IT General Controls Risk Assessment Report

Category: Internal Control
Last Updated: 20 Apr 2022
Pages: 6 Views: 901

Background: In accordance with our IT audit plan, the Foods Fantastic Company (FFC) Audit Team has performed an ITGC review of the 5 critical ITGC areas and in-scope applications so as to enable the audit team to follow a controls-based audit approach and be able to rely on the IT controls in place at FFC. FFC is a publicly traded, regional grocery store located in the mid-Atlantic region which relies on many state-of-the-art IT systems and software and which are all managed in-house.

Purpose: We hope to gain comfort that FFC’s systems, IT practices, and risk management procedures are working properly and are operationally effective within a well-controlled IT environment and to meet the requirements that are outlined in SAS 109 and SOX Section 404 Management Assessment of Internal Controls. Considering that the FFC IT environment has a direct impact on the account balances and financial statements, it is imperative that we provide assurance over IT controls prior to the financial statement audit and assess the risk of material misstatement in the different areas of the IT environment.

Scope: Our team initially reviewed key provisions included in SAS 109, SOX Section 404, PCAOB Auditing Standard No.5, and FFC policies. To provide the financial auditors with a complete and accurate review of the critical ITGC areas, we reviewed FFC’s IT and security procedures, interviewed relevant FFC client personnel, and observed FFC operations and procedures related to its ITGCs. Upon review of all relevant evidence and data collected through our walkthrough of FFC, we developed our risk assessment of each ITGC area and an associated assessment of the strengths and weaknesses of each ITGC area documented in Exhibit 3, parts A &B.

Order custom essay IT General Controls Risk Assessment Report with free plagiarism report

feat icon 450+ experts on 30 subjects feat icon Starting from 3 hours delivery
Get Essay Help

Findings: After reviewing the evidence collected during our walkthrough of FFC’s IT environment, we have assessed IT Management as a lower risk area for a number of reasons. First and foremost, FFC has a strategic plan, which outlines the specific strategies the information systems group will implement so as to be in line with FFC’s corporate strategic plan. A steering committee comprised of personnel from internal audit, information systems, and the finance department are involved in developing the policies of and reviewing the operations of the IT department. This cross-departmental committee helps align the goals of the IT department and the firm as a whole, and helps establish segregation of duties at the manager level so as to establish a culture of openness. Taking this idea of establishing segregation of duties at the managerial level, we find comfort in the fact that the Chief Information Officer (CIO) reviews the logs of the VP, Applications.

It is also worthy to note that the IT department has 4 executives that are responsible for different areas of the department and which the CIO is ultimately responsible for reviewing. Although the CIO manages the IT department as a whole, there are 3 levels of management, as the CIO reports to the Chief Financial Officer (CFO) and thus mitigates the risk that oversights or fraudulent activities will be missed. IT Management is a very important area as this helps dictate the tone of the department and helps establish the policies that are in place, but through our review of this ITGC area, we find little risk associated with IT Management and have found evidence that the audit team can rely on the controls put in place. We have also assessed Systems Development to be an area of lower risk. FFC has adopted Structured Systems Analysis and Design Methodology (SSADM) for its systems development and project management procedures.

Per discussion with FFC’s CIO, we noted that SSADM is followed for all projects and the CIO periodically reviews project’s budget-to-actual reconciliation. Although internal audit only performs post-implementation reviews on projects greater than $2 million, because internal audit is a voting member of project teams, internal audit is well aware of developing projects and adds comfort to our assessment of low risk within the Systems Development area. Based on our interview with VP, Applications, we identified the new bio-coding payment system to have been tested in 3 parts across different user departments prior to the acceptance of the new system. This extensive amount of testing highlights the appropriate governance within Systems Development. We found many issues with the Data Security ITGC area. Because the integrity of many of the IT systems and processes relies on the security of information and data, we have considered Data Security a higher risk area.

Although the IT department has a security policy which addresses organizational security, the policy has not been revised for almost 8 years. There are strong physical security procedures in place, such as keeping the computer rooms locked and requiring escorts for all contractors and outside personnel. We found issues pertaining to environmental controls and on the logical side of Data Security. Environmental controls were only tested semi-annually which we deemed too high of a frequency considering the importance of the integrity of the equipment that is housed in the computer room. Although policy password parameters are strong, no formal review of access violation reports was ever mentioned during our walkthrough. The VP, IS has not reviewed the unauthorized system access report in the last 6 months but he is supposed to review this report monthly.

Also, the profile of VP, IS has unlimited access and can sign-on multiple times even though it is company policy for ID’s to have limited access and authorization to sign into one session at a time. Although VP, IS is responsible for maintaining user profiles and authorization reports and the CIO is responsible for the user audit, the VP, IS performed the most recent user audit showing us a lack in the segregation of duties. The recent terminations and transfers reports, which the VP, IS is supposed to make modifications to in a timely fashion, have been delayed approximately 3 weeks. These modifications that are solely made by the VP, IS are not done in conjunction with department managers and therefore shows a lack in the segregation of duties. Based on the above evidence and on the fact that Data Security is a vital part of any organization, it is clear to us that the financial audit team should not place a high degree of reliance on the controls in place for Data Security as we have found many deficiencies with these controls. Although Change Management is viewed as less of a priority than many of the other ITGC areas, there is still a serious level of risk that can be attributed to this area if the processes are not managed properly. Through inquiry and observation, we have assessed a very limited amount of risk with regards to FFC’s Change Management processes and reviews.

We verified that FFC has followed approved change management procedures with the bio-coding payment system and other financial reporting applications that have a material effect on the financial statements. There are many layers to the change management process with many different levels of approvals and reviews. Not only are there multiple levels of approvals, but change testing is performed multiple times by multiple types of personnel. Changes are tested only with test data and never with production data and although VP, Applications approves the changes, the VP, Operations is the person that ultimately accepts the change. We have taken great comfort in the detailed and well-designed change management process that is in place at FFC and would recommend the financial audit team to place a high degree of reliance on this area of ITGC. Due to the lack of a Business Continuity Plan (BCP) and a plan to test backup tapes, we assessed the area of BCP to be risky.

Although backups are done daily, backup tapes are stored offsite, and there haven’t been incidents in the past year where FFC has had to recover its systems with the use of backup tapes, a lack of a BCP plan offers us little comfort because personnel have no guidelines to follow when performing BCP procedures. And although the priority of BCP is low and incidents are rare, it is essential that a company have policies in place for when incidents do occur because the integrity of the firm as a whole can be at risk if systems were to fail and no reliable backup tapes are available. We have decided to identify this area as higher risk.

Cite this Page

IT General Controls Risk Assessment Report. (2018, Mar 31). Retrieved from https://phdessay.com/it-general-controls-risk-assessment-report/

Don't let plagiarism ruin your grade

Run a free check or have your essay done for you

plagiarism ruin image

We use cookies to give you the best experience possible. By continuing we’ll assume you’re on board with our cookie policy

Save time and let our verified experts help you.

Hire writer