Part A: Strengths and Weakness ITGC IT Management IT Management System Development Summary of Issue FFC has an IT strategic plan

FFC has an Executive Steering Committee FFCs Internal Audit Committee has a voting member of project team responsible for new project FFCs IT personnel adequately test new procedure before implementation. FFC has no documented business continuity or disaster recovery plan FFC has an Executive Steering Committee FFC has backup tapes stored offsite and backup every day FFC has no formalized security awareness programs related to data security FFC adopted Structured System Analysis and Design Methodology. Application programmer could not access the computer room unless the data center personnel have permitted them. FFC have formal procedure for change management FFC has an appropriate IT security policy that VP, IS could know every change on through reports FFC has environmental control at the computer room. FFC manage the development and implementation of its new system not well. FFCs application programmer only copy the source code, do not change it, test the changes but do not put test for production data. FFC do not have a formal business continuity plan Strength or Weakness Strength Strength Strength

Change Management

Strength

Business Continuity Planning

Weakness

IT Management Business Continuity Planning Data Security

Strength Strength Weakness

System Development

Strength

Data Security

Strength

Change Management Data Security

Strength Strength

Data Security System Development

Strength weakness

Change Management

Weakness

Business Continuity Planning

Weakness

IT Management

System Development Data Security

Change Management

Business Continuity Planning

System Development

Change Management

IT Management

Chief Information Officer reports to Chief Financial Officer and Executive Vice President The organization retrofit internal controls after implementation The system is designing to allow three attempts to access report for information security. FFC has a strict approve procedure for system change. Both the user and VP, Applications need to approve the change request form. No incident occurs that require recovering the system during the past year. VP, Application complied with SSADM requirements when implementing the new system. FFC followed its approved change management procedures. Vice Presidents of applications, operations, information security and database administration reports to Chief Information Officer.

strength

Weakness Strength

Strength

strength

Strength

Strength

strength

Part B: Risk Assessment for each ITGC area (indicate low, medium or high) ITGC Area IT management Systems Development Data Security Change Management Business Continuity Planning Risk Assessment Low Medium Medium Medium High

IT General Controls Risk Assessment Report Foods Fantastic Company Siqi Li Oct 29TH 2013

Foods Fantastic Company is a public company which mainly operating regional grocery store in Maryland. This Company relies on application programs, such as bar-code scanner, to entre sales to the system. The FFC majority depends on the computer system to run their business. Based on this situation, the Information General Controls review is necessary for this company as the reason that ITGC is the foundation of every categories of the internal control. To review the ITGC will help the audit committee to determine the risk assessment of the internal controls in the companys information system. The ITGC mainly classified by five areas, such as IT Management, Data Security, Change Management, System Development and Business Continuity Planning. The auditor need to review all the internal controls for this five area to define the risk assessment level in order to main and improve the companys information system. This will help the company keep operating their business by using their information system correctly and continuously. As I am one of the external auditor team for Foods Fantastic Company, we work to auditor the companys internal controls for the information technology general control respective. Our team first review the companys internal controls through five areas that I have talked above; and set up the key aspects for review, which we specialized to suit the FFC. Second, we took an overview of the companys organization cart, and then interview the CFO, Internal Audit, CIO and VP, HR, Applications, Operations, information Security. Those are all the key persons who responsible for the companys information system and internal controls. In addition, we need and already did observations ourselves without talking with anyone. We took notes and collect evidence for future review that could help us conclude our final report for the companys ITGC risk assessment levels. For the IT Management area, I put a low level of risk assessment. For the information technology management, the company has a specific IT strategic plan, which is consistent with the Companys strategic plan. In addition, based on the companys organization cart, I found out the company have a clear reporting and response system. The responsibility for chief information officer clearly classified to four parts, application, operation, information security and database administration. Above all the key aspects we take a review about IT management, the company have a good internal controls for it. There is unlikely happen a risk in this area. For the System Development, I define it as a medium level of risk assessment. The company did design, develop and implement new systems for a certain time or logical reason. However, the new system testing is not as well as we think. As the result, the new system does no perform well as we expected. Even though the company have involve the internal audit department for the new system

development, and the set them as part of the new project team to review the new project, which the team members are all been voting. They have a good process of development of new systems, but the new systems do not perform well. It will still result in a small probability of risk assessment. In general, I set a medium level of risk assessment to let the company consider about this issue. For the Data Security area, I define it as a medium level of risk assessment. The FFC have perfect controls procedures about physical access and logical access. They need to verify identification information and to be permitted by the data center personnel to access the data center. Moreover, the computer room has the protection of environmental controls and monitors to monitor daily activities. In addition, the company have a clearly IT security policy. All of these are good procedures for data security internal controls. This will help the company set up a high level of data security. However, as we observed, the clerk does not follow the rule and get into the computer room or data center easily. Even though the company set up good control procedures for data security, the staff does not follow it consistently. All these procedures will be useless. For the Change Management area, I define a medium level of risk assessment. The Company has formal change management procedures, and follows these procedures when making necessary changes. Those changes need to get approved before implement it. They have to fill the change request form and got sign for users, VP-Applications and CIO. In addition, the programmers do testing the changes before implement it. However, the programmers do not made the code changes and do not testing production module in FFC. As the result of this, it may causes the changes do not good enough to suit for the productions. That will give opportunity to happen a risk. For the Business Continuity Planning area, the risk assessment level is high. The company does not have any written BCP and disaster recovery plan. Even though they information backups every day. Based on the situation that, they did not happening any serious incidence, which will need to recover their data for the past fiscal year. The company loses their vigilance about business continuity problem. It is just lucky for the company do no happen anything serious about discontinued business. For a good internal control, the company has to well prepared about the business discontinuous problem. Based on this situation, I put a high-risk assessment level for the BCP area to notify the company makes a quick change about this part of internal controls. In conclusion, I define the FFC have an overall medium risk assessment based on the analysis of the five areas strength and weakness of Information Technology General Controls. To compare the relative importance about the five areas of ITGC, I think the data security, change management and system development is relatively more important than the other two. As all these three have a medium level of risk assessment, I conclude the overall risk assessment as a medium level. As long as the company set up a business continuity plan, this part of internal controls will not be a problem. In addition, according to the low level of IT Management, the company will have their internal controls for ITGC perspective for a medium level.