Sunday, March 10, 2019

Foods Fantastic Company Essay

Foods Fantastic Company's IT processing is very complex and sophisticated; therefore, according to SAS 109's risk assessment procedures and SOX Section 404, Management Assessment of Internal Controls, an IT General Control (ITGC) review is required. The purpose of an ITGC review is to provide the foundation for reliance on any financial information Foods Fantastic Company (FFC) produces. Although ITGC weaknesses do not directly result in misstated financial statements or control weaknesses, they can indirectly cause application control deficiencies and affect the financial auditor in assessing the risk of material misstatement in FFC's financial statements.

For the risk assessment my team performed at Foods Fantastic, we first wrote down some questions and concerns for each ITGC area. Then we looked at the company's organization chart, had a meeting with the head of each department, and took notes from the meetings. We also observed the audit team. After that, we wrote down the strengths and weaknesses and decided the level of risk assessment for each area.

First of all, in the area of IT Management, the risk assessment is medium. They have a strategic plan, which is a strength, because a strategic plan will help FFC meet its business goals by outlining the objectives and strategies for the information system group. In addition, FFC has an IT steering committee, which is also a strength, because the committee develops and revises IT and security policies and reviews the operations of the IT department. However, there are a couple of weaknesses in the area of IT Management. For instance, their Chief Information Officer reports only to their Chief Financial Officer. According to the Sarbanes-Oxley Act, the company's chief executive officer and chief financial officer are required to include an assessment of the operating effectiveness of their internal control system over financial reporting when issuing the annual report.
In addition, the Vice President of Applications, Vice President of Operations, Vice President of Information Security, and Vice President of Database Administration report only to the Chief Information Officer.

Second, there are quite a few strengths in their Systems Development area. They design, develop, and implement systems in a reasonable fashion, with all duties segregated. In addition, management considers internal controls an integral part of systems design, and the IT personnel adequately tested the new bio-coding payment system prior to its implementation, so we determined that the risk assessment in this area is low. However, FFC's Internal Audit department is involved as a voting member of the project teams. Internal Audit performs post-implementation reviews on all projects over $2 million. Internal Audit should be independent and should not be involved in the project team.

Third, the risk assessment in the area of Data Security is high. Although they have strong control over physical access to their data center computer room, they have weak control over logical access. In order to control physical access, FFC's computer room within its data center is locked at all times. All outsiders must first contact the data center manager in order to enter the computer room. Each must bring an official ID, sign a visitors' log, and be escorted at all times by data center personnel during the visit. The computer room also has environmental controls, which are tested semi-annually. However, the Human Resources Department forwards the Transfers and Terminations report only once a month, not immediately after an employee is transferred or terminated. The security policy is not current; it was revised in 2005.
The system generates a logical access violation report daily, but company policy only requires the Vice President of Information System to review the unauthorized system access report once a month.

Finally, the risk assessment in the Change Management area is low, but the risk assessment in the Business Continuity Planning area is high. Although no incidents have occurred that required them to recover their systems, a company should always have a business continuity plan. They did not document any business continuity or disaster recovery plan, nor did they test the backup tapes during the past years, and they have no intention of testing the tapes in the future. FFC backs up all of its data daily, but only stores the backups once a week at a company-owned offsite location. They should store the data offsite daily.

Overall, I rate FFC's assessed level of ITGC risk as high because of their data security and business continuity planning. Data is the most important element of an organization. Without data, the organization will not be able to operate. FFC does not have a business continuity plan because they believe it is cost prohibitive for an organization of its size, and that belief is wrong. Every organization should have a business continuity plan in case there is a natural disaster. In addition, FFC should do a better job of controlling logical access, because hackers don't necessarily have to gain access to the organization's data physically.