
Kristie Rose Liswid

BS Accountancy V

MODULE 1: INTRODUCTION TO AUDITING IN A COMPUTER INFORMATION SYSTEM ENVIRONMENT

POST ASSESSMENT

A. The purpose of each of the four controls is as follows:


• Authorization of transactions
It is required to adequately safeguard assets against fraud and illegal
transactions and provide a level of internal control. A formal system of
transaction authorizations ensures that all company activities adhere to
established guidelines and are in accordance with management goals and
objectives. Transactions must be executed according to the terms of their
general or specific authorizations, by responsible personnel acting within
the scope of their prescribed authority and responsibility.

• Complete and accurate record keeping
It provides prompt, timely, and precise evidence that the financial
statements are accurate. Companies must make and keep books,
records, and accounts that, in reasonable detail, accurately reflect the
transactions and dispositions of assets. In addition, the recording of
transactions must be in conformity with GAAP.

• Physical controls
These are controls over the company’s assets, documents, and records to
prevent their destruction, loss, or even alteration. These control activities
may include electronic or mechanical controls (such as a safe, employee
ID cards, fences, cash registers, fireproof files, and locks) or
computer-related controls dealing with access privileges or established
backup and recovery procedures.

• Internal verification
It helps ensure the reliability of accounting information and the efficiency
of operations. It refers to the independent review of the accuracy and
propriety of another party’s work, and the testing of the recorded
accountability for assets as compared to existing assets at a reasonable
time.

Auditing in a CIS Environment



B. Violation and Its Proposed Correction

VIOLATION: The sale of long-term securities based on the president’s
approval when the board of directors’ approval is required violates
authorization procedures.
PROPOSED CORRECTION:
• Implement additional formalized procedures reinforcing the policy that
only the board of directors can authorize long-term security purchases
and sales.

VIOLATION: There is no entry made in the cash receipts book since all
dividend and interest checks are received by the treasurer and forwarded
immediately to the accounting department. Therefore, it is not possible to
determine whether all interest and dividend checks have been received
and deposited.
PROPOSED CORRECTION:
• All checks should be designated to the personnel that normally opens,
stamps, and logs incoming checks, and the checks should be recorded in
the cash receipts book at the time of receipt.
• The interest and dividend checks should be reconciled by the accounting
department to the monthly broker’s statements. These statements should
be kept on file to assure that all checks have been received, deposited,
and accounted for.

VIOLATION: The balance in the accounts as of the end of the month closely
approximated the amounts shown on the broker’s statements.
PROPOSED CORRECTION:
• The accounting department must undertake the reconciliation of the
differences and implement appropriate procedures to assure that the
accounts and the brokerage statements are reconciled monthly.

VIOLATION: The treasurer has the authority to buy and sell securities,
receives revenue, and makes journal entries related to securities.
PROPOSED CORRECTION:
• Strengthen internal control so that the treasurer does not have
conflicting duties.

VIOLATION: Access to short-term securities is unrestricted in the
accounting department.
PROPOSED CORRECTION:
• The short-term securities should be placed in a restricted facility such
as a bank safe deposit box or a company safe.
• Access to short-term securities should be limited to a few responsible
personnel and two people should be present each time the securities are
accessed. Additionally, a log book should be maintained to record any
disposition of securities.


MODULE 2: AUDITING IT GOVERNANCE CONTROL

POST ASSESSMENT

a. Describe the computer security weaknesses present at Gleicken Corporation that
made it possible for a disastrous data loss to occur.

The computer security weaknesses present at Gleicken Corporation that made it
possible for a disastrous data loss to occur include:

• Housing the data processing facility in a building with exposed wooden beams
and a wooden-shingled exterior rather than one constructed of fire retardant
materials.
• Absence of a sprinkler (Halon) system and a fire suppression system under a
raised floor and no fire doors.
• An online system with infrequent (weekly) tape backups. Backups, with
checkpoints and restarts, should be performed at least daily. Grandfather and
father backup files should be retained at a secure off-site storage location.
• Poor data storage. Data and programs should have been kept in a library
separate from the data processing room, with the library area constructed of
fire retardant materials.
• Lack of a written disaster recovery plan with arrangements in place to use an
alternate off-site computer center in the event of a disaster or an extended
service interruption.
• A phone list of DP personnel without assigned responsibilities for specific
actions to be taken when needed.
• Lack of complete systems documentation outside the data processing area.

b. List the components that should have been included in the disaster recovery plan at
Gleicken Corporation to ensure computer recovery within 72 hours.

The components that should have been in the disaster recovery plan at Gleicken
Corporation in order to ensure computer recovery within 72 hours include:
• Development of a written disaster recovery plan, with review and approval by
senior management, data processing management, end-user management, and
internal auditors.
• Backup of data and programs stored at an off-site location that will be quickly
accessible in an emergency.
• Organization of a disaster recovery team. The company should select the
disaster recovery manager, identify the tasks, segregate personnel into teams,
develop an organizational chart for disaster procedures, match personnel to
team skills and functions, and assign duties and responsibilities to each member.
The duties and responsibilities of the recovery team include:
  ➢ Obtaining use of a previously arranged alternate data processing facility;
  activating the backup system and network.
  ➢ Retrieving backup data files and programs, restoring programs and data,
  processing critical applications, and reconstructing data entered into the
  system subsequent to the latest saved backup/restart point.

c. What factors, other than those included in the plan itself, should a company consider
when formulating a disaster recovery plan?

Factors, other than those included in the disaster recovery plan itself, to be
considered when formulating the plan include:
• Arranging business interruption insurance in addition to liability insurance.
• Ensuring that all systems and operations documentation is kept up to date and
is easily accessible for use in case of a disaster.
• Performing a risk/cost analysis to determine the level of expense that may be
justified to obtain reasonable, as opposed to certain, assurance that recovery
can be accomplished in 72 hours.
