ITGC Risk Assessment
Transcript of ITGC Risk Assessment
Assessing Information Technology General Control Risk

Background
- Food Fantastic Company (FFC): a publicly traded, regional grocery store chain
- 50 stores located throughout the Mid-Atlantic region
- Implementation of a new fingerprint bio-coding payment system in all stores
- The new bio-coding system requires FFC to change several of its general ledger application programs
- The complexity and sophistication of FFC's IT processing requires an ITGC review
- The evaluation will affect the financial auditor's assessment of the risk of material misstatement in FFC's financials, and consequently the audit plan

Purpose
- Purpose of ITGCs: provide the foundation for reliance on the information produced
- Understanding how ITGCs interact and affect an auditor's risk assessment is important
- Accountants are involved in helping their organizations comply with SOX-related internal control requirements
- Deficiencies in ITGCs indirectly cause or contribute to application control deficiencies
- ITGC control areas: IT Management, Systems Development, Change Management, Data Security, Business Continuity Planning

Scope
- Evaluated the strengths and weaknesses of each control area
- Stack-ranked by category in each area
- Assessed and assigned a risk level by control area

Findings
Evaluation of the ITGC review notes, formatted by strengths and weaknesses coupled with a risk level.

IT Management - Strengths
- IT adequately tests the bio-coding payment system prior to implementation
- A time and dollar budget was set for the new bio-coding project
- Programmers use test data instead of real data to test the system
- CIO reviews logs of the VP, Applications' actions as a form of supervision
- A second programmer tests the system before implementation
- Strategic plan, which is consistent with the corporate strategic plan
- User audit is done quarterly
- Internal audit performs post-implementation reviews for projects over $2 million

IT Management - Weaknesses
- CIO reports to the CFO
- VP, IS uses the vendor default password
- VP, IS has not reviewed key card access reports for unauthorized access attempts in 6 months
- VP, Internal Audit is involved as a voting member of the project teams responsible for design, development and implementation of new projects
- VP, Operations has not reviewed tapes in the computer room in 6 months

Systems Development - Strengths
- VP, Applications issues current system documentation to the programmer
- Integration, stress, and user acceptance testing before implementation
- Programmer tests the affected module first, then the entire application
- Initial analysis and feasibility study to determine development hours
- Comply with SSADM
- User departments corroborate their testing

Systems Development - Weaknesses
- Most recent user audit was eight months ago
- VP, Applications only stores backup documents in a fireproof vault
- VP, Applications is the only one who reviews the approved change form
- 25% over the time budget and 40% over the dollar budget
- The user forwards the change request form to the VP, Applications

Change Management - Strengths
- Changes are tested prior to implementation and recorded in a log
- User completes the change request form and the department manager approves it
- Change log lists all requested changes and the status of each
- Formal change management procedures are in place
- VP, Applications sends the changes to the VP, Operations
- Department manager and user both review and accept
- A second programmer performs a quality review of the changes
- VP, Applications reviews documentation prior to implementation
- VP, Applications reviews the user-approved request form
- The CIO reviews the project budgets against actual results
- Internal Auditor reviews all changes
- VP, Applications follows up on changes not completed in the allotted time

Change Management - Weaknesses
- Change log contains the requested change and its status only
- After the terminations and transfers reports, no modifications were made to the data until 3 weeks later
- VP, IS maintains and initials the reports after completing the modifications
- VP, Applications keeps the change documents in the fireproof vault only

Data Security - Strengths
(1) The fact that an IT Security Policy exists is a strength.
(2) The computer room is always locked, and all visitors must contact the data center manager for entry, bring an official ID, sign a visitor log and be escorted at all times.
(3) The application programmer must also be escorted at all times to access the data center computer room.
(4) 24/7 video monitoring for all doors of the computer room.
(5) Environmental controls, including temperature controls, an uninterruptible power supply, a backup generator, fire-extinguishing equipment and a raised floor, are all in place, which is adequate for the data center.
(6) Password standards are enforced by security software: password lengths of 6-9 characters, no double digits and no repeat characters. Access to these passwords is limited, as they are not displayed on terminals or reports. The system allows three access attempts before locking the system. This is a proper control for hacking-type situations.
(7) The VP, Applications has a unique password.
(8) Encryption of all user IDs and passwords.
(9) Proper segregation of duties is displayed through FFC's management with regard to reviews and approvals of electronically submitted data and report modification.
(10) Files are backed up to an off-site location in case of loss or destruction of information at the data center.

Data Security - Weaknesses
1) No data security awareness training.
2) No disaster recovery plan.
3) The Steering Committee last revised the IT Security Policy in 2005.
4) Human Resources only forwards transfers and terminations each month.
5) Has not tested, and does not plan to test, the back-ups.
6) Data centers are on the first floor.
7) The VP, IS has the vendor default password, which can be easily guessed.
9) Requires users to change passwords only twice a year.
10) Security software does not display log-in information.
11) The VP, IS has many functions relating to keycard access. Not only does he grant access to the computer room, but he also receives the keycard access report and determines authorization issues.
12) Control testing and tape review, which are both currently performed semi-annually.
13) It is also recommended that systems documentation is stored electronically on- and off-site in addition to the fireproof vault.

Business Continuity Planning - Strengths
- FFC's computer room is locked at all times
- FFC backs up its data daily
- FFC stores its most recent backups once a week at a company-owned off-site location, along with the most recent versions of software

Business Continuity Planning - Weaknesses
- FFC has no documented business continuity plan or disaster recovery plan
- FFC has not tested its backup tapes in the past year and has no plan to test the tapes in the future

Conclusion
Overall risk assessment: Medium to High

Questions
Feedback
Thank you for your time!
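As an added illustration of the password controls credited in strength (6), not code from the original presentation, this Python snippet enforces the stated rules (6-9 characters, no repeated characters, which is taken here to also cover the "no double digits" rule) and locks an account after three failed attempts. The rule interpretation, the PBKDF2 storage and the in-memory account record are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # three access attempts before the system locks, per the case


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations (an empty list means compliant)."""
    violations = []
    if not 6 <= len(password) <= 9:
        violations.append("length must be 6-9 characters")
    if len(set(password)) != len(password):
        # "no repeat characters"; this also rules out doubled digits such as "11"
        # (assumed reading of the case's "no double digits" rule)
        violations.append("characters must not repeat")
    return violations


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme; the case only says passwords are encrypted
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed: int = 0
    locked: bool = False


def create_account(password: str) -> Account:
    """Reject any password that violates the policy before storing it."""
    violations = check_policy(password)
    if violations:
        raise ValueError("; ".join(violations))
    salt = os.urandom(16)
    return Account(salt=salt, digest=_hash(password, salt))


def login(acct: Account, attempt: str) -> str:
    """Return 'ok', 'denied' or 'locked'; the third failure locks the account."""
    if acct.locked:
        return "locked"
    if hmac.compare_digest(_hash(attempt, acct.salt), acct.digest):
        acct.failed = 0
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "denied"
```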