AFM341 Study Guide - Final Guide: Internal Control, Risk Assessment, Process Control

Which of the following is not a type of security control?

Directive Controls

Effective Controls

Preventive Controls

Corrective Controls

FIPS Publication 199 requires agencies to categorize their information system as

Low-impact

Medium-impact

High-impact

All of the above

Based on the FIPS PUB 200 The minimum security requirements cover -----------security -related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems

17

3

12

5

Federal agencies will have up to -----------year(s) from the date of final NIST Special Publication 800-53to fully comply with the changes but are encouraged to initiate compliance activities immediately.

Four

Three

Two

One

Security awareness

Is the same a professional education

Is the same as background checks and verifying education

Makes it easy to find out who is a security risk

Begins the first day of employment

Base on the NIST Special Publication 800-30, integration of Risk Management into the SDLC consist of ------------phases

10

5

3

6

Base on the NIST Special Publication 800-30, The risk assessment methodology encompasses -------- primary steps

A. Five

B. Eight

C. Nine

D. Two

Base on the NIST Special Publication 800-30, integration of Risk, the control categories for both technical and nontechnical control methods can be further classified as:

A. Preventive and detective

B. preventive and defensive

C. defensive and detective

D. preventive and supportive

Which of the following is not a risk mitigation method?

A. Risk Assumption

B. Risk avoidance

C. Risk study

D. Risk limitation

The risk assessment process is usually repeated at least every ------ years for federal agencies, as mandated by OMB Circular A-130

six

five

four.

Three

Based on the MITRE Corporation’s Trusted Systems Concepts, A combination of hardware, software, and firmware that implements the Reference Monitor concept is called

Assurance system

Reference validation mechanism

Trusted computing systems

Trusted computing mechanism

The Biba model was developed to protect which of the following?

Availability

Integrity

Confidentiality

Access control

The Bell-LaPadula model was developed to protect which of the following?

A. Availability

B. Integrity

C. Confidentiality

D. Access Control

Which model is concerned with who is authorized to give access to file and folders to other users?

A. Clark-Wilson

B. Bell LaPadula

C. Biba

D. Take-Grant

The following is a list of 12 control plans from this chapter:

Control Plans

A. Batch sequence check

B. Confirm input acceptance

C. Programmed edit checks

D. Manual agreement of batch totals

E. Online prompting

F. Cumulative sequence check

G. Electronic approvals

H. Document design

I. Procedures for rejected inputs

J. Compare input data with master data

K. Turnaround documents

L. Digital signatures

The following is a list of 10 system failures that have control implications:

System Failures

1. At Holeriver Company, customer orders are received in the mail in the sales department, where clerks enter individual orders online and then file the completed orders. For each order, the customer should receive an acknowledgement. When the customer fails to receive an acknowledgement, the customer calls to inquire. Inevitably, the sales clerk will find the customer’s order filed with other customer orders that had been entered into the computer.

2. At Prairie Inc., data entry clerks receive a variety of documents from many departments throughout the company. In some cases, unauthorized inputs are keyed and entered into the computer.

3. The tellers at Dixie Bank have been having difficulty reconciling their cash drawers. All customer transactions such as deposits and withdrawals are entered online at each teller station. At the end of the shift, the computer prints a list of the transactions that have occurred during the shift. The tellers must then review the list to determine that their drawers contain checks, cash, and other documents to support each entry on the list.

4. Data entry clerks at Courage Company use networked PCs to enter batches of documents into the computer. Recently, a number of errors have been found in key numeric fields. The supervisor would like to implement a control to reduce the transcription errors being made by the clerks.

5. At Dulce Inc., clerks in the accounting offices of Dulce’s three divisions prepare prenumbered general ledger voucher documents. Once prepared, the vouchers are given to each office’s data entry clerk, who keys them into an online terminal. The computer records whatever general ledger adjustment was indicated by the voucher. The controller has found that several vouchers were never recorded, and some vouchers were recorded twice.

6. Purchase orders at Etronics Corp. are prepared online by purchasing clerks. Recently, the purchasing manager discovered that many purchase orders are being sent for quantities far greater (i.e., incorrect quantities) than would normally be requested.

7. At David Brothers, Inc., a clerk on the trading floor mistakenly entered the dollar amount of a trade into the box on the computer screen reserved for the number of shares to be sold and then trans-mitted the incorrect trade to the stock exchange’s computer.

