10 - Soln Int CTRL - Part 1


ACW2851 TUTORIAL QUESTIONS

1) Problem 9–14
For each of the following, identify the error or misstatement that would be prevented or detected by its use.

a. Duties segregated between the cash payments and cash receipts functions
To safeguard assets, i.e. cash receipts. To prevent the person that disburses cash from pocketing
cash receipts.

b. Signature plates kept under lock and key
Signature plates are used to authenticate cheques. Keeping them secure is a means of preventing
their unauthorised use.

c. Accounting department matches invoices to receiving reports or special authorizations before
payment
Matching the vendor invoice with a receiving report ensures that payment is made only for goods
actually received and in good condition (always done with e below).

d. All cheques mailed by someone other than the person preparing the payment voucher.
Ensure payment only for legitimate obligations of the organization. To prevent the person preparing
the payment from mailing the payment to himself.

e. Accounting department matches invoices to copies of purchase order.
Ensure that payments are made only for authorised and correct purchases. Don’t pay for things that
the company did not order (always done with c above).

f. Keep the blank stock of cheques under lock and key
Pre-numbered documents (cheque blanks) have to be securely stored if this preventive control is to
be effective. Also, prevent theft of cheques.

g. Use imprest accounts for payroll
The imprest account is to limit the loss due to incorrectly printed (or altered) cheques associated
with each period’s total payroll. An imprest account is an account used for a specific purpose, e.g.
payroll, speculation investments etc.

h. Bank reconciliations performed by someone other than the one who writes cheques and handles
cash
Prevents one person from diverting cash and subsequently concealing the wrongdoing.

i. Use a cheque protector
Cheque protectors use a number of methods which make it difficult to change the cheque amount
successfully (e.g. words for amounts).

j. Periodically conduct surprise counts of cash funds.
Deter the unauthorised use of cash. Balance in the books must match the physical count.

k. The purchase orders are placed with approved vendors only.
Prevent unauthorised purchases, for example, purchases from vendors with family ties to
employees.

l. All purchases made by the purchasing department.
Minimise unauthorised purchases. Easier to control since only 1 department is tasked with
purchasing.

2) DQ 10-17.

a. A bank deposit transaction was accidentally coded with a withdrawal code
Bank transactions should be pre-coded with either a deposit code or withdrawal code. Transactions
encoded on different coloured paper may help.

b. The key entry operator keyed in the purchase order number as a nine-digit number instead of an
eight-digit number
Edit test of length

c. The date of a customer payment was keyed 2001 instead of 2013.
Edit test of reasonableness

d. A company employee was issued a cheque in the amount of $-500 because he had not worked for
2 weeks, but most of his payroll deductions were automatic each week.
This is a programming error. The program should also be tested first with test data. The program
should have a sign test.

e. A patient filled out her medical insurance number as 123465 instead of 123456.
A check digit control may initially catch this error at run time. A subsequent validation routine
(lookup) against the medical insurance customer master file would indicate that an invalid number
has been entered.

f. An applicant for the company stock option plan filled out her employee number as 84 6436. The first
two digits are a department code. There is no department 84.
The computer program which processes this form should compare the first two digits of the
employee number against a list of acceptable codes by performing an edit test.

g. A high school student was able to log onto the telephone company’s computer as soon as he
learned what telephone number to call.
Use passwords

h. The accounts receivable department sent 87 cheques to the computer centre for processing. No
one realized that one cheque was dropped along the way and that the computer only processed 86
cheques.
Batch control total; e.g. financial control total (value of each cheque), record count (# of cheques) or
hash total (customer # for each cheque)
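
The edit tests named in the answers to items b to f and the batch control totals in item h can be sketched in code. This is an added example, not part of the tutorial solutions; the Luhn check-digit scheme, the department list, the one-year reasonableness window and the sample records are assumptions constructed for illustration (the insurance number is 123456 with an appended check digit).

```python
from datetime import date

DEPARTMENTS = {"10", "21", "35"}  # constructed list of valid department codes

def luhn_ok(number: str) -> bool:
    """Check-digit test. Luhn is an assumed scheme; the tutorial names none."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_tests(rec: dict, today: date) -> list:
    """Return the name of every edit test the keyed record fails."""
    failed = []
    if not (rec["po_number"].isdigit() and len(rec["po_number"]) == 8):
        failed.append("length")          # item b: nine digits keyed instead of eight
    if not today.year - 1 <= rec["payment_date"].year <= today.year:
        failed.append("reasonableness")  # item c: assumed window of this year or last
    if rec["net_pay"] < 0:
        failed.append("sign")            # item d: a cheque amount is never negative
    if not luhn_ok(rec["insurance_no"]):
        failed.append("check digit")     # item e: transposed digits
    if rec["employee_no"][:2] not in DEPARTMENTS:
        failed.append("valid code")      # item f: unknown department prefix
    return failed

def batch_totals(cheques: list) -> dict:
    """Control totals for a batch of (customer_no, amount_in_cents) pairs."""
    return {"record_count": len(cheques),
            "financial_total": sum(amount for _, amount in cheques),
            "hash_total": sum(customer for customer, _ in cheques)}

def mismatched_totals(sent: list, processed: list) -> list:
    """Names of the control totals that differ between sender and computer centre."""
    a, b = batch_totals(sent), batch_totals(processed)
    return [name for name in a if a[name] != b[name]]

# Constructed sample data (only the quoted error values come from the tutorial).
TODAY = date(2013, 6, 1)
GOOD = {"po_number": "12345678", "payment_date": date(2013, 5, 2), "net_pay": 500,
        "insurance_no": "1234566", "employee_no": "106436"}
BAD = {"po_number": "123456789", "payment_date": date(2001, 5, 2), "net_pay": -500,
       "insurance_no": "1234656", "employee_no": "846436"}
SENT = [(1000 + i, 5000 + 10 * i) for i in range(87)]  # 87 cheques sent
PROCESSED = SENT[:40] + SENT[41:]                      # one cheque dropped: 86

if __name__ == "__main__":
    print(edit_tests(GOOD, TODAY), edit_tests(BAD, TODAY))
    print(mismatched_totals(SENT, PROCESSED))
```

A dropped cheque changes all three totals, whereas an altered amount changes only the financial total and a wrong customer number changes only the hash total.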

3) Critical thinking: The Family Support Center is a small charitable organization. It has only four full-time
employees: two staff, an accountant, and an office manager. The majority of its funding comes
from two campaign drives, one in the spring and one in the fall. Donors make pledges over the
telephone. Some donors pay their pledge by credit card during the telephone campaign, but many
prefer to pay in monthly instalments by cheque. In such cases, the donor pledges are recorded during
the telephone campaign, and they are then mailed pledge cards. Donors mail their contributions directly
to the charity. Most donors send a cheque, but occasionally some send cash. Most donors return their
pledge card with their cheque or cash donation, but occasionally the Family Support Center receives
anonymous cash donations. The procedures used to process donations are as follows:

Sarah, one of the staff members who has worked for the Family Support Center for 12 years, opens all
mail. She sorts the donations from the other mail and prepares a list of all donations, indicating the
name of the donor (or anonymous), amount of the donation, and the pledge number (if the donor
returned the pledge card). Sarah then sends the list, cash, and cheques to the accountant.

The accountant enters the information from the list into the computer to update the Family Support
Center’s files. The accountant then prepares a deposit slip (in duplicate) and deposits all cash and
cheques into the charity’s bank account at the end of each day. No funds are left on the premises
overnight. The validated deposit slip is then filed by date. The accountant also mails an
acknowledgement letter thanking each donor. Monthly, the accountant retrieves all deposit slips and
uses them to reconcile the Family Support Center’s bank statement. At this time, the accountant also
reviews the pledge files and sends a follow-up letter to those people who have not yet fulfilled their
pledges.

Each employee has a computer workstation that is connected to the internal network.
Employees are permitted to surf the Web during lunch hours. Each employee has full access to
the charity’s accounting system so that anyone can fill in for someone else who is sick or on
vacation. Each Friday, the accountant makes a backup copy of all computer files. The backup
copy is stored in the office manager’s office.

Identify three major control weaknesses in the Family Support Center’s cash receipts procedures. For
each weakness you identify, suggest a method to correct that weakness. Your solution must be
specific: identify which specific employees should do what. Assume that no new employees can be
hired.
(source: Romney, M. B., & Steinbart, P. J. (2017). Accounting information systems. 14th edition, Pearson.)

Three weaknesses below:

1. Weakness - Sarah opens all mail and prepares a list of donations (cash and cheques). Sarah
could misappropriate anonymous cash donations.
Control - Mail should be opened by both Sarah and the other staff member (segregation of
duties). The use of lockboxes would also eliminate this problem but would cost the charity
money to implement.

Sarah is the one who opens the mail and receives the cash from donors; she records the
amount and the details of each donation. The weakness is that Sarah has the chance to
pocket cash that is anonymous and not record the information for that particular donation.

Recommendation - Mail should be opened by both Sarah and another staff member (segregation of
duties). The use of lockboxes would also eliminate this problem but would cost the charity
money to implement.

2. Weakness - The donations and donation list are sent to the accountant for recording and to
prepare the bank deposit. Therefore, the accountant has custody of the donation and records
the donation.
Weakness - Bank reconciliation is performed by the accountant, who also makes the bank
deposit.
Control - The donations should be sent to the office manager for deposit and the donation list
sent to the accountant for recording (segregation of duties). This corrects both weaknesses.

3. Weakness - Each employee has full access (create, read, update, delete) to the accounting
system.
Control - Only the accountant and the office manager should have full access to the accounting
system (segregation of duties).

4) Critical thinking: SBD is an e-commerce business that sells various clothing and footwear from its
website and mobile Android and iOS apps. SBD has a small IT staff that designs and codes SBD’s
customised website and mobile apps. SBD’s server and data centre are located on the ground floor of
its three-storey building.

As SBD’s business has increased, and due to high turnover and lack of IT staff, data backups are only
done whenever time permits. The IT staff kept the data backup files in the same room as the server
and data centre. A week ago, due to the monsoon period, there were several days of heavy
thunderstorms. SBD’s building experienced flooding that destroyed the firm’s hardware, software and
on-site data. SBD was unable to restore its system for more than 2 weeks since the firm had to buy the
hardware, download all its software and re-enter the data again. This caused SBD to lose many
customers. It was later found that SBD kept backup hardware in the storeroom on the 3rd storey.

a) List four (4) weaknesses in the internal controls.

1. Data backups are done at the same site.
2. There is no written disaster recovery plan.
3. Restoration of data and hardware backups are not tested.
4. Location of the computing facility on the ground floor increases the risk of damage due to flooding.
5. Location of the computing facility is the same as where their backups are stored.

Discuss with students if there are other acceptable answers.

b) For each of the internal control weaknesses you identified, recommend and explain one internal
control plan that could mitigate the weakness.

1. Recommendation: Data backups should also be kept off-site, preferably using cloud-based backup solutions.

Explanation: In cloud-based backup, the data resides on one (or multiple) servers in another country (or
multiple countries). Likewise, if data backups are uploaded to another location (off-site), then any
flooding at the current location won’t affect the off-site / cloud data.

2. Recommendation: There should be a written disaster recovery plan.

Explanation: SBD should have a written disaster recovery plan. This plan would state where backup hardware
and data are stored. The plan should state who is responsible and what the process is to restore the system.
This plan would prevent SBD from not knowing that it already has the backup hardware, so that it would not
need to buy replacements.

3. Recommendation: Disaster recovery plan for data, software and hardware backups should be periodically
tested.

Explanation: Testing the disaster recovery plan periodically would help identify any issues or problems and
might identify the issues with the lack of an up-to-date backup and the unwritten backup procedures. In
addition, periodic testing would allow the employees to become familiar with and trained in the disaster
recovery plan.

4. Recommendation: Location of the computing facility should be above ground floor to reduce the risk of
damage due to flooding.

Explanation: The flooding affects the ground floor, so if the backup and computing facilities are located on a
higher floor then the floods may not affect those computing facilities.

Note: Accept a similar answer for the computing facility and the backups being located in the SAME place.

5) For each of the following computer systems weaknesses or failures, recommend two (2) computer
controls that mitigate or prevent the weakness or failures.

a) A lecturer from Monash received an email purporting to be from a former colleague informing of
an important policy change. When he clicked on a link embedded in the email to view the new
policy, his computer was infected with a virus.

• Anti-spyware software that automatically checks and cleans all detected spyware on an employee's
computer as part of the logon process for accessing a company's information system.
• Security awareness training is the best way to prevent such problems. Lecturers should be taught
that this is a common example of a sophisticated phishing scam.
Are there any other acceptable answers besides the ones above?

b) Shoplikecrazy is an online shopping e-commerce website whose competitors are Lazada and
Shopee. Shoplikecrazy’s programming staff are rushing to finish coding for the shopping cart on its
website and mobile apps. However, unbeknownst to the programmers, the code contained a
vulnerability in one of the fields that could be exploited when the customer typed in the ship-to
address.

• Make sure programs are thoroughly tested before being put into use. The testers must be
independent from the programmers.
• Management must support the commitment to secure coding practices, even if that means a delay
in completing, testing, and deploying new programs.
Are there any other acceptable answers besides the ones above?

c) Hackers attacked ArrowMal company’s networks during a weekend. The company network was
down for more than one hour before the IT staff was able to contact the IT network specialist to
respond to the attacks. It took another 3 hours before the IT network specialist was able to bring the
network under control.

• Document all members of the CERT (Computer emergency response team) and their contact
information.
• CERT members should practice and review incident response plan periodically.
Are there any other acceptable answers besides the ones above?
