
Department of Auditing

INTERNAL AUDITING 721 EXAMINATION 9 NOVEMBER 2010

Internal examiner: Mr R du Bruyn
External examiners: Mrs GP Coetzee (internal/external), Mr H Fourie (NMMU) (external/external)

INSTRUCTIONS:
Maximum time: 3 hours (180 minutes)
Maximum marks: 120

PLEASE READ THE FOLLOWING PAGE FOR IMPORTANT INFORMATION

IMPORTANT INFORMATION
1 The results for second and third year, as well as postgraduate students, will be available on the MTN line and the Intranet. Results will be mailed to individual candidates after the examination period. Results will be available at telephone number 083 123 1111 and on the Intranet address http://www.up.ac.za, students online. LECTURERS AND ADMINISTRATIVE STAFF WILL NOT PROVIDE CANDIDATES WITH THEIR RESULTS PERSONALLY OR OVER THE TELEPHONE.

2 Supplementary examinations are not granted automatically, but are subject to current departmental policy. Candidates who qualify for a supplementary examination will be contacted by the Department for further arrangements.

3 Perusal of examination scripts
Perusal implies the students' right to verify their results and that the framework of the memorandum be made available to them for perusal. Lecturers will not debate the allocation of marks with students, but will obviously be prepared to correct possible marking errors. On the perusal date students must present a valid student card before the script and a copy of the evaluation framework used during the marking process will be handed over to them.

4 Date and venue for perusal
Day: Friday
Date: 26 November 2010
Time: 09:00 - 11:00
Venue: EMS 2-89

5 Re-marking of examination scripts (Regulation G.14)
After conclusion of the examinations, departments provide feedback to students concerning the framework used by examiners during examinations. The head of the department concerned determines the manner in which such feedback is provided. Students may apply for the re-marking of examination scripts after perusal of such scripts and within 14 days after the commencement of the lectures of the ensuing semester, and after payment of the prescribed fee. The examiner will be appointed by the head of the department concerned. The following procedure is followed: The Application for Re-mark of Examination Script(s) (available at Faculty Administration) must be completed. The prescribed fee must be paid and the form, together with proof of payment, must be handed in at the relevant department.

MULTIPLE CHOICE QUESTIONS (20 marks)

REQUIRED:

For each sub-section of this question, select only ONE alternative that you consider to be appropriate. Please answer these questions on the multiple choice answer sheet, SIDE 1.

1 A critical function of a firewall as part of an organisation's information technology environment is to act as a:
a. special router that connects the Internet to a local area network (LAN).
b. device for preventing authorised users from accessing the LAN.
c. server used to connect authorised users to private trusted network resources.
d. proxy server to increase the speed of access to authorised users.

2 Which of the following manages the digital certificate life cycle to ensure that adequate security and controls exist in the digital applications related to an organisation's use of e-commerce with its suppliers and customers?
a. Registration authority.
b. Certificate authority.
c. Certification relocation list.
d. Certification practice statements.

3 Which of the following represents the greatest potential risk in an electronic data interchange (EDI) environment?
a. Transaction authorisation.
b. Loss or duplication of EDI transmissions.
c. Transmission delays.
d. Deletion or manipulation of transactions prior to or after establishment of application controls.

4 In a risk-based audit approach, in addition to risk, you will also have to consider which of the following?
a. The availability of computer assisted audit tools and techniques (CAATTs).
b. Management's representations.
c. Organisational structure and job responsibilities.
d. The existence of internal and operational controls.

5 Which of the following techniques or tools would assist an information systems (IS) auditor when performing a statistical sampling of financial transactions maintained in a financial management information system?
a. Spreadsheets.
b. Parallel simulation.
c. Generalised audit software.
d. Regression testing.

6 Which of the following is a detective control?
a. Physical access controls.
b. Segregation of duties.
c. Backup procedures.
d. Audit trails.

7 The IS department of an organisation wants to ensure that the computer files used in the information processing facility are adequately backed up to allow for proper recovery. This is an example of a/an:
a. control procedure.
b. control objective.
c. corrective control.
d. operational control.

8 An IS auditor conducting a review of software usage and licensing discovers that numerous personal computers (PCs) contain unauthorised software. Which of the following actions should the IS auditor take?
a. Personally delete all copies of the unauthorised software.
b. Inform the auditee of the unauthorised software, and follow up to confirm deletion.
c. Report the use of the unauthorised software to auditee management and emphasise the need to prevent recurrence.
d. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.

9 Which of the following functions would be acceptable for the security administrator to perform in addition to his/her normal functions?
a. Systems analyst.
b. Quality assurance.
c. Computer operator.
d. Systems programmer.

10 Which of the following procedures would most effectively detect the loading of illegal software packages onto a network?
a. The use of diskless workstations.
b. Periodic checking of hard drives.
c. The use of current antivirus software.
d. Policies that result in instant dismissal if violated.

11 A database administrator is responsible for:
a. maintaining the access security of data residing on the computers.
b. implementing database definition controls.
c. granting access rights to users.
d. defining a system's data structure.

12 The database administrator has recently informed you of the decision to disable certain normalisation controls in the database management system (DBMS) software to provide users with increased query performance. This will most likely increase the risk of:
a. loss of audit trails.
b. redundancy of data.
c. loss of data integrity.
d. unauthorised access to data.

13 A major risk of using single sign-on (SSO) is that it:
a. has a single authentication point.
b. represents a single point of failure.
c. causes an administrative bottleneck.
d. leads to a lockout of valid users.

14 Which of the following types of transmission media provides the best security against unauthorised access?
a. Copper wire.
b. Twisted pair.
c. Fiber-optic cables.
d. Coaxial cables.

15 An offsite information processing facility equipped with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
a. cold site.
b. warm site.
c. dial-up site.
d. duplicate processing facility.

16 A disaster recovery plan (DRP) for an organisation should:
a. reduce the length of the recovery time and the cost of recovery.
b. increase the length of the recovery time and the cost of recovery.
c. reduce the duration of the recovery time and increase the cost of recovery.
d. not affect the recovery time nor the cost of recovery.

The following information applies to questions 17 to 20

The chief information officer of ABC Limited has delegated the following four functions to his information technology (IT) personnel:
i. user training and the development of training manuals.
ii. IT customer care.
iii. control and manage changes to developed systems.
iv. determine the extent of human resources necessary to accomplish all IT tasks.

17 Under which one of the Control Objectives for Information Technology (Cobit) domains can the first function be classified?
a. Planning and organisation.
b. Acquisition and implementation.
c. Delivery and support.
d. Monitoring.

18 Under which one of the Cobit domains can the second function be classified?
a. Planning and organisation.
b. Acquisition and implementation.
c. Delivery and support.
d. Monitoring.

19 Under which one of the Cobit domains can the third function be classified?
a. Planning and organisation.
b. Acquisition and implementation.
c. Delivery and support.
d. Monitoring.

20 Under which one of the Cobit domains can the fourth function be classified?
a. Planning and organisation.
b. Acquisition and implementation.
c. Delivery and support.
d. Monitoring.
[SOURCE: CISA adapted]

CASE STUDY (100 marks)

INTRODUCTION

You recently joined Stalpam Mining Limited's (hereafter referred to as STALPAM) internal audit activity and were allocated responsibility for all information technology audit engagements of the division. STALPAM is one of the world's largest platinum mining companies. STALPAM is listed on the JSE Limited with its headquarters situated in Johannesburg. Its operations consist of five different mines located in the Limpopo and North West provinces. A logistics coordination centre (hereafter referred to as LCC) for the operational mines is situated in Rustenburg. The following support services are situated at the LCC serving the five operational mines:
- Internal Auditing
- Training
- Health & Safety
- Operational Risk Management
- Information Technology (IT) Support

All other functions, such as human resources and finance, have a division within each operational mine as well as representatives at the LCC, while senior management is stationed at the headquarters in Johannesburg. Activities such as finance and human resources are decentralised to the various operational mines, which manage most aspects associated with their respective duties. However, these functions report detailed information to the LCC every two weeks, which includes information such as output reports, hours worked by wage earning employees, production statistics, et cetera. The LCC has the responsibility to consolidate all the information received and prepare monthly reports that are submitted to headquarters in Johannesburg. All the various functions have at least one representative or executive at headquarters. Some of the functions, such as risk management and information technology, also have substantial representation at headquarters.

The company employs more than 20 000 employees, of whom the majority are wage earners working at the various operational mines. All employees are paid via electronic fund transfer (EFT), which leaves the possibility of appointing undocumented, illegal or under-aged workers very low. However, the media recently reported incidents of xenophobia amongst workers at some of the company's operational mines.

STALPAM is under severe pressure from stakeholder groups to improve their corporate governance processes and structures. They have a poor reputation in the corporate environment due to their high production cost per ounce of platinum produced, excessive payroll expenses, and a poor health and safety record. The audit committee and remuneration committee are both chaired by executive directors. The internal audit division is understaffed as people do not want to relocate to Rustenburg. The information technology support division reports directly to the chief financial officer (CFO) as the company still has not appointed a chief information officer (CIO).

The information technology support services at the LCC are resourced with three employees: two local area network administrators and a computer analyst who has some experience in database management and hardware. In the absence of a database administrator, the analyst performs most of the duties normally performed by a database administrator.

INFORMATION TECHNOLOGY ENVIRONMENT

STALPAM has been in business for more than 30 years. For their different information requirements they have developed various stand-alone application systems over the years. These stand-alone systems have been refined over time, with STALPAM achieving most of their IT objectives using these systems until approximately five years ago. Senior management and the Board of Directors have noted their concerns over the past few years that the process of obtaining and consolidating information for strategic decision-making is becoming more challenging and time consuming. STALPAM recently had to postpone the announcement of their interim results as a result of a delay in consolidating information from the five mines and an unexpected problem with the database kept at the LCC. During the last Board meeting, it was proposed that a substantial amount be budgeted to either improve or redevelop the company's information technology systems. It was one of the company's non-executive directors who, after studying the King Report on Governance for South Africa 2009 (King III), first raised the lack of proper information technology governance with the Board.

The different application programs used by the different functions within the company are linked to the individuals assigned with the responsibilities to further process the information at the LCC. The LCC receives the information in the format of the respective application, uses the same format as the application to consolidate the data for the five mines, and then sends the consolidated information to head office in Johannesburg. Each division is responsible for their own consolidation and for the back-up of their own data and information, which is done on external hard drives and kept at the LCC. After the information is backed up, it is stored on their allocated part of the database. The data is, however, stored on the database in different formats (based on the application program) and there is no cross-functional access between the different divisions and their data.

As a qualified Certified Internal Auditor (CIA) and Certified Information Systems Auditor (CISA), you regard this as an opportunity to add value and recommend substantial improvements to assist STALPAM in addressing their IT challenges. One of your first actions was to purchase a comprehensive generalised audit software (GAS) package for the internal audit activity. You have extensive experience in continuous auditing from your previous employer, and were quite disappointed to find that STALPAM uses a fragmented stand-alone application environment and batch processing for most of its data requirements, and as such does not utilise continuous auditing at all.

Your first engagement involves the auditing of the wages system (described on the next few pages). Senior management and the Board have also consulted you on various aspects associated with the allocation of the proposed new IT budget.

WAGES SYSTEM

Two years ago STALPAM implemented a payroll application system for the processing of wages. The application, known as WAGECALC, is exclusively used for the processing of hourly wages and functions independently from the application program used to process payments to salaried employees. The WAGECALC application at each of the operational mines is directly linked with STALPAM's access control system for wage workers. The access control system is based on biometric technology and security gates that allow only one person to pass through at a time (turnstiles), with fences for physical security. The biometric-based system verifies the identity of a person by comparing one of his unique biological features (in this case fingerprint recognition) with the previously stored data before access is granted. The employee's fingerprint is linked to his/her unique employee number and wage category. The access control system records the time of entry and departure of all staff, as they have to use their fingerprints to gain access to and leave the premises of the different operational mines. The time recorded by the access system is used to calculate hourly wages. Each of the operational mines sends the hours worked by wage employees to the LCC every two weeks, from where wage payments are processed. Various files are used in processing employee wages from the information captured by the access control system and received from the mines.

As part of your audit engagement, you requested the files kept at the LCC in electronic format to allow you to apply your GAS software. The head of payroll directed you to the central copy room in the building, where you found unlocked cupboards with stickers listing the different divisions on them.
You opened the cupboard marked PAYROLL AND HUMAN RESOURCES BACK-UPS and found neatly stacked external hard drives, with external file labels and dates. You experienced no problems in downloading some of the files onto your laptop computer. Amongst the files you downloaded were the following:
- Employee standing data master files;
- Payroll transaction files; and
- Payroll payments transaction files.

The employee standing data master file contains the employees' personal and appointment data that is used to calculate the payroll every two weeks and to generate a payslip. These files were backed up once a month and you copied the employee standing data master files for the past 24 months. The file includes, inter alia, the following fields:
- Employee number (primary key).
- Surname.
- Name(s).
- Identity number.
- Appointment date.
- Cost centre code (mine).
- Termination date (if applicable).
- Rate per hour.
- Provident fund member number.
- Tax number.
- Medical aid member number.
- Bank account number.
- Annual normal leave balance.
- Annual sick leave balance.

Details of all new appointments made at the five operational mines are sent to the LCC for updating the employee standing data master file.

Timekeeping and wage processing

All hours worked, as captured by the access systems at the five mines, are sent to the LCC every two weeks. The payroll transaction file imports these hours worked for the past two weeks from the five access files received. Normal working hours per week are limited to 40. Hours worked in excess of the normal hours are classified as overtime hours, paid at the employee's pay rate (as imported from the employee standing data master file) times 1.5 (time and a half). The files imported from the access system automatically total hours per 7-day week for the two-week period before summarising the total normal and overtime hours for the two weeks. Deductions in the file only include the employee's portion of deductions. The following rules apply to fringe benefits:
- Provident fund: The employee contributes 7.5% of normal remuneration to the company's provident fund, while the employer also contributes 7.5%.
- Medical aid: The employee pays 75% of his/her medical aid membership contributions, while the company pays the other 25%. The employee's monthly medical aid contribution is divided by two to determine the amount to be deducted during each of the two payroll runs per month.

Fields in this file include:
- Employee number.
- Normal hours worked.
- Overtime hours worked.
- Normal remuneration.
- Overtime remuneration.
- Total gross remuneration.
- Provident fund.
- Tax.
- Unemployment Insurance Fund (U.I.F.).
- Medical aid.
- Nett remuneration.


U.I.F. contributions are deducted for all employees working more than 24 hours a week at a rate of 1% of normal remuneration. The company also contributes an additional 1% towards the fund.

Recording and payment of wages

The WAGECALC system is used to update the general ledger with the gross amount being debited to wages and the credit amounts to the different clearing accounts (imprest accounts), that is, Net wages, U.I.F., SARS, Medical aid, Provident fund, et cetera, on a two-weekly basis. The WAGECALC system also creates the EFT requests for the net wages and the statutory and other deductions. After the EFT requests are approved by STALPAM's financial manager, the net wages are transferred to a separate bank account from where the individual workers are paid. After wage payments are made, the imprest bank account should have a zero balance. In cases where the account does not clear, a follow-up investigation is done by the financial manager. Net wages paid are recorded in the payroll payments transaction file (thus all payroll payments to employees from the payroll imprest bank account are recorded). The file only consists of the following fields:
- Employee number.
- Amount paid.
- Date paid.
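As an added illustration that is not part of the examination paper, the following Python script recomputes a two-weekly WAGECALC run from the timekeeping rules above and runs GAS-style exception tests across the three files described. The sample records, the field names, the week-by-week application of the 24-hour U.I.F. rule and the medical aid field layout are assumptions; tax is not recomputed because the paper gives no rule for it.

```python
# Constructed sample data and GAS-style tests over the STALPAM wage files; field names and the week-by-week U.I.F. test are assumptions.
from datetime import date
NORMAL_WEEK = 40          # normal hours per 7-day week; the excess is overtime at 1.5x
UIF_WEEK_THRESHOLD = 24   # U.I.F. is deducted for employees working more than 24 hours a week

# Employee standing data master file (subset of fields), keyed on employee number.
MASTER = {
    "E001": {"rate": 50.0, "termination": None, "medical_monthly": 800.0, "bank": "1111"},
    "E002": {"rate": 40.0, "termination": date(2010, 9, 30), "medical_monthly": 0.0, "bank": "2222"},
    "E003": {"rate": 40.0, "termination": None, "medical_monthly": 0.0, "bank": "2222"},
}
# Hours per 7-day week over the two-week period, as totalled from the access-system files.
ACCESS_HOURS = {"E001": [45, 40], "E002": [20, 20]}
# Payroll transaction file; E002 shows U.I.F. deducted although no week exceeded 24 hours.
PAYROLL = [
    {"emp": "E001", "normal_rem": 4000.0, "overtime_rem": 375.0, "gross": 4375.0, "provident": 300.0, "uif": 40.0, "medical": 300.0},
    {"emp": "E002", "normal_rem": 1600.0, "overtime_rem": 0.0, "gross": 1600.0, "provident": 120.0, "uif": 16.0, "medical": 0.0},
]
# Payroll payments transaction file: employee number, amount paid, date paid.
PAYMENTS = [
    {"emp": "E001", "amount": 3600.0, "date": date(2010, 10, 15)},
    {"emp": "E002", "amount": 1450.0, "date": date(2010, 10, 15)},  # paid after termination
    {"emp": "E999", "amount": 2000.0, "date": date(2010, 10, 15)},  # not on the master file
]

def expected_run(rate, weekly_hours, medical_monthly):
    """Recompute one two-weekly run from the pay rate and the weekly access-system hours."""
    normal_rem = overtime_rem = uif = 0.0
    for hours in weekly_hours:
        week_normal_rem = min(hours, NORMAL_WEEK) * rate
        normal_rem += week_normal_rem
        overtime_rem += max(hours - NORMAL_WEEK, 0) * rate * 1.5
        if hours > UIF_WEEK_THRESHOLD:            # 1% of normal remuneration, only in weeks > 24h
            uif += 0.01 * week_normal_rem
    return {"normal_rem": normal_rem, "overtime_rem": overtime_rem, "gross": normal_rem + overtime_rem,
            "provident": round(0.075 * normal_rem, 2),        # employee's 7.5% portion only
            "uif": round(uif, 2), "medical": round(0.75 * medical_monthly / 2, 2)}  # 75% share, halved

def recompute_exceptions(master=MASTER, payroll=PAYROLL, hours=ACCESS_HOURS, tol=0.01):
    """Compare each payroll transaction row with the figures recomputed from master and access data."""
    findings = []
    for row in payroll:
        if row["emp"] not in master or row["emp"] not in hours:
            findings.append((row["emp"], "payroll row without master record or access hours"))
            continue
        emp = master[row["emp"]]
        for field, value in expected_run(emp["rate"], hours[row["emp"]], emp["medical_monthly"]).items():
            if abs(row[field] - value) > tol:
                findings.append((row["emp"], f"{field}: file {row[field]} vs recomputed {value}"))
    return findings

def payment_exceptions(master=MASTER, payments=PAYMENTS):
    """Flag imprest-account payments that cannot be tied to a valid, current employee."""
    findings = []
    for p in payments:
        emp = master.get(p["emp"])
        if emp is None:
            findings.append((p["emp"], "paid but not on employee master file"))
        elif emp["termination"] and p["date"] > emp["termination"]:
            findings.append((p["emp"], "paid after termination date"))
    by_bank = {}                                  # two employee numbers on one bank account
    for num, emp in master.items():
        by_bank.setdefault(emp["bank"], []).append(num)
    findings += [(",".join(nums), f"share bank account {acct}") for acct, nums in by_bank.items() if len(nums) > 1]
    return findings
```

Each finding is an (employee number, reason) pair that would be carried forward as a sample item for substantive testing.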


REQUIRED:

QUESTION 1 (10 marks)

Prepare a report to the Board of Directors in which you discuss the disadvantages of the current use of stand-alone applications by STALPAM and recommend an alternative that could be implemented when the new information technology (IT) budget is tabled.

QUESTION 2 (25 marks)

Fully discuss the Board of Directors' responsibilities with regard to Principle 5.6 in the King Report on Governance for South Africa 2009 (King III), which states: "The board should ensure that information assets are managed effectively", and identify instances of non-compliance with this principle by STALPAM.

QUESTION 3 (30 marks)

Fully discuss the various forms of back-up and recovery that can be used by STALPAM for their database environment and recommend one alternative to the Board (you need to thoroughly motivate your recommendation with reference to the benefits and disadvantages of each possible method).

QUESTION 4 (30 marks)

Formulate procedures to verify that no fictitious employees exist in the wages system by explaining how you will utilise generalised audit software (GAS) to assist you in selecting transactions from the files described in the wages system for testing.

QUESTION 5 (5 marks)

Discuss the advantages and disadvantages related to continuous auditing as a computer assisted audit technique (CAAT) that can be applied by internal auditors.

