Deng Xiu IT General Controls Case

Title: Deng Xiu IT General Controls Case
Course: Enterprise Process Analysis and Design
Institution: Arizona State University


IT General Controls Case: Foods Fantastic Company

IT General Controls Matrix

Part A: Strengths and Weaknesses

| ITGC Area | Summary of Issue | Strength or Weakness |
|---|---|---|
| IT Management | FFC has an IT strategic plan. | Strength |
| IT Management | The Chief Information Officer reports to the Executive Vice President and Chief Financial Officer. | Strength |
| IT Management | The VP Applications, VP Operations, VP Information Security, and VP Database Administration report to the CIO. | Weakness |
| IT Management | FFC has an IT Steering Committee. | Strength |
| Systems Development | FFC designs, develops, and implements systems in a logical fashion by following the SSADM standard. | Strength |
| Systems Development | Internal controls are considered and implemented by the VP of Applications as an integral part of systems design. | Strength |
| Systems Development | FFC's internal audit is a voting member of project teams for new systems development; it performs post-implementation reviews on projects over $2 million. | Strength |
| Systems Development | The audit team's observations of the systems development process for the new bio-coding payment system confirm that the VP of Applications complied with SSADM requirements when implementing the new system. | Strength |
| Data Security | The data center computer room is locked at all times; application programmers, outside contractors, and visitors do not have access until properly authorized, and are escorted at all times by data center personnel. | Strength |
| Data Security | FFC's computer room is adequately protected from environmental dangers through temperature controls, an uninterrupted power supply, a backup generator, fire-extinguishing equipment, and a raised floor. | Strength |
| Data Security | FFC controls logical access to its information systems through a password authentication system; however, it lacks multifactor and multimodal identification. | Weakness |
| Data Security | FFC has an IT security policy, but it is outdated (last revised in 2005). | Weakness |
| Data Security | FFC produces logical access violation reports on a daily basis. | Strength |
| Data Security | FFC IT personnel do not adhere to IT policy and follow IT procedures; for instance, the VP of Information Security is supposed to review logical access violation reports on a monthly basis, but the reports have not been reviewed during the past 6 months. | Weakness |
| Change Management | FFC has and follows formal change management procedures; the VP of Applications is responsible for change management. | Strength |
| Change Management | The audit team verified that FFC followed the approved change management procedures when making the bio-code payment-related changes to its cash receipts processing and other financial reporting application programs. | Strength |
| Change Management | The programmers/IT personnel adequately tested the new bio-coding payment system before implementation through integration testing, stress testing, and user acceptance testing. | Strength |
| Change Management | The application programmer who made the code changes tests the changes in the system's development region before moving them to the system's test region, where they are further tested by a second programmer; tested changes are not put into production until the VP of Operations officially accepts the change. | Strength |
| Business Continuity Planning | FFC has no documented business continuity or disaster recovery plan. | Weakness |
| Business Continuity Planning | Since FFC does not have a business continuity plan, it has no plan to test. | Weakness |
| Business Continuity Planning | FFC backs up its data and software each day; the data and software are stored at a company-owned offsite location. | Strength |
| Business Continuity Planning | In the past fiscal year, no incidents occurred, so FFC did not have to recover its systems from its backup tapes. | Strength |

Part B: Risk Assessment for each ITGC area (Low, Medium, or High)

| ITGC Area | Risk Assessment |
|---|---|
| IT Management | Low |
| Systems Development | Low |
| Data Security | High |
| Change Management | Low |
| Business Continuity Planning | Medium |

IT General Controls Risk Assessment Report
Foods Fantastic Company
Xiu Deng
March 12, 2014

Background: Foods Fantastic Company (FFC) is a publicly traded, regional grocery store chain with locations across the mid-Atlantic area. Relying heavily on application programs to manage its information, FFC recently implemented a new fingerprint bio-coding payment system to further its competitive edge. Such a new systems implementation requires an ITGC review to ensure that FFC's complex and sophisticated IT processing meets established criteria as well as SAS and SOX requirements.

Purpose: The purpose of an ITGC review is to examine the controls of FFC's information system to assess its compliance with internal controls. ITGC reviews are very important because these controls provide the foundation for reliance on the financial information produced by FFC.

Scope: To develop the risk assessments, the team first began the planning process by selecting the five areas with the highest risk and threat factors: IT management, systems development, data security, change management, and business continuity planning (BCP). Next, the team identified the preventive, detective, or corrective controls for each area. To determine whether the controls are actually in place, the team collected evidence by reviewing documentation of FFC's policies and procedures (e.g. checking whether the policies actually state that the VP of Information Security must review keycard access reports once per quarter), discussing with and interviewing FFC client personnel (e.g. verifying with Human Resources who the Transfers and Terminations report is sent to), observing the company's various operations and procedures related to its ITGCs (e.g. observing the VP of Applications putting the change management documentation in the fireproof vault), and performing physical examinations (e.g. visiting the data center computer room to see whether there is an uninterrupted power supply). Once a systems review is complete, the team tests the controls to verify whether each is working properly or is weak (e.g. with logical access controls in place, the team tries to break into the system). After this risk assessment, each area and its control issues are assigned a level of risk (High, Medium, or Low).

Findings: The overall risk assessment is "Medium" for the combined areas of IT Management, Systems Development, Data Security, Change Management, and Business Continuity Planning.

