ISCL Case Study 1

SuperTech - IT Risk Assessment in an ERP Setup

Introduction
The information technology (IT) function of a business organization is responsible for many aspects of the firm s computer! communication an" information processing systems# $ith respect to the latter! the IT "epartment plays a key role in (%) ensuring complete an" accurate processing of accounting transactions! (&) protecting an" maintaining security o'er one of the organization s most 'aluable resources (information) an" other "igital assets! an" (() assuring that rele'ant "ecision-making information is a'ailable to appropriate in"i'i"uals )hen nee"e"# *ecause most financial information is processe" an" maintaine" )ithin a company s IT en'ironment! the IT function is a critical focus area )hene'er a financial au"it is performe"# +any accounting firms ha'e "e'elope" specialize" practice areas that focus on assessing an" managing 'arious risks associate" )ith the IT function# The purpose of this case is to familiarize you )ith a number of risk an" control consi"erations relate" to an organization s IT en'ironment# Part I of this case is "esigne" to ac,uaint you )ith the case company (SuperTech P't# -t"#) an" to pro'i"e an o'er'ie) of the company s IT en'ironment# The case ,uestions at the en" of Part I are not necessarily specific to SuperTech P't# -t"#! as the risks an" controls you are aske" to consi"er are applicable to most business organizations. especially! the large corporate# The ne/t three parts of the case "ecompose the IT infrastructure of SuperTech P't# -t"#) into the net)ork an" operating system (Part II)! "atabase system (Part III)! an" application system (Part I0)# $hile the case ,uestions presente" at the en" of each of these sections are some)hat specific to the circumstances of SuperTech P't# -t"#! the issues an" consi"erations in'ol'e" are ne'ertheless applicable to IT functions in a )i"e array of profit! not-for-profit an" go'ernmental entities# 1ote that the IT function! often referre" to as the IT 2epartment ! may also be labele" the Information Systems (IS) 2epartment ! +anagement Information Systems (+IS) 2epartment ! an" 3omputer Information Systems (3IS) 2epartment ! among other similar terms#

Part I: Overview of the Organization

SuperTech P't# -t"#! locate" in 3hennai! South of In"ia! is the parent company for three subsi"iary organizations that sell 'ehicles# The subsi"iaries are locate" in 4olkata! +umbai an" 2elhi# SuperTech P't# -t"# manufactures 'ehicles at t)o plants5 one locate" in 1oi"a! an" the other in Ankalesh)ar# SuperTech P't# -t"# is preparing to issue an initial public offering (IP6) later this year. therefore! its financial statements for the past three years are being au"ite"# In accor"ance )ith the chosen Au"iting Stan"ar"s! the financial au"it team is properly complying )ith the stan"ar"s as they perform their au"it of SuperTech s financial statements# $hile preparing for the au"it! the team consi"ers the statement in the au"iting stan"ar" - a sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed. The audit manager realizes that SuperTech Pvt.
Ltd. depends heavily on its IT function to capture and process the accounting information that is ultimately reported on the financial statements. Therefore, in order to obtain a sufficient understanding of internal control, an assessment of the company's risks surrounding the IT function must be performed. ssume that you are a staff member on the audit team and that you have the responsibility for conducting an IT risk assessment of SuperTech's computing environment. risk assessment is a process !hereby risks are identified and their potential effects are evaluated. "ou have been charged !ith revie!ing facts associated !ith the IT environment, identifying the general and specific risks !ithin the IT environment, determining the significance level that each risk poses to SuperTech's account balances and recommending appropriate internal controls designed to mitigate the identified risks.

IT Management SuperTech s IT "epartment is manage" by 2amo"aran (popular by his call name 22 )! 3hief 7inancial 6fficer (376) an" IT 2irector# 22 has been )ith the company for %8 years# 9is e"ucation an" e/perience are concentrate" primarily in the areas of accounting an" finance# 22 )as promote" to 376 t)o years ago# At that time! he also assume" the role of IT 2irector# 9e spen"s the 'ast ma:ority of his time in "ealing )ith 376 relate" issues! as his financial

