From: A Candidate < Ay.Candidate@acaaudit.

com >

Subject: Re: Preparation for progress meeting with Zester

To: Lisa Neumann < Lisa.Neumann@acaaudit.com >

Hi Lisa,

Please see responses below:

Control deficiencies:

General IT controls:

• MC5 – ability to migrate changes to the production environment is appropriately restricted. IT specialists have
concluded MC5 is not operating effectively, as server logs show that a developer has access to the production
server and thus can make changes to the live version of the PlusBooks.
• LA1 – formal process for granting, modifying and removing access is in place. The IT specialists concluded LA1
is not operating effectively, as the user access profiles for five employees show that they have IT systems access
which is incompatible with their department and role.

The IT specialists performed additional direct testing relating to both of these deficiencies and found no exceptions.
Therefore, our conclusion was that, on an overall basis, the GITCs support the effective functioning of ITACs for
PlusBooks.

Significant control deficiencies:

I have reviewed the guidance in ISA 265 Communicating Deficiencies in Internal Control to Those charged with
Governance Management and have concluded that none of the control deficiencies noted is a significant deficiency.

Control improvement recommendations:

• Recommend that the year-end revenue accrual journal be reviewed by the CFO in addition to the accountant
given the potential for error or fraud.
• Recommend improving the precision and robustness of the CFO’s monthly review of management accounts by
clearly defining a ‘large’ variance and documenting steps undertaken to investigate and resolve the variances.
The review should also be undertaken at year end due to its impact on financial statements.

Please let me know if you have any questions.

Regards,
A. Candidate

1
© 2022 Chartered Accountants Australia and New Zealand ABN 50 084 642 571. All rights reserved.