Problem #1.
In reviewing the processes, procedures, and internal controls of one of your audit clients, Steeplechase Enterprises, you notice the following practices in place. Steeplechase has recently installed a new computer system that affects the accounts receivable, billing, and shipping records. A specifically identified computer operator has been permanently assigned to each of the functions of accounts receivable, billing, and shipping. Each of these computer operators is assigned the responsibility of running the program for transaction processing, making program changes, and reconciling the computer log. In order to prevent any one operator from having exclusive access to the tapes and documentation, these three computer operators randomly rotate the custody and control tasks every two weeks over the magnetic tapes and the system documentation. Access controls to the computer room consist of magnetic cards and a digital code for each operator. Access to the computer room is not allowed to either the systems analyst or the computer operations supervisor.
The documentation for the EDP system consists of the following: record layouts, program listings, logs, and error listings. Once goods are shipped from one of Steeplechase’s three warehouses, warehouse personnel forward shipping notices to the accounting department. The billing clerk receives the shipping notice and accounts for the manual sequence of the shipping notices. Any missing notices are investigated. The billing clerk also manually enters the price of the item, and prepares daily totals (supported by adding machine tapes) of the units shipped and the amount of sales. The shipping notices and adding machine tapes are sent to the computer department for data entry.
The computer output generated consists of a two-copy invoice and remittance advice and a daily sales register. The invoices and remittance advice are forwarded to the billing clerk, who mails one copy of the invoice and remittance advice to the customer and files the other copy in an open invoice file, which serves as an accounts receivable document. The daily sales register contains the total of units shipped and sales amounts. The computer operator compares the computer-generated totals to the adding machine tapes.
Required:
Identify the control weaknesses present and make a specific recommendation for correcting each of them.
Problem #2. Internal Control
Gustave, CPA, during its preliminary review of the financial statements of Comet, Inc., found a lack of proper segregation of duties between the programming and operating functions. Comet owns its own computing facilities. Gustave, CPA, diligently intensified the internal control study and assessment tasks relating to the computer facilities. Gustave concluded in its final report that sufficient compensating general controls provided reasonable assurance that the internal control objectives were being met.
Required:
What compensating controls are most likely in place?
Problem #3. Physical Security
Avatar Financials, Inc., located on Madison Avenue, New York City, is a company that provides financial advice to individuals and small to mid-sized businesses. Its primary operations are in wealth management and financial advice. Each client has an account where basic personal information is stored on a server within the main office in New York City. The company also keeps the information about the amount of investment of each client on a separate server at its data center in Bethlehem, Pennsylvania. This information includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities.
In the last few years, larger commercial banks have started providing such services and are competing for the same set of customers. Avatar, which prides itself on personal consumer relations, is now trying to set up additional services to keep its current customers. It has recently upgraded its Web site, which formerly only allowed clients to update their personal information. Now clients can access information about their investments, income, and tax liabilities that is stored at the data center in Pennsylvania.
As a result of previous dealings, Avatar has been given free access to use the computer room of an older production plant. The company believes that this location is secure enough and would keep the data intact from physical intruders. The servers are housed in a room that the production plant used to house its legacy system. The room has detectors for smoke and associated sprinklers. It is enclosed, with no windows, and has specialized temperature-controlled air ducts.
Management has recently started looking at other alternatives to house the server as the plant is going to be shut down. Management has major concerns about the secrecy of the location and the associated measures. It wants to incorporate newer methods of physical data protection. The company’s auditors have also expressed a concern that some of the measures at the current location are inadequate and that newer alternatives should be found.
Required:
1. Why are the auditors of Avatar stressing the need to have a better physical environment for the server? If Avatar has proper software controls in place, would that not be enough to secure the information?
2. Name the six essential control features that contribute directly to the security of the computer server environment.