Sunday, March 31, 2019
ITGC Review of the Foods Fantastic Company

Several months ago, you started working at a large international accounting firm as an IT staff auditor. You are currently working on your first assignment, an ITGC review of the Foods Fantastic Company (FFC). FFC is a publicly traded, regional grocery store chain, headquartered in Mason, Maryland, and has 50 stores located in the mid-Atlantic area. The centralized data center is in Mason. FFC relies on an interconnected suite of application programs that include state-of-the-art computer software to manage merchandise replenishment, store-level sales forecasting, and point-of-sale data. For example, FFC relies on bar code scanners and credit/debit card readers. To maintain its competitive edge in its market area, FFC recently implemented a fingerprint bio-coding payment system in all of its stores. This new system's implementation required that FFC change several of its general-ledger application programs, in particular, those related to its cash receipts processing. FFC does not use any outside service organizations to provide its IT services.

Sophie Ewing, the audit senior who heads up your team, decided that because of FFC's complex and sophisticated IT processing, an IT general control (ITGC) review is mandatory to meet SAS 109's risk assessment procedures and SOX Section 404's "Assessment of Internal Controls" requirements. You know that an ITGC review is very important because ITGCs provide the foundation for reliance on any financial information FFC's systems produce. Your evaluation will affect the financial auditor in assessing the risk of material misstatement in FFC's financials, and consequently, the audit plan. At your first team meeting, Sophie announced that your firm's network security specialists would review the technical issues related to FFC's internal controls.
They will evaluate FFC's operating systems, its telecommunications software, and its network configuration and firewalls.

In preparation for the meeting, Sophie encouraged you to review the key provisions included in SAS 109, SOX Section 404, applicable sections of PCAOB Auditing Standard No. 5, and your firm's internal guidance, which groups ITGCs into the following five areas: IT management, systems development, data security, change management, and business continuity planning (BCP).

IT Management

IT management's key concepts include IT's position within the organization, whether IT goals are aligned with the organization's strategic goals, the use of an IT steering committee, and whether the IT department's structure promotes proper segregation of duties to protect the organization's assets. Your primary concerns are:
- Does FFC have an IT strategic plan?
- To whom does the chief information officer (CIO) report?
- What key responsibility areas report to the CIO?
- Does FFC have an IT steering committee? If so, who are the members?

(Source: Issues in Accounting Education, February 2009, "Assessing Information Technology General Control Risk: An Instructional Case.")

Systems Development

The key concepts within systems development include the existence of a new systems implementation methodology, project management, pre- and post-implementation reviews, quality control, complete testing, and demonstrated compliance with the selected implementation methodology. Based on this understanding, your team's primary concerns are:
- Does FFC design, develop, and implement systems in a logical fashion?
- Does the organization consider internal controls as an integral part of systems design, or does it retrofit them after implementation?
- To what extent is FFC's Internal Audit department involved in systems development activities? Is it part of the project review team? Is it a voting member of the team?
- In particular, how well did FFC manage the development and implementation of its new fingerprint bio-coding payment system?

Data Security

The critical concepts within data security include adherence to an established information security policy, access approval on a need-to-know basis, periodic rotation or change of access controls, monitoring, exception reporting, and incident response. Data security has both physical and logical aspects. On the physical side, data security includes physical access and environmental controls over the data center computer room. On the logical side, data security includes policies related to password configuration, change, and history restrictions. Logical security also includes prompt review, modification, or removal of access due to personnel transfers, promotions, and terminations. Your team's primary concerns are:
- How well does FFC control physical access to its data center computer room?
- Is FFC's computer room adequately protected against environmental dangers, such as fire?
- Does FFC control logical access to its information systems? In particular, how does it control the logical access of terminated or transferred employees?
- Does FFC have a current IT security policy?
- Does FFC produce access violation reports?
- Do FFC IT personnel adhere to IT policy and follow IT procedures? For example, do appropriate personnel review any access violation reports and take the prescribed action?

Change Management

Change management's key concepts include documented change procedures, user authorization and approval, separation of duties in implementing changes, management review, quality control, and adequate testing. Your audit team's primary concerns are:
- Does FFC have (and follow) formal change management procedures?
- In particular, did FFC follow these procedures when making any required changes to its current application programs because of the new bio-coding payment system? For example:
  - Were the changes approved?
  - Did the programmers adequately test the changes before putting them into production?
  - Did the application programmer(s) that made the code changes also test the changes and/or put them into production?

Business Continuity Planning

Key concepts of BCP are management's expectations regarding a timely recovery of processing capabilities, the existence of a written plan, the currency of the plan, offsite storage of both the plan and data files, and testing of the plan. Your audit team's main concerns are:
- Does FFC have a written BCP plan? Is it current?
- When is the last time FFC tested its plan?
- Does FFC back up its software and data? How often? Where do they store the backups?
- Did FFC need to recover its systems using its backups during the past fiscal year?

(Norman, Payne, and Vendrzyk, Issues in Accounting Education, February 2009.)

Data Collected During the ITGC Review

Under Sophie Ewing's direction, you and other members of the audit team worked very diligently reviewing FFC's policies and procedures, interviewing FFC client personnel, and observing FFC's various operations and procedures related to its ITGCs. First, your team created an organization chart to document FFC's management structure (see Exhibit 1). Exhibit 2 reflects the information your team gathered from interviews, observations, and reviews of corroborating documentation related to FFC's ITGCs.
EXHIBIT 1: Foods Fantastic Company Organization Chart

Executive Vice President and Chief Financial Officer (CFO)
  - Senior Vice President and Controller
  - Senior Vice President, Internal Audit
  - Senior Vice President and Chief Information Officer (CIO)
      - Vice President, Applications
      - Vice President, Operations
      - Vice President, Information Security
      - Vice President, Database Administration (Currently Vacant)
  - Senior Vice President and Treasurer

EXHIBIT 2: Foods Fantastic Company IT General Control (ITGC) Review Notes

Notes from meetings with the Chief Financial Officer (CFO)
- Foods Fantastic Company (FFC) implemented a new bio-coding payment system in all of its stores this past fiscal year.
- FFC's IT Executive Steering Committee develops IT policies and reviews the general operations of the IT department. The voting members of the committee are:
  1. the Senior Vice President (SrVP) and Chief Information Officer (CIO)
  2. the VP, Applications
  3. the VP, Data Base Administration (DBA)
  4. the VP, Operations
  5. the VP, Information Security (IS)
  6. the Executive Vice President and Chief Financial Officer (CFO)
  7. the SrVP, Internal Audit
- The IT Executive Steering Committee revised FFC's security policy in 2005. The policy addresses all organizational security issues, including IT.
- FFC has no documented business continuity or disaster recovery plan. Management believes such a plan is cost-prohibitive for an organization of its size, and FFC has never experienced any major business disruption. In case of disaster, the data center manager would retrieve the most recent backup tapes that are stored offsite. FFC would use these files to recover its systems.

Notes from meetings with the SrVP, Internal Audit
- FFC's Internal Audit Department is involved as a voting member of the project teams responsible for design, development, and implementation of new projects.
- Internal Audit performs post-implementation reviews on all projects over $2 million.
- The new bio-coding payment system was 25 percent over its initial time budget and 40 percent over its initial dollar budget.

Notes from meetings with the CIO
- The VP, Applications is currently responsible for the DBA function. However, the CIO reviews the logs that show the actions of the Applications VP's user ID.
- FFC has an IT strategic plan, which is consistent with its corporate strategic plan. The IT strategic plan outlines the objectives and strategies that the information systems group will implement to assist FFC in meeting its overall business objectives.
- FFC adopted Structured Systems Analysis and Design Methodology (SSADM), an industry-recognized standard for systems development and project management. All projects (buy or build) follow the applicable SSADM phases.
- The CIO periodically reviews each project's required budget-to-actual reconciliation.
- FFC's security policy states that the VP, IS is to conduct a user audit on a quarterly basis. The appropriate department manager reviews electronically submitted reports that list each user's profile, notes changes on the reports, and returns the reports to the VP, IS. The VP then makes the appropriate modifications based on the returned reports. The VP maintains the reports, and initials and dates the report after completing all modifications.

Notes from meetings with the VP, Human Resources
- FFC is currently interviewing individuals to assume the DBA's responsibilities and hopes to hire someone within the next six to eight months.
- Aside from the security policy, management does not provide any formalized security awareness programs related to data security.
- Each month, the Human Resources department forwards a Transfers and Terminations report to the VP, IS.

Notes from meetings with the VP, Applications
- The VP, Applications assigns a project manager and develops an initial time and dollar budget for each new development project.
- IT personnel adequately tested the new bio-coding payment system prior to its implementation. This testing included integration testing, stress testing, and user acceptance testing. User departments corroborated their testing and acceptance of the new system.
- Application programmers do not have access to the computer room unless escorted by data center personnel (e.g., an operator).
- FFC instituted formal procedures for change management. The VP, Applications is responsible for change management and maintains all documentation in a fireproof vault in his office.
- A Change Request form initiates all application software changes, including required software upgrades. A user completes the form, which the user's department manager approves. The user forwards the request form to the VP, Applications, who logs each request in a Change Request Log. The VP performs an initial analysis and feasibility study and estimates the required development hours.
- The Change Request Log is a listing of all requested changes and the status of each change request. The VP, Applications uses this log to track open items and follow up on changes not completed within the original time estimate.
- The VP, Applications assigns the change request to an applications programmer and issues the current systems documentation to the programmer. The applications programmer copies the source code from the system's production region to its development region and makes the change. The programmer works in the system's development region using test data.
- The programmer tests the change first within the affected module and then within the entire application. Changes are never tested against production data. The programmer updates the necessary systems documentation.
- The applications programmer migrates the code to the system's test region. A second programmer performs systems integration testing, volume testing, and user acceptance testing, again using test files. The second programmer then performs a quality review of the change, including a source-compare analysis, and reviews the updated systems documentation.
- Upon completion of testing, the user who requested the change and the appropriate department manager review the test results and accept the change by signing the original request form.
- The VP, Applications reviews the user-approved request form on which the department manager has indicated that s/he is satisfied that the program is ready for implementation. The VP, Applications also reviews the documentation prior to implementing any new or changed program to ensure that the documentation is adequate.
- The VP, Applications approves the change, initials the change request form, and transfers the change to the VP, Operations, who officially accepts the change. The VP, Applications then updates the Change Request Log and returns the revised systems documentation to the fireproof vault.

Notes from meetings with the VP, Operations
- FFC's computer room, within its data center, is locked at all times. All outside contractors or visitors must first contact the data center manager for admission into the computer room. Each must bring an official picture ID, sign a visitor's log, and be escorted at all times by data center personnel during the visit.
- In 2002, FFC installed video cameras on all doors entering the computer room to record activity 24/7. Building management staff, who report to the facilities manager, are responsible for maintaining these tapes.
- The VP, Operations has not needed to review these tapes for at least six months, since no unauthorized access attempts have been reported.
- Environmental controls are in place in the computer room (i.e., temperature controls, uninterrupted power supply, a backup generator, fire-extinguishing equipment, and a raised floor). Appropriate maintenance staff test these controls semi-annually.
- FFC backs up all of its data each day. It stores its most recent daily backup once a week at a company-owned offsite location, along with the most recent version of its software. FFC did not test backup tapes during the past year and has no plan to test these tapes in the future.
- The VP, Operations assigns IT operations personnel the task of placing new or changed applications programs into production after the VP, Applications has approved the work.

Notes from meetings with the VP, Information Security
- The VP, IS grants keycard access to the computer room. The VP, IS receives a keycard access report for the computer room on a monthly basis. The VP, IS determines if an unauthorized access attempt into the computer room has occurred.
- Passwords are not displayed on terminals or reports. Password standards are enforced by security software. FFC requires a minimum password length of six alphanumeric or special characters and a maximum length of nine alphanumeric or special characters. The software prevents the same character from being used more than once in a password and prevents numbers from being used next to each other in a password. The security software forces users to change their passwords twice each year. The security software maintains a history of two previous passwords and does not permit employees to reuse their two most recent passwords.
- The security software does not display statistics regarding employees' sign-on information. For example, there is no information regarding a user's sign-on attempts (such as date and time of last sign-on), number of invalid sign-on attempts since last successful sign-on, or number of days prior to password expiration.
- The system allows 3 access attempts. If the third attempt is unsuccessful, the user ID is automatically disabled. The user must contact the VP, IS to reset the user ID. The system generates a logical access violation report on a daily basis.
- User access is limited to workstations within the corresponding responsibility area. For example, users with access to the Accounts Payable system can only log in from workstations located in the Accounts Payable area.
- A workstation can stand idle for up to 60 minutes before the user is logged off.
- The VP, IS is responsible for maintaining user profiles and authorization lists. The VP grants access to the system to new hires. The appropriate department manager completes a computerized form that specifies the proper level of access. The VP reviews the request form for proper approvals and then either approves or denies the request. If approved, the VP issues the necessary ID and initial password with the requested access via encrypted email.
- Normal users may have multiple IDs. Each user ID can log on to one sign-on session at a time. The VP, IS, who has unlimited access, can log in from any workstation and have multiple sign-on sessions.
- The VP, IS is responsible for modifying and/or disabling user IDs for personnel whose job duties change because of promotions, transfers, and/or terminations, based on the Transfers and Terminations report.
- The VP, IS maintains the report, and initials and dates the report when the VP, IS has made all of the modifications.

Notes from meeting with the facilities manager, who reports to the VP, Human Resources
- According to the facilities manager, no one asked to view the computer room video tapes during the past six months.

Observations of the audit team
- Documentation of the systems development process for the new bio-coding payment system confirms that the VP, Applications complied with SSADM requirements when implementing this new system.
- The data center is on the first floor of FFC's building. The data center manager reports to the VP, Operations.
- Company policy requires the VP, IS to review the keycard access report at least once per quarter. During the past six months, the VP has not reviewed the report for any unauthorized access attempts.
- The team observed no instances in which application programmers were in the computer room without a proper escort.
- The team observed no instances in which visitors or outside contractors were in the computer room without a proper escort.
- Documentation of the computer room environmental controls test results for the last 18 months shows no irregularities. These files are in the CIO's office.
- If someone attempts to enter the computer room without authorization, company policy requires that the VP, Operations review the video tapes from the computer room cameras within 24 hours.
- The FFC security policy requires each employee to sign an acknowledgment that s/he read the current policy. A review of the personnel files of a sample of employees found no exceptions.
- A review of the selected user profiles and passwords revealed the following:

  User                                     Password
  Vice President, Applications             7LiAcOf
  Vice President, Information Systems      QSECOFR1

  Note: The acronym QSECOFR looks familiar.
  Remember to review "A Beginner's Guide to Auditing the AS/400 Operating System" (Bines 2002).
- During the past six months, the dates of the modifications were about three weeks after the VP, IS received HR's Transfers and Terminations report.
- The VP, IS performed the most recent user audit eight months ago.
- Company policy requires the VP, IS to review the unauthorized system access report on a monthly basis to check for unusual activity (e.g., multiple violations, changes to the authorization lists, etc.). During the past six months, the VP, IS has not reviewed the report for any unauthorized access attempts.
- The audit team verified that FFC followed its approved change management procedures when making the bio-code payment-related changes to its cash receipts processing and other financial reporting application programs.
- In the past fiscal year, no incidents occurred that required FFC to recover its systems using its backup tapes.

Case Requirements

Sophie Ewing assigned your team the following tasks:
1. For each ITGC area, identify the control issues and classify them as strengths or weaknesses, using Exhibit 3 to document your work. Exhibit 3 will be part of the audit team's work papers.
2. Determine the level of risk (High, Medium, or Low) that you believe is present in each particular ITGC area.
3. Assess the overall risk of the organization's ITGCs, taking into consideration the five separate risk assessments that you just made (task 2 above), and their relative importance to internal controls over FFC's financial reporting.
4. Prepare a report that documents and appropriately supports your overall IT risk assessment (task 3), using the guidance Sophie provided in Exhibit 4.
   You must include a statement explicitly stating your overall risk assessment in the report's concluding section and attach your completed ITGCs matrix.

EXHIBIT 3: Foods Fantastic Company IT General Controls Matrix

Part A: Strengths and Weaknesses

  ITGC Area        Summary of Issue                 Strength or Weakness
  IT Management    FFC has an IT strategic plan     Strength

Part B: Risk Assessment for each ITGC area (indicate Low, Medium, or High)

  ITGC Area                        Risk Assessment
  IT Management
  Systems Development
  Data Security
  Change Management
  Business Continuity Planning

EXHIBIT 4: Report Guidance

IT General Controls Risk Assessment Report
Foods Fantastic Company
Student's Name
Date

Background: Write a short description of Foods Fantastic Company (FFC) and why the ITGC review is necessary (2-3 sentences).

Purpose: Briefly describe the purpose of an ITGC review and why it is important (2-3 sentences).

Scope: Provide a short description of the work your team performed at Foods Fantastic to develop your risk assessment (3-4 sentences).

Findings: Elaborate on the key finding(s) that influenced your overall risk assessment. Discuss the key control strengths and weaknesses you identified within each of the five ITGC areas and its corresponding risk assessment. Provide enough detail to support your assessment. Include specific examples from the information your team gathered (interviews, observations, and reviews of corroborating documentation). Your arguments need to be consistent with your risk assessment for the five different areas, as well as your overall risk assessment (4-5 paragraphs).

Conclusion: Provide a statement of your overall risk assessment. For example, "I set FFC's assessed level of ITGC risk as (Low, Medium, or High) because of ...". Summarize the primary reasons that contributed to your assessment.
Keep in mind the relative importance of each of the five ITGC areas in controlling FFC's financial reporting (3-4 sentences).
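The password standard in the VP, Information Security notes of Exhibit 2 is one of the Data Security items the matrix asks you to classify. The following added example (not from the case or its authors) quantifies it: it encodes FFC's stated rules (length 6 to 9, no repeated character, no adjacent digits) and counts how many passwords the security software actually admits compared with the same alphabet without those two restrictions. The character set is an assumption, because the case only says "alphanumeric or special characters".

```python
"""Effective keyspace of FFC's password standard (added example, not from the case).

Rules modelled from Exhibit 2: length 6-9, no character used twice, no two
digits adjacent.  Each rule removes candidate passwords, so the rules shrink
the space that must be searched rather than enlarging it.
Assumptions (the case does not state them): letters compare case-insensitively,
and the special-character set is three symbols.
"""
import math
from math import comb, perm
from typing import Callable, Dict, List

DIGITS = 10
LETTERS = 26                 # assumption: case-insensitive letters
SPECIALS = "#$@"             # assumption: the allowed special characters
NON_DIGITS = LETTERS + len(SPECIALS)
ALPHABET = DIGITS + NON_DIGITS
ALLOWED = set("0123456789abcdefghijklmnopqrstuvwxyz" + SPECIALS)


def ffc_count(length: int) -> int:
    """Strings of `length` with all-distinct characters and no two adjacent digits.

    With k digits: C(length-k+1, k) ways to place k non-adjacent digit positions,
    perm(DIGITS, k) distinct digits for them, perm(NON_DIGITS, length-k) distinct
    non-digits for the remaining positions.  At most ceil(length/2) digits fit.
    """
    total = 0
    for k in range((length + 1) // 2 + 1):
        total += comb(length - k + 1, k) * perm(DIGITS, k) * perm(NON_DIGITS, length - k)
    return total


def unconstrained_count(length: int) -> int:
    """Same alphabet with the distinctness and adjacency rules removed."""
    return ALPHABET ** length


def keyspace_bits(counter: Callable[[int], int], min_len: int, max_len: int) -> float:
    """log2 of the number of passwords a policy admits over its length range."""
    return math.log2(sum(counter(n) for n in range(min_len, max_len + 1)))


def check_password(pw: str) -> List[str]:
    """Violations of FFC's stated rules for one candidate password (empty = accepted)."""
    problems = []
    folded = pw.lower()                       # assumption: case-insensitive comparison
    if not 6 <= len(folded) <= 9:
        problems.append("length outside 6-9")
    if len(set(folded)) != len(folded):
        problems.append("repeated character")
    if any(a.isdigit() and b.isdigit() for a, b in zip(folded, folded[1:])):
        problems.append("adjacent digits")
    if any(c not in ALLOWED for c in folded):
        problems.append("character outside allowed set")
    return problems


def compare_policies() -> Dict[str, float]:
    """Strength in bits of FFC's policy versus two alternatives on the same alphabet.

    The 12-16 range is an assumed alternative used only for comparison.
    """
    return {
        "ffc_6_to_9_with_rules": keyspace_bits(ffc_count, 6, 9),
        "6_to_9_no_rules": keyspace_bits(unconstrained_count, 6, 9),
        "12_to_16_no_rules": keyspace_bits(unconstrained_count, 12, 16),
    }


if __name__ == "__main__":
    for name, strength in compare_policies().items():
        print(f"{name:24s} {strength:6.1f} bits")
    for candidate in ("7LiAcOf", "QSECOFR1", "ab12cdef"):   # first two from Exhibit 2
        print(candidate, check_password(candidate) or "accepted by FFC's rules")
```

Both passwords listed in Exhibit 2 satisfy every rule the software enforces, which is the point: the rules constrain form, not guessability.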
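The audit team's observation that user-ID modifications trailed HR's Transfers and Terminations report by about three weeks is the kind of finding that is easier to support with a measured lag than with a sentence. This added example (not from the case or its authors) joins a constructed monthly HR report to a constructed user-ID change log, measures the days each terminated or transferred user kept access after both the report date and the effective date, and flags entries that were late or never processed at all. Both file formats, the field names, and the five-day threshold are assumptions.

```python
"""Deprovisioning-lag test for FFC's Transfers and Terminations process
(added example; data, formats and threshold are constructed assumptions)."""
import csv
from datetime import date
from io import StringIO
from typing import Dict, List

# Constructed sample of HR's monthly Transfers and Terminations report.
HR_REPORT = """\
report_date,user_id,action,effective_date
2008-06-01,jdoe,terminated,2008-05-27
2008-06-01,asmith,transferred,2008-05-30
2008-06-01,bkim,terminated,2008-05-15
"""

# Constructed sample of the security software's user-ID change log.
# bkim has no entry at all: the failure mode the test must surface.
ID_CHANGE_LOG = """\
change_date,user_id,change,performed_by
2008-06-22,jdoe,disabled,vp_is
2008-06-23,asmith,profile_modified,vp_is
"""


def parse(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(StringIO(text)))


def days_between(start: str, end: str) -> int:
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def deprovisioning_findings(hr_text: str, log_text: str,
                            as_of: str, sla_days: int) -> List[Dict[str, object]]:
    """One finding per HR report line: how long access stayed open, and whether
    the change was on time (OK), late (LATE) or still missing as of `as_of` (OPEN)."""
    first_change: Dict[str, Dict[str, str]] = {}
    for row in parse(log_text):                  # keep the earliest change per user ID
        prev = first_change.get(row["user_id"])
        if prev is None or row["change_date"] < prev["change_date"]:
            first_change[row["user_id"]] = row

    findings = []
    for row in parse(hr_text):
        change = first_change.get(row["user_id"])
        closed_on = change["change_date"] if change else as_of   # still open: count to as_of
        after_report = days_between(row["report_date"], closed_on)
        after_effective = days_between(row["effective_date"], closed_on)
        if change is None:
            status = "OPEN"
        elif after_report > sla_days:
            status = "LATE"
        else:
            status = "OK"
        findings.append({
            "user_id": row["user_id"], "action": row["action"], "status": status,
            "days_after_report": after_report, "days_after_effective": after_effective,
        })
    return findings


def mean_lag_after_report(findings: List[Dict[str, object]]) -> float:
    """Average days from HR report to the change, over entries that were processed."""
    done = [int(f["days_after_report"]) for f in findings if f["status"] != "OPEN"]
    return sum(done) / len(done) if done else 0.0


if __name__ == "__main__":
    results = deprovisioning_findings(HR_REPORT, ID_CHANGE_LOG, as_of="2008-07-01", sla_days=5)
    for f in results:
        print(f"{f['user_id']:8s} {f['action']:12s} {f['status']:5s} "
              f"{f['days_after_report']:3d}d after report, {f['days_after_effective']:3d}d after effective")
    print(f"mean lag after report: {mean_lag_after_report(results):.1f} days")
```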