Beginning with IT Management, the team assigns an overall "Low" risk level because FFC addressed most of the concerns favorably. On the question of whether FFC has an IT strategic plan, the answer is yes, and the plan aligns with the corporate strategic plan, which is important for following management's philosophy; the team identified this control strength by setting up an interview with the CIO and tested it by comparing the IT strategic plan outline with the corporation's. Similarly, the concerns of segregation of duties and organizational structure (preventive controls) are also strengths in the IT management area: the VPs of Applications, Operations, Information Security, and Database Administration report to the CIO, the CIO reports to the Executive VP & CFO, and a steering committee exists; this information was collected by reviewing the company's policies manual and verifying with Human Resources. Lastly, the only weakness is the current vacancy of the VP for Database Administration position, which may be a flaw in the methods of assigning authority and responsibility and in segregation of duties; however, discussions with the CIO established that the VP of Applications currently covers the DBA function and that HR hopes to hire someone within six to eight months. Since the preceding strengths compensate for this one weakness, the overall risk assessment for IT Management is "Low".

Next, for Systems Development, the team assigns an overall "Low" risk level because all individual concerns had control strengths. For example, FFC has a strength in designing, developing, and implementing systems in a logical fashion based on the company's SSADM standards. Information collected from interviewing the VP of Applications and confirmed against documentation of the process shows that when a new system is requested, the VP of Applications assigns a project manager, and the IT personnel also thoroughly tested the new bio-coding payment system prior to its implementation; examples of these tests include integration testing, stress testing, and user acceptance testing, after which the user departments verify the tests and accept the new system. These actions reflect that internal controls are an integral part of systems design: a standard (SSADM) is followed, thorough testing is performed by multiple parties, and approval is determined by users. As for the internal audit department's involvement in systems development, it acts as a voting member of audit teams and only performs post-implementation reviews on projects over $2 million. This control maintains objectivity by having the auditor perform independent evaluations without being directly involved in system development. With strengths in all issue areas, Systems Development is thus "Low" in risk level.

In the area of Data Security, the overall risk level is "High" because the security controls of policies and procedures are not being followed by the VP of Information Security and there are weaknesses in multiple control concerns. Although FFC restricts physical access to its data center computer room by locking the room at all times and having data center personnel escort programmers, contractors, and visitors, the IT security policy is outdated (revised in 2005) and lacks a disaster recovery plan. Additionally, although there are restrictions on logical access, FFC uses only one type of preventive control, password authentication, which lacks further multifactor and multimodal identification when accessing the information system. Although the computer room is protected against environmental dangers (e.g. a raised floor) and FFC produces access violation reports, the VP of Information Security has not reviewed the unauthorized system access reports or the keycard access reports in 6 months. With weaknesses in multiple issue areas, Data Security is ranked "High" in risk level.

In regard to Change Management, an overall risk level of "Low" is given because there are strengths in all the concern issues: FFC follows a formal change management procedure that makes the VP of Applications responsible for the process. An observation visit to the test regions and the VP of Applications' office established that he maintains all documentation in a fireproof vault, uses change logs to keep track of and follow up on changes, reviews user-approved request forms, has changes thoroughly tested by the application programmer in the development and test regions (where changes are never tested against production data), and does not put tested changes into production until the VP of Operations officially accepts the change. These controls are all properly followed, and in the case of the bio-coding payment system, the audit team verified that FFC also followed the approved change management procedures when making changes to the system's cash receipts processing and other financial reporting application programs. Therefore an overall "Low" risk assessment is scored for Change Management.

In the area of Business Continuity Planning, an overall risk level of "Medium" is assessed due to the non-existence of a BCP and a disaster recovery plan. Since no plan exists, the company is exposing itself to vulnerabilities in restoring its IT capabilities in the event of a disaster, owing to the lack of such preventive and availability controls. From meeting and interviewing the CFO, the findings conclude that there is no documentation of such plans; however, a compensating control is that FFC backs up its data and software each day, with the data and software stored at a company-owned offsite location. Additionally, no incidents occurred in the past fiscal year, which provides another level of assurance. Although the BCP and disaster recovery plans are not there, a strong off-site backup center compensates, leaving an overall "Medium" risk assessment for the area of BCP.

Conclusion: Overall, FFC's assessed level of ITGC risk is scored "Medium". The reason for this overall score is that, after analyzing the five areas of IT Management, Systems Development, Data Security, Change Management, and Business Continuity Planning, the risk levels of the areas outweigh and compensate for one another. There are three low risk levels, for IT Management, Systems Development, and Change Management, reflecting that IT management fosters a culture of segregation of duties and alignment with corporate strategic goals; proper procedures for Systems Development and Change Management also reflect a formal and controlled method of updating and implementing new and existing systems. These strengths of a controlled system fairly compensate for the "High" risk in Data Security and the "Medium" risk in Business Continuity Planning. FFC appears to be lacking in safety and continuity; thus a recommendation that the VP of Information Security more strictly abide by the rules is needed, as well as a BCP and disaster recovery plan. Otherwise, such weaknesses could put FFC at risk of losing its confidential and private data, thus indirectly affecting the company's financial reporting (e.g. decreased assets such as the data center or intellectual property, and decreased revenues and net income due to potential disasters).

