Food Fantastic Company

0 Comment

IT General Controls Risk Assessment Report Food Fantastic Company March 28, Background: Foods Fantastic Company is a publicly traded grocery chain with a chain of 50 stores in the US based in Mason, Maryland. The company has embraced technology to a great extent and uses state-of-the-art applications and devices to monitor inventory, process checkouts and maintain its accounting books. An ITGC review is necessary because of the degree to which the company is dependent on the data produced by its information systems for accounting and decision-making. Purpose: The purpose of an ITGC review is to ensure the reliability, consistency and security of an information system that is being used as a source of information and legal standing for accounting purposes. The idea behind an ITGC review is to check the data input streams for dependability as it will constitute a legal standing of the company. In addition, the review will cover aspects of fraud, security, back-dated entries and other loopholes that can be used for frauds or unauthorized access to confidential data. Scope: The scope of this audit and review is limited to the surface risk assessment of the controls used by FFC. In addition, it covers only the mainstream information system which is used for reporting and decision-making. Any other third-party systems are not covered in this review as long as they do not have any impact on financial reporting. Also, the review has been conducted in accordance with the guidelines defined and accepted as international best practices for ITGC. Findings: The information system control procedures at Foods Fantastic Company do not meet the standards of what can be termed as the best practices in the industry. From an IT management perspective, the company faces a Low risk assessment because the company has a strategic plan that provides its information systems processes a direction. The CIO of the company reports to the CFO which is fine because the CFO is also the Executive Vice President of the company. The CIO is a well-reported position gathering key data from applications, operations, information security and database administration VPs. This provides a well-rounded view of the IT processes and programs to the CIO who in turn delivers it to the CFO. However, the lack of an IT steering committee is a drawback – one which poses some risk to the organization – as it does not eliminate bias and collaborative fraud on part of the IT department of the organization. An independent team is needed to ensure unbiased proceedings of the entire IT department. The company has implemented its systems in a logical fashion and the involvement of the internal audit department of FFC suggests that the process was streamlined and followed the guidelines laid down by ITGC. Since internal controls were considered religiously to be part of system design, the risk level from a systems development perspective for FFC is Low. The availability of formal logs and prevention of unauthorized access to its data centres and workstation security policies are all good practices. Control via access cards and its current IT security policy are all encouraging measures at FFC. In spite of that, logs and review of access records is not carried out on a timely basis. This poses a significant risk to the company in terms of ex-employee frauds and collaborative fraud through misuse of access cards if knowledge of non-review of logs is prevalent amongst the employees. Also, the security of the data centre and location are not ideal in comparison to the best practices in managing data centres and controlling access to it – for example, a fraud by the VP would go undetected till it is too late to take any corrective actions. The company’s password policies are also weak and are highly prone to attack by miscreants. These factors render the risk level to be High from a data security perspective. The maintenance of change management documents in fireproof vaults is an encouraging sign. The lack of formal review of change management documents and procedures poses a Medium risk to the company from a change management perspective. The company’s implementation, testing and post-production review was nearly risk-free and any other risks fall within the low risk category too. There is a formal backup mechanism implemented at FFC however backup tapes are not tested nor checked for retrieval of data. In addition there has been no disaster recovery drill at the facility for the last six months. There are environmental controls in the server room which are tested every six months. Backup storage site is separate from the main office and the company’s backup maintenance policy is adequate. The combination of the above factors makes the business continuity plan risk level to be Medium for FFC. Conclusion: In our opinion, based on the overall risk assessment of the information systems controls in place at Foods Fantastic Company, I would set the level of ITGC risk at FFC as Medium. Individual risk assessment in different areas can be broken down into the following: ITGC Area Assessment IT Management Low Systems Development Low Data Security High Change Management Medium Business Continuity Plan Medium Works Cited Bines, J. 2002. A beginner’s guide to auditing the AS/400 operating system. Information Systems Control Journal, Volume 2, Available at: