Problem 10-21

Friggle Corp. is a leasing and property management company located in Alberta. It provides financing to organizations wishing to purchase equipment or property and manages apartments and condominium properties. The company decided that it was time to upgrade its local area network. It decided to also purchase new accounting software but wanted to retain its old unit maintenance software, which, although 10 years old, had an easy-to-use interface that allowed maintenance personnel to track the maintenance work that they did in each unit.

The controller, Joe, decided that the company should purchase the software from Midland Computers, which was owned by his brother-in-law, Tom. The prices were comparable with those of other computer networks that he priced, and Midland happened to be close by. Using materials from industry magazines, Joe decided that the best property management software to buy would be from Quebec; the software had received rave reviews about being easy to use.

The implementation was scheduled for the weekend after the June month-end close so that systems could be up and running by the following Monday. To Joe’s horror, when he arrived at work on Monday, computers were still being unpacked and installed. Tom had difficulty following the installation instructions for the accounting software, which was not up and running until the end of the week. General ledger details had to be manually entered, since the software could not handle the structure of the old accounts. At the end of two weeks, Joe had the old system put back up so that Friggle could catch up on transactions and get some work out the door. It took three months of 12-hour days for all accounting staff to get the new system operational. Unfortunately, the old maintenance systems would not work with the new operating system, and a new maintenance system had to be evaluated and purchased.

Required

Assess the IT governance at Friggle Corp.
For weaknesses that you identify, provide recommendations for improvement.

Governance Solutions-1

Solution to 10-21

There appears to be no information technology governance at all (assessed as “low”) for Friggle Corp. Following are specific weaknesses, with recommendations for improvement in brackets:

1. The controller was able to have a network installed by a relative, a clear conflict of interest. – All new acquisitions should be approved by an executive committee and should require independent tenders.
2. Software was purchased without a clear understanding of the organization’s needs. – Any software should be purchased only after documenting the organization’s needs and matching the needs to the software.
3. The old system could not function with the new operating system, so it could not be used. – Technical issues should be independently verified before purchasing new software.
4. Software purchases and information systems acquisitions were not linked to the business strategy of the organization. – Develop an information systems strategy that is linked to the business strategy of the organization.

Problem 10-22

Turner Valley Hospital plans to install a database management system, Hosp Info, that will maintain patient histories, including tests performed and their results, vital statistics, and medical diagnoses. The system will also manage personnel and payroll, medical and non-medical supplies, and patient and provincial health-care billings. The decision was taken by the board of the hospital on the advice of a consultant who was a former employee of Medical Data Services Inc., the developer of Hosp Info. Turner Valley Hospital’s chief information officer has come to your accounting firm to ask for advice on what general controls she should ask Medical Data Services Inc. to install to preserve the integrity of the information in the system and to deal with privacy issues.
The system would permit data about patients to be entered by doctors, nurses, and medical technologists.

Required

a) Describe in general terms the controls you would suggest for the system as a whole.
b) Considering the nature of Turner Valley Hospital, describe the potential risks the hospital should be concerned about with respect to Hosp Info.
c) What are the advantages of such a database management system?
d) How would the quality of general controls at the hospital affect your audit?

Solution to Problem 10-22

a. Following is a representative example of controls that could be put in place:

– access to information such as payroll, medical records and medical data, personnel records, supplies (especially medical), accounts receivable, and accounts payable, limited by multiple and/or single passwords or access codes
– each department with a password or access code and each person who has access to restricted files with their own password or code
– the computer program automatically recording who accessed the file and when
– access codes or passwords ceasing on termination of employment
– access codes or passwords periodically changed
– inability to alter or delete patient medical information without proper authorization, once it is entered and saved
– programming that accepts only valid healthcare numbers
– healthcare numbers that are used more than a certain number of times flagged and brought to someone’s attention
– daily back-ups of all data
– back-ups stored off site
– segregation of duties: staff who enter data different from those who receive or issue payments
– virus detection software
– all receivable and payable transactions numbered; the system must identify missing or duplicated numbers

b. Following is a representative example of risks:

– contamination of confidential files from unauthorized access
– viruses destroying or altering files
– theft of supplies, especially medicine, due to altered or contaminated data files
– unauthorized access to confidential patient medical information or accidental altering of information
– fraudulent or expired healthcare numbers being used, which would result in incurred expenses with no financial compensation
– fraudulent cheques being issued through the payroll system

c. Advantages include:

– information quickly and easily accessible to authorized personnel
– large amounts of data kept organized and functional
– paperless data storage and retrieval
– efficient billing system that would result in speedier revenue collection
– if the internal controls are adequate, decreased losses through theft or error
– decreased costs to collect and maintain accurate information

d. If the quality of general controls is good, then the auditor may also be able to rely upon a number of controls that improve the quality of data and potentially the quality of the application controls. Examples of good general controls that would promote a lower control risk include: segregation of duties in information technology, a well-organized and documented systems development and maintenance process, and access being enforced using well-organized password systems.
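
Three of the controls in solution (a) to Problem 10-22 can be run as exception reports: access logged after a user's termination, missing or duplicated transaction numbers, and healthcare numbers used more than a set number of times. The Python below is an added example, not part of the original solution; the record layouts, user names, placeholder healthcare numbers and the threshold of 3 are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from the original page).
TERMINATED = {"nurse07": date(2024, 3, 10)}      # user -> last day of employment
ACCESS_LOG = [                                   # (user, file, access date)
    ("dr_lee", "patient/4411", date(2024, 3, 9)),
    ("nurse07", "patient/4411", date(2024, 3, 9)),
    ("nurse07", "patient/5120", date(2024, 3, 14)),
]
BILLINGS = [                                     # (transaction no., healthcare no.)
    (1001, "HCN-A"), (1002, "HCN-B"), (1004, "HCN-A"),
    (1005, "HCN-A"), (1005, "HCN-C"), (1008, "HCN-A"),
]

def access_after_termination(log, terminated):
    """Log entries dated after the user's last day of employment."""
    return [e for e in log
            if e[0] in terminated and e[2] > terminated[e[0]]]

def sequence_exceptions(numbers):
    """Return (missing, duplicated) numbers in a pre-numbered series."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    missing = [n for n in range(min(counts), max(counts) + 1)
               if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated

def overused_health_numbers(billings, max_uses):
    """Healthcare numbers billed more than max_uses times in the period."""
    uses = Counter(hcn for _, hcn in billings)
    return {hcn: c for hcn, c in uses.items() if c > max_uses}

def exception_report(log, terminated, billings, max_uses=3):
    """Collect all three exception lists for review by someone independent."""
    missing, duplicated = sequence_exceptions([n for n, _ in billings])
    return {
        "access_after_termination": access_after_termination(log, terminated),
        "missing_numbers": missing,
        "duplicated_numbers": duplicated,
        "overused_health_numbers": overused_health_numbers(billings, max_uses),
    }

if __name__ == "__main__":
    for name, items in exception_report(ACCESS_LOG, TERMINATED, BILLINGS).items():
        print(name, items)
```

A non-empty `access_after_termination` list means the "access codes ceasing on termination" control failed in operation, which is the kind of evidence that bears on the control-risk assessment in part (d).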