IT General Controls Risk Assessment Report
Foods Fantastic Company
Background:
In accordance with our IT audit plan, the Foods Fantastic Company (FFC) Audit Team has performed an ITGC review of the five critical ITGC areas and the in-scope applications, so that the audit team can follow a controls-based audit approach and rely on the IT controls in place at FFC. FFC is a publicly traded regional grocery chain in the mid-Atlantic region that relies on many state-of-the-art IT systems and software, all of which are managed in-house.
Purpose:
We hope to gain comfort that FFC’s systems, IT practices, and risk management procedures are working properly and are operationally effective within a …
Per discussion with FFC’s CIO, we noted that SSADM is followed for all projects and that the CIO periodically reviews each project’s budget-to-actual reconciliation. Although internal audit performs post-implementation reviews only on projects greater than $2 million, internal audit sits as a voting member of project teams and is therefore aware of projects under development; this supports our assessment of low risk within the Systems Development area. Based on our interview with the VP, Applications, we noted that the new bio-coding payment system was tested in three phases across different user departments before the system was accepted. This extent of testing indicates appropriate governance within Systems Development.
We identified several issues in the Data Security ITGC area. Because the integrity of many of the IT systems and processes relies on the security of information and data, we have considered Data Security a higher-risk area. Although the IT department has a security policy that addresses organizational security, the policy has not been revised in almost eight years, so it is unlikely to reflect FFC’s current systems and threat environment. There are strong physical security procedures in place, such as keeping the computer rooms locked and requiring escorts for all contractors and outside personnel. We found issues pertaining to environmental controls and on the logical side of Data Security. Environmental controls were tested only semi-annually, which we