8. At Jefferson Company, clerks in the cash applications area of the accounts receivable office open mail containing checks from customers. They prepare a remittance advice (RA) containing the customer number, invoice numbers, amount owed, amount paid, and check number. Once prepared, the RAs are sent to a clerk who keys them into the computer. The accounts receivable manager has been complaining that the RA entry process is slow and error-prone.

9. Rudolf Company enters shipping notices in batches. Upon entry, the computer performs certain edits to eliminate those notices that have errors. As a result, many actual shipments never get recorded.

10. Jamie the hacker gained access to the computer system of National Bank and entered the data to transfer funds to his bank account inthe Turks and Caicos Islands.

Match the 10 system failures with a control plan that would best prevent the system failure from occurring. Because there are 12 control plans, you should have two letters left over.

Background
You are a junior auditor working for Forrest Gump & Co. (theFirm), an international chartered
accounting firm.
Your client, Wellness Pty Ltd (Wellness) operates the world-famousWellness Health Resort,
located in the Whitsunday Islands of northern Queensland.
While revenue from accommodation is an important factor in thefinancial success of Wellness
Health Resort, its profits are predominantly driven by the uptakeof additional services and
facilities by guests during their stay (e.g. use of the spa andwholistic health facilities, patronage
of the five restaurants and bars within the resort, and partakingin other fee-paying activities).
Wellness maintains its own website which allows guests to bookaccommodation at the resort
directly. This online booking system is monitored by thereservations team at Wellness which
consists of two full-time and three casual staff.
When a booking is made over the internet, an email is sent to thereservations team informing
them that a booking has been made. The resort’s booking system isautomatically updated at this
time. The reservations team is responsible for manually confirmingthe availability of the
accommodation, verifying the guest’s credit card details, issuingthe guest with an invoice, and
passing on the payment receipts to the accounts department. Theaccounts department then
processes the sale into the general ledger.
On a weekly basis, the junior accounts clerk in the accountsdepartment reconciles the payment
receipts, sent by the reservations team, to Wellness’s bankstatements. The bank statements are
emailed to Wellness in PDF form each week.
Any cancellations received by the reservations team are referred tothe accounts department
which organises for the guest’s payment to be refunded in full (or50% for cancellations made
within seven days of the guest’s anticipated arrival date).

Since the internet booking system is not technically up to date,Wellness intends to engage an IT
specialist to completely upgrade the system and eliminate the needfor manual checking of
details by the reservations staff.
Based on its discussions with the previous auditors, Wellnesschanged its revenue-recognition
policy prior to the current year audit. Previously, all revenuesearned were brought to account
when bookings were made (including internet bookings). Now,Wellness recognises:
 50% of the accommodation at the time of booking (put to the‘Deferred revenue:
accommodation’ account)
 50% of the accommodation seven days prior to the guest arriving(in accordance with
Wellness’s cancellation policy) which is immediately recognised as‘Revenue:
accommodation’ since this portion of the revenue is no longerrefundable to the guest.
You are currently in the planning stage of the 2014 audit.
Based on the review of the previous year’s audit files and theinformation gathered by the
Forrest Gump & Co. audit team during the planning stage, thehead of the audit team tells you
that he intends to adopt a combined audit approach for the 2014Wellness audit.
His expectation is that all controls at Wellness are operatingeffectively. He tells you that he
intends to place a high level of reliance on the controls atWellness as he does not expect there
will be any deviations.
He has now asked you to assist with the review of the internetbooking system at Wellness.

Required:
(a) Identify and explain two (2) key risks to the financial reportassociated with the internet booking system that may lead tomaterial misstatements being undetected and/or uncorrected. Note:For the
purpose of this question, disregard any risks arising from theinterface between the internet booking system and the generalledger system.

(b) For each risk identified in (a) above, identify whether it isan inherent risk or a control risk. Explain your answer.

(c) For each risk identified in (a) above, identify one (1) keyaccount balance at risk of material misstatement as a result of therisk (i.e. two (2) account balances in all).

(d) For each account balance identified in (c) above, identify andexplain one (1) key assertion that may be affected by the risk youidentified in (a) above.

(e) Based on your understanding of the control environmentsurrounding the internet booking system, describe one (1) keycontrol that you would seek to rely on in the conduct of the 2014audit of Wellness.

(f) For the control you identified in (e) above, design anappropriate procedure to test that control.

(g) For the procedure you described in (f) above, outline theresult you would expect if you determined that the control was notreliable.