You are senior on the audit of Rexxon (Pty) Ltd, a medium sized wholesaler of stationery and supplies. All of the company's financial systems are computerized and you have been asked to assist in the evaluation of the company's general controls. One of the other trainees on the audit has prepared some notes on the company's general controls and has presented these to you. Background Rexxon (Pyt) Ltd, runs its accounting applications on local area network. Terminals on the network are located on users' desks in various departments (e.g stores, wages), whilst the network servers are located in a room (referred to by staff as the "Techno Room") in which other office equipment used by the company is housed e.g printers, the facsimile machine and the office photocopier. Staff wishing to make use of the fax and photocopier or wishing to collect hard copy output must go to the techno room. Staff enjoy this arrangement as it allows them the opportunity to have a cup of coffee or tea from the drinks machine which is also located in the Techno Room and socialize with other staff members. It also contributes to the relaxed and casual atmosphere at the company which Zak Kruger and the other managers try to maintain so that employees enjoy coming to work. Network administrator The company's network is managed and maintained by Dion Reddy, the network administrator, Page 13 of 20 FACULTY OF COMMERCE, MANAGEMENT AND LAW and his four assistants. The IT section reports to Zak Kruger the financial manager. However, Zak Kruger does not get involved (nor does the financial director) leaving all aspects of the company's computer requirements to Dion Reddy and his staff. Dion Reddy has sole responsibility for the purchase of new computer equipment, appointment of computer personnel and, with staff, also has responsibility for technical problem-solving programmed maintenance and password authorization. Dion Reddy and his staff are technically very knowledgeable but do not know much about accounting systems and related internal controls. All employees at the company (approximately 80 in total) are given access to the network even though they may not require it to fulfil their functions. For example, warehouse personnel (packers, pickers etc) can get onto the network via three terminals in the warehouse's administration office. These staff only have access to internet facilities and a selection of computer games resident on the network for all employees to enjoy. To get onto the network an employee can enter his user identification and personnel password at any terminal. At this point a menu will appear which lists all of the applications available on the network e.g wages, inventory control, games etc, and the employees simply "clicks" on the application he requires. Once access has been gained to the selected application e.g the wages application, a menu of modules within the application is displayed. If an employee wishes to access a module, he "clicks" on the desired module and the computer checks the user profile that employee before granting (or denying) access. Dion Reddy has implemented the following requirements for personal passwords. They must - be six digits of which the first three digits must be the first three letters of the department in which the employee works and the last three must be numeric e.g WAG123 would be an employee in the wages department; - be changed on the 2nd January each year; and - be authorized by Dion Reddy (or one of his staff) to ensure that the same password is not chosen by more that one employee in the same department. If an employee leaves the company his password is given to the new employee (it will only be Page 14 of 20 FACULTY OF COMMERCE, MANAGEMENT AND LAW changed on 2nd January) Dion Reddy is also responsible for creating and maintaining user profile on the system. If any employee wishes to change any details on his profile, e.g "read only" access to a "read and write" access, a written request (on the standard document) signed by the employee must be submitted to Dion Reddy who will make the change. At the end of every second month Dion Reddy's four assistants back up the data files and programmes on all terminals in the accounting department by coping the files onto external hard drives. The external hard drives are labelled and given to Dion Reddy who locks them in a drawer in his desk. YOU ARE REQUIRED TO: a) distinguish between general controls and application controls. (3) b) Identify the weaknesses in the general controls at Rexxon (Pyt) Ltd based on the information provided above. For each weakness you have identified explain why it is a weakness. You are only required to consider the following categories of general control: 1. Control environment 2. Access controls (10) 3. Continuity of operations (9)