Governance Solutions

Problem 10-21
Friggle Corp. is a leasing and property management company located in Alberta. It provides financing to
organizations wishing to purchase equipment or property and manages apartments and condominium properties.
The company decided that it was time to upgrade its local area network. It decided to also purchase new
accounting software but wanted to retain its old unit maintenance software, which, although 10 years old, had an
easy-to-use interface that allowed maintenance personnel to track the maintenance work that they did in each
unit. The controller, Joe, decided that the company should purchase the software from Midland Computers,
which was owned by his brother-in-law, Tom. The prices were comparable with those of other computer
networks that he priced, and Midland happened to be close by. Using materials from industry magazines, Joe
decided that the best property management software to buy would be from Quebec; the software had received
rave reviews about being easy to use.
The implementation was scheduled for the weekend after the June month-end close so that systems could
be up and running by the following Monday. To Joe’s horror, when he arrived at work on Monday, computers
were still being unpacked and installed. Tom had difficulty following the installation instructions for the accounting
software, which was not up and running until the end of the week. General ledger details had to be manually
entered, since the software could not handle the structure of the old accounts. At the end of two weeks, Joe had
the old system put back up so that Friggle could catch up on transactions and get some work out the door. It
took three months of 12-hour days for all accounting staff to get the new system operational. Unfortunately, the
old maintenance systems would not work with the new operating system, and a new maintenance system had to
be evaluated and purchased.
Required
Assess the IT governance at Friggle Corp. For weaknesses that you identify, provide recommendations for
improvement.
Solution to 10-21
There appears to be no information technology governance at all (assessed as “low”) for Friggle
Corp. Following are specific weaknesses, with recommendations for improvement in brackets:
1. The controller was able to have a network installed by a relative, a clear conflict of interest.
– All new acquisitions should be approved by an executive committee and require independent tenders.
2. Software was purchased without a clear understanding of the organization’s needs.
– Any software should be purchased only after documenting the organization’s needs and matching the needs to the software.
3. The old system could not function with the new operating system, so it could not be used.
– Technical issues should be independently verified before purchasing new software.
4. Software purchases and information systems acquisitions were not linked to the business strategy of the organization.
– Develop an information systems strategy that is linked to the business strategy of the organization.
Problem 10-22
Turner Valley Hospital plans to install a database management system, Hosp Info, that will maintain patient
histories, including tests performed and their results, vital statistics, and medical diagnoses. The system will
also manage personnel and payroll, medical and non-medical supplies, and patient and provincial health-care
billings. The decision was taken by the board of the hospital on the advice of a consultant who was a former
employee of Medical Data Services Inc., the developer of Hosp Info.
Turner Valley Hospital’s chief information officer has come to your accounting firm to ask for advice on what
general controls she should ask Medical Data Services Inc. to install to preserve the integrity of the information in
the system and to deal with privacy issues.
The system would permit data about patients to be entered by doctors, nurses, and medical technologists.
Required
a) Describe in general terms the controls you would suggest for the system as a whole.
b) Considering the nature of Turner Valley Hospital, describe the potential risks the hospital should be
concerned about with respect to Hosp Info.
c) What are the advantages of such a database management system?
d) How would the quality of general controls at the hospital affect your audit?
Solution to Problem 10-22
a. Following is a representative example of controls that could be put in place:
– access to information such as payroll, medical records and medical data, personnel records, supplies (especially medical), accounts receivable, and accounts payable, limited by multiple and/or single passwords or access codes
– each department with a password or access code and each person who has access to restricted files with their own password or code
– the computer program automatically recording who accessed the file and when
– access codes or passwords ceasing on termination of employment
– access codes or passwords periodically changed
– inability to alter or delete patient medical information without proper authorization, once it is entered and saved
– programming that accepts only valid healthcare numbers
– healthcare numbers that are used more than a certain number of times flagged and brought to someone’s attention
– daily back-ups of all data
– back-ups stored off site
– segregation of duties, staff who enter data different from those who receive or issue payments
– virus detection software
– number all receivable and payable transactions, the system must identify missing or duplicated numbers
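The healthcare-number and transaction-numbering controls in the list above, sketched as an added example that is not part of the original solution. The record layout, the `HC-` number format, the registry of issued numbers and the use threshold are assumptions, and all data is constructed.

```python
from collections import Counter

# Constructed sample billings: (transaction_number, healthcare_number).
SAMPLE_BILLINGS = [
    (1001, "HC-0001"), (1002, "HC-0002"), (1003, "HC-0001"),
    (1005, "HC-0003"), (1005, "HC-0001"), (1006, "HC-0001"),
    (1007, "HC-9999"),
]
# Assumption: a healthcare number is "valid" if it is in the registry of issued numbers.
REGISTERED = {"HC-0001", "HC-0002", "HC-0003"}


def sequence_exceptions(numbers):
    """Return (missing, duplicated) transaction numbers in the observed range."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def healthcare_number_exceptions(billings, registered, max_uses):
    """Return (unregistered, overused) healthcare numbers."""
    uses = Counter(hc for _, hc in billings)
    unregistered = sorted(hc for hc in uses if hc not in registered)
    overused = sorted(hc for hc, c in uses.items()
                      if hc in registered and c > max_uses)
    return unregistered, overused


def exception_report(billings, registered, max_uses=3):
    """Combine both checks into one report for a reviewer to follow up."""
    missing, duplicated = sequence_exceptions([n for n, _ in billings])
    unregistered, overused = healthcare_number_exceptions(billings, registered, max_uses)
    return {"missing": missing, "duplicated": duplicated,
            "unregistered": unregistered, "overused": overused}


if __name__ == "__main__":
    for name, items in exception_report(SAMPLE_BILLINGS, REGISTERED).items():
        print(f"{name}: {items}")
```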
b. Following is a representative example of risks:
– contamination of confidential files from unauthorized access
– viruses destroying or altering files
– theft of supplies, especially medicine, due to altered or contaminated data files
– unauthorized access to confidential patient medical information or accidental altering of information
– fraudulent or expired healthcare numbers being used, which would result in incurred expenses with no financial compensation
– fraudulent cheques being issued through the payroll system
c. Advantages include:
– information quickly and easily accessible to authorized personnel
– large amounts of data kept organized and functional
– paperless data storage and retrieval
– efficient billing system that would result in speedier revenue collection
– if the internal controls are adequate, decreased losses through theft or error
– decreased costs to collect and maintain accurate information
d. If the quality of general controls is good, then the auditor may also be able to rely upon a number of
controls that improve the quality of data and potentially the quality of the application controls. Examples of
good general controls that would promote a lower control risk include: segregation of duties in information
technology, a well-organized and documented systems development and maintenance process, and access
being enforced using well-organized password systems.