Question

John Exchanging Integrated (JEI), is a subsidiary of Elegance. JEI is a securities trading firm specializing in debt and equity securities transactions mostly traded on the NASDAQ. JEI is listed on NASDAQ. Also, at the request of their customers, JEI will charge a fee to receive or place money transfers from or to accounts all over the world. The minimum fee is $10 for buying or selling stock and $25 for money transfers. The maximum fee is $500,000 for stock transactions and 2% for money transfers. A minimum fee of $100 is also charged for redemptions. To become a customer, simply complete an on-line application and deposit a minimum of $10,000. Customers begin trading immediately. Yong Wei is the CEO of JEI. Yong does not serve on the audit committee of JEI. In January of 2015, Crystal Lee, Director of JEI’s internal audit department, completed an audit of various functions of the company. Part of the audit involved a review of internal controls for the sales, payable and payroll functions including the controls over the authorization of transactions, accounting for transactions, and the protection of assets. The director reported the following issues to Yong Wei:

1. The petty cash custodian confesses to having “borrowed” $9,010 over the last two years. The custodian promises to repay every penny, with interest, as soon as possible.

2. An employee in accounts payable maintains the accounts payable subsidiary ledger.

3. In June of 2015, JEI was notified that their proprietary information would be broadcast on the Internet if they did not pay a $17 million fee. The hacker was caught by the FBI before any damage was done.

4. In November of 2015, JEI customers were notified by e-mail that their accounts had been compromised and were being restricted unless they re-registered using an accompanying hyperlink to a Web page that had JEI’s logo, home page design, and internal links. The form had a place for them to enter their credit card data, ATM PINs, Social Security number, date of birth, and their mother’s maiden name. Due to the diligent efforts of Tommy Lew, JEI customer information was not breach, according to internal sources.

5. When entering a large credit sale, the clerk typed in the customer's account number as 45982 instead of 45892. That account number did not exist. The mistake was not caught until later in the week when the weekly billing process was run. Consequently, the customer was not billed for another week, delaying receipt of payment.

6. A batch of 73 time sheets was sent to the payroll department for weekly processing. Somehow, one of the time sheets did not get processed. The mistake was not caught until payday, when one employee complained about not receiving a paycheck.

7. Attackers broke into the company’s information system through a wireless access point located in one of its trading branches. The wireless access point had been purchased and installed by an office manager without informing central IT or security.

Answer 1

1. Petty cash misappropriation:

Step-A:

Internal control weakness identified:

• The unit does not have the practice of tallying cash as per books and physical cash on daily basis and ensuring the same deposited immediately.
• The company does not have the practice of keeping fixed petty cash amount at the day end and depositing the remaining cash in the bank.

Step-B:

Recommended internal control:

• Petty cash impress fund should be created.
• Petty cash should be replenished only after submission of documents how the petty cash utilized.
• Daily basis the cash in hand and documented received matches the total petty cash fund.

2. Employee in payable maintains accounts payable subsidiary ledger:

   Step-A:

Internal control weakness identified:

• There is no segregation of duties with respect to maintenance of accounts payable ledger.
• The person who is having access to subsidiary ledgers should not be having access to his account payable subsidiary ledger.
• Further it will lead to entering of mere book entries without actual transaction in his personal ledger.

Step-B:

Recommended internal control:

• The person who maintains the accounts payable subsidiary ledger should not give access to his personal accounts ledger.
• The updating of his account should be done by some higher authority to control the fraud transactions that can take place in the ledger.

3. Identification of hackers:

Internal control strengths noted:

• The company having strong internal controls to ensure identification of any outsiders calls that will lead to bad reputation to company.
• Further the management maintains proper controls that should not reveal confidential proprietary information.

4. Identification of mails sent by unauthorized personnel.

Internal control strength identified:

• The company having strong internal controls to find the mails send by unauthorized personnel to his customers believing as the same was sent by the company.
• This type of hacking will lead to leakage of confidential information of the customers by way of sending spam mails.

5. Wrong posting to another account number:

Step-A:

Internal control weakness identified:

• There is no control exist to notify any posting to wrong account number.
• Further there is no control that will not allow the posting to account number that is not in existence.
• The unit does not have the reconcile daily basis to ensure all the credit sales has been booked to correct account.

Step-B:

Recommended internal control:

• The unit should implement strong internal controls to identify the posting or billing to wrong account numbers or otherwise it should not allow to post to the account number that was not in existence.
• Further on daily basis unit should cross check the billing and customers to whom we billed.

6. Payroll processing:

Step-A:

Internal control weakness identified:

• The unit does not have the controls like count checking to ensure all the pages has been processed.
• The unit should send serially numbered payroll sheets to ensure all the payroll sheets received and properly updated all the employee’s salary details as per the list.

Step-B:

Recommended internal control:

• The company should implement count or head controls to ensure all the employee has been reported in payroll sheets has been uploaded in the system.
• Any difference of count between the payroll sheets and payroll processed list should have reflected in the audit log.

7. Intruder in the company’s information systems:

  Internal control weakness identified and recommended controls:

• The procurement of IT information system should be done by central purchase committee and the vendor from whom we are buying should be appropriately evaluated in all securities aspects.
• Further the wireless information systems installed in branches should be properly secured through security passwords.
• The company should put restriction on procurement of IT information systems by the branches without authorization of central IT department.