This website uses cookies to ensure you have the best experience. Learn more

It General Controls Risk Assessment Report

1551 words - 7 pages

IT General Controls Risk Assessment Report
Foods Fantastic Company
Thomas Woods

In accordance with our IT audit plan, the Foods Fantastic Company (FFC) Audit Team has performed an ITGC review of the 5 critical ITGC areas and in-scope applications so as to enable the audit team to follow a controls-based audit approach and be able to rely on the IT controls in place at FFC. FFC is a publicly traded, regional grocery store located in the mid-Atlantic region which relies on many state-of-the-art IT systems and software and which are all managed in-house.

...view middle of the document...

After reviewing the evidence collected during our walkthrough of FFC’s IT environment, we have assessed IT Management as a lower risk area for a number of reasons. First and foremost, FFC has a strategic plan, which outlines the specific strategies the information systems group will implement so as to be in line with FFC’s corporate strategic plan. A steering committee comprised of personnel from internal audit, information systems, and the finance department are involved in developing the policies of and reviewing the operations of the IT department. This cross-departmental committee helps align the goals of the IT department and the firm as a whole, and helps establish segregation of duties at the manager level so as to establish a culture of openness. Taking this idea of establishing segregation of duties at the managerial level, we find comfort in the fact that the Chief Information Officer (CIO) reviews the logs of the VP, Applications. It is also worthy to note that the IT department has 4 executives that are responsible for different areas of the department and which the CIO is ultimately responsible for reviewing. Although the CIO manages the IT department as a whole, there are 3 levels of management, as the CIO reports to the Chief Financial Officer (CFO) and thus mitigates the risk that oversights or fraudulent activities will be missed. IT Management is a very important area as this helps dictate the tone of the department and helps establish the policies that are in place, but through our review of this ITGC area, we find little risk associated with IT Management and have found evidence that the audit team can rely on the controls put in place.
We have also assessed Systems Development to be an area of lower risk. FFC has adopted Structured Systems Analysis and Design Methodology (SSADM) for its systems development and project management procedures. Per discussion with FFC’s CIO, we noted that SSADM is followed for all projects and the CIO periodically reviews project’s budget-to-actual reconciliation. Although internal audit only performs post-implementation reviews on projects greater than $2 million, because internal audit is a voting member of project teams, internal audit is well aware of developing projects and adds comfort to our assessment of low risk within the Systems Development area. Based on our interview with VP, Applications, we identified the new bio-coding payment system to have been tested in 3 parts across different user departments prior to the acceptance of the new system. This extensive amount of testing highlights the appropriate governance within Systems Development.
We found many issues with the Data Security ITGC area. Because the integrity of many of the IT systems and processes relies on the security of information and data, we have considered Data Security a higher risk area. Although the IT department has a security policy which addresses organizational security, the policy has not been...

Other assignments on It General Controls Risk Assessment Report

Accounting Systems Exam Review

3476 words - 14 pages and typically has a detrimental effect, such as corrupting the system or destroying data. * Antivirus software * Vulnerability assessment * Intrusion detection * Penetration testing General Control - AICPA Trust Services Principles categorizes IT controls and risks into five categories: a. Security b. Availability c. Processing integrity - System processing is complete, accurate, timely

Audit Essay

768 words - 4 pages standards. Audit Process Prevalent Audit Concerns Risk Assessment Process Definition of Internal Audit The audit process is generally a ten-step procedure as outlined below. Please click through the steps in order to better understand the process. 1. Notification 2. Planning 3. Opening Meeting 4. Fieldwork 5. Communication 6. Report Drafting 7. Management Response 8. Closing Meeting 9. Report


310 words - 2 pages know what they are, how likely they are, and what their impact might be. But project risk management is not limited to the identification and aggregation of risks, and it cannot be repeated too often that the point of risk assessment is to be better able to mitigate and manage the project risks. Additional effort is needed to develop and apply risk management. Strategies: Project risk management tools and methods, discussed in this report, can

