Sunday, May 26, 2019

Foods Fantastic Company Essay

Foods Fantastic Company's IT processing is very complex and sophisticated; hence, according to SAS 109's risk assessment procedures and SOX Section 404, Management Assessment of Internal Controls, an IT General Control (ITGC) review is required. The purpose of an ITGC review is to provide the basis for reliance on any financial information Foods Fantastic Company produces. Although an ITGC review does not directly result in misstated financial statements or strong control weaknesses, it can indirectly cause application control deficiencies and affect the financial auditor in assessing the risk of material misstatement in FFC's financial statements.

For the risk assessment my team performed at Foods Fantastic, we first wrote down some questions and concerns for each ITGC area. Then we looked at the company's organization chart, had a meeting with the head of each department, and took notes from the meetings. We also observed the audit team. After that, we wrote down the strengths and weaknesses and decided the level of risk assessment for each area.

First of all, in the area of IT Management, the risk assessment is medium. They have a strategic plan, which is a strength, because a strategic plan will help FFC meet its business goals by outlining the objectives and strategies for the information systems group. In addition, FFC has an IT steering committee, which is also a strength, because the committee develops and revises IT and security policies and reviews the operations of the IT department. However, there are a couple of weaknesses in the area of IT Management. For instance, their Chief Information Officer only reports to their Chief Financial Officer. According to the Sarbanes-Oxley Act, the company's chief executive officer and chief financial officer are required to provide an assessment of the operating effectiveness of their internal control structure over financial reporting when issuing the annual report.
In addition, the Vice President of Applications, Vice President of Operations, Vice President of Information Security, and Vice President of Database Administration report only to the Chief Information Officer.

Second, there are quite a few strengths in their Systems Development area: they design, develop, and implement systems in a logical fashion, in which all the duties are segregated. In addition, the organization considers internal controls an inherent part of systems design, and the IT personnel adequately tested the new bio-coding payment system prior to its implementation, so we determined the risk assessment in this area is low. However, FFC's Internal Audit Department is involved as a voting member of the project teams. Internal Audit performs post-implementation reviews on all projects over $2 million. Internal Audit should be independent and should not be involved in the project team.

Third, the risk assessment in the area of Data Security is high. Although they have high control over physical access to their data center computer room, they have low control over logical access. In order to control physical access, FFC's computer room within its data center is locked at all times. All outsiders must first contact the data center manager in order to enter the computer room. Each must bring an official picture ID, sign a visitors' log, and be escorted at all times by data center personnel during the visit. They also have environmental controls in the computer room, which are tested semi-annually. However, the Human Resources Department only forwards the Transfers and Terminations report each month, and not immediately after the employee is transferred or terminated. The security policy is not current and was revised in 2005.
The system generates a logical access violation report daily, but the company policy only requires the Vice President of Information System to review the unauthorized system access report once a month.

Finally, the risk assessment in the Change Management area is low, but the risk assessment in the Business Continuity Planning area is high. Although no incidents have occurred that required them to recover their systems, a company should always have a business continuity plan. They did not document any business continuity or disaster recovery plan, nor did they test the backup tapes during the past years, and they have no intention of testing the tapes in the future. FFC backs up all of the data daily, but only stores it once a week at a company-owned offsite location. They should store the data daily.

Overall, I set FFC's assessed level of ITGC risk as high because of their data security and business continuity planning. Data is the most important element of an organization. Without data, the organization will not be able to operate. The fact that FFC does not have a business continuity plan because they believe it is cost prohibitive for an organization of its size is wrong. Every organization should have a business continuity plan in case there is a natural disaster. In addition, FFC should do a better job of controlling logical access, because hackers don't necessarily have to gain access to the organization's data physically.
