Although Change Management is viewed as less of a priority than many of the other ITGC areas, there is still a serious level of risk that can be attributed to this area if the processes are not managed properly.
The VP grants access to the system to new hires. The VP, Applications also reviews the documentation prior to implementing any new or changed program to ensure that the documentation is adequate.
Documentation of the systems development process for the new bio-coding payment system confirms that the VP of Applications complied with SSADM requirements when implementing this new system. Taking this idea of establishing segregation of duties at the managerial level, we find comfort in the fact that the Chief Information Officer (CIO) reviews the logs of the VP, Applications.
A Change Request form initiates all application software changes, including required software upgrades.
FFC has an IT strategic plan, which is consistent with its corporate strategic plan. The VP, Applications assigns a project manager and develops an initial time and dollar budget for each new development project.
A steering committee comprised of personnel from internal audit, information systems, and the finance department is involved in developing the policies of and reviewing the operations of the IT department.
The programmer tests the change first within the affected module and then within the entire application. FFC is a publicly traded, regional grocery store located in the mid-Atlantic region which relies on many state-of-the-art IT systems and software, all of which are managed in-house.
Appropriate maintenance staff tests these controls semi-annually. We have decided to identify this area as higher risk. How well does FFC control physical access to its data center computer room?
The system generates a logical access violation report on a daily basis. FFC does not use any outside service organizations to provide its IT services.
The applications programmer copies the source code from the systems production region to its development region and makes the change.
Business Continuity Planning: Key concepts of BCP are management's expectations regarding a timely recovery of processing capabilities, the existence of a written plan, the currency of the plan, off-site storage of both the plan and data files, and testing of the plan.
FFC has no documented business continuity or disaster recovery plan. The VP reviews the request form for proper approvals and then either approves or denies the request.
Did the programmers adequately test the changes before putting them into production? Environmental controls are in place in the computer room i. The VP, IS has not reviewed the unauthorized system access report in the last 6 months but he is supposed to review this report monthly.
Although VP, IS is responsible for maintaining user profiles and authorization reports and the CIO is responsible for the user audit, the VP, IS performed the most recent user audit showing us a lack in the segregation of duties. Based on the above evidence and on the fact that Data Security is a vital part of any organization, it is clear to us that the financial audit team should not place a high degree of reliance on the controls in place for Data Security as we have found many deficiencies with these controls.
Notes from meetings with the VP, Human Resources: It stores its most recent daily backup once a week at a company-owned off-site location, along with the most recent version of its software.
Aside from the security policy, management does not provide any formalized security awareness programs related to data security.
This new systems implementation required that FFC change several of its general-ledger application programs, in particular, those related to its cash receipts processing.
All outside contractors or visitors must first contact the data center manager for entry into the computer room. If the third attempt is unsuccessful, the user ID is automatically disabled. These modifications that are solely made by the VP, IS are not done in conjunction with department managers and therefore show a lack in the segregation of duties.
Company policy requires the VP, IS to review the unauthorized system access report on a monthly basis to check for unusual activity e. FFC would use these files to recover its systems. Notes from meetings with the VP, Applications:
This case helps students assess overall ITGC risk within an organization's information systems. Students identify specific strengths and weaknesses within five ITGC areas, provide a risk assessment for each area, and then evaluate an organization's overall level of.
Background: In accordance with our IT audit plan, the Foods Fantastic Company (FFC) Audit Team has performed an ITGC review of the 5 critical ITGC areas and in-scope applications so as to enable the audit team to follow a controls-based audit approach and be able to rely on the IT controls in place at FFC.
Foods Fantastic Company is a public company which mainly operates a regional grocery store in Maryland. This Company relies on application programs, such as.
Transcript of ITGC Risk Assessment. Foods Fantastic Company: Assessing Information Technology General Control Risk. Background: Foods Fantastic Company. Publicly traded, regional grocery store chain. Complexity and sophistication of FFC's IT processing requires ITGC review.