Test 2 2016, answers

Auditing 3A (University of KwaZulu-Natal)

Auditing 3A – Test 2 (Solution) 2016

PART A
Memorandum
To: Board of Directors
From: Internal Auditor
Date: xxx April 2016
Subject: General Control Systems
I have performed my observations of the company and have found the following deficiencies in your general
control systems:
Weakness:
1. Control Environment: Participation by those charged with governance is poor as the CEO who is responsible for the company has no interest in the financial and decision making as he feels he can delegate all his responsibility to his team.
Explanation:
1.1. As a result of the poor participation on the CEO's part, this attitude will filter through the company as employees at all levels look towards executive management to set the tone for the company.
1.2. This ultimately will have a negative effect on the company as employees will not take the controls of the company seriously.

Weakness:
2. Control Environment: there is no proper Assignment of Authority and Responsibility as Mike Slattery does not report to the CEO on any matters relating to the IT department.
Explanation:
2.1. Mr Slattery has too much power in the position that he is currently in and as a result he can easily undermine controls and do as he pleases since he doesn't report to the CEO; as a result he could commit fraud which will go undetected.

Weakness:
3.1. Control Environment: Organisational Structure has not been developed adequately as the staff in the IT department are assisting the employees from the revenue department with capturing of the monthly debtors transactions.
3.2. There is also no segregation of duties between the user and the IT department as the IT department staff assist the finance staff with revenue processing.
Explanation:
3.1. As the IT staff may not have a financial background and may not be familiar with the accounting, this can result in incorrect data being captured and errors being made, thus resulting in loss for the company.

Weakness:
4. Control Environment: HR Policies and procedures: there appears to be no HR policies being followed as Mike Slattery was hired without any formal interview structure or background check being performed.
Explanation:
4. By not having a formal recruitment process, the company has hired someone that has been alleged to commit fraud and as such the company is being exposed to the risk of fraudulent activities.

Weakness:
5.1. Access Control: Physical Access controls are weak as currently the other staff are unaware of your appointment and you have not acquired a visitor's pass and to your surprise you walk straight through the front entrance of the building and make your way to the 4th floor in which the IT department is situated.
5.2. Access control: physical access controls – remote workstations – there appears to be no controls to secure laptops with the use of security cables as I was able to pick up the laptop at the visitors' lounge.
Explanation:
5. The poor access controls indicate that anyone can get into the building and cause harm in the form of theft of confidential information, theft of the laptops or destruction to hardware.

Weakness:
6.1. Access Controls: Logical Access Controls – Passwords – Passwords are weak as the passwords are not unique and consist of letters only (not alphanumeric) and are quite obvious.
6.2. Passwords are not kept confidential: You did not have trouble accessing the computer and the wireless network as you found a note stuck on one of the drawers which included the passwords and to your surprise it gave you access to the computer.
Explanation:
6. With logical access to the computers and the network any personnel or visitor can corrupt the files and cause harm or steal sensitive information.

Weakness:
7.1. Access Control: Security policy: There appears to be no least privilege principle applied as the computer accessed belonged to the admin clerk and she had access to all modules available.
Explanation:
7.1. This is a major weakness in the system as it indicates that staff have blanket access over all information which they can easily manipulate for their personal gain, reducing isolation of responsibility.

Weakness:
7.2. Access controls: Logical access control (authorisation) is weak as the laptop in the visitors' lounge also gave you access to all modules to the company which indicates that the company is not making use of restricting access to specific terminals.
Explanation:
7.2. Furthermore it is even more alarming that people outside the company, for example clients, can also access this same information which is detrimental to the company as they could steal secure data and/or delete data or cause errors on the system.

Weakness:
8. Access Controls: Supplementary Controls are not in place as the company does not maintain logs and does not find the need to add on time-outs, and automatic lockouts to their controls.
Explanation:
8.1. This is a poor control as, if personnel forget to log off from their stations, anyone else will be able to access their computers and the information stored on the network. The fact that there is blanket access to all modules supplements the risk that information can easily be stolen or misused or changed.
8.2. By not maintaining logs the company has no way to identify any access violations or any unusual accesses to the system, thus any fraud may go undetected.

Weakness:
9. Access controls: Physical access controls are weak as the IT department is situated in an open plan office together with other departments.
Explanation:
9. Not having a separate office area or building increases the risk of unauthorised access.

Weakness:
10. Continuity Of Operations: Physical Access controls are weak as the company's mainframe servers are located together with the printers and other utilities in a general access room and not in a dedicated room.
Explanation:
10. The fact that the server is a major component to a company and it is located in a general access room means that it is more prone to damage which will result in major loss for the company as their systems run via the server.

Weakness:
11. Control environment: IT management philosophy and operating style: Mike Slattery is seen as controlling and aggressive.
Explanation:
11. This position puts him in a position to do as he pleases and since the CEO takes no interest in the company it becomes easier for him to be able to gain and cover his tracks; this can easily filter through lower levels of management.

If you have any other queries which you want to address please do not hesitate to contact me.
Kind Regards,
Candidate

PART B
From the scenario the following fraud risk factors relating to the misappropriation of assets are evident:
Incentives/pressures:
• Mike Slattery has just gone through a divorce in which he has to pay large alimony and maintenance payments to his ex-wife. As a result he is experiencing personal financial pressures.
• These personal financial pressures could also incentivise him to misappropriate assets from the company.
Opportunities
There is opportunity based on the nature of the products sold by the company:
• As the company is an arms dealer that manufactures arms, the designs to the various products are assets to the company.
• These designs are trade secrets and as such there is a readily available market as other arms manufacturers would be interested in acquiring the designs.
• The designs are saved in electronic format which makes it easy to steal and sell to the highest bidder.

