A new hotel opened for operations on February 1, 2016, in Abuja. The directors at their board meeting in September 2016 selected December as the hotel’s year-end. Also, from the conception of the hotel, it was decided to fully computerize the hotel and its operations. This will make the hotel stand out and attract clientele in the federal capital territory where there are many other hotels with strong competition.

The room doors are electronically operated and use electronic cards for opening. If a customer does not specify the duration of his/her stay and have the lock programmed accordingly, the door will lock at 12 noon, requiring the customer to go back to the reception for access. Furthermore, all accounting and other processes are computerized.

The IT company that handled the computerization agreed to leave a member of staff who will train the hotel’s staff for three months and ensure that the system operates efficiently. Management believes that the staff will familiarize themselves with the system within that period. The server handles all doors, accounting processes including billing, and the determination of room occupancy rate on a daily basis. Various units of the hotel have desktop units which key employees use both for ordering and for communicating among themselves. The server is located next to the office of the operations manager, who is responsible for overseeing it in addition to other duties.

The last quarterly report on the hotel activities was not consistent with expectations, and the occupancy rate did not match turnover. The management of the hotel approached your firm of chartered accountants to be engaged as auditors to the hotel. Your review and interactions as the leader of the audit team revealed the information disclosed above.

Required:

Evaluate and apply the relevant general and application controls necessary to be installed in the hotel’s information environment.
(Total 20 Marks)

General Controls

  1. Access Control:
    • Physical Access: Secure access to the server room, which should be locked and restricted to authorized personnel only. Since the server is next to the operations manager’s office, implementing biometric or card-based access for additional security is advisable.
    • Logical Access: Staff should be assigned unique usernames and strong passwords, with different access levels according to their roles. Only authorized personnel should access sensitive financial and occupancy data.
  2. Data Backup and Recovery:
    • Regular backups of critical data, including guest information, financial transactions, and occupancy records, should be scheduled. Backups must be stored in a secure, off-site location to ensure recovery in the event of system failure.
    • A disaster recovery plan should be established, outlining procedures for restoring data and systems after incidents such as server crashes or data breaches.
  3. Server and Network Security:
    • Install firewalls and antivirus software to protect the server from external attacks and malware. The network should be segmented to prevent unauthorized access to sensitive data, isolating guest networks from staff networks.
    • Regular vulnerability assessments and penetration testing should be performed to identify and mitigate security weaknesses in the system.
  4. Audit Trails:
    • Enable logging and tracking of user activities within the system. This will help monitor access and detect unauthorized modifications to data or system settings.
    • Audit logs should be regularly reviewed by IT management to identify suspicious activity and verify that data integrity is maintained.
  5. Training and IT Staff Support:
    • Regular training sessions should be conducted to ensure that employees understand the importance of data security, access control, and how to use the computerized system effectively.
    • The hotel should consider extending the IT support beyond the initial three-month period by either retaining a member of the IT company or hiring an in-house IT specialist to manage ongoing technical issues and provide support.

Application Controls

  1. Input Controls:
    • Set up validation checks to ensure data accuracy during input. For example, customer check-in and check-out times should be automatically captured, and system prompts can verify the accuracy of billing entries.
    • Develop controls to validate occupancy rates and ensure they align with the turnover figures. Any discrepancies should be flagged and investigated.
  2. Processing Controls:
    • Implement controls that verify calculations within the billing and occupancy systems. For instance, room rates, taxes, and service charges should be automatically calculated, minimizing human error in financial data.
    • Automated reconciliation of room occupancy with billing records should be established to identify inconsistencies in occupancy rates and revenue data.
  3. Output Controls:
    • Generate periodic reports on occupancy rates, revenue, and customer billing, which should be reviewed by management for accuracy and consistency with expectations.
    • Develop exception reports that highlight unusual transactions or discrepancies in financial and occupancy data, enabling timely investigation.
  4. User Interface and Navigation Controls:
    • Ensure that the system interface is user-friendly and that employees can easily navigate functions without confusion. Clear on-screen prompts and messages should guide employees through tasks to prevent errors.
    • Limit access to certain system functions based on user roles. For example, only accounting staff should be able to access financial reports, while front desk staff may only view check-in and check-out details.
  5. Error Handling and Recovery:
    • Set up automatic error-detection mechanisms within the system. For example, if a room occupancy rate does not match the recorded revenue, an error message should prompt the user to investigate and correct the issue.
    • Ensure that error logs are maintained for management review, identifying frequent system errors that may indicate a need for further training or system adjustments.
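The reconciliation and exception reporting described under the input, processing, output and error-handling controls can be sketched as follows. This is an added example, not part of the model answer; the record layouts, the flat nightly rate and the sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; field layouts and the flat room rate are assumptions.
TOTAL_ROOMS = 4
ROOM_RATE = 25000  # assumed nightly rate

# (date, room) pairs from the door-lock records: a card was active for that night.
LOCK_EVENTS = [
    ("2016-09-01", 101), ("2016-09-01", 102), ("2016-09-01", 103),
    ("2016-09-02", 101), ("2016-09-02", 104),
]
# (date, room, amount) rows from the billing module.
BILLING = [
    ("2016-09-01", 101, 25000), ("2016-09-01", 102, 25000),
    ("2016-09-02", 101, 20000), ("2016-09-02", 103, 25000),
]

def reconcile(lock_events, billing, total_rooms=TOTAL_ROOMS, rate=ROOM_RATE):
    """Match occupied room-nights against billed room-nights."""
    occupied = set(lock_events)          # duplicates of a room-night collapse
    billed = defaultdict(int)
    for date, room, amount in billing:   # several invoice lines may share a night
        billed[(date, room)] += amount

    exceptions = []
    for key in sorted(occupied | set(billed)):
        if key not in billed:
            exceptions.append((*key, "OCCUPIED_NOT_BILLED"))
        elif key not in occupied:
            exceptions.append((*key, "BILLED_NOT_OCCUPIED"))
        elif billed[key] != rate:
            exceptions.append((*key, "AMOUNT_MISMATCH"))

    # Daily summary: occupancy rate beside expected and billed turnover.
    summary = {}
    for date in sorted({d for d, _ in occupied | set(billed)}):
        rooms = sum(1 for d, _ in occupied if d == date)
        revenue = sum(a for (d, _), a in billed.items() if d == date)
        summary[date] = {"occupancy_rate": rooms / total_rooms,
                         "expected": rooms * rate, "billed": revenue}
    return exceptions, summary

if __name__ == "__main__":
    exceptions, summary = reconcile(LOCK_EVENTS, BILLING)
    for row in exceptions:
        print("EXCEPTION", *row)
    for date, figures in summary.items():
        print(date, figures)
```

Each exception row is a room-night for management to investigate; the daily summary places the occupancy rate next to expected and billed turnover so that a mismatch is visible at a glance.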

Summary of Controls Implementation

Implementing these general and application controls will enhance the hotel’s system security, data accuracy, and operational efficiency. With strong access, data security, and processing controls in place, the hotel can ensure that financial records and occupancy data are reliable. Additionally, these controls will help mitigate risks associated with IT system reliance, ensuring compliance with accounting and auditing standards, and addressing any discrepancies between occupancy rates and revenue figures in a timely manner.
