Question

Stan is an auditor for Cartman & Kenny, CPA. He has recently been assigned to a new private client called Southpark Services, a provider of Web management services. Southpark has clients throughout the United States. The company manages the clients’ Web sites, keeping them up to date, resolving problems, and doing any other programming or troubleshooting that their clients need.

The two Southpark owners are hands-on managers. They, along with three other employees, provide the Web site management services for their clients. Although they don’t have access to their clients’ books or bank accounts, they have the ability to alter the Web site, and any data that flows through the Web site before it goes to the company or the customer. Southpark has one office manager with an undergraduate accounting degree and one full-time bookkeeper.

In discussions with management, Stan learns that Southpark Services “doesn’t bother” to maintain any processes specifically directed toward good internal controls. When Stan asked why, management replied, “internal control is too expensive for us, and since we are not a public company and Section 404 does not apply to us, we don’t see any value internal control can offer our management.”

Required:

(a) Develop a list of concerns that Southpark’s clients might have based on management’s attitude. Classify those concerns into two lists—concerns that affect the business and concerns that might affect their productive output, and thus the client’s business operations. Some of the concerns you identify might end up on both lists.

(b) Suggest processes and controls that Southpark can implement to limit the risk of the items you listed in (a).

(c) How would Stan examine or test each of the processes and controls you list in (b)?

Answer 1

a.Cartman & Kenny Business practices concerns:
The most obvious concern is the lack of separation of duties between management and employee at C & K. The second concern is: how can a firm audit its own work? A third concern is the total lack of general controls over web design and access.

Clients’ concerns:
The lack of separation of duties at the audit firm; the lack of proper oversight of work performed by C & K; and the total access allowed to C & k personnel by Southpark Services. This is especially problematic if one or more of the managers from C & K becomes unable or unwilling to continue services the client.

b:Procedures to limit the risks cited above:
First, C & K must document all their work. Second, changes should be made to a prototype web site, not the actual, “production” site. Changes can be reviewed and approved by the client before the actual site is updated. Third, C & K personnel should not have access to client data servers or files. Indeed, the servers that house the data should be separate from the server that houses the web site and each server should have appropriate router and firewall controls.

c:How to audit?
First, the auditor should not be from the same firm that provides the service. That said, if this is allowed, then the auditor should report to someone who has no responsibility for maintaining the site. The auditor should review and test access controls; review changes to the web site; obtain a log of transactions in order to form an understanding of transaction origination, approval, and appropriateness; and document any unusual transactions. The auditor should perform detail tests of balances given the poor internal control system, especially over sensitive accounts such as cash and inventory. The auditor should require the client review transactions in detail and provide corroborating evidence for all unusual or unauthorized transactions.