Page # of $

ISCL Case Study 1

management skills are e/cellent# 22 has "e'elope" his IT kno)le"ge on the :ob # 22 has a staff of %; employees# The corporate office is supporte" by f'e IT personnel! inclu"ing 1et)ork A"ministration an" Support! 3omputer 6perations! Programming an" Testing! an" Support functions# A""itionally! there are fi'e IT personnel (Site Support Engineers) )ho support the regional IT systems locate" at the three sales subsi"iaries an" t)o manufacturing sites# The organization chart (see 7igure %) illustrates the personnel structure of the IT "epartment# IT Strategy and Other Critical IT Policies SuperTech s ma:or applications run on SAP. ho)e'er! as an organization! they "o not ha'e a formal IT strategy! but inten" to incorporate IT upgra"es an" enhancements into their o'erall corporate gro)th strategy as time an" resources permit# 7ormal policies an" proce"ures e/ist for general user interaction )ith each soft)are application! such as logging into an application or ,uerying a "atabase! but policies an" proce"ures "irectly a""ressing IT functions! such as application "e'elopment an" maintenance! "o not e/ist# 9o)e'er! proce"ures for these functions are informally follo)e"# A""itionally! a formalize" business contingency plan "oes not e/ist! although some informal proce"ures ha'e been establishe"#

7igure % 6rganizational 3hart of the Information Technology 2epartment#

Backup and Recovery SuperTech performs )eekly incremental backups of its ser'ers an" monthly full system backups# Incremental backups sa'e all files that ha'e been up"ate" since the last incremental backup# A full backup sa'es all "ata# T)o copies of the backup tapes are ma"e# 6ne copy is maintaine" in a fireproof 'ault in the corporate offices an" the secon" copy is sent 'ia courier to the sales "ealership at 4olkata# 7urthermore! the 4olkata ser'er can be use" as a backup ser'er in the e'ent one of the corporate ser'ers becomes una'ailable#

Application Development and Maintenance 2e'elopment of ne) applications an" changes to e/isting applications are submitte" to 2amo"aran (22)# 22 re'ie)s the re,uests for appropriateness an" compliance )ith corporate IT strategies! then for)ar"s the re,uests to Partho (the programmer)# $hen making mo"ifications to e/isting programs! Partho first copies the applicable source co"e from the pro"uction en'ironment! mo"ifies the co"e 'ia his "esktop computer an" then sen"s the mo"ifie" source co"e to the test ser'er# 6nce in the test ser'er! Partho an" <anesh (Testing an" Support) compile the mo"ifie" co"e an" test

Page % of $

ISCL Case Study 1

the co"e for functionality an" processing integrity# 6nce the co"e has been teste" an" appro'e"! Partho copies the mo"ifie" source co"e into the pro"uction en'ironment an" compiles the source co"e into ob:ect co"e# As a result! the ne) changes take effect imme"iately# 6n a monthly basis! 22 re'ie)s co"e changes ma"e the pre'ious month for appropriateness# $ith respect to ne) application "e'elopment! the same basic processes take place# That is! Partho )rites the co"e! Partho an" <anesh test the co"e! Partho places the ne) application into pro"uction an" 22 re'ie)s ne) applications each month# Server Room Arranggement and Setup SuperTech maintains its critical computing e,uipment! namely its ser'ers an" routers! in a separate ser'er room# The ser'er room! )hich is locate" along a main hall)ay on the secon" floor of SuperTech s hea",uarters! is not locke"! but the "oor is usually close" by the "ata entry clerk )hose "esk is also locate" in the ser'er room# The floors in the ser'er room are not raise" an" there are no )ater "etection "e'ices# +ost ser'ers are store" abo'e the floor on racks! but some are sitting on the floor# SuperTech s management "oes not feel that )ater "etection "e'ices or raise" floors are necessary since the ser'er room is on the secon" floor of the buil"ing# An automatic fire suppression system has not been installe" because han"hel" fire e/tinguishers are locate" in the ser'er room# Also! all of the net)ork e,uipment is plugge" into outlets along the ser'er room )alls! )ith no 'isible signs of po)er surge protection# There is an uninterruptible po)er supply (=PS) system that pro'i"es &; min of alternati'e po)er to the ser'ers in the e'ent the main po)er supply is una'ailable# 9o)e'er! Tina 2 Souza (Ser'er Room 6perations) is not sure )hether the =PS pro'i"es surge protection! an" if it "oes! she is not sure that it is a"e,uate for the ser'ers an" routers#

Part I: Discussion Points

*ase" on the facts presente"! your first ob:ecti'e is to assess an" e'aluate general IT risks associate" )ith SuperTech s IT en'ironment# 7ocus your responses on the pre'iously "escribe" areas of (%) IT management! (&) IT strategy an" policies! (() backup an" reco'ery! (8) application "e'elopment an" maintenance an" (>) computer room security#

%# What are the inherent risks associated with Super Tech's IT environment?
%. Ideally, what controls would you recommend to mitigate each inherent risk just identified? (# What are the control risks associated with Super Tech s IT en!ironment?

8#
&.

ow wou!d "ou test the effectiveness of e#isting contro!s surrounding SuperTech's IT environment?
What specific control changes and impro!ements would you recommend to manage the residual risk associated with SuperTech s IT en!ironment?

Page $ of $