It Infrastructure

310 words - 2 pages One of the most important first steps to risk management and implementing a security strategy is to identify all resources and hosts within the IT infrastructure. Once you identify the workstations and servers, you now must then find the threats and vulnerabilities found on these workstations and servers. Servers that support mission critical applications require security operations and management procedures to ensure C-I-A throughout. Servers

Lessons From Bearing Case

1026 words - 5 pages have strong ground to believe they are right; should ensure the book of account is complete two roles for internal audit: * to provide an independent assurance service to the board, audit committee and management, focusing on reviewing the effectiveness of the governance, risk management and control processes that management has put into place. * to provide advice to management on governance risks and controls, for example, the

Risk Management

6816 words - 28 pages also includes dredging, bank protection, berms, soil plugs, and other culvert structures. The report includes the project technical scope, estimates, and schedules as developed and presented by the St. Louis and New Orleans Districts. Consequently, these documents serve as the basis for the risk analysis. In general terms, the construction scope consists of the following: • • • • • • • • • • • • • Major project features

Safety Analysis Of A High Voltage Test Lab

5236 words - 21 pages to identify potential safety and health hazards within the lab and apply engineering controls, administrative controls and personal protective equipment to mitigate the hazard. This assessment was accomplished through the use of risk assessment, deviation analysis, job safety analysis, HAZOP and fault tree analysis following a five step method. Each hazard was quantified based on the consequence and the probability of occurring and classified

Corporate Responsibilities Of Sarbanes-Oxley Act Of 2002

4874 words - 20 pages authority to bar securities professionals from practice and defines conditions under which a person can be barred from practicing as a broker, advisor, or dealer. [7] The seventh title is Studies and Reports and it consists of five sections and requires the Comptroller General and the SEC to perform various studies and they also have to report their findings. Studies and reports include the effects of consolidation of public accounting firms, the

Acc 545

1408 words - 6 pages WEEK 4 –INDIVIDUAL ASSIGNMENT 5.3 What are the primary and secondary reasons for conducting an evaluation of an audit client’s internal control? A. The auditor has two primary reasons for conducting an evaluation of a company’s internal control. 1) First, Sarbanes-Oxley (SOX) requires an audit of management’s assessment of internal controls for publicly traded companies. This type of audit is an integrated part of the financial


4499 words - 18 pages * whatever the form of communication, it must clearly ask stakeholders for input, and invite them to assist in the identification of risk for this scenario. Your assessor will be looking for: * evidence that you analysed and identified the needs of the case study and have clearly reflected these in the risk report. Adjustment for distance-based learners * Complete assessment as per instructions, the only difference being that the meeting with


926 words - 4 pages | | | | |General Controls | | | | |Application Controls | | | |7.0 |APPLICATION OF CONTROLS IN SELECTED TRANSACTION CYCLES

Similar Documents

Checklist For Internals Essay

502 words - 3 pages ? 9. Does each department maintain their own risk assessment and is it reviewed by management? Control Procedures: 10. Does the organization have documentation of all procedures for each function? 11. Are all transactions recorded correctly and in a timely fashion? 12. Does management review the accounting reports and monitor/report any unusual transactions? Information and Communication: 13. Does the company have the right people working

Hipaa Essay

3778 words - 16 pages attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Guide and the Toolkit documents. Therefore, these documents may need to be modified in order to comply with Wisconsin/State law. The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements

Understanding Nist 800‐37  Fisma Requirements  Essay

2451 words - 10 pages  according to potential impact of loss  Step 2 ‐ Select baseline (minimum) security controls to protect the information system; apply  tailoring guidance as appropriate  Step 3 ‐ Use risk assessment results to supplement the tailored security control baseline as  needed to ensure adequate security and due diligence  Step 4 ‐ Document in the security plan, the security requirements for the information system  and the security controls planned or in place

Capital Market Essay

9713 words - 39 pages riskmanagement system of an institution. The assessment of risk-management systems and controls may be performed in consideration of the type of risk, the type of instrument, or by function or activity. The examiner must become familiar with the institution’s range of business activities, global risk-management framework, risk-measurement models, and system of internal controls. Furthermore, the examiner must assess the qualitative and