IT General Controls Risk Assessment Report
Foods Fantastic Company
In accordance with our IT audit plan, the Foods Fantastic Company (FFC) Audit Team has performed an ITGC review of the 5 critical ITGC areas and the in-scope applications, so as to enable the audit team to follow a controls-based audit approach and rely on the IT controls in place at FFC. FFC is a publicly traded, regional grocery store located in the mid-Atlantic region that relies on many state-of-the-art IT systems and software, all of which are managed in-house.
After reviewing the evidence collected during our walkthrough of FFC’s IT environment, we have assessed IT Management as a lower-risk area for a number of reasons. First and foremost, FFC has a strategic plan that outlines the specific strategies the information systems group will implement to stay in line with FFC’s corporate strategic plan. A steering committee comprised of personnel from internal audit, information systems, and the finance department is involved in developing the policies of the IT department and reviewing its operations. This cross-departmental committee helps align the goals of the IT department with those of the firm as a whole, and helps establish segregation of duties at the manager level, which in turn fosters a culture of openness. Continuing this theme of segregation of duties at the managerial level, we take comfort in the fact that the Chief Information Officer (CIO) reviews the logs of the VP, Applications. It is also worth noting that the IT department has 4 executives, each responsible for a different area of the department, whose work the CIO is ultimately responsible for reviewing. Although the CIO manages the IT department as a whole, there are 3 levels of management, since the CIO in turn reports to the Chief Financial Officer (CFO); this layered oversight mitigates the risk that oversights or fraudulent activities will go unnoticed. IT Management is a very important area, as it sets the tone of the department and establishes the policies that are in place, but through our review of this ITGC area we find little risk associated with IT Management and have found evidence that the audit team can rely on the controls in place.
We have also assessed Systems Development to be an area of lower risk. FFC has adopted the Structured Systems Analysis and Design Methodology (SSADM) for its systems development and project management procedures. Per discussion with FFC’s CIO, we noted that SSADM is followed for all projects and that the CIO periodically reviews each project’s budget-to-actual reconciliation. Although internal audit only performs post-implementation reviews on projects greater than $2 million, internal audit is a voting member of project teams and is therefore well aware of projects under development, which adds comfort to our assessment of low risk within the Systems Development area. Based on our interview with the VP, Applications, we noted that the new bio-coding payment system was tested in 3 parts across different user departments prior to acceptance of the new system. This extensive testing highlights the appropriate governance within Systems Development.
We found many issues with the Data Security ITGC area. Because the integrity of many of the IT systems and processes relies on the security of information and data, we have considered Data Security a higher risk area. Although the IT department has a security policy which addresses organizational security, the policy has not been...