Transcript
  • Publicly traded, regional grocery store chain

  • 50 stores located throughout Mid-Atlantic region

  • Implementation of new fingerprint bio-coding payment system in all stores

VP, Applications issues current system documentation to programmer

Integration, stress, and user acceptance testing before implementation

Programmer tests the affected module first, then the entire application

Initial analysis and feasibility study to determine development hours

Comply with SSADM

User departments corroborate their testing

Most recent user audit was eight months ago

VP Applications only stores backup documents in a fireproof vault

VP, Applications is the only one who reviews the approved change form

25% over the time budget and 40% over the dollar budget

The user forwards the change request form to the VP, Applications

Change log contains requested change & status only

After the terminations and transfers reports are received, no modifications are made to the data until 3 weeks later

VP, IS maintains and initials the reports after completing the modifications

VP, Applications keeps the change documents in a fireproof vault only

Changes are tested prior to implementation, and recorded in a log

User completes change request form and dept. manager approves it

Change log lists all requested changes & the status of each

Formal Change Management Procedures in place

VP, Applications sends the changes to the VP of Operations

Department manager and user both review & accept

FFC has no documented business continuity plan or disaster recovery plan

Stores its most recent backups once a week at a company-owned off-site location, along with the most recent versions of its software

FFC has not tested its backup tapes in the past year and has no plan to test the tapes in the future

Scope

Data Security - Weaknesses

Conclusion

  • Evaluated the strengths and weaknesses of each control area

  • Stack-ranked by category in each area

  • Assessed and assigned risk level by control area
  • Questions

  • Comments

  • Feedback

1) No data security awareness training

2) No disaster recovery plan

3) The Steering Committee last revised the IT Security Policy in 2005

4) Human Resources only forwards transfer and termination reports once a month

5) Has not tested, and does not plan to test, the backup tapes

6) Data center is located on the first floor

7) The VP, IS has the vendor default password, which can be easily guessed

9) Users are required to change passwords only twice a year

10) Security software does not display login information

11) The VP, IS has many functions relating to keycard access: not only does he grant access to the computer room, but he also receives the keycard access report and determines authorization issues

12) Control testing and tape review are both currently performed only semi-annually

13) It is also recommended that systems documentation be stored electronically on- and off-site, in addition to the fireproof vault

Food Fantastic Company

Thank you for your time!

Systems Development - Strengths

Purpose

Background

Conclusion

  • Purpose of ITGCs: Provide foundation for reliance on information produced

  • ITGC control areas:
  • IT Management
  • System Development
  • Data Security
  • Change Management
  • Business Continuity Planning

Systems Development - Strengths

IT adequately tests bio-coding payment system prior to implementation

Set time and dollar budget for new bio-coding project

Programmers use test data instead of real data to test system

CIO reviews logs of VP, Applications actions as form of supervision

A second programmer tests the system before implementation

Foods Fantastic Company:

Assessing Information Technology General

Control Risk

Data Security - Strengths

Purpose

(1) The fact that an IT Security Policy exists is a strength.

(2) The computer room is always locked, and all visitors must contact the data center manager for entry, bring an official ID, sign a visitor log, and be escorted at all times.

(3) The application programmer must also be escorted at all times to access the data center computer room.

(4) 24/7 video monitoring of all doors of the computer room.

(5) Environmental controls, including temperature controls, an uninterruptible power supply, a backup generator, fire-extinguishing equipment, and a raised floor, are all in place, which is adequate for the data center.

(6) Password standards are enforced by security software: password lengths of 6-9 characters, no double digits, and no repeated characters. Exposure of these passwords is limited, as they are not displayed on terminals or reports. The system allows three access attempts before locking the account. This is an appropriate control against password-guessing attempts.

(7) The VP, Applications has a unique password.

(8) Encryption of all user IDs and passwords.

(9) Proper segregation of duties is displayed through FFC's management in regard to reviews and approvals of electronically submitted data and report modifications.

(10) Files are backed up to an off-site location in case of loss or destruction of information at the data center.

IT Management - Weaknesses

Background

  • Understanding how ITGCs interact and affect an auditor’s risk assessment is important

  • Accountants are involved in helping their organizations comply with SOX-related internal control requirements

  • Deficiencies in ITGCs indirectly cause or contribute to application control deficiencies
  • New bio-coding system requires FFC to change several of its general ledger application programs

  • Complexity and sophistication of FFC's IT processing requires ITGC review

  • Evaluation will affect the financial auditor in assessing the risk of material misstatement in FFC’s financials, and consequently, the audit plan.

VP, IS uses the vendor default password

VP, IS has not reviewed keycard access reports for unauthorized access attempts in 6 months

VP, Internal Audit is involved as a voting member of the project teams responsible for design development and implementation of new projects

VP, Operations has not reviewed tapes in computer room in 6 months

User audit is done quarterly

Internal audit performs post-implementation reviews for projects over $2 million

CIO reports to CFO

Systems Development - Weaknesses

Change Management-Strengths

Findings

IT Management - Strengths

  • Evaluation of ITGC review notes formatted by strengths and weaknesses coupled with risk level

Strategic Plan, which is consistent with corporate strategic plan

Follows SSADM

CIO reports to CFO

Conclusion

Overall risk assessment of Medium to High

Business Continuity Planning-Strengths

Change Management-Weaknesses

Change Management-Strengths

FFC's computer room is locked at all times

FFC backs up their data daily

Business Continuity Planning- Weaknesses

A second programmer performs a quality review of the changes

VP, Applications reviews documentation prior to implementation

VP, Applications reviews the user-approved request form

The CIO reviews project budgets against actual results

Internal Auditor reviews all changes

VP, Applications follows up on changes not completed in the allotted time
