes
  are expected in the immediate future.

You have established that your in-house audit retrieval software (CAAT) package is fully
compatible with the client's system.
a) List the possible functions of your audit retrieval software.


b) In relation to the above, list how you would use the functions of the software's
capabilities to audit the inventory system
PLEASE NOTE: a) and b) should be answered in a tabular format.
Presentation (2)



Part A
a) Program development and implementation controls

Perform a feasibility study to determine:

The users' needs (users, CIS staff, auditors);
Specifications and requirements of available packages;
Costs (hardware, packages and documentation);
Support from suppliers;
Possibility of future amendments;
Reputation of suppliers.
Enquiry from other users of packages regarding:
o facilities offered by program;
o freedom from program errors;
o speed & efficiency;
o ease of use;
o costs;
Testing of packages.



Authorisation of purchase of package:

Authorisation of purchase by Ms Seatle Maitse and the cashier based on results
of feasibility study.


The conversion must be planned:
prepare date and time schedules for conversion;
cut-off points must be determined;
the conversion method must be defined (parallel, launch, direct).
Preparation for conversion:
preparation of files with standing data on the new system;
training of staff in respect of the use of the new system;
the preparation of the premises (constant power supply/airconditioning, etc.).
Control over the conversion by the data control group:
supervision by competent senior management;
the auditors should also be involved.

b) Business continuity controls

Physical environment
Protection against the elements
Fire: extinguishers etc
Water: away from water pipes
Power: backup supply
Environment: air con etc
Emergency plan & disaster recovery procedures
Establish procedures
list of files & data to be recovered
alternative processing facilities
plan, document & test the plan
Regular backups on rotational basis
Copies off premises


Hardware backup facilities

Fireproof safe
Other controls
Adequate insurance
No over reliance on staff
Virus protection


Part B
Uses of Audit Retrieval Software
Castings and Calculations


Uses to audit inventory system

- Test castings and cross castings of inventory files
- Test the castings of balances within the files e.g. inventory quantities for each category of inventory
- Test calculations of weighted average cost of inventories for each category of stock (1)
- Calculate ratios such as inventory holding, % obsolete stock, inventory turnover etc for analytical procedures

Investigations and analyses

- Detail analyses of account balances e.g. obsolete inventory
- Examine files for unusual items e.g. cost price is higher than the sales prices and negative balances
- Investigate missing items e.g. Missing
- Compare transaction data with standing data (e.g. prices on invoices with price
- Identify slow moving inventory e.g. inventory where no recent sales were recorded (1)

- Items for testing e.g. sample of GRNs (1)
- Items which meet certain criteria e.g. sales prices lower than the cost price
- Items for test counts at year end

- Printout of transactions at year end for the performance of cut off tests

- Items per category

- Stratification of balances

- Print out of master files e.g. supplier

- Computer files with each other e.g. general ledger with supporting ledgers
- Amounts e.g. cost prices vs NRV

- Previous year's files with current year e.g. inventory lists.
- Obtain a printout of goods in transit (1)
- Obtain a printout of material inventory adjustments to follow up

PART A: Maximum (5)

PART B: Maximum (13)
Presentation: (2)



(20 MARKS)


(10 MARKS)

You are the second year clerk on the audit of Top Fashions (Pty) Ltd. For the 28 February
2011 period end audit you are responsible to evaluate the internal controls over the sales
order entry system. You have obtained the following information:

- Orders are received from customers by phone.
- The company does not make cash sales.
- All orders are put through to Ms Polo, who, after informing the customer of the price at
  which the order is taken, enters them directly onto the system. She does not perform
  a stock availability enquiry at the time the order is placed. The directors acknowledge
  that this may lead to customer dissatisfaction but they argue that it is less important
  than losing a sale.
- Ms Polo is linked from her office via a terminal to the mini-computer situated in the
  data processing department.
- When an order is received it is entered via the terminal onto an order pending file at
  which time it is given a sequential number, and a cross referenced computer
  generated picking slip is printed out in the stores department.

Identify the application controls which you would expect in the sales ordering system of Top
Fashions (Pty) Ltd, to ensure that orders received are accurately recorded and complete.



(10 MARKS)

Top Fashions (Pty) Ltd's sales are on credit and the sales have improved in recent years
due to the directors constantly monitoring sales patterns and fashion trends. All account
receivable records are maintained at head office. The account receivable system is fully
You have identified that the following data fields exist in the accounts receivable system:
Account number
Debtors name
Credit rating dependent on new customers introduced, length of service, regularity of
Credit limit
Aged outstanding balances:
o Current
o 30 days
o 60 days
o 120 days
o 150 days
o 180 days
o Over 180 days
Total balance outstanding
Date of last purchase, invoice number and amount
Date of last payment, receipt number and amount
Sales month-to-date
Receipts month-to-date
Sales year-to-date
Receipts year-to-date
List the reports that you would extract from the accounts receivable master file using your
audit retrieval software. Give reasons for the selection of each report.






- All orders are sequentially numbered.
  o Missing numbers are printed on exception report and follow-up by
- The computer matches the delivery notes with the order and prints a list of
  outstanding orders:
  o it is followed up by management.
- The computer calculates a daily total of all orders received:
  o of the quantity and amount of orders and matches it with the total
    recorded in the order file (control total).
  o compare the total to the control total on picking slips
- An audit trail is printed of all orders received.
  o reviewed by Ms Polo and management for duplication or missing numbers.
- The following edit checks are performed:
  o Format checks. The system verifies/checks that:
      * client's name is alphabetical;
      * number is numerical.
  o Screen testing: Ms Polo verifies the detail of the client and order on screen.
  o Existence testing: the computer tests if goods are in stock; if not, it is written to a
    suspense file.
  o Limit or reasonable tests: the computer tests the reasonableness of quantities entered
    (within reasonable limits).
  o Check digits: for accuracy thereof.
  o Field length: the computer tests if the quantities, codes, etc. are within the
    acceptable range.
- The computer calculates automatically the amount of the orders as
  o quantity: keyed in;
  o price: master file;
  o calculate the sale price.
Max (2)
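
The completeness controls in this answer (sequence check, control totals, outstanding orders) expressed as one daily exception report. This is an added example, not part of the original solution; the record layouts, order numbers and amounts are constructed, and `first_expected` (the number following the previous day's last order) is an assumed input.

```python
from collections import Counter


def sequence_exceptions(numbers, first_expected):
    """Missing and duplicated numbers in a run that should start at first_expected."""
    counts = Counter(numbers)
    last = max(counts) if counts else first_expected - 1
    missing = [n for n in range(first_expected, last + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


def daily_order_exceptions(orders, picking_slips, delivered, first_expected):
    """Build the exception report for one day's order file.

    orders:        list of dicts with order_no, qty, amount (cents)
    picking_slips: list of dicts with order_no, qty
    delivered:     set of order numbers that have a matching delivery note
    """
    missing, duplicates = sequence_exceptions(
        [o["order_no"] for o in orders], first_expected)
    order_nos = {o["order_no"] for o in orders}
    order_qty = sum(o["qty"] for o in orders)
    slip_qty = sum(s["qty"] for s in picking_slips)
    return {
        # Sequence check: gaps and duplicates go to management for follow-up.
        "missing_numbers": missing,
        "duplicate_numbers": duplicates,
        # Control totals: quantity and amount per order file vs picking slips.
        "order_control_total": {"qty": order_qty,
                                "amount": sum(o["amount"] for o in orders)},
        "picking_slip_qty": slip_qty,
        "control_totals_agree": order_qty == slip_qty,
        # Orders with no matching delivery note are still outstanding.
        "outstanding_orders": sorted(order_nos - set(delivered)),
        # A picking slip that cross-references no order is itself an exception.
        "slips_without_order": sorted(
            {s["order_no"] for s in picking_slips} - order_nos),
    }


# Constructed sample data for one day.
ORDERS = [
    {"order_no": 5001, "qty": 3, "amount": 89700},
    {"order_no": 5002, "qty": 1, "amount": 45000},
    {"order_no": 5004, "qty": 2, "amount": 59800},
    {"order_no": 5004, "qty": 2, "amount": 59800},   # captured twice
    {"order_no": 5005, "qty": 4, "amount": 119600},
]
PICKING_SLIPS = [
    {"order_no": 5001, "qty": 3}, {"order_no": 5002, "qty": 1},
    {"order_no": 5004, "qty": 2}, {"order_no": 5005, "qty": 4},
    {"order_no": 5009, "qty": 1},                    # no such order on file
]
DELIVERED = {5001, 5004}

if __name__ == "__main__":
    for key, value in daily_order_exceptions(
            ORDERS, PICKING_SLIPS, DELIVERED, first_expected=5001).items():
        print(f"{key}: {value}")
```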

Printout of selected items for testing
Printout of circularisation requests
Report of payments after year end
Printout of
total outstanding
Printout of dormant accounts
Printout of slow moving accounts
Printout of age-analyses
Printout of accounts in excess of credit
Report of accounts with invoice numbers greater than a specified number
Report of accounts with receipts greater than a specified number

Enables auditor to evaluate circularised accounts receivable
Enables auditor to circularise accounts
To provide evidence that accounts exist and to assist auditor in provision for doubtful debts calculation
Enables auditor to remove credit balances to accounts payable or investigate reasons
Enables auditor to identify accounts of possible untraceable customers
Enables auditor to identify possible bad
To assist auditor in provision of doubtful debts calculation
Enables auditor to identify possible bad
Assist auditor in ensuring cut-off correctly accounted for
Assist auditor in ensuring cut-off correctly accounted for



(35 MARKS)

You were recently appointed the auditor of Original Living Ideas Ltd (OLI), an entity that
listed on the JSE. The company operates a number of designer furniture store outlets
situated in Rosebank, Sandton, Hyde Park and Randburg. OLI has a financial year end of 31
May. It is the first year that you will be auditing OLI. The audit committee has informed you
that the audit has to be completed by 20 June 2011, as the financial statements will be
required by NBOSA, the company's bankers, on 25 June 2011 to review whether OLI's loan
facility should be renewed.
As part of your risk assessment procedures, during the planning of the audit, you
documented the following regarding the fully computerised system used by OLI:
OLI receives designs for furniture from a number of well-known interior decorators. These
are appraised and the most popular furniture is manufactured according to the latest lifestyle
trends. The furniture is stored in a central warehouse and distribution takes place from this
point. The various stores only hold furniture for display purposes to encourage the public to
order a specific piece. Once ordered the piece is dispatched from the warehouse for delivery
to the customer.
During the current year OLI launched a new on line sales platform that allows customers to
order furniture electronically via the Internet. Orders that are received via the internet are
also distributed from the warehouse for delivery to customers. Customers specify the date
and time of delivery on their orders. Upon delivery of the furniture the customer also receives
an invoice from OLI which includes all packaging and delivery costs. The company does not
make any cash or credit card sales. The customers account is debited before delivery takes
OLI uses a central file server situated at their head office in Killarney to control the system.
The store outlets and central warehouse facility use an electronic data interchange hub
through on-line terminals to connect to the system. This allows terminals at each outlet to
form part of a wide area network and integrate with the central database mainframe on a real
time basis. You noted that no back up of the system was maintained and there is also no
data recovery plan in the event of a disaster.
Store orders that are captured by a sales rep in the store, are processed after verifying all
client information. The sales reps may make changes to the customer masterfiles if any
details have altered. When an order is received at a store outlet it is entered via a terminal
into an orders pending file at which time it is given a sequential number. This file links with
orders received via the internet sales platform so that all orders generated run sequentially.
The system automatically generates a cross referenced picking slip after verifying stock
This slip can be printed out at the store and warehouse. If there is no stock available a
picking slip will not be generated and an error report can be generated of all orders with no
stock availability. The warehouse clerks pick stock, package it for delivery, update the
orders pending file and a combined invoice/delivery note is automatically generated for
those items picked. Should an item not be available then the order remains in the orders
pending file and appears on daily outstanding orders report.
The directors of OLI have raised a concern with you about an incident that occurred shortly
after the launch of the new internet sales system. A customer has denied his obligation to
make payment claiming that he did not place an order with OLI at any time or receive any
furniture. The directors would like to know which controls should be present in the system to
prevent unauthorised orders being placed by a person using customers' details (personal
information) without their knowledge or consent.



Identify the audit risks arising from the information provided.


Describe the controls required to ensure that changes made to customers' standing
data are complete, accurate and valid.





Part (a)

1. Company Listed on the JSE:
Risk of non-compliance with stringent JSE listing requirements; complex reporting
requirements as auditor has to report on company's adherence to JSE listing
Risk that client overstates assets and profits to retain listing status
2. New audit client
Risk that opening balances may be misstated
Risk that accounting policies may not be consistently applied
Risk that we as auditors will not identify misstatements as we are unfamiliar with the
3. Tight audit deadline
Risk that post balance sheet date events might not be identified
Risk that financial information may be incomplete
Risk that creditors and provisions may be understated -statements not received in
4. 3rd Party reliance
Risk of legal liability i.t.o S46 as we are aware financial statements will be used by
5. Fully Computerised environment: (General Risks)
Risk that weak general controls could affect the continuity of processing (1)
Risk that a weak control environment exists because:
o Management is not committed to proper IT governance,
o There is no backup / data recovery plan
Risk that weak application controls could affect the completeness, validity and
accuracy of recorded transactions
Risk of errors and ineffective programmed controls because of a lack of user training
Risk that there will be an absence of input documentation
Use of WAN increases risk of unauthorised access; changes to transactional
6. On-Line System
Risk that there will be inadequate audit trails providing evidence of authorization
Increased risk that there will be unauthorised use of the computer:
- Unauthorised changes made to transactions / balances
- Unauthorised access to data
- Unauthorised processing of data resulting in update of incorrect data to
Risk that masterfiles are amended without the necessary authorization
Risk of corruption of data due to concurrent processing
7. Real Time processing of transactions:
Risk that incorrect data processed onto the system
Risk of data loss due to any interruption during processing (no backup)


8. No Backup or Data Recovery Plan

Increased risk relating to business continuity in the event of a disaster:
o Loss of data (if there is a system failure all data might not be reinstated)
o Risk that the company might not be a going concern (inability to continue
operations in event of a serious system breakdown)
9. Trading via the internet
Increased security risk: (unauthorised access of data on the public network)
o Failure of encryption based security
o Overload of file servers resulting in system being unavailable for trade due to
breakdown (business continuity risk)
o Unauthorised hacking of customer information
o Increased threat of data corruption from viruses
o Risk of incorrect revenue recognition (date risks and rewards pass)(1)
10. EDI
Increased risk that there will be interruptions/errors transferring data to central server:
o Hardware failures
o Server overload (availability of processing time)
o Duplications on retransmission after system recovery
11. Central File Server
Risk that there will be unauthorised access to data due to:
o No firewalls and virus protection
o No encryption of data
Risk to business continuity through the collection of data in one central location with
no adequate backup assurances;


Part (b)
All changes to customers' master file data should be:
o Requested in writing on a pre-numbered, pre-printed master file amendment form
o Master File amendment forms should be designed to facilitate the capturing of all
o Any unused Master file amendment forms should be subject to standard stationery
control protocol (under lock and key; the responsibility of a designated staff member
with appropriate authority)
Changes to Master files should be reconciled:
o To a list/register of requested amendments (completeness)
o To the master file amendment forms (accuracy and completeness of changes)
o All outstanding items/ exceptions should be followed up by management
o To supporting documentation (minutes of meeting/contract with customer)(1)
All master file changes should be logged by the system
o This activity log should be reviewed by management on a regular basis


All changes made to standing data should be agreed to authorised master file amendment
Programmed Input validation tests/ edit tests should be carried out:
o Alpha-numeric and field size checks on customer account numbers; ID numbers
o Missing data checks
o Reasonableness checks on ID numbers
o Record counts
o Any other valid edit check
All proposed masterfile amendments must be authorised in writing by two senior officials
All amendments should be reviewed by management before; during and after
Write access to masterfiles should be restricted to authorised personnel by means of user
ID, passwords and terminal ID controls
All changes to customers' master file data should be made off-line and only go live
after approval and testing
The master file should be reviewed regularly by management
The masterfile data should be encrypted and kept in a library with strict access
Adequate backup procedures should be implemented in order to recover standing
data in the event of data corruption during an amendment
Password Controls
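The reconciliation controls in Part (b) can be expressed as a small program. The following is an added example, not part of the original solution: it reconciles a system change log to the pre-numbered amendment forms and reports exceptions for management follow-up. The record layouts, field names and all sample records are constructed assumptions.

```python
"""Reconcile a master file change log to authorised amendment forms.
All records are constructed sample data; field names are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AmendmentForm:
    form_no: int                     # pre-numbered, pre-printed form
    account: str
    field: str
    new_value: str
    authorised_by: Tuple[str, ...]   # senior officials who signed the form


@dataclass(frozen=True)
class LoggedChange:
    form_no: Optional[int]           # form reference keyed in with the change
    account: str
    field: str
    new_value: str
    user_id: str


def reconcile(forms, log, first_no, last_no):
    """Return exception lists, one per control objective."""
    by_no = {f.form_no: f for f in forms}
    result = {
        # Stationery control: every issued form number must be accounted for.
        "missing_forms": [n for n in range(first_no, last_no + 1)
                          if n not in by_no],
        # Authorisation: two different senior officials must have signed.
        "under_authorised": sorted(f.form_no for f in forms
                                   if len(set(f.authorised_by)) < 2),
        "unauthorised_changes": [],   # validity: no supporting form
        "inaccurate_changes": [],     # accuracy: differs from the form
        "duplicate_changes": [],      # same form applied more than once
    }
    applied = set()
    for change in log:
        form = by_no.get(change.form_no)
        if form is None:
            result["unauthorised_changes"].append(change)
            continue
        if change.form_no in applied:
            result["duplicate_changes"].append(change)
        applied.add(change.form_no)
        requested = (form.account, form.field, form.new_value)
        captured = (change.account, change.field, change.new_value)
        if requested != captured:
            result["inaccurate_changes"].append(change)
    # Completeness: authorised forms that never reached the master file.
    result["forms_not_processed"] = sorted(set(by_no) - applied)
    return result


# Constructed sample: forms 101-104 were issued, 103 cannot be found.
FORMS = [
    AmendmentForm(101, "C0001", "credit_limit", "36000",
                  ("fin_manager", "credit_manager")),
    AmendmentForm(102, "C0002", "address", "12 Main Rd", ("fin_manager",)),
    AmendmentForm(104, "C0003", "credit_terms", "60",
                  ("fin_manager", "credit_manager")),
]
LOG = [
    LoggedChange(101, "C0001", "credit_limit", "36000", "rep01"),
    LoggedChange(102, "C0002", "address", "21 Main Rd", "rep02"),
    LoggedChange(None, "C0009", "credit_limit", "99000", "rep02"),
    LoggedChange(101, "C0001", "credit_limit", "36000", "rep01"),
]

if __name__ == "__main__":
    for name, items in reconcile(FORMS, LOG, 101, 104).items():
        print(name, items)
```
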


(50 MARKS)

You have been the external auditor responsible for the audit of Africhem Limited (Africhem)
for the past three years and have been reappointed to perform the audit for the reporting
period ended 30 June 2011.
Africhem is a company listed on the Johannesburg Security Exchange (JSE) and is South
Africa's oldest producer of chemical products to the farming industry. Africhem applies
innovation and technology to help farmers to produce higher quality products to the public.
They assist farmers in producing healthier foods, better animal feeds and more fiber, while
also reducing agriculture's impact on our environment.
Africhem's head office is located in Bloemfontein, and the company has multiple branches around South
Africa. The locations are variously administrative and sales offices, manufacturing plants,
seed production facilities, research centers, and learning centers, all part of the corporate
focus on agriculture and supporting farmers.
Africhem's accounting system is fully computerised. This system is an integrated complex
application which minimises the use of hard copy documents wherever possible and handles
a high volume of transactions on a daily basis. The system makes use of real time
Your first year audit clerk George Clooney was responsible for documenting the
understanding of the internal control environment of the purchase system and Meg Ryan,
the senior audit clerk, was responsible for documenting any audit differences identified
during the audit that could affect the audit opinion.
The following documents are attached:

Purchase system Internal controls
Audit differences


Client: Africhem Ltd

Period end: 30 June


Prepared by: G Clooney

Date: 25 July 2011

Reviewed by:



Purchase System Internal Controls

The purchasing function is decentralised across the various branches, with each branch
having its own purchasing department. Three years ago Africhem implemented SAP
application software customised to meet the company's specific processing needs. The
financial module, which includes accounts payable, was successfully implemented at the
same time and no problems were experienced. The company currently does not use EDI in
the purchasing process and therefore the controls around networks are not of concern.
Manual purchase requisitions are used which then serve as input to the computer system.
The rest of the purchasing process is fully computerised.
The company has a CIS control group which monitors the entire computer environment. The
CIS control group makes use of an internal control questionnaire to assess the control
environment of the purchasing computer system.
The internal control questionnaire deals with the following internal controls:
Business continuity
Are controls in place for:
Protection against physical environmental
Personnel control?
Does the system establish and enforce clearly defined
lines of responsibility and authorisation limits within the
decentralised buying departments?
Does the system enable buyers to check who is
authorised to raise and approve purchase requisitions?
Can increasing levels of authorisation be required for
increasing values in purchase orders?
Completeness and accuracy of transaction input/generation
Does the system automatically check that all pre-printed
sequence numbers used on purchase requisitions are
accounted for?
Describe how the system subjects transactions to programmed edit/validation checks:

Are exception reports produced, in which large or unusual

items are listed to allow for individual comparison with
input documents?
Are exception reports produced, in which purchase orders
that do not match authorised requisitions are listed for
subsequent follow-up?
Are overrides of system warnings by the user
automatically reported for independent approval?
Completeness and accuracy of processing
Does the system generate exception reports of
unmatched or mismatched purchase transactions for
review and follow-up?

Is a reconciliation automatically generated of records

accessed and records updated?
Are system-generated purchase transactions subject to the same processing controls as
input transactions? Describe the controls:

Organisational and management controls
Is there proper segregation of duties?
Are levels of responsibility clearly defined?
Are proper policies in place regarding staff recruitment
and training?
Are there proper controls in place around virus
Does the system automatically generate reports for
management review? For example:
Exception reports (fluctuation in purchase
volumes; significant purchase orders; material
price variations).
Management information reports (audit trail;
deviations from budgets).
Performance-related reports (stock-outs; supplier
performance; delivery lead times).
Logical access
Does the system provide the following logical access
The user is required to input an ID and password
combination in order to gain access to the
Effective password controls around the use of
Menu selections displayed are restricted based
upon the access privileges defined by the user ID.
User access rights are restricted to those
processing functions and data files required for
the user's normal duties.
Changes to user access rights are automatically
reported for review by management.
Logon IDs are automatically disabled/revoked
after a prescribed number of logon failures, a set
period of inactivity, or when employees resign or
relocate within the organization.
An activity log for review by an authorized person
is generated in respect of unauthorized access.
Physical access
Are the following physical access controls in place?
Access controls to the computer hardware.
Access control to the terminals.
Access controls to programs and data files.
Manual logs and review of logs.
Screening and training of staff on physical access
Emergency access controls.


Client: Africhem Ltd

Period end: 30 June


Prepared by: M Ryan

Date: 28 July 2011

Reviewed by:



Audit differences
One of Africhem's major branches that is situated in Kroonstad commenced the
manufacturing of a highly toxic chemical and two months before year end two of the
employees working at this branch died after falling seriously ill. The initial investigation into
their deaths suggested that they were victims of chemical poisoning suffered from working
with the toxic chemicals. A government investigation was instituted on 15 May 2011.
At the last directors' meeting for the current reporting period the directors of Africhem took
the decision to close the branch in Kroonstad, with immediate effect, until completion of the
government investigation. The board of directors also took the decision that should the
government investigation indicate that the employees' illness and death was directly
attributable to their work conditions at the branch, the Kroonstad branch would remain
closed permanently. In addition a firm of attorneys has instituted legal proceedings against
Africhem on behalf of the family members of the two employees. We have established that
should the government investigation connect the employee illness to the company's process,
the employees' family members will in all likelihood be successful in their actions against the
Through discussions with the company's financial manager, Julia Roberts, we have been
informed that the company has decided to treat the matter as follows in the financial
statements for the period ended 30 June 2011:
No reference to the temporary or possible permanent closure of the branch will be
made. However full disclosure will be made to the shareholders at the annual general
The following note will be included:
o The company is the defendant in a lawsuit brought against it by two
employees. The case concern health problems allegedly caused by the
employees work environment at the Kroonstad branch. The total claim is R2
500 000 but it is at present impossible to determine the outcome of the
The going concern ability of Africhem is in no way threatened by this matter. All other
aspects of the audit have been satisfactorily dealt with. The outcome of the government
investigation is expected to take some months.

Refer to working paper C4 and list the general computer controls relating to the
purchasing process that have not been included in the internal control questionnaire.


Describe the audit strategy for the audit of the reporting period ended 30 June 2011,
taking into consideration that Africhem has a fully computerized environment. (9)


Refer to working paper C6 and discuss fully the audit report that you would consider
appropriate should the directors treat the matters in the financial statements in the
manner indicated by the financial manager.
Presentation (2)




System Maintenance (Change) Controls:
Requests for changes/corrections to the system should be completely carried out:
o Written requests on standard pre-numbered change request forms.(1)
o Change request form should be entered into a register.
o Regular sequence checks must be performed on the request forms to identify
outstanding requests.
o Outstanding requests must regularly be reviewed by senior management.
Only valid changes should be made:
o Requests for changes by the user should be approved by the following parties:
Correct level of authority (management/computer steering committee
Data processing department (technical IT department)
o All system changes should be documented and system documentation should
be modified.
All changes must be tested to ensure effective functioning.


Other considerations:
o Changes to the system should be backed up.
o Training of users in respect of the use of the updated system.
o Post-implementation reviews should be performed on the changes.(1)
Computer operating controls:
There must be scheduling of processing which is regularly reviewed.
Set-up and execution of programmes must be in place:
o This must be done by competent persons
o Assisted by means of procedure manuals/instructions.
o Regularly tested.
o Constant supervision and review over this process.
Ensure the use of correct programmes and data files.


MAX (3)

Operating procedures that should be in place:

o Monitoring and review of the functioning of hardware
o Operating instructions and manuals to assist users
o Monitoring of operations through logs
o General controls around segregation of duty, rotation of duties and
supervision and review of activities.
MAX (3)
Recovery procedures to prevent interruption in operations:
o Emergency plan & instructions in the event of crisis.
o Effective backup procedures for data and hardware.

System Software Controls:

Security over system software:
o Integrity of staff.
o Segregation of duties.
o Employment policies.
o Supervision and review.

MAX (3)

Database systems:
o Access controls around database system.
o Supervision and review (by database manager).
o Documented policies.

MAX (2)

Processing on microcomputers:
o Control over software.
o Programs written internally are tested and should be documented. (1)
Business Continuity Controls
Emergency plan and disaster recovery procedures:
o Establish procedures in respect of procedures and responsibilities in case of
a disaster.
o Prepare a list of files and data to be recovered in the case of a disaster.
o Provide alternative processing facilities.
o Plan, document and test the disaster recovery plan.
MAX (3)
o Backup data files regularly on a rotational basis.
o Perform on-line or real-time backups.
o Store copies of backup files on separate premises.
o Have hardware backup facilities.
o Store backups in a fireproof safe.
o Policies around retention of files or records
MAX (4)
Other controls:
o Adequate insurance.
o No over-reliance on staff.
o Virus protection controls
o Physical security measures
o Cable protection.

MAX (2)


Logical Access Controls

o Terminal identification numbers (TINS)
o Limited to one workstation log on
o Simultaneous login prohibited

MAX (2)

Program Libraries:
o Access to backup programmes controlled by access software
o Passwords
o Updating must be authorized
MAX (2)
o Stored separately
o Use logged and reviewed
MAX (1)
Africhem has a fully computerized environment which will have the following influence on the
audit strategy for 2010:
Obtain a thorough understanding of the client's internal control and information
systems environment
A combined audit approach should be considered due to the following:
o Complex computer system
o High volume of transactions
o Less hard copy evidence available
o Transactions are generated automatically
Combined audit approach could only be used when reliance can be placed on the
company's internal controls
If reliance cannot be placed on the internal controls more extensive substantive
procedures will have to be performed.
Following a combined audit approach (if reliance can be placed on controls) will
o Testing the general computer controls
o Testing the application controls
o Above can be performed by auditing through the computer
o Performing limited substantive procedures
o Above can be performed by auditing with the computer
o Controls will be tested throughout the period of reliance
Effective functioning of general computer controls is a pre-requisite for the effective
functioning of application controls.
Consider the use of CAATS in performing audit procedures.
Consider the use of experts.


The treatment of the pending litigation is satisfactory, no adjustment (provision) to
the financial statements need be made as the outcome of the case is unknown,
and damages cannot be reasonably quantified.
However the wording of the note (disclosure) is inaccurate and inadequate and
appears to be an attempt to play down the matter especially in view of the directors'
intention not to make any reference to the closure of the branch.
Therefore an uncertainty exists which has not been adequately disclosed. (1)
This represents a disagreement on inadequate disclosure of the matter.
The disagreement is material to the fair presentation of the AFS, but not pervasive.
A qualified audit report will be required.
This matter should at least be disclosed as the financial statements should deal with
every fact or circumstance material to the appreciation of the state of the company's
affairs. (AFS should present fairly)
It is also possible that losses may arise out of the temporary closure of the branch
(penalties, labour disputes).
In addition at period end there is uncertainty about the future of the branch (could
be permanently closed down). This is vital information for the users.
There is no need to treat this as a closure of a division as there has been no
implementation of a permanent closure or other known costs.
Therefore a disagreement exists on the failure to disclose the matter.
The matter is material to the fair presentation of the AFS, but not pervasive. (1)
A qualified audit report will be required.



(50 MARKS)

You have recently been promoted to manager in the computer audit division of RGL
Incorporated (hereafter RGL), a well-established medium-sized audit firm situated in
Sandton, Johannesburg. RGL is part of a global organisation of independent professional
service firms, united by a common desire to provide the highest quality of services to their
RGL has grown steadily since its inception on 1 March 1982. The RGL network is a medium-sized professional services organisation. This growth has been attained primarily through a
reputation of giving sound professional advice and formulating trusted confidential business
relationships. RGL has a broad-based clientele which includes local and national clients, as
well as international clients of both a personal and corporate nature. One of their clients is
LaVee (Pty) Ltd (hereafter LaVee), a medium sized company in the domestic foods market.
The company has a 30 June period end and this year will be the first year that RGL has held
the appointment as auditor.
LaVee has a number of food production facilities spread around Gauteng with the head
office situated in Isando. The company has fully integrated computerised financial
accounting and management reporting systems which were developed some years ago. The
systems were developed in-house to ensure that the complex procedures and controls
required by the directors of LaVee could be incorporated. Most of the data processing takes
place at a data processing centre at the head office. The production facilities all have on-line
terminals linking them to head office and other branches which allows for real time
processing of certain applications.
Unfortunately things at LaVee did not get off to a great start. The senior manager on the
audit, Sechaba Mooi, has (like most of the other staff members) little experience in
computers and believes that auditing around the computer is perfectly adequate. The
planning meeting for the 30 June audit, in fact turned out to be Sechaba Mooi simply
issuing instructions to the audit team, with no mention of LaVee's computerisation being
made at all.
On challenging Sechaba on this, he responded:
"This firm adheres to the planning statement ISA 300 in developing the overall audit strategy.
This statement does not even mention the word 'computers', which suggests to me that
auditing around the computer is a perfectly adequate approach to the audit."
Accounts receivable
Your concern regarding the approach was further justified when the third year audit clerk on
the audit, approached you to assist him with auditing accounts receivable around the
computer. He gathered the following information for the period end audit:
                                             June 2010      June 2011
Accounts receivable balance                  R 2 546 215    R 3 765 935
Accounts receivable days                     65 days        84 days
Accounts receivable as % of current assets
Number of accounts receivable

All customers are supplied with a hardcover copy of the product catalogue from which they
can select the goods to be purchased from the company. Orders must be placed by phoning
the company's toll-free number. Calls are automatically directed to one of four clerks who
enter the order directly into the system.
In June 2011 RGL's computer division conducted an evaluation, including tests of controls on
the revenue and receipts cycle, and found that the information produced by the system was
valid, accurate and complete.
The accounts receivable department is headed by Zama Zamini, the credit manager, and is
staffed by three debtors clerks. Zama reports to Joan Richardson, the financial manager.
The accounts receivable master file contains the following fields:
Account Number
MashDee (Pty) Ltd
Address and contact details: 7 Sgodi Ave, Orlando 2106, 082 123 6920
Date account opened: July 2005
Total owed: R 35 001.90
Ageing of total amount owed: 30 days, 60 days, 90 days, 120 days and over
Credit limit: R 36 000
Credit terms: 60 days
Account status (which remains blank
regarding status is entered): Handed over to attorneys


To ascertain the allowance for credit losses at year end, a percentage of the amount
appearing in each of the aged fields is determined. The amounts are then added together.
These percentages are:
30 days 3%
60 days 7%
90 days 20%
120 days and over 30%
As in the past, Joan is quite prepared to allow you to interrogate the accounts receivable master
file using RGL's generalised audit software and you intend to do so.
Possible expansion
During a casual conversation in the corridors of LaVee, Joan mentioned to you that they
(LaVee) are considering taking advantage of the business opportunities presented by
E-commerce, which she briefly explained as the buying and selling of products or services over
electronic systems such as the Internet and other computer networks. She has indicated to
you that she has done a detailed analysis regarding all the benefits E-commerce presents to
LaVee but is still not sure of what the disadvantages or more in particular, the risks are of
conducting business via the internet.



a) Discuss whether Sechaba Mooi's decision to audit LaVee using the around the
computer approach is sound.
b) Briefly describe the disadvantages of the other two approaches.


For the remainder of the questions assume a different approach was adopted to that
suggested by Sechaba.
c) Describe the application controls that you would expect to find in place to ensure that all
orders taken from customers are valid, accurate and complete
d) Identify the information which you would extract from the accounts receivable master file
to assist you in the audit of the allowance for credit losses. Describe how you would use
the information. Do not give audit procedures.
e) Assist Joan in setting out the risks of conducting business over the internet.


Presentation (2)




a) Sechaba Mooi's decision to audit LaVee using the around the computer approach
Sechaba's decision to audit around the computer is not sound because: (1)
The approach is only suitable where
o The system is simple; LaVee's system is however:
Is an integrated financial accounting and management reporting
Has a central processing department and a series of on line links to its
production facilities. Its system is therefore complex, not simple.
It is also unsound to ignore the power of the computer in conducting an audit.
It is also unlikely that RGL will attain a cost effective audit using this approach.
To use this approach no significant controls should be built into the system. LaVee's
system is complex and includes significant controls in the system which realistically
cannot be ignored by the auditor of LaVee
A clear audit trail must exist to use this approach: Whilst this may be the case in
LaVee's case, this alone cannot facilitate the use of around the computer approach.
The company has widespread branches, which could be indicative of
a higher volume of transactions. Because of this, an around the computer approach
is also not sound.
The adoption of the approach is not consistent with the firm's policy/intention to
adhere to the auditing standard ISA 300.
o The understanding of the entity cannot be adequately completed without
obtaining a thorough understanding of LaVee's computerisation. (1)
o ISA 315 requires that the client's internal control be thoroughly understood so
that the risk of material misstatement can be addressed.
o If this is not done the audit strategy and plan will not reduce the level of
audit risk to an acceptable level.
The decision to audit around the computer cannot be justified on the grounds that the
manager (and the firm) have limited skills in computer audit; if the firm does not
have the skills to perform the audit they should have declined the audit or have
obtained the skills of a computer auditor.


b) Briefly describe the disadvantages of the other two approaches.

Audit through the computer
o Approach requires auditor to have a high level of computer knowledge
o The auditor is required to take stricter precautions due to potential
corruption of client's data.
o A high level of client co-operation is required which could in turn affect
o The approach only tests operation of controls as at a certain point in
Audit with the computer
o Auditor must have a reasonably high level of computer expertise.
o The audit team requires training to use this approach as it involves
making use of the computer to obtain sufficient audit evidence
o Cost of audit hardware and software is relatively high.
c) Application controls to ensure that all orders taken from customers are valid,
accurate and complete
Write access to the order module of the sales application should be
restricted through the use of user profiles, user IDs and passwords (1)
Access to the order module should be restricted to the terminals in the order
department and the credit manager's terminal
Order clerks should have read only access to the debtors master file (not
necessarily all fields) and the inventory master file (this enables them to
check inventory availability)
On phoning in an order, the customer must supply a valid account number
which is entered by the order clerk. This number will be validated against the
debtors master file and if it does not match no further progress can be made.
On entry of a valid account number the customer's other details should
appear on screen and the order clerk will ask the customer to supply details.
Once the order has been entered, the system should:
o Perform an inventory availability check and if the inventory is not
available the customer should be asked whether they would like to
order something else or be placed on back order, and
o cost the order and automatically compare it to the amount of credit
available on the customer's account.
Customer should be referred to the credit manager if:
o The order clerk has doubts regarding the validity of the customer e.g.
cannot supply details accurately, and
o On entering the account number, the order clerk is alerted to a
problem with the customer's account e.g. insufficient credit or non-payment

Only the credit manager should have write access to remove a hold on the
customer's account.
Programmed mandatory fields should be installed which enhance the validity
of the order, e.g. customer order number/name of buyer and date.
All telephone conversations should be recorded/information confirmed with
All orders should be logged.
Completeness and Accuracy
Screen should be formatted to promote accurate and complete capture, e.g.
as an internal sales order.
Screen dialogue should be available to guide order clerk e.g. screen prompts
Programme checks should be done e.g.
o Alphanumeric check on the account number entered
o Limit checks on the credit available balance versus the amount
requested for new goods
o Mandatory fields such as account number,
goods purchased, stock code, etc.
All orders should be automatically sequenced.
Clerks should ask client to repeat order and compare this to the input screen
prior to proceeding with processing
Sequence testing should be performed by the system on all orders, and an
exception report should be printed for all gaps in the sequence.
o This should be followed up by Zama Zamini
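The programmed checks listed in part (c) can be shown working together. The following is an added example, not part of the original solution: an order-entry routine that applies the mandatory field, alphanumeric, master file, hold, inventory and credit limit checks, plus the sequence exception report. The account number format, field names and stock items are constructed assumptions; the credit limit and balance are the MashDee (Pty) Ltd figures from the question.

```python
"""Order-entry edit checks and a sequence exception report (sketch).
Master file extracts below are constructed sample data."""
import re
from decimal import Decimal

ACCOUNT_RE = re.compile(r"[A-Z]{3}\d{4}")   # assumed account number format
MANDATORY = ("account", "buyer", "order_date", "stock_code", "quantity")

DEBTORS = {   # read-only view of the debtors master file
    "MAS0001": {"balance": Decimal("35001.90"),
                "credit_limit": Decimal("36000.00"), "on_hold": False},
    "KHU0002": {"balance": Decimal("1200.00"),
                "credit_limit": Decimal("20000.00"), "on_hold": True},
}
INVENTORY = {  # read-only view of the inventory master file
    "BIS-100": {"price": Decimal("45.00"), "on_hand": 500},
    "JAM-220": {"price": Decimal("30.00"), "on_hand": 0},
}


def check_order(order, debtors=DEBTORS, inventory=INVENTORY):
    """Return (decision, reason). Decisions: ACCEPT, REJECT, BACK_ORDER,
    or REFER (to the credit manager)."""
    # Mandatory field check: nothing is processed on incomplete input.
    missing = [f for f in MANDATORY if order.get(f) in (None, "")]
    if missing:
        return "REJECT", "missing mandatory field(s): " + ", ".join(missing)
    # Alphanumeric and field size check on the account number.
    if not ACCOUNT_RE.fullmatch(str(order["account"])):
        return "REJECT", "account number fails format check"
    # Validation against the debtors master file.
    debtor = debtors.get(order["account"])
    if debtor is None:
        return "REJECT", "account not on debtors master file"
    # Only the credit manager may release a hold.
    if debtor["on_hold"]:
        return "REFER", "account on hold"
    item = inventory.get(order["stock_code"])
    if item is None:
        return "REJECT", "unknown stock code"
    qty = order["quantity"]
    if not isinstance(qty, int) or qty <= 0:
        return "REJECT", "quantity must be a positive whole number"
    # Inventory availability check.
    if item["on_hand"] < qty:
        return "BACK_ORDER", "insufficient stock on hand"
    # Limit check: cost the order and compare it to available credit.
    cost = item["price"] * qty
    available = debtor["credit_limit"] - debtor["balance"]
    if cost > available:
        return "REFER", f"order value {cost} exceeds available credit {available}"
    return "ACCEPT", f"order value {cost}"


def sequence_exceptions(order_numbers):
    """Report gaps and duplicates in the automatic order number sequence."""
    seen, duplicates = set(), set()
    for n in order_numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    if not seen:
        return {"gaps": [], "duplicates": []}
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    return {"gaps": gaps, "duplicates": sorted(duplicates)}


if __name__ == "__main__":
    base = {"account": "MAS0001", "buyer": "T Dube",
            "order_date": "2011-06-20", "stock_code": "BIS-100"}
    for qty in (10, 30):
        print(qty, check_order({**base, "quantity": qty}))
    print(sequence_exceptions([5001, 5002, 5004, 5004, 5007]))
```
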
d) Extract from the accounts receivable master file to assist you in the audit of the
allowance for credit losses.
Extract printouts of:
A small random sample of debtors which reflects the aging of the amount owed
by the debtor.
Use: This would be used as a basis for checking the accuracy of the aging
(by tracing to source documents). Accurate aging is necessary as the
allowance is based on the aging fields.
All debtors:
o Where the balance owed exceeds the credit limit
o Where aging fields indicates that the debtor has exceeded his credit
Use: Each of these debtors would be discussed with Zama to obtain an
explanation of why the credit limits/terms have been exceeded and whether it
is an indication that the full amount will not be received from the debtor.
All the debtors for whom there is an entry in the status field
Use: From this list all debtors with a status problem which may affect the
collectability of the debt would be identified. Supporting documentation (e.g.
correspondence with attorneys, letters to the debtor) would be reviewed and
discussed with Zama.
Use the firm's software to reperform the casts and extract the totals of all numeric
fields on the master file.
Use: These totals would be used to recalculate the allowance using
prescribed percentages, e.g. 3% of the 30 days outstanding balance


Use totals to compare July 2010 amounts to July 2009 to determine whether
the debtors book is getting older. e.g. a greater percentage of debt is in the
120 days and over column.
e) Assist Joan in setting out the risks of conducting business over the internet.
Lack of privacy of information
Unauthorised access to credit card information whilst being transmitted
Unauthorised access to credit card information once it arrives at the supplier
Dealing with a supplier without integrity, resulting in non-delivery
Hardware failure resulting in immediate loss of revenue
Software failure resulting in immediate loss of revenue
No legal certainty, in cases of non-payment or non-delivery, as to who the
responsible person/party would be (in which country and under what law does
the aggrieved party sue?)
Lack of visible audit trail (hard copies of documents)
Exposure to viruses
Possible data corruption
Loss of business: buyers not connected to the internet
Competitors gain access to product information
International tax liabilities
Potential copyright liabilities
Information not updated regularly, resulting in loss of income
Lack of innovation and continuous improvement, resulting in loss of competitive advantage.
Presentation: Logic (1)
Layout (1)


QUESTION 9 Graded Questions 14.16



1. There is too great a concentration of power in Sarah de Wet

Peter Preemar must play a far more extensive role in the business; he
appears to have the time but not the inclination. There are a number of
simple things that he could do to minimise the risk (e.g. theft, fraud) of
the lack of division of duties.
o he could control blank stationery himself.
o he and the receptionist/typist could be solely responsible for the
opening and recording of mail
o he could engage our firm to perform the monthly bank reconciliation
(and go through it with him each
o he must become the second cheque signatory (Marie must have her
authority removed) and he must insist on seeing all supporting
documentation for all cheque


Peter Preemar should approve (by signing form in 2.1) all masterfile

o She can initiate transactions
o Enters them into the system
o Has access to blank stationery (she sets up the
o Is able to make masterfile amendments (see 2 below)
o is responsible for incompatible functions e.g. paying creditors and
reconciling the cash book (appears to have signing


Sarah de Wet is able to make unauthorised masterfile

In addition as software is menu driven, masterfile amendments are
easily effected. This makes files susceptible to manipulation e.g. the
inventory masterfile could be manipulated by inventory clerks through
the terminal in manufacturing to cover losses/theft.






Masterfile amendments should be entered onto preprinted sequentially
numbered forms.
The processing of masterfile amendments should be restricted to
Sarah de Wet and her terminal.
Prenumbered printouts of masterfile amendments processed should be
reviewed by Peter Preemar
authority (validity)
In addition, frequent comparisons between the records and physical
assets should take place e.g. inventory counts, wages and

Note: A more effective (but more costly) control may be for our firm to
perform the masterfile amendment review (for all masterfiles) say once a





The presence of Marie de Wet (Sarah's sister) in the accounting
department increases the risk of collusion. Virtually the entire
accounting function is run by the sisters, e.g. Marie will be maintaining
the debtors and creditors ledgers produced by Sarah.
Toybuild (Pty) Ltd is too dependent on Compware CC.
o There is a high incidence of small computerware companies going out
of business.
o They hold all of the systems documentation for the software they
o Possibly they do not have the necessary skills, resources to service
Toybuild adequately (see 9


There is insufficient control over terminals and servers.
o terminals appear to be allocated on a general use basis.
o Access to terminals does not seem to be protected.
o the main server is placed in Peter Preemar's office.

Marie de Wet should be transferred out of the accounting department to
an administrative position in the manufacturing administration

her signing powers should be taken away.
A knowledgeable independent third party should be introduced, in this
case our computer services
All program changes systems development should be made in conjunction
with our computer services department.
A full set of systems documentation should be supplied and lodged with
our firm.
(Note 5.1 and 5.2 would protect Toybuild (Pty) Ltd against the failure of
Compware CC and any lack of skill, competence, resources they may
All of the terminals should be allocated to specific staff members who
will be accountable therefore.


Some form of practical physical protection should be introduced e.g.
terminals secured to desks, located in lockable offices, visible to all etc.

Unless Peter Preemar's office is subject to tight security (unlikely!)
the main server should be in a secured area (even a walk-in safe) to
protect it from wilful damage.


Proper logical access controls should be introduced.
o only staff who require access should be given access and only to the
extent required to carry out their jobs (least privilege principle, no
access, read-only, read and write.)
o this principle must be implemented

Access/systems security

There is insufficient control over access to files
o Passwords do not appear to be in
o Interrogation of files through the terminals can be effected by simple

by the use of user IDs, user profiles and passwords.

o any application can be accessed from any terminal.

passwords should be subject to sound password controls
*unique, 6 digit, alphanumeric mix
*not listed or visible on screen
*kept confidential
*chosen by employee (effected by the software)
*changed regularly
there should be terminal identification and authentication controls
access to the different applications should be restricted to only those
terminals that are authorised to access the application in question e.g.
factory terminals have no access to sales/debtors

Continuity of operations

Back up is inadequate. Sarah will back up files "at her discretion".
This may result in the company losing important accounting

No disaster recovery plans have been made.
o It is not in the service offered by Compware CC.
o Peter Preemar and Sarah de Wet, being untrained, will know nothing of
this requirement.


A disaster recovery arrangement should be made with our computer
services department.

He must get involved as indicated in 1, and it must be explained to him
why he has to be involved. (If he doesn't want to, he must appoint a
senior person to the company.)

Back up of files should be regular, thorough and planned, Peter
Preemar should ensure that this is
Backups should be secured in (at least) fire proof lockable locations.

Control environment

Peter Preemar's lack of interest in accounting matters will have to
10.1 He is the most senior staff member and must lead by example
especially where the accounting function has poor division of duties.


Conversion (part of system

The proposed simultaneous conversion of all accounting records could
cause, inter alia, the destruction or muddling of data especially if it is
carried out by Peter Preemar and Sarah de Wet.

The help of our computer services department should be sought to
ensure that the conversion is dealt with as a proper conversion project.
o proper existing data
o proper selection of data conversion method e.g. phasing in
o control over preparation and entry of existing data onto the system and
o proper post-implementation

QUESTION 10 Graded Questions on Auditing 2011: 14.24


Batch controls


When Maria Mathews removes the order from the order book she should
o perform a sequence check, noting the sequence of numbers e.g. 3327 to
3391, and count the documents.
o enter the sequence numbers and number of documents received from
each of the representatives in a suitably designed register e.g. date,
name, etc. This will ensure that the orders from all of the 15
representatives are accounted for each week.
o require that the sales representative sign the schedule to acknowledge
the details that have been recorded.


Maria Mathews should then check the last number in the sequence of orders
presented by each sales representative the previous week to ensure there is no
gap in sequence. (Note: this procedure could also be done by the computer at a
later stage.)


Maria Mathews should perform tests on the orders, ensuring that they have been
correctly and accurately completed, initialing the orders to acknowledge her


She should then divide the orders into workable batches (by sales representative
would probably be the most practical) and for each batch, complete a pre-printed
sequenced batch control sheet by entering:
o a unique batch number and batch identification e.g. batch 10 of 15, week
ending Friday 3 July, orders
o control totals
  o Document count
  o Hash total, e.g. total quantity of items ordered


Maria Mathews should then enter the identification details and control totals into
a batch register and sign it.


Nicholas Zondi should count the number of batches he receives from Maria
Mathews and acknowledge receipt of the batches by signing the batch register.


Nicholas Zondi should key in the details and control totals of each batch (before
entering the date of the individual orders) to create a batch header label.


The data off each order should be keyed in (subjected to validation checks, see
below) and the computer should calculate the same control total but based upon
what has been keyed in e.g. document count.


The computer generated totals should then be compared to the totals on the
header label; where there are discrepancies, the batch should be rejected and
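
The header-versus-keyed-data comparison described above, together with the sequence gap check, as an added example that is not part of the original solution. The class and function names are hypothetical and the batch data is constructed.

```python
# Batch control reconciliation: hypothetical names, constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    number: int     # pre-printed order number
    quantity: int   # total quantity of items on the order


@dataclass(frozen=True)
class BatchHeader:
    batch_id: str
    first_no: int        # sequence range noted when the orders were removed
    last_no: int
    document_count: int  # control total from the batch control sheet
    hash_total: int      # e.g. total quantity of items ordered


def sequence_gaps(numbers, first_no, last_no):
    """Order numbers inside the declared range that were never keyed in."""
    return sorted(set(range(first_no, last_no + 1)) - set(numbers))


def reconcile(header, keyed):
    """Recompute the control totals from keyed data; return discrepancies."""
    problems = []
    numbers = [o.number for o in keyed]
    if len(keyed) != header.document_count:
        problems.append(f"document count {len(keyed)} != {header.document_count}")
    hash_total = sum(o.quantity for o in keyed)
    if hash_total != header.hash_total:
        problems.append(f"hash total {hash_total} != {header.hash_total}")
    if len(set(numbers)) != len(numbers):
        problems.append("duplicate order number keyed")
    outside = [n for n in numbers if not header.first_no <= n <= header.last_no]
    if outside:
        problems.append(f"order numbers outside batch range: {outside}")
    gaps = sequence_gaps(numbers, header.first_no, header.last_no)
    if gaps:
        problems.append(f"gaps in sequence: {gaps}")
    return problems  # an empty list means the batch may be accepted


# Constructed example: header says 5 documents, 3327-3331, hash total 62.
HEADER = BatchHeader("10 of 15", 3327, 3331, 5, 62)
GOOD = [Order(3327, 10), Order(3328, 12), Order(3329, 20), Order(3330, 5), Order(3331, 15)]
# Order 3329 was skipped and one quantity was mis-keyed (12 entered as 21).
BAD = [Order(3327, 10), Order(3328, 21), Order(3330, 5), Order(3331, 15)]
```

A document count alone would miss a mis-keyed quantity, and a hash total alone would miss two offsetting errors, which is why the batch control sheet carries both.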

Data entry access control (invalid order entry)


Simple physical access controls to the terminals used by Nicholas Zondi should be
in place as appropriate, e.g. terminal lock.


Access to the revenue application should be restricted to only the terminals of
those employees who need access to the application to fulfill their functional

Once access to the revenue application has been obtained through an
authorised terminal, access to specific modules within the application should be
restricted to specified individuals (least privilege) by the use of user identification,
passwords and access tables, e.g. Nicholas Zondi would have access to the
create picking slip module but not to the debtors masterfile amendments


There should be a full range of password controls e.g.
o no group passwords i.e. Nicholas Zondi has his own
o changed regularly, not obvious,
o not displayed or listed anywhere, kept confidential.


There should be terminal time out and automatic shutdown in the face of access
these should be logged and frequently reviewed by IT.

Data entry program checks and screen aids


Once the create picking slip module has been accessed, the screen should be
formatted in such a manner
o that it resembles the hard copy picking slip which will be produced and
o it facilitates the easy capture of data off the order (accuracy)

The program should require the minimum keying in of data off the order form,
o entry of the inventory code should bring up the description and price
o entry of the account number should bring up the customer's details.
(Nicholas Zondi should only have to key in account number, order
number, inventory item, quantity ordered and the sales representatives


There should be mandatory field checks; in this case all fields are important and
Nicholas Zondi should not be able to proceed to the next order until he has
entered data in all fields.


There should also be appropriate screen dialogue and prompts e.g. before
Nicholas Zondi moves to the next order he should be asked if all items on the
order have been correctly entered?


There should be program checks e.g.
o verification check: the customer account number is validated against the
debtors masterfile
o alpha numeric check e.g. only numerics in the quantity field
o range or limit check on quantity field
o sequence check on order numbers (within a batch).
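
The mandatory field and program checks listed above, applied to one keyed order, as an added example that is not part of the original solution. The field names, the masterfile extract and the quantity limit of 500 are assumptions made for illustration.

```python
# Order-entry program checks: hypothetical field names, constructed masterfile.

# Constructed debtors masterfile extract: account number -> customer name.
DEBTORS_MASTERFILE = {"D1001": "Constructed Customer A", "D1002": "Constructed Customer B"}
MANDATORY = ("account_no", "order_no", "inventory_code", "quantity", "rep_code")
MAX_QUANTITY = 500  # assumed reasonableness limit for one order line


def validate_order(fields, previous_order_no=None):
    """Return the list of failed checks for one keyed order (empty = accept)."""
    errors = []
    # Mandatory field check: the clerk cannot proceed with any field empty.
    missing = [name for name in MANDATORY if not str(fields.get(name, "")).strip()]
    if missing:
        return [f"mandatory field missing: {name}" for name in missing]
    # Verification check: account number must exist on the debtors masterfile.
    if fields["account_no"] not in DEBTORS_MASTERFILE:
        errors.append("account number not on debtors masterfile")
    # Alphanumeric check: only numerics in the quantity and order number fields.
    for name in ("quantity", "order_no"):
        if not (fields[name].isascii() and fields[name].isdigit()):
            errors.append(f"{name} must be numeric")
    if errors:
        return errors  # the numeric comparisons below need clean input
    # Range or limit check on the quantity field.
    if not 1 <= int(fields["quantity"]) <= MAX_QUANTITY:
        errors.append(f"quantity outside 1..{MAX_QUANTITY}")
    # Sequence check within the batch: the number must follow the previous order.
    if previous_order_no is not None and int(fields["order_no"]) != previous_order_no + 1:
        errors.append("order number out of sequence")
    return errors
```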


When the sales representatives return to the office on a Friday they
should be given an up to date printout which lists each customer they will
visit in the following week:
o balance owing
o credit limit and
o available credit


Before accepting an order, the sales representative should work out the
value of the order and compare it to the available balance. If the
available balance is exceeded the order should be reduced/tailored to fall
within the available credit, and the matter discussed with the customer
o where the order cannot be tailored/reduced to fall within the
available credit, application should be made to Rishi Patel to
increase the credit limit before the order is finalised. Rishi Patel
should only increase the credit limit after conducting thorough
creditworthiness checks.


In addition, the application software should be enhanced by introducing a
control which identifies situations where a sale which pushes the debtor
beyond his limit will be identified before the picking slip is printed.
o when the order is entered by Nicholas Zondi the computer should
calculate the value of the sale, add it to the balance on the debtor's
account and compare it to the credit limit.
o if the credit limit is exceeded, a hold should be placed on the
printing of the picking slip.
o this hold can either be overridden by Rishi Patel (only) or the
details of the order written to a file for follow up and only acted
upon (picking slip printed) once the matter has been
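
The credit-limit hold described above, as an added example that is not part of the original solution. The user IDs, prices and balances are constructed, and the in-memory lists stand in for the follow-up file and the override log.

```python
# Credit-limit hold before the picking slip prints: hypothetical names, constructed data.
from decimal import Decimal

CREDIT_MANAGER = "rishi.patel"  # assumed user ID of the only user allowed to override
FOLLOW_UP = []                  # stands in for the follow-up file of held orders
OVERRIDE_LOG = []               # every override is recorded for later review


def order_value(lines, prices):
    """Value of the sale, computed by the system from masterfile prices."""
    return sum(prices[code] * qty for code, qty in lines)


def release_picking_slip(order_no, debtor, lines, prices, override_by=None):
    """Return True if the picking slip may print, False if the order is held.

    override_by is assumed to come from the authenticated session, never
    from a field the order clerk can type into.
    """
    value = order_value(lines, prices)
    exposure = debtor["balance"] + value
    if exposure <= debtor["credit_limit"]:
        return True
    if override_by == CREDIT_MANAGER:
        OVERRIDE_LOG.append((order_no, override_by, exposure))
        return True
    # Limit exceeded and no valid override: hold and write to the follow-up file.
    FOLLOW_UP.append({"order_no": order_no, "value": value, "exposure": exposure,
                      "credit_limit": debtor["credit_limit"]})
    return False


# Constructed data.
PRICES = {"INV-7": Decimal("150.00"), "INV-9": Decimal("40.00")}
DEBTOR = {"balance": Decimal("8200.00"), "credit_limit": Decimal("10000.00")}
```

Because the value is calculated from masterfile prices rather than keyed in, the clerk cannot understate an order to slip under the limit.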


Changes to credit limits should only be made after the customer's
payment performance has been evaluated by Rishi Patel and the change
agreed with the financial manager.

All changes should be recorded on a (preprinted sequenced) masterfile
amendment form, cross referenced to any supporting documentation and
signed by Rishi Patel and the financial manager.



Write access to the masterfile amendment module of the revenue and
receipts application should be restricted to Rishi Patel's section
o terminal identification
o user identification, passwords

All masterfile amendments should be sequentially logged by the



Rishi Patel and the financial manager should review the log, tracing from
the log to the supporting documentation.