SAMPLE IT Audit Report

The report provides a General IT Controls Assessment and IT Internal Audit for ABC Company, highlighting the need for confidentiality due to sensitive information regarding their IT security and controls. Key findings reveal weaknesses in IT security policies, lack of a Business Continuity Plan, and absence of an independent Internal Audit function. The report emphasizes the importance of addressing these risks to enhance ABC's IT control environment and outlines a benchmark analysis against industry standards.
IT ADVISORY

ABC Company
General IT Controls Assessment and IT Internal Audit
1 May 2008
Restriction on disclosure and use of information

• This report contains sensitive and confidential information about the security and controls framework in place at ABC Company (ABC).
• The information contained in this report can be maliciously used to exploit vulnerabilities and weaknesses reported in the present control environment at ABC. We, therefore, strongly recommend that Management treat this report as confidential and restrict circulation accordingly. The distribution of this report should be limited to concerned and appropriate officials of ABC only.
• This report is issued to inform ABC’s Management of potential weaknesses and risks in the IT controls environment found by the KPMG team and should not be used for any other purpose.
• This report is for ABC’s internal use only and cannot be shared with any third party without prior written consent of KPMG.

KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss Cooperative.

© 2008 KPMG Al Fozan & Al Sadhan is the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Saudi Arabia. 2
Contents

Executive Summary 4

Benchmark Analysis 8

Detailed Findings and Recommendations 23

IT Internal Audit Plan 39

Appendices 43

1. Executive Summary

1.1 Introduction

ABC Company (ABC) is committed to promoting IT as an enabler for the business, and is at the forefront of technological developments to support its business operations. ABC places significant reliance on IT and has plans to replace its core ERP solution BaaN with SAP. ABC’s Management is aware of technology risks, and has taken initiatives to address such risks by conducting a thorough IT Internal Audit.
The IT Internal Audit at ABC is divided into two stages:
• Stage A – General IT Controls Assessment and Preparation of IT Internal Audit Plan; and
• Stage B – Execution of IT Internal Audit Plan.
KPMG has executed Stage A of the IT Internal Audit as specified below:

Stage A – General IT Controls and IT Internal Audit Plan (executed by KPMG):
• Developed understanding of IT environment: IT budget, number of IT personnel, hardware, software, databases, operating systems and networks.
• General IT risks and controls assessment: conducted workshop and distributed questionnaires; received ABC’s filled questionnaires; validated ABC’s responses and performed tests; identified weaknesses and developed recommendations.
• Developed IT Internal Audit plan: identified IT assets and IT processes; determined IT assets interdependency; determined IT assets and process criticality; developed IT Internal Audit plan.
• ABC to confirm IT Internal Audit timelines.
Stage B – Execute IT Internal Audit Plan: to be executed at a later stage by ABC, as agreed with ABC.

1.2 Key Strengths

A summary of the key strengths of ABC’s Information Technology environment is as follows:
• Clear vision of the Senior Management in terms of redefining the role of IT as an ‘Enabler’, rather than a support function.
• Emphasis on more integration between the Business and IT, with monthly operational meetings between IT and Business Management.
• Periodic updates on key IT projects to the Senior Management.
• Formal IT budgeting process with detailed cost structure.
• IT ensures compliance with software licensing regulations.
• Formal IT staff planning for each project.
• Yearly IT staff appraisal based on the individual’s performance on each IT project.
• Detailed IT assets records and assets tracking.
• Monitoring and control of internet activity through the firewall and proxy software.
• Contracts with vendors for supply and maintenance of IT hardware.
• Adequate backup and recovery procedure with automated backup process.
• Management has taken the initiative to conduct a thorough IT Internal Audit at ABC.

1.3 Key Findings

A summary of the key IT controls weaknesses identified as a result of the General IT Controls Assessment is highlighted as follows:
• It is observed that certain IT security policies and guidelines are documented in discrete policy documents and internal memorandums. However, a comprehensive Corporate IT Security Policy document is not compiled. Further, certain important aspects of IT Security are not covered in the IT Security policies at ABC.
• The company does not have a Business Continuity Plan (BCP) or a Disaster Recovery Plan (DRP).
• It is noted that a review of access rights over critical applications such as BaaN and Route Master has not been conducted.
• It is noted that there is no separate Quality Assurance or Release Management function in place for authorizing the deployment of program changes in the production environment. Programmers making the application changes also deploy the changes into the production environment.
• It is noted that the company does not maintain any documentation of the technical configuration of hardware, operating systems and applications. Further, there is no formal procedure in place for changes in configuration, nor are there any documents for such changes.
• It is noted that there are no documented procedures for incident management, incident handling and escalation.
• It is noted that there is no independent Internal Audit function within the company that performs independent assessment of IT risks and controls and performs internal audit of IT systems. However, we appreciate the fact that management has taken the initiative towards IT Internal Audit.

[Pie chart: Overall Control Weaknesses by severity; legend Low / Medium / High; slice labels 0%, 36%, 64%.]
We have classified the risks resulting from the control weaknesses identified into severity categories of ‘High’, ‘Medium’ and ‘Low’. This graph highlights overall risk severity percentages for identified control weaknesses.

2. Benchmark Analysis

2.1 Summary

KPMG has conducted a benchmark of ABC’s Information Technology risk management capabilities.
The IT Risk Management Benchmarking (ITRMB) provides a means of benchmarking ABC’s key IT risks and controls against other organizations in the related industry. It also provides an objective means of reviewing the risks faced by the company in relation to its use of IT, and assesses whether they are being controlled or mitigated in an effective and efficient manner.
This benchmark measures the IT related risks and controls faced by ABC against eight (8) companies in the related industry (the population) across the world.
Our work comprised interviews, discussions and review of documents. This enabled us to score the controls and risks that were benchmarked against the organizations in the related industry.
The benchmark data demonstrates that, relative to the same industry sector, the greatest IT risks faced by ABC arise from:
• Dependence on IT; and
• Information assets.
The benchmark data also demonstrates that, relative to the same industry sector, the IT controls at ABC which require the greatest management attention are:
• Security of Information and Systems;
• Continuity of systems;
• Change management;
• IT Operations; and
• Control Assurance.
A detailed evaluation of all risks and controls can be found in sections 2.3 and 2.4.

2.2 Interpreting the Graphs

The IT Risk Management Benchmark graph uses quartiles to demonstrate how ABC’s evaluation compares with the benchmarked population.
The quartiles are calculated as follows:
• 1st quartile - Greater than the arithmetic average of the top 50% of scores.
• 2nd quartile - Between the average of the total scores and the arithmetic average of the top 50% of scores.
• 3rd quartile - Between the arithmetic average of the bottom 50% of the scores and the average of the total scores.
• 4th quartile - Less than the arithmetic average of the bottom 50% of scores.
The risk quartiles can be interpreted as:
• 1st quartile – High Risk, indicates well above the industry average.
• 2nd quartile and 3rd quartile – Medium Risk, indicates comparable to the industry average.
• 4th quartile – Low Risk, indicates well below the industry average.
The control quartiles can be interpreted as:
• 1st quartile – Strong Control, indicates better than the industry average.
• 2nd quartile and 3rd quartile – Medium Control, indicates comparable to the industry average.
• 4th quartile – Weak Control, indicates worse than the industry average.
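The quartile bands above are defined by averages of score halves rather than by rank positions, so the following added Python example (not part of the KPMG report) implements them exactly as stated and maps a client score to the report's risk or control interpretation. The eight-company population and the client scores are constructed sample values on the 0–5 scale of the report's charts; how boundary values and odd-sized populations are handled is an assumption, since the report does not specify it.

```python
"""Quartile classification as defined in section 2.2 of the benchmark report.

Added example, not the report's own method or code. All scores below are
constructed sample values on the 0-5 scale used in the report's radar charts.
"""
from __future__ import annotations

from statistics import mean
from typing import Dict, Sequence, Tuple

# Constructed sample: scores of the eight benchmarked companies for one area.
SAMPLE_POPULATION: Sequence[float] = [4.0, 3.5, 3.5, 3.0, 2.5, 2.5, 2.5, 2.5]

# Interpretation wording taken from section 2.2 of the report.
RISK_LABELS = {
    1: "High Risk (well above the industry average)",
    2: "Medium Risk (comparable to the industry average)",
    3: "Medium Risk (comparable to the industry average)",
    4: "Low Risk (well below the industry average)",
}
CONTROL_LABELS = {
    1: "Strong Control (better than the industry average)",
    2: "Medium Control (comparable to the industry average)",
    3: "Medium Control (comparable to the industry average)",
    4: "Weak Control (worse than the industry average)",
}


def thresholds(population: Sequence[float]) -> Tuple[float, float, float]:
    """Return (upper, overall, lower): the arithmetic average of the top 50%
    of scores, of all scores, and of the bottom 50% of scores.

    Assumption (not stated in the report): for an odd-sized population the
    median score is counted in both halves.
    """
    if len(population) < 2:
        raise ValueError("need at least two benchmark scores")
    ordered = sorted(population, reverse=True)
    half = (len(ordered) + 1) // 2
    upper = mean(ordered[:half])
    lower = mean(ordered[-half:])
    return upper, mean(ordered), lower


def quartile(score: float, population: Sequence[float]) -> int:
    """Map a score to quartile 1-4 using the report's definitions.

    Assumption: a score exactly equal to a threshold falls into the band
    above it (the report says 'between' without stating inclusivity).
    """
    upper, overall, lower = thresholds(population)
    if score > upper:
        return 1  # greater than the average of the top 50%
    if score >= overall:
        return 2  # between the overall average and the top-50% average
    if score >= lower:
        return 3  # between the bottom-50% average and the overall average
    return 4  # less than the average of the bottom 50%


def interpret(score: float, population: Sequence[float], kind: str) -> str:
    """Return the report's wording for a 'risk' or 'control' score."""
    labels = {"risk": RISK_LABELS, "control": CONTROL_LABELS}[kind]
    return labels[quartile(score, population)]


def evaluate_areas(
    client_scores: Dict[str, float],
    populations: Dict[str, Sequence[float]],
    kind: str,
) -> Dict[str, Tuple[int, str]]:
    """Classify every area of a radar chart: area -> (quartile, wording).

    Each area is benchmarked against its own population, so an area with no
    population data is an error rather than being silently skipped.
    """
    result: Dict[str, Tuple[int, str]] = {}
    for area, score in client_scores.items():
        if area not in populations:
            raise KeyError(f"no benchmark population for area {area!r}")
        pop = populations[area]
        result[area] = (quartile(score, pop), interpret(score, pop, kind))
    return result


if __name__ == "__main__":
    # Constructed client scores: a control area scoring 2 lands in the fourth
    # quartile and one scoring 3 in the second, matching the report's pattern.
    areas = {"Security of Information and Systems": 2.0, "Management of IT": 3.0}
    pops = {name: SAMPLE_POPULATION for name in areas}
    for area, (q, label) in evaluate_areas(areas, pops, "control").items():
        print(f"{area}: quartile {q} -> {label}")
```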

2.3 IT Risk Assessment

Each risk area was evaluated on the basis of:

Impact
Potential effect on ABC should the threat from a risk materialize. Impact may be considered in terms of financial loss or harmed reputation.

Likelihood
Probability that the potential sources of risk will actually manifest themselves.

It is important to note that the risks were evaluated without considering associated controls.

[Chart: IT risk assessment radar (scale 0–5) with axes Business focus, Dependence on IT, Dependence on IT Internal Staff, Dependence on 3rd parties, Reliability of IT Systems, Changes to IT, Information Assets, Legislative & regulatory environment; legend 1st–4th Quartile, Prior Year, Client.]

The heavy black line on this diagram illustrates the levels of gross IT risk.
The diagram shows that risk scores typically stand at 3. This shows that ABC falls in the second quartile in most of the risk areas and stands at an average risk profile when benchmarked against the population.
A detailed assessment of each risk area is given on the following pages.

Business Focus
Business requirements and user needs should be supported by ABC’s IT functions and processes. There is a risk that the business and user needs are not met by IT or that IT is not appropriately integrated into the company’s strategy and future plans. Losses can arise from:
• inefficient practices, unnecessary interfaces and duplicate processing where IT systems do not meet user needs;
• inadequate management of IT risks due to a lack of understanding of those risks by business management; and
• wasted IT investments which do not support the company’s strategy or plans.
ABC lies in the first quartile, which indicates that the Business Focus risk the company faces is higher than that of the population. This is mainly because ABC is using the latest available technology to support its core operations. For example, handheld devices are used by frontline sales personnel, and the integrated ERP BaaN is used for managing Finance, Manufacturing and Warehousing. In the near future, ABC has a strategy to replace its current ERP with SAP, which is the highest rated ERP in the world. As technology becomes more complex and widespread in the organization, the corresponding risk of Business Focus also increases.

Dependence on IT
Dependence on IT translates to the risk of disruption to ABC’s operations arising from the complete/partial loss of the IT environment. As the company becomes increasingly dependent on IT systems, the risk of potential loss becomes higher. To illustrate this, a loss can result from:
• business process activities that cannot be performed until the IT systems are restored;
• ineffective electronic controls; and
• dissatisfied customers.
Dependence on IT is a common risk faced by the industry. This is evident from the quartile distribution in the risk assessment chart. ABC lies in the second quartile, which indicates that the risk the company faces is comparable to that of the industry average.

Dependence on IT Internal Staff
This risk can lead to a loss of specialized knowledge or skills held by certain staff members, or inadequate skills being available within the IT department.
We observed that ABC is dependent on internal staff for core IT operations.
ABC lies between the second and third quartile, which indicates that the risk ABC faces is comparable to that of the industry average.

Dependence on 3rd parties
There is a risk that the company will suffer a loss due to its dependence on third parties such as outsourcers, suppliers, contractors and consultants. A loss can result from a reduction of key skills, lack of understanding of the business processes by third parties and issues related to contractual terms.
We observed that all critical IT functions are managed in-house by ABC’s IT department.
ABC lies in the fourth quartile, which indicates that the risk ABC faces is lower than that of the industry average.

Reliability of IT systems
Unreliable IT systems expose the company to a risk of inaccurate processing, loss of data integrity and remedial work coupled with bottlenecks. Processing problems with a system supporting a major business process would cause greater loss than if the business process were less vital to the ongoing operation of the business.
We observed that the company has implemented BaaN ERP, which supports critical business processes. Through discussion we were informed that ABC is planning to replace BaaN ERP with SAP, as the current ERP does not address long term needs for all the functional areas of the business and is inconsistent with Pepsi Co. International strategy.
ABC is ranked in the second quartile, which indicates that the risk the company faces is comparable to that of the industry average.

Changes to IT
Changes to the IT environment expose ABC to the risk of:
• project mismanagement;
• application unreliability;
• loss of data integrity; and
• loss of productivity.
ABC is ranked in the second quartile, which indicates that the risk the company faces is comparable to that of the related industry. This is mainly because of the planned phasing out of BaaN ERP. Further, programmers perform changes in the current ERP application to generate customized reports.
Going forward, we anticipate the risk the company faces from this area to increase.

Information assets
Information assets refers to the risk of:
• information manipulation leading to fraud;
• internet attacks, such as the risk of Trojans, viruses and worms entering the company’s network through the internet; and
• data theft leading to compromise of sensitive information.
ABC lies in the second quartile, which indicates that the risk the company faces is comparable to that of the related industry.

Legislative and regulatory environment
There is a risk that a lack of compliance with legislation relating to the processing, storage and use of information leads to a financial or reputational loss to the organization.
As the legislative and regulatory environment varies from country to country, benchmark data is not available for this risk category.

2.4 IT Controls Assessment

The graph shows the evaluation of the effectiveness of IT controls currently in operation at ABC.
Each control is evaluated along three dimensions:

Capability
An assessment of how good a control is, based on design and operation.

Consistency
The consistency with which a control is applied.

Management
An assessment of how a control is managed and the review process it undergoes to ensure effective implementation.

[Chart: IT controls assessment radar (scale 0–5) with axes Management of IT, Project and Change Management, IT Operations, Security of Information and Systems, Continuity of Systems, Control Assurance; legend 1st–4th Quartile, Prior Year, Client.]

The diagram shows that scores typically stand at 2. This indicates that in most of the control areas, the company lies in the fourth quartile. This shows that overall controls strength is lower than the population average. This is because at ABC, in most of the areas, controls exist but management, monitoring and reporting lack formality and consistency.
A detailed assessment of each control area is given on the following pages.

2.4 IT Controls Assessment – Management of IT

ABC is ranked in the second quartile. Hence, the overall assessment for Management of IT at ABC is comparable to that of the population average.

[Chart: overall IT controls radar, as in section 2.4.]

• Formal staff performance measurement is performed, through which each individual staff member can be assessed on his/her performance throughout the year.
• There is low staff turnover and, although not assessed formally, staff morale appears suitable.
• Key Performance Indicators (KPIs) are not identified for measurement of the IT performance.
• Progress on major projects is discussed in the monthly operating meetings.
• IT management submits an 'Executive Update of Key IT Projects' report to senior management every three (3) months informing about the status of key projects, actions and targets.
• Company has a strategy for replacing the current ERP application with SAP.
• A long term IT strategy is not in place. This is also dependent on the final decision by business regarding relocation of its facilities.
• IT costs are identified and classified. However, formal IT investment plans linked to IT and business strategy are not available.
• Software licenses are maintained by the IT management.

[Chart: Management of IT radar (scale 0–5) with axes Board / Senior Management Involvement, IT Strategy, IT Cost and Investment Management, Management Reporting of IT Performance, Legal and Regulatory Compliance, Manage Human Resources; legend 1st–4th Quartile, Prior Year, Client.]

2.4 IT Controls Assessment – Change Management

ABC lies in the fourth quartile. Hence, the overall assessment for the Change Management area is lower than that of the population average.

[Chart: overall IT controls radar, as in section 2.4.]

• Technical changes are performed on an ad-hoc basis. On one occasion we noted that password policies were defined by the system administrator without formal approval from the management.
• Changes are initiated or requested by using IT project/task request forms. However, complete and descriptive information is not always recorded.
• There is no provision to record technical specifications, program version control, roll-back procedures etc.
• Documentation of application changes is also not maintained consistently.
• Only minor changes related to report generation are performed by the programmers in current applications.
• There is no formal system development methodology used at ABC to structure the approach to developing and maintaining systems.
• Existing end-user policies are not updated to effectively address the changing technology environment; for example, a policy for the usage of handheld devices is not defined.
• Users’ departments are not formally involved at all stages of application development/change.

[Chart: Project and Change Management radar (scale 0–5) with axes Development Methodology, Project Management, User participation, End User Computing, Documentation, Business Change Process, Technical change management; legend 1st–4th Quartile, Prior Year, Client.]

2.4 IT Controls Assessment – IT Operations

ABC lies in the fourth quartile. As the graph suggests, the overall assessment of controls in the IT Operations area is lower than the population average.

[Chart: overall IT controls radar, as in section 2.4.]

• There is no formal process to ensure that all configuration items are recorded, maintained and regularly reviewed.
• Helpdesk software is implemented.
• Incident and problem management procedures are not formally documented.
• HP Diagnostics tool is used for the performance monitoring of servers.
• Formal capacity forecasting and monitoring is not performed; however, the HP Diagnostics tool is used for monitoring available capacity.
• Service contracts comprehensively cover service delivery requirements, timelines, costs, terms and conditions and warranty provisions etc.
• Systematic monitoring of the quality of IT services is not performed as Key Performance Indicators (KPIs) are not developed.
• Inter-departmental Service Level Agreement is documented and communicated to user departments. However, it is not formally implemented.

[Chart: IT Operations radar (scale 0–5) with axes Manage Third Party Services, Service Level Management, Incident and Problem management, Configuration Management, Operations Management, Capacity Management; legend 1st–4th Quartile, Prior Year, Client.]

2.4 IT Controls Assessment – Security of Information

ABC is ranked in the fourth quartile. Hence, the overall assessment of controls in Security of Information at ABC is lower than that of the population average.

[Chart: overall IT controls radar, as in section 2.4.]

• Main aspects of end user policies are documented and communicated in the form of discrete policies and internal memorandums.
• A comprehensive Corporate IT Security Policy document is not compiled.
• Formal procedure exists for providing logical access to systems and applications.
• Logical access controls are implemented.
• Review of user access rights over critical applications has not been conducted.
• Connection of the company's internal network to outside networks is secured by using a hardware based firewall.
• Network security and access controls are implemented. However, management and monitoring are informal.
• Compliance with internet access policy is monitored.
• Daily review of all attacks, spam, viruses and security violations is performed.
• Procedures for emergency access to the production environment by development staff are not documented.

[Chart: Security of Information and Systems radar (scale 0–5) with axes Security Policy, Security Administration, Facilities, Logical Access Control, External Communications; legend 1st–4th Quartile, Prior Year, Client.]

2.4 IT Controls Assessment – Continuity of Systems

ABC lies between the third and fourth quartile. Hence, the overall assessment of controls in Continuity of Systems is lower than that of the population average.

[Chart: overall IT controls radar, as in section 2.4.]

• ABC does not have Business Continuity and Disaster Recovery plans.
• Purchasing contract is in place with two suppliers to provide required hardware when required.
• Backup policies and procedures are documented and implemented.
• Daily, weekly and monthly backup of data is maintained.
• Backup media is stored at an offsite location.
• Periodic testing of backup is conducted, but the logs/records evidencing testing of backup are not signed off.
• Physical access to the company's premises is controlled by security guards.
• Basic physical security and environmental protection controls are in place at the head office data center.
• Implementation of physical security and environmental controls is currently weak at branch data centers.
• Access logs to the data center are not adequately maintained.

[Chart: Continuity of Systems radar (scale 0–5) with axes Backup of Data and Systems, Continuity Planning, Physical Access Control, Protection of the Environment; legend 1st–4th Quartile, