
EXERCISE TOPIC 2

QUESTION 1

Preventive controls are passive techniques designed to reduce the frequency of occurrence of undesirable events. Detective controls are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls. Corrective controls are actions taken to reverse the effects of errors detected. Statement on Auditing Standards (SAS) No. 109 is the current authoritative document for specifying internal control objectives and techniques. It is based on the COSO framework.

QUESTION 2

A. (i) General Authorization
(ii) Independent Verification
(iii) Access Controls
(iv) Specific Authorization
(v) Supervision
(vi) Segregation of Duties
(vii) Accounting Records

B. The objectives of internal control in AIS:
(i) To safeguard the assets of the firm
(ii) To ensure the accuracy and reliability of accounting records and information
(iii) To promote efficiency in the firm’s operations
(iv) To measure compliance with management’s prescribed policies and procedures


C. The control environment components of the Committee of Sponsoring Organizations (COSO) Internal Control framework:
(i) Role of the board of directors and senior management – IC importance and expectations (tone at the top)
(ii) Integrity and ethical values of management
(iii) Management’s policies and philosophy
(iv) Organizational structure – responsibility and authority
(v) Policies and practices for managing human resources – competent individuals – hiring, compensating, training, evaluating, promoting, etc.
(vi) Performance evaluation measures – rigour, incentives and rewards
(vii) External influences – regulatory agencies – MASB, SC

QUESTION 3

Six categories of general controls:

Segregation of duties within the systems
• Clearly divide authority and responsibility among the following functions: system administration, network management, security management, change management, users, systems analysis, programming, computer operations, information systems library and data control.

Physical access control
• Place computer equipment in locked rooms and restrict access to authorized personnel
• Have only one or two entrances to the computer room
• Require proper employee ID
• Require that visitors sign a log
• Use a security alarm system
• Restrict access to private secured telephone lines and terminals or PCs
• Restrict access to off-line programs, data and equipment
• Locate hardware and other critical system components away from hazardous materials
• Install fire and smoke detectors and fire extinguishers that do not damage computer equipment

Logical access control
• Passwords
• Physical possession identification
• Biometric identification
• Compatibility tests

Data storage controls
• Primary storage – data in random access memory (RAM) and other "built-in" devices
• Secondary storage – data on hard disk, tapes and other external devices

Data transmission controls
• Data encryption (cryptography)
• Routing verification procedures
• Adding parity
• Message acknowledgement techniques

Internet controls and e-commerce
• Passwords
• Encryption technology
• Routing verification procedures
• Install a firewall (hardware and software) that controls communications between a company's internal network (trusted network) and an external network
• Electronic envelopes – protect e-mail messages

QUESTION 4

(a) Employee Fraud
• Fraud committed by non-management employees
• Directly converts cash or other assets to the employee’s personal benefit
• The employee circumvents the company’s internal controls for personal gain
• Usually involves three steps: stealing something of value, converting the asset to a usable form (cash), and concealing the crime to avoid detection

Management Fraud
• Perpetrated at management level and above, and usually involves the manipulation of financial statements
• More insidious than employee fraud, as it always escapes detection until the organization has suffered loss or damage
• Involves using financial statements to misrepresent the financial health of the organization
• The fraud typically involves complicated transactions and third parties

(b) Give THREE (3) examples of input control procedures.
• Check digits detect transcription and transposition errors
• Missing data checks identify blank fields or incomplete input fields
• Numeric-alphabetic checks identify data in the wrong form
• Limit checks identify field values that exceed authorized limits
• Range checks verify that all amounts fall within an acceptable range
• Reasonableness checks verify that amounts which have passed the limit and range checks are reasonable
• Validity checks compare actual field values against a table of acceptable values
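As an added illustration (example code, not part of the original answer sheet), the following Python function runs each of the listed input controls over one sales-order record as it would be keyed in. The field names, the authorized limit, the ranges, the table of accepted payment terms and the use of a mod-10 (Luhn) check digit on the account number are all assumptions chosen for the example; the sample records are constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed rule set for a hypothetical sales-order input screen (example values,
# not taken from any real system).
REQUIRED_FIELDS = ("account_no", "customer_name", "quantity",
                   "unit_price", "amount", "payment_terms")
AMOUNT_LIMIT = Decimal("100000.00")                       # limit check ceiling
QUANTITY_RANGE = (1, 1000)                                # range check bounds
UNIT_PRICE_RANGE = (Decimal("0.01"), Decimal("5000.00"))  # range check bounds
VALID_PAYMENT_TERMS = {"NET30", "NET60", "COD"}           # validity check table


def check_digit_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit test. The last digit is the check digit; the
    test detects every single-digit transcription error and nearly every
    transposition of two adjacent digits."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit, counting from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _to_decimal(text: str):
    """Return the Decimal value of a numeric field, or None if it is not numeric."""
    try:
        return Decimal(text)
    except (InvalidOperation, ValueError):
        return None


def validate_order(record: dict) -> list:
    """Apply the input controls to one record as keyed in (every field a string).
    Returns a list of (check, field, message) tuples; an empty list means the
    record passed every control."""
    errors = []

    # Missing data check: blank or incomplete fields stop processing outright.
    for name in REQUIRED_FIELDS:
        if not str(record.get(name, "")).strip():
            errors.append(("missing_data", name, "field is blank"))
    if errors:
        return errors

    # Check digit on the account number.
    if not check_digit_valid(record["account_no"]):
        errors.append(("check_digit", "account_no",
                       "check digit does not verify (transcription or transposition error)"))

    # Numeric-alphabetic check: is each field in the right form?
    if not record["customer_name"].replace(" ", "").isalpha():
        errors.append(("numeric_alphabetic", "customer_name", "must be alphabetic"))
    quantity = int(record["quantity"]) if record["quantity"].isdigit() else None
    if quantity is None:
        errors.append(("numeric_alphabetic", "quantity", "must be numeric"))
    unit_price = _to_decimal(record["unit_price"])
    if unit_price is None:
        errors.append(("numeric_alphabetic", "unit_price", "must be numeric"))
    amount = _to_decimal(record["amount"])
    if amount is None:
        errors.append(("numeric_alphabetic", "amount", "must be numeric"))

    # Limit check: a single value above an authorized ceiling.
    if amount is not None and amount > AMOUNT_LIMIT:
        errors.append(("limit", "amount", f"exceeds authorized limit of {AMOUNT_LIMIT}"))

    # Range check: the value must fall between a lower and an upper bound.
    if quantity is not None and not QUANTITY_RANGE[0] <= quantity <= QUANTITY_RANGE[1]:
        errors.append(("range", "quantity", f"outside {QUANTITY_RANGE}"))
    if unit_price is not None and not UNIT_PRICE_RANGE[0] <= unit_price <= UNIT_PRICE_RANGE[1]:
        errors.append(("range", "unit_price", f"outside {UNIT_PRICE_RANGE}"))

    # Validity check: compare the field against a table of acceptable values.
    if record["payment_terms"].upper() not in VALID_PAYMENT_TERMS:
        errors.append(("validity", "payment_terms",
                       f"not one of {sorted(VALID_PAYMENT_TERMS)}"))

    # Reasonableness check: runs only once the individual fields have passed their
    # form, limit and range checks, and tests whether they make sense together.
    failed_fields = {field for _, field, _ in errors}
    if not {"quantity", "unit_price", "amount"} & failed_fields:
        expected = Decimal(quantity) * unit_price
        if abs(amount - expected) > Decimal("0.01"):
            errors.append(("reasonableness", "amount",
                           f"{amount} does not agree with quantity x unit price = {expected}"))
    return errors
```

The ordering matters: the missing data check runs first because every other control needs the data present, and the reasonableness check runs last because it is only meaningful for fields that have already passed their individual form, limit and range checks.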

(c)
