You are the audit partner on the audit of Criss Cross Ltd for the year ended 30 June 2022, who operates a number of retail stores that sell skiing equipment in various locations across Australia. You are informed that each new employee is given a unique staff ID and a general password. This password has to be changed upon first login and has to be 9 characters long, contain at least one number, capital letter and symbol, it also cannot contain their name. The system requires each employee to change their password every 30 days.

Each store maintains its own payroll and the payroll records are kept on the in-house computer system. This can only be accessed on the local computer in the manager's office. Only the store manager and payroll manager have a key to this office. The payroll application on this computer is password protected at several levels, and only the payroll manager can access the application. When entering payroll data, the system checks that the employee number entered is a valid employee on the system, and tests are applied during processing to ensure that the hours worked are within predefined limits and that only one payment is processed for each employee based on the employee number.

During initial inspections and conversations with management, you take note of the following:

• Due to restricted space availability, the store's inventory is often stowed in the store manager's back office. As a result, the manager often leaves their door open so that staff have easy access to get things like skiing boots in instances where a customer needs a different size to the one available on the shop floor.
• When speaking to the payroll manager about the login process to the payroll system, he laughs and says "...you know, the password requirements make it really difficult to remember my password, so I've had to write it on a sticky note which I leave under my keyboard".
• Almost all sales staff work on a casual basis, and there are a lot of shift changes among staff. As a result, the roster at the end of the week rarely matches the original in the system.

Required:

(a) Identify and assess two general IT controls put in place at Criss Cross Ltd [4 marks]

(b) Identify and assess two application controls for the payroll system at Criss Cross Ltd [4 marks]

(c) Explain how one application control identified in b) can be tested by the auditor [2 marks]

(d) Based on your assessment in a) and b), what is your recommended strategy when auditing the IT environment of Criss Cross Ltd? [2 marks]