Question

1. Assume that, when conducting procedures to obtain an understanding of Benson Seed Company's internal controls, you checked “No” to the following internal control questionnaire items:

• Does access to online files require specific passwords to be entered to identify and validate the terminal user?

• Does the user establish control totals prior to submitting data for processing? (Order entry application subsystem.)

• Are input control totals reconciled to output control totals? (Order entry application subsystem.)

Required: Describe the errors and frauds that could occur because of the weaknesses indicated by the lack of IT controls.

2. The following are brief stories of actual employee thefts and embezzlements perpetrated in an IT environment.

a. An accounts payable terminal operator at a subsidiary entity fabricated false invoices from a fictitious vendor and entered them in the parent entity's central accounts payable/cash disbursement system. Five checks totaling $155,000 were issued to the “vendor.”

b. A bank provided custodial and record-keeping services for several mutual funds. A proof-and-control department employee substituted his own name and account number for those of the actual purchasers of some shares. He used the accounting information system to conceal and shift balances from his name and account to names and accounts of the actual investors when he needed to avoid detection because of missing amounts in the investors' accounts.

c. The university's accounting information system was illegally hacked. Vandals changed many students' first names to Susan, student telephone numbers were changed to the number of the university president, grade point averages were modified, and some academic files were completely deleted.

d. A computer operator at a state-run horse race betting agency set the computer clock back three minutes. After the race was completed, he quickly telephoned bets to his girlfriend, an input clerk at the agency, gave her the winning horse and the bet amount, and won every time!

Required: What type of control procedure that might have prevented or detected the fraud was missing or inoperative?

Answer 1

Question 1:

Does access to online files require specific passwords to be entered to identify and validate the terminal user? Unauthorized access may be obtained to programs or data resulting in the loss of assets or other entity resources through theft or fraud.

Does the user establish control totals prior to submitting data for processing? Sales transactions may be lost in data conversion or processing or errors made in data conversion or processing.

Are input totals reconciled to output control totals? Control totals are not useful unless they are reconciled to equivalent totals determined following processing. As a result, audit teams would fail to detect errors made in the input or processing of data.

Question 2:

a.         Identify the type of input controls that should exist in this environment.

·Authorization and data entry (record-keeping) functions appropriately separated.

.Receipt (receiving report) matched or independently coded.

·There is an approved master file of authorized vendors for matching payees to authorized vendors.

·There are range checks or limit or reasonableness tests if the check amounts were large (average of $31,000 in the entity).

b.         In developing test data to evaluate the operating effectiveness of the client’s automated controls, the auditor should have incorporated these error conditions into the test data:

·Separation of employee accounts from investors’ accounts for control group review of activity.

·Failure to log employee investor transfer transactions that would detect this type of manipulation.

c.         In this case, password access controls were not established or operating properly.

d.         In this case, the time in the system was not checked against the actual time.