ITGC Risk Assessment

Kristin Parks

on 6 May 2013
Transcript of ITGC Risk Assessment

Foods Fantastic Company: Assessing Information Technology General Control Risk

Background

  • Foods Fantastic Company (FFC) is a publicly traded, regional grocery store chain
  • 50 stores located throughout the Mid-Atlantic region
  • Implementation of a new fingerprint bio-coding payment system in all stores
  • The new bio-coding system requires FFC to change several of its general ledger application programs
  • The complexity and sophistication of FFC's IT processing requires an ITGC review
  • The evaluation will affect the financial auditor in assessing the risk of material misstatement in FFC's financials, and consequently the audit plan

Purpose

  • Understanding how ITGCs interact with and affect an auditor's risk assessment is important
  • Accountants are involved in helping their organizations comply with SOX-related internal control requirements
  • Deficiencies in ITGCs indirectly cause or contribute to application control deficiencies
  • Purpose of ITGCs: provide the foundation for reliance on the information produced

ITGC control areas:
  • IT Management
  • System Development
  • Data Security
  • Change Management
  • Business Continuity Planning

Scope

  • Evaluated the strengths and weaknesses of each control area
  • Stack-ranked by category in each area
  • Assessed and assigned a risk level by control area

Findings

Evaluation of ITGC review notes, formatted by strengths and weaknesses and coupled with a risk level.

Weaknesses (IT Management, Systems Development, Change Management)

  • Most recent user audit was eight months ago
  • VP, Applications only stores backup documents in a fireproof vault
  • VP, Applications is the only one who reviews the approved change form
  • 25% over the time budget and 40% over the dollar budget
  • The user forwards the change request form to the VP, Applications

IT Management - Strengths and Weaknesses

  • IT adequately tests the bio-coding payment system prior to implementation
  • Set time and dollar budget for the new bio-coding project
  • Programmers use test data instead of real data to test the system
  • CIO reviews logs of the VP, Applications' actions as a form of supervision
  • A second programmer tests the system before implementation
  • Strategic Plan, which is consistent with the corporate strategic plan
  • Follows SSADM
  • CIO reports to CFO
  • VP, IS uses the vendor default password
  • VP, IS has not reviewed key card access reports for unauthorized access attempts in 6 months
  • VP, Internal Audit is involved as a voting member of the project teams responsible for design, development and implementation of new projects
  • VP, Operations has not reviewed tapes in the computer room in 6 months
  • User audit is done quarterly
  • Internal audit performs post-implementation reviews for projects over $2 million
  • CIO reports to CFO

(1) No data security awareness training.
(2) No disaster recovery plan.
(3) The Steering Committee last revised the IT Security Policy in 2005.
(4) Human Resources only forwards these transfers and terminations each month.
(5) Has not tested and does not plan to test these back-ups.
(6) Data centers on the first floor.
(7) The VP, IS has the vendor default password, which can be easily guessed.
(9) Requires users to change passwords twice a year.
(10) Security software does not display log-in information.
(11) The VP, IS has many functions relating to keycard access. Not only does he grant access to the computer room, but he receives the keycard access report and determines authorization issues.
(12) Control testing and tape review, which are both currently semi-annual.
(13) It is also recommended that systems documentation is stored electronically on- and off-site in addition to the fireproof vault.

Change Management

  • Changes are tested prior to implementation, and recorded in a log
  • User completes the change request form and the department manager approves it
  • Change log lists all requested changes and the status of each
  • Formal Change Management Procedures are in place
  • VP, Applications sends the changes to the VP of Operations
  • Department manager and user both review and accept
  • Change log contains the requested change and status only
  • After the terminations and transfers reports, no modifications were made to the data until 3 weeks later
  • VP of IS maintains and initials reports after completing modifications
  • VP of Applications keeps the change documents in a fireproof vault only

Business Continuity Planning

  • FFC's computer room is locked at all times
  • FFC backs up its data daily
  • FFC has no documented business continuity plan or disaster recovery plan
  • Stores its most recent backups once a week at a company-owned off-site location, along with the most recent versions of software
  • FFC has not tested its backup tapes in the past year and has no plan to test tapes in the future
Systems Development - Strengths

  • VP, Applications issues current system documentation to the programmer
  • Integration, stress, and user acceptance testing before implementation
  • Programmer tests the affected module first, then the entire application
  • Initial analysis and feasibility study to determine development hours
  • Comply with SSADM
  • User departments corroborate their testing
Change Management - Strengths

  • A second programmer performs a quality review of the changes
  • VP of Applications reviews documentation prior to implementation
  • VP, Applications reviews the user-approved request form
  • The CIO reviews the project budgets against actual results
  • Internal Auditor reviews all changes
  • VP of Applications follows up on changes not completed in the allotted time
Conclusion

Overall risk assessment of Medium to High.

Data Security - Strengths

(1) The fact that an IT Security Policy exists is a strength.
(2) The computer room is always locked and all visitors must contact the data center manager for entry, bring an official ID, sign a visitor log and be escorted at all times.
(3) The application programmer must also be escorted at all times to access the data center computer room.
(4) 24/7 video monitoring for all doors of the computer room.
(5) Environmental controls, including temperature controls, an uninterruptible power supply, a backup generator, fire-extinguishing equipment, and a raised floor, are all in place, which is adequate for the data center.
(6) Password standards are enforced by security software: password lengths of 6-9 characters, no double digits and no repeated characters. Access to these passwords is limited, as they are not displayed on terminals or reports. The system allows three access attempts before locking the account. This is a proper control for hacking-type situations.
(7) The VP, Applications has a unique password.
(8) Encryption of all user IDs and passwords.
(9) Proper segregation of duties is displayed through FFC's management in regards to reviews and approvals of electronically submitted data and report modification.
(10) Files are backed up to an off-site location in case of loss or destruction of information at the data center.
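The password standard and three-attempt lockout in item (6) are the kind of control an auditor would want to see enforced in code rather than only in policy. The following Python is an added example, not part of the presentation or of any FFC system: it enforces the stated rules (6-9 characters, no double digits, no repeated characters), locks an account after three failed attempts, and produces the list of locked accounts that a reviewer should look at, which addresses the "reports not reviewed" weaknesses noted elsewhere on the page. The interpretation of "no double digits" (no digit used more than once) and "no repeated characters" (no two adjacent identical characters), the user IDs and the sample password are assumptions made for the example.

```python
"""Added example: enforce the FFC password standard and three-attempt lockout.
Not the presentation's code. Rule interpretations and sample data are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List

MIN_LEN, MAX_LEN = 6, 9   # "password lengths of 6-9 characters"
MAX_ATTEMPTS = 3          # "three access attempts before locking"


def check_password_standard(pw: str) -> List[str]:
    """Return the rules a candidate password violates (empty list = compliant).

    Assumed interpretation: "no double digits" means no digit may be used more
    than once; "no repeat characters" means no two adjacent identical characters.
    """
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    digits = [c for c in pw if c.isdigit()]
    if len(digits) != len(set(digits)):
        problems.append("no digit may appear more than once")
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("no repeated adjacent characters")
    return problems


def hash_password(pw: str, salt: bytes) -> bytes:
    # Passwords are never stored in clear; salted PBKDF2 keeps the stored value non-reversible.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False

    @classmethod
    def create(cls, user_id: str, password: str) -> "Account":
        # The standard is enforced at the moment the password is set.
        problems = check_password_standard(password)
        if problems:
            raise ValueError(f"{user_id}: " + "; ".join(problems))
        salt = os.urandom(16)
        return cls(user_id, salt, hash_password(password, salt))


class AuthGate:
    """Counts failed log-ins per account and locks after MAX_ATTEMPTS failures."""

    def __init__(self, accounts: List[Account]):
        self.accounts = {a.user_id: a for a in accounts}
        self.audit_log: List[tuple] = []   # (user_id, event), for later review

    def attempt(self, user_id: str, password: str) -> str:
        acct = self.accounts.get(user_id)
        if acct is None:
            self.audit_log.append((user_id, "unknown-user"))
            return "denied"
        if acct.locked:
            self.audit_log.append((user_id, "locked"))
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self.audit_log.append((user_id, "success"))
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked = True
            self.audit_log.append((user_id, "locked-out"))
            return "locked"
        self.audit_log.append((user_id, "failure"))
        return "denied"

    def accounts_for_review(self) -> List[str]:
        """Locked accounts a reviewer should examine (the report the VP, IS should be reading)."""
        return sorted(u for u, a in self.accounts.items() if a.locked)


def demo() -> List[str]:
    # Constructed sample: a hypothetical account, three bad guesses, then the right password.
    gate = AuthGate([Account.create("vp_is", "Gr0c3ry7")])
    outcomes = [gate.attempt("vp_is", "wrong1"),
                gate.attempt("vp_is", "wrong2"),
                gate.attempt("vp_is", "wrong3"),
                gate.attempt("vp_is", "Gr0c3ry7")]   # correct, but the account is now locked
    return outcomes + gate.accounts_for_review()


if __name__ == "__main__":
    print(demo())
```

Note that the fourth attempt is refused even though the password is correct: lockout has to be cleared by an administrator, and the lockout events left in `audit_log` are exactly what a periodic access-report review should be looking at.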