Foods Fantastic Company's IT processing is very complex and sophisticated; therefore, according to the SAS 109 risk assessment procedures and SOX Section 404 (Management Assessment of Internal Controls), an IT General Control (ITGC) review is required. The purpose of an ITGC review is to provide the foundation for reliance on any financial information Foods Fantastic Company produces. Although an ITGC weakness does not directly result in misstated financial statements or a material control weakness, it can indirectly cause application control deficiencies and affects how the financial auditor assesses the risk of material misstatement in FFC's financial statements.

For the risk assessment my team performed at Foods Fantastic, we first wrote down questions and concerns for each ITGC area. Then we reviewed the company's organization chart, met with the head of each department, and took notes from those meetings. We also observed the audit team. After that, we wrote down the strengths and weaknesses and decided the level of assessed risk for each area.

First, in the area of IT Management, the assessed risk is medium. FFC has a strategic plan, which is a strength, because a strategic plan helps FFC meet its business goals by outlining the objectives and strategies for the information systems group.
In addition, FFC has an IT steering committee, which is also a strength, because the committee develops and revises IT and security policies and reviews the operations of the IT department. However, there are a couple of weaknesses in the area of IT Management. For instance, the Chief Information Officer reports only to the Chief Financial Officer. According to the Sarbanes-Oxley Act, the company's chief executive officer and chief financial officer are required to include an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report. In addition, the Vice President of Applications, Vice President of Operations, Vice President of Information Security, and Vice President of Database Administration report only to the Chief Information Officer.

Second, there are quite a few strengths in the Systems Development area: FFC designs, develops, and implements systems in a logical fashion in which all duties are segregated. In addition, the organization considers internal controls an integral part of systems design, and IT personnel adequately tested the new bio-coding payment system prior to its implementation, so we determined that the assessed risk in this area is low.
However, FFC's Internal Audit Department is involved as a voting member of the project teams. Internal Audit performs post-implementation reviews on all projects over $2 million. Internal Audit should be independent and should not be involved in the project team.

Third, the assessed risk in the area of Data Security is high. Although FFC has strong control over physical access to its data center computer room, it has weak control over logical access. To control physical access, FFC's computer room within its data center is locked at all times. All outsiders must first contact the data center manager in order to enter the computer room. Each must bring an official picture ID, sign a visitors' log, and be escorted at all times by data center personnel during the visit. The computer room also has environmental controls, which are tested semi-annually.
However, the Human Resources Department only forwards the Transfers and Terminations report once each month, not immediately after an employee is transferred or terminated. The security policy is not current; it was last revised in 2005. The system generates a logical access violation report daily, but company policy only requires the Vice President of Information System to review the unauthorized system access report once a month.
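The logical access weakness above is concrete enough to check mechanically. The following Python is an added illustration written for this page; it is not part of the review or of FFC's systems. It reconciles a constructed HR termination list against constructed access log lines, flags successful logins by users after their termination date, and measures how many days each account can stay active before the change reaches IT under a monthly report (assumed here to be sent on the first of the following month) versus immediate notification. All user names, dates and log lines are constructed sample data.

```python
"""Reconcile HR termination records against system access logs.

Added illustration (not from the original review): shows why a monthly
Transfers and Terminations report leaves a window in which a terminated
employee's account remains usable. All names, dates and log lines below
are constructed sample data.
"""
from datetime import date, datetime

# Constructed HR records: user id -> termination date
HR_TERMINATIONS = {
    "jdoe": date(2024, 3, 4),
    "asmith": date(2024, 3, 20),
    "bchen": date(2024, 3, 28),
}

# Constructed access log: "<ISO timestamp> <user> <SUCCESS|FAILURE>"
ACCESS_LOG = """\
2024-03-01T08:02:11 jdoe SUCCESS
2024-03-05T17:44:09 jdoe SUCCESS
2024-03-12T09:15:33 jdoe SUCCESS
2024-03-21T22:10:40 asmith SUCCESS
2024-03-22T07:01:02 mlopez SUCCESS
2024-03-29T03:12:58 bchen FAILURE
"""


def parse_log(text):
    """Turn log lines into (timestamp, user, result) tuples; skips blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def post_termination_access(terminations, events):
    """Return {user: [timestamps]} of SUCCESSFUL logins on or after the
    user's termination date. Any entry means the account was still
    usable after HR already knew the employee had left."""
    hits = {}
    for ts, user, result in events:
        term = terminations.get(user)
        if term is not None and result == "SUCCESS" and ts.date() >= term:
            hits.setdefault(user, []).append(ts)
    return hits


def next_monthly_report(d):
    """First day of the month after d: the assumed monthly report date."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, 1)


def exposure_days(terminations, monthly=True):
    """Days each account may stay active before IT learns of the
    termination: until the next monthly report, or 0 if HR notifies
    IT immediately."""
    return {
        user: (next_monthly_report(term) - term).days if monthly else 0
        for user, term in terminations.items()
    }


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for user, stamps in post_termination_access(HR_TERMINATIONS, events).items():
        print(f"{user}: {len(stamps)} login(s) after termination on "
              f"{HR_TERMINATIONS[user]}")
    print("exposure window (monthly report):", exposure_days(HR_TERMINATIONS))
    print("exposure window (immediate):     ", exposure_days(HR_TERMINATIONS, monthly=False))
```

In the constructed data, jdoe logs in twice after a 4 March termination that IT would not hear about until 1 April; the same reconciliation run against a daily HR feed would show no window at all. The FAILURE line for bchen is the kind of entry the daily logical access violation report already captures, which is why reviewing that report monthly rather than daily matters.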
Finally, the assessed risk in the Change Management area is low, but the assessed risk in the Business Continuity Planning area is high. Although no incidents have occurred that required FFC to recover its systems, a company should always have a business continuity plan. FFC has not documented any business continuity or disaster recovery plan, nor has it tested the backup tapes during the past years, and it has no intention of testing the tapes in the future. FFC backs up all of its data daily, but moves the backups to a company-owned offsite location only once a week. It should store the backups offsite daily.
Overall, I set FFC's assessed level of ITGC risk as high because of its data security and business continuity planning. Data is the most important element of an organization; without data, the organization will not be able to operate. FFC's position that a business continuity plan is cost prohibitive for an organization of its size is wrong. Every organization should have a business continuity plan in case there is a natural disaster. In addition, FFC should do a better job of controlling logical access, because a hacker does not necessarily have to gain physical access to reach the organization's data.