Question $4$

$(25$ marks$)$

PART A

In terms of ISA $315,$ the auditor is required to gain an understanding of the company's internal

control system. The statement suggests that this understanding can best be obtained by considering

the five components of internal control, namely:

The control environment;

The company's risk assessment procedures;

The information system;

Control activities; and

Monitoring of controls.

It therefore stands to reason that when the auditor considers each of the above components, the

auditor will need to consider the effect of the company's computerization on that component as well.

Controls in a computerized environment are categorized as either general controls or application

controls.

$4\mathrm{.}1$ Define the term "internal control".

$4\mathrm{.}2$ Define the term "general controls" and give two $(2)$ examples of general controls.

$4\mathrm{.}3$ Define the term "application controls" and give two $(2)$ examples of application

controls.

PART B

During your audit planning stage, while you are gaining an understanding of the company's internal

controls, including the client's computerized systems, you have a conversation with Joey Fisch, the

Chief Information Officer of the company. He tells you the following:

"I don't know if you know, but we are considering implementing a whole new accounting system

because our whole business strategy is changing. We need to keep up with the latest trends of the

industry. I believe most of our competitors are already providing internet sales to their customers;

we don't even have a website yet, let alone internet sales that are linked to our accounting package!

And their employees' can log in with staff cards and the system will automatically calculate their

wages for the day. Currently our payroll system is a manual process and is calculated by means of

spreadsheets and then journalized by the accountant to get the figures in the accounting records. We

are currently debating whether to develop our own software internally, and whether to buy a product

off the shelf."

Later during your discussion with Joey Fisch, it became evident that the company currently lacks a

disaster recovery plan. Also, when you asked him whether they are currently producing back$-$ups of

their data, he admitted that he can't recall when he last did a back$-$up of any data of the company.

YOU ARE REQUIRED TO:

$4\mathrm{.}4$ List $3($three$)$ advantages of buying packaged software.

$4\mathrm{.}5$ List $2($two$)$ disadvantages of buying packaged software.

$4\mathrm{.}6$ List $2($two$)$ controls that companies can implement to minimize potential disruption because of some disaster which prevents processing and$/$or destroys$/$corrupts programmes and data.

PART C:

$4\mathrm{.}7$ Unless the entire process of designing an in$-$house system

is carefully controlled, a list of detrimental consequences

may follow, including the information transferred from

the old system to the new system may be erroneous,

invalid or incomplete. Therefore, strict controls are

necessary at the conversion stage to ensure that

programmes and information taken onto the new system

are complete, accurate and valid.

You are required to describe such controls that need to be

in place upon conversion to the new system. Divide your

answer into the following categories:

$4\mathrm{.}7\mathrm{.}1$ Data cleanup

$4\mathrm{.}7\mathrm{.}2$ Conversion method

$4\mathrm{.}7\mathrm{.}3$ Preparation and entry

$4\mathrm{.}7\mathrm{.}4$ Post$-$implementation review