Question

Identify which IT Application Controls would best mitigate the threats outlined. Expand upon your answer to analyze the relationship among risk/opportunity/control. Also consider how these scenarios could be detected by an audit internal or external.

Which types of input controls would mitigate the following threats?

1. Posting the amount of a sale to a customer account that does not exist.
2. A Customer entering too many characters into the five-digit zip code while making an online purchase, causing the server to crash.
3. An intern’s pay rate was entered as $150 per hour, not $15 per hour.
4. Approving a customer order without the customer’s address so the order was not shipped on time.
5. Entering the contract number of a critical contract as 13688 instead of 16388, which is a serious mistake for the company.

Answer 1

A. Posting to customer account that does not exist-

Preventive control prohibiting creation of customer account without approval based on the ALM.

Detective control- sending customer confirmation at period end to confirm transactions and closing balance

Preventive control- Requiring approved customer agreement at the time of entering the sales and requiring approver's name from Company to be selected so that a mail gets triggered to the approver intimating about the transaction. Approver to either confirm or refute the transaction.

B. A Customer entering too many characters

Preventive control- Allow only numeric inputs in Pin Code

C. Intern's pay rate-

Preventive control- Requiring to select one of the 3/4 standard pay rate

Detective- Performing Month to Month Analytics

Detective- Completeness check by multiplying standard rate with the number of intern's

D.  Approving a customer order without the customer’s address so the order was not shipped on time

Preventive- Order cannot be placed without completing mandatory fields and address is one of them

Prevenitve- Mandatory requirement to input Pin Code

E. Entering the contract number of a critical contract as 13688 instead of 16388, which is a serious mistake for the company

Preventive- Maker - Checker seperation so that every input is reviewed and approved before transaction gets accounted