There is opportunity based on the internal controls at the company:
• Mike Slattery has super user access which allows him to access sensitive information.
• The lack of supplementary controls such as logs of logins increases the risk of fraud via unauthorised access.
• The poor control environment in which Mike does not report to the CEO on any IT matters also increases the risk of fraud.
• The poor access (both logical and physical) controls over the system increase the risk of unauthorised access.
• The IT staff are not supervised adequately thereby increasing the risk of fraud.
• As the CEO is not involved in the daily operations and relies on the IT director it creates an opportunity for fraudulent behaviour as there is ineffective monitoring.
Attitude and Rationalisation
• As there is a poor control environment at The Last Ship (Pty) Ltd, it would be easy for employees to rationalise their behaviour.
• As Mike Slattery is controlling and aggressive, he could easily rationalise his behaviour especially since he needs to supplement his finances after his divorce.
• There is a history of allegations of fraudulent behaviour against Mike Slattery.

PART C
I would be concerned that fraud is potentially being committed and would be concerned that the company
potentially has a reportable irregularity that I would need to report.
I would determine if the definition of a reportable irregularity has been met or not as follows:
1) Any unlawful act or omission
  • Mike Slattery has divulged trade secrets to a competitor and has gained in the process. The divulging of the blueprint to the competitor is a direct breach of his employment contract.
  • As his contract is a legally binding document, the breach is an unlawful act.
2) Committed by any person responsible for management of an entity
  • Mike Slattery is the IT director and is therefore considered to be management.
3) Has caused or is likely to cause financial loss to the entity, its partner, member, shareholder, creditor or investor:
  • As Mike has divulged the blueprints for the company's major revenue contributor, he has leaked sensitive information which will result in a loss of sale to the company as they will no longer have their competitive edge.
4) Or is fraudulent or amounts to theft:
  • The leaking of trade secrets to a competitor could be deemed to be fraudulent as he has breached his employment contract and has been financially rewarded by the competitor.
  • The designs of the warhead belong to the company; as such, Mike has committed theft by leaking the designs to a competitor.
5) Or represents a material breach of fiduciary duty owed by such a person to the entity or any partner, member, shareholder, creditor or investor of the entity under any law applying to the entity or the conduct of management thereof:
  • As Mike Slattery is a director of the company, his divulging of trade secrets has resulted in a breach of his fiduciary duty to the company as he has not acted in the best interest of the company.
Thus, if I was the external auditor of the company, I would have concluded that a reportable irregularity
has taken place and I would need to consider how to proceed in terms of S45 of the Auditing Profession
Act.
PART D
• As I am just the internal auditor, I am not bound by the Auditing Profession Act and as such I cannot report a reportable irregularity to IRBA.
• Neither am I performing an independent review; as such I cannot report the reportable irregularity to the Commission (CIPC).
• As a Chartered Accountant, I am bound by the SAICA Code of Professional Conduct which states that I need to act with integrity, objectivity, confidentiality, professional competence and due care and with professional behaviour, and that I need to always maintain these principles.
• As I have uncovered fraudulent activities at my employer, I cannot ignore the matter as I would be condoning the unlawful behaviour and would thus not be acting with integrity.
• I am still bound by confidentiality; as such, I cannot divulge the information obtained to any 3rd parties.
• As Mike Slattery is also a chartered accountant, I cannot openly criticise him but I cannot condone his behaviour.
• Therefore I need to approach Commander Chandler, as he is the next most senior person, with the information that I have obtained and notify him of the fraud that is taking place so he can take corrective action.
PART E – Audit Plan
Nature
• As the company is highly computerised and has one of the largest IT Departments, (01 Mark) the external auditors would have to consider if they can adopt a combined approach by performing tests of controls as well as substantive tests.
• However, the fact that Mike Slattery has used his super user access to access restricted information for his own advantage reflects that he lacks integrity, and since he is also responsible for managing the finance department there is a greater risk that the financial statements may be materially misstated at both a financial statement and assertion level.
• As such the external auditors would not want to place much reliance on controls as Mike may have used his power of position to override controls that may be in place.
• The overall control environment at the company is also questionable as noted in Part A above; as such it would make more sense for the auditors to perform a fully substantive audit.
• In determining whether to perform tests of details or analytical review, the external auditors would have to determine which provides more audit comfort.
• As there are only 6 customers, tests of details would probably be selected for revenue testing as opposed to analytical review.

PART F
• Income Tax Act.
• Customs and Excise Act.
• Exchange control regulations as they sell to foreign customers.
• PFMA – Supply chain management.
• Any South African laws relating to Arms Dealing such as the National Conventional Arms Committee.
• VAT Act.
Explanation
• The non-compliance with laws & regulations may also potentially be a reportable irregularity; as such the external auditors would have to be aware of the potential risk.
• The external auditor would have to understand what requirements need to be met in order for the company to comply so they can assess if there has been any non-compliance.
• The auditor would have to understand the consequence of non-compliance as there may be a financial impact in the form of fines and penalties. (01 Mark) The materiality of these fines and penalties would have to be taken into account as they may impact the audit opinion.
• By understanding the laws & regulations applicable, the external auditor can assess the risk attached to non-compliance and can therefore develop an audit plan to address the risk.
Note to Marker – award a maximum of 5 for identification of the legislation/regulation.
