Week 4 Question 1: "Classify the following control activities as preventive, detective or corrective and explain your reasoning:
(a) Employees have a password to gain access to the system.
(b) When sales are entered, the system retrieves customer details based on the customer number.
(c) A check is performed to identify if all cheques can be accounted for.
(d) Systems development is subject to sign-off by the CIO before it can take place.
(e) Virus definitions are updated daily.
(f) The sales manager must approve all discounts for items sold below their sticker price."
Question 2: "For each of the following risks suggest a control that could be used to reduce it:
(a) Entering negative values for order quantity in a sales order
(b) Selling to a customer with an overdue account
(c) Ordering from a non-existent supplier
(d) Paying for goods that have not been received
(e) Entering an alphanumeric customer ID when the business policy is for numeric customer IDs
(f) Misappropriation of goods by receiving staff, who also maintain inventory records
(g) Ordering too much of a product"
WEEK 4
Question 1 Could you kindly reconsider your reasoning if you have classified the control activities as either detective or corrective?
Question 2 a) Have you considered range restrictions?
b) Would a credit check help? Can a credit hold help address this risk?
c) Would this risk be minimised if the orders were generated from a supplier master list? Would you consider independent maintenance of a supplier master list to be useful?
d) What needs to be matched prior to payment authorisation? Still unsure? Would the matching of the purchase order, receiving report and invoice be sufficient?
e) Would you specify field content as 'alphanumeric' or 'numeric'? (Hint: Please refer to the business policy)
f) Have you considered the likelihood of misappropriation of goods when duties are separated between personnel?
g) Have you thought about the reasonableness test? Would the approval of quantities to be ordered help minimize the risk? Can ordering policies be useful in this scenario?
1. (a) Employees have a password to gain access to the system. : This is an example of an access control that helps keep the system running properly by restricting access to the system by unauthorized users. It is information system wide and not specific to a process or application. This activity is classified as Preventive because this is a form of authentication that allows only duly authorized people access to the system.
(b) When sales are entered, the system retrieves customer details based on the customer number. : This is an example of a control operating as part of data input within the sales process. This activity is classified as Preventive because by retrieving customer details for the operator, it prevents data entry errors and also prevents the operator from making incorrect assumptions about the customer.
(c) A check is performed to identify if all cheques can be accounted for.: This control operates to check the complete and accurate recording of cheques issued as part of making payments. This activity is classified as Detective because this control is only effective if an error or something serious has already occurred. A cheque has to be missing first before this control activity can detect the fact that it is missing.
(d) Systems development is subject to sign-off by the CIO before it can take place.: System development relates to the information system and its ability to continue to operate properly and meet the organization's needs. Such procedures apply across the entire organization and are not specific to a particular process. This activity is classified as Preventive because this control activity prevents unauthorized modifications.
(e) Virus definitions are updated daily.: Virus update procedures relate to the information system and its ability to continue to operate properly and meet the organization's needs. Such procedures apply across the entire organization and are not specific to a particular process. This control activity is Preventive if something is detected and the anti-virus application prevents the virus from doing anything. On the other hand, it is Detective if the virus definition detects the presence of a virus that is already in the system.