PAPER 1
QUESTION 2 50 marks
You are the external auditor of ABC Ltd, a business offering consultancy services, that is highly
dependent on its computer systems. In view of the 11 September attacks on the World Trade Center
in New York, management is concerned that, as the company's operations are concentrated in a
prominent building, the business may be vulnerable to a disaster. The spate of biochemical threats,
such as Anthrax attacks, that have the potential to cause severe illness and to require the immediate
evacuation of buildings, is particularly disturbing. Therefore the management of ABC Ltd performed
a rigorous test of the company's disaster recovery plan by simulating a full-scale disaster.
The technical Information Technology (IT) aspects of the plan worked adequately and the computer
systems were restored within the expected, albeit lengthy, timeframe. However, the simulation
indicated a potential for breakdowns in the operation of normal financial controls during such a
disaster situation. In view of these findings, the managing director is concerned that financial
administration procedures have not been appropriately considered in the disaster recovery plan.
The managing director has accordingly asked you to make recommendations to improve internal
financial controls that would be operating during a disaster. To assist him in his assessment of the
significance of the risks involved, he has also asked that you provide him with a financial analysis and
comments on the financial consequences relevant to a disaster situation.
You have held discussions with various officials of ABC Ltd. They have provided you with information
on the recent disaster simulation and their understanding of the financial implications of a real-life
disaster. Your notes from these discussions are set out in the attachment on pages 5–7.
REQUIRED
Write a letter to the managing director, in which you discuss the following:
(a) The potential weaknesses, and your recommendations for improvements, in internal financial
controls relevant to a disaster. (35)
(b) The potential financial risks and implications thereof facing ABC Ltd in the event of a disaster.
(10)
(c) Your recommendations for improvements to the disaster recovery plan of ABC Ltd in respect
of the financial accounting systems. (5)
PLEASE REFER TO THE ATTACHMENT ON PAGES 5–7 FOR INFORMATION
GATHERED FROM MANAGEMENT REGARDING
DISASTER RECOVERY PLANNING
ATTACHMENT
INFORMATION GATHERED FROM MANAGEMENT
REGARDING
DISASTER RECOVERY PLANNING
Background information on ABC Ltd
The company has approximately 300 employees, the majority of whom are highly skilled. The
executives who were interviewed consider people and the firm's reputation to be the company's
key assets.
ABC Ltd had R2 million in its bank account according to the most recent bank statement.
The company maintains an investment portfolio of approximately R36 million, most of which is
invested in money market securities in order to ensure sufficient liquidity to meet operational
demands for cash. The related bearer scrip is held in safe custody on the company's premises.
These investments are managed by the financial director, who is responsible for all treasury
activity in the company. The investment strategy is determined jointly by the financial and
managing directors.
The company's computer application software runs on Microsoft® NT server hardware located
at its offices. As the computer hardware is standard equipment in widespread use, management
has not considered it necessary to make special arrangements for a backup site or for a
preferential supply arrangement with the hardware supplier. However, the company does
maintain backup copies of all its software and recent data in a fireproof safe at its offices.
An abridged income statement for the 12 months ended 31 December 2002 is as follows:
R'000
Fee income 301 245
Interest and investment income 4 379
Administration expenses (86 893)
Staff costs (202 749)
Net profit before taxation 15 982
Clients generally pay on completion of service delivery.
Information on financial controls
All payments must be authorised by two company officials whose names appear on an approved
list of signatories. Creditor and salary payments are normally made by means of electronic
transfer facilities provided by the company's bank. Company policy requires that one of the two
signatories should always be either the financial director or the managing director. The
company maintains a chequebook for emergencies, although this has not been used for a
considerable period.
Purchase orders must be placed on official company order stationery and signed in authorisation
by the appropriate business line head. An inventory of pre-numbered order stationery is
maintained at the company's office premises.
Monthly payroll processing is performed by the human resources department, which is also
responsible for maintaining personnel records and keeping track of changes in the employee
base. The company also makes use of temporary staff, sourced from various agencies, to
supplement its permanent workforce. Transactions with these agencies are treated as normal
purchases.
The accounting records are maintained by a team of two bookkeepers who use financial
accounting software generally available in the market. As financial accounting is not considered
critical to the survival of the business in the event of a disaster, this software is not addressed
by the company's disaster recovery plan. One of the bookkeepers is responsible for preparing
the bank reconciliation on a monthly basis, while the other is responsible for payment
processing. The finance department also maintains a small petty cash fund for incidental
expenses.
Information on the disaster simulation
The disaster simulation was designed to be as realistic as possible. A key assumption was that
the business would have to evacuate its offices following a biochemical attack and that the
company could not rely on the availability of key staff members.
During the simulation management therefore had to take ad hoc decisions on such matters as
where to relocate its staff and how to enable them to resume normal business operations as
soon as possible.
Furthermore, due to the loss of certain key staff in the disaster, decisions would often have
to be taken quickly by employees who under normal circumstances would not be making such
decisions.
The following are examples of problems that were experienced and decisions that were taken
during the simulation:
· The IT manager mentioned that when the company placed orders to replace a significant
proportion of its server hardware, the supplier quoted premium prices and penalties because
of the urgent delivery deadlines. The cost of this hardware would amount to R2 million.
· Management relocated to a temporary crisis centre at the residence of the managing
director for the duration of the simulation. Fortunately the house had an ISDN phone line
and separate fax line, which enabled initial telecommunications. However, a decision was
taken to allow all staff involved in the simulation to communicate primarily by means of
cellular telephones.
· Management could not establish who had visited the company's offices immediately prior to
the disaster and, in any event, was uncertain of the period during which the biochemical
agent could infect its clients and staff. Accordingly, it decided to reimburse the cost of
medical examinations and advice incurred by its staff, clients and suppliers.
· The disaster simulation was timed to coincide with the monthly processing of the salary
payments. The human resources manager mentioned that, as a result of the evacuation of
the offices, the payroll staff was unable to access the salary records and payroll application
software. This would have rendered the company unable to pay its employees for the
month. In the absence of accurate salary information, management decided to provide
employees with short-term loans on an interest-free basis to cover their living expenses.
These loans would be for a standard amount of R30 000. However, management could be
approached for additional loans in the case of financial hardship. In addition, employees
would be requested to provide details of any third party commitments normally deducted
from their salaries and paid on their behalf, so that the company could continue to make
these payments on a timely basis.
· In order to meet a higher demand for ad hoc payments in the aftermath of the disaster,
the managing director arranged for an additional supply of cheque books from the company's
bank. His plan was to have the second signatory sign the blank cheques in advance so that
he could make emergency payments as and when required.
The disaster recovery plan focused on re-establishing those business lines and related
processes that made critical contributions to the company's revenue. The recovery strategy
included the use of loss-of-profits insurance to cover the period during which these business
lines could not operate. The insurance policy requires any claim to be supported by accurate
cost records.
The disaster simulation indicated that sufficient IT infrastructure could be re-established
within three days to enable resumption of critical business operations and thus consultancy
services. This would enable the company to generate approximately 60% of its normal revenue.
The remaining business operations, together with the administrative functions, could take much
longer to restore. Business line heads would be responsible for informing affected employees
that they should remain at home until required. The disaster recovery plan does not address
whether this enforced absence is regarded as leave. Management estimate that this could
initially represent 50% of the workforce. However, in order to maximise revenue and improve
cash flow during such a crisis period, staff members would be encouraged to work from home as
far as possible and to continue to sell services to the company's clients. These employees would
also be allowed to prepare manual invoices for consultancy work performed during this period on
company letterheads and to attempt to obtain payment for work completed.