4 (20 Marks) You are a senior on the audit of Rexxon (Pty) Ltd, a medium sized wholesaler of stationery and office supplies. All of the companys financial systems are computerised and you have been asked to assist in the evaluation of the companys general controls. One of the other trainees on the audit has prepared some notes on the companys general controls and has presented these to you. Background Rexxon (Pty) Ltd runs its accounting application on a local area network. Terminals on the network are located on users desks in the various departments (e.g. stores, wage), whilst the network servers are located in a room (referred by staff as the Techno Room) in which other office equipment used by the company is housed e.g. printers, the facsimile machine and the office photocopier. Staff wishing to make use of the fax and photocopier or wishing to collect hardcopy output must go to the Techno Room. Staff enjoy this arrangement as it allows them the opportunity to have a cup of coffee or tea from the drinks machine which is also located in the Techno Room and socialise with other staff members. It also contributes to the relaxed and casual atmosphere at the company which Zak Kruger and other managers try to maintain so that employees enjoy coming to work. Network administrator The companys network is managed and maintained by Dion Reddy, the network administrator and his four assistants. The IT section reports to Zak Kruger, the financial manager. However, Zak Kruger does not get involved (nor does the financial director), leaving all aspects of the companys computer requirements to Dion Reddy and his staff. Dion Reddy has sole responsibility for the purchase of new computer equipment, appointment of computer personnel and, with his staff, also has responsibility for technical problem solving, programme maintenance and password authorisation. Dion Reddy and his staff are technically very knowledgeable but do not know much about accounting systems and related internal controls. 5 DN Access All employees at the company (approximately 80 in total) are given access to the network even though they may not require it to fulfil their functions. For example, warehouse personnel (packers, pickers etc.) can get onto the network via three terminals in the warehouses administration office. These staff only have access to Internet facilities and a selection of computer games resident on the network for all employees to enjoy. To get onto the network an employee can enter his user identification and personal password at any terminal. At this point a menu will appear which lists all of the applications available on the network e.g. wages, inventory control, games etc., and the employee simply clicks on the application he requires. Once access has been gained to the selected application, e.g. the wages application, a menu of the modules within the application is displayed. If an employee wishes to access a module he clicks on the desired module and the computer checks the user profile for that employee before granting (or denying) access. Dion Reddy has implemented the following requirement for personal passwords. They must: Be six digits of which the first three digits must be the first three letters of the department in which the employee works and the last three must be numeric e.g. WAG123 would be an employee in the wages department. Be changed on the 2nd January each year, and Be authorised by Dion Reddy (or one of his staff) to ensure that the same password is not chosen by more than one employee in the same department. If an employee leaves the company his password is given to the new employee (it will only be changed on 2nd January). Dion Reddy is also responsible for creating and maintaining user profiles on the system. If an employee wishes to change any details on his profile, e.g. change a read only access to a read and write access, a written request (on the standard document) signed by the employee must be submitted to Dion Reddy who will then make the change. At the end of every second month Dion Reddys four assistants back up the data files and programmes on all terminals in the accounting department by copying the files onto external hard drives. The external hard drives are labelled and given to Dion Reddy who locks them in a drawer in his desk. REQUIRED Critically evaluate the information provided above and identify the weaknesses in general controls at Rexxon (Pty) Ltd. For each weakness identified provide an explanation of the associated risk/s. Consider only the following general controls: 4.1 Control environment (6 marks) 4.2 Access controls (8 marks) 4.3 Continuity of operations (6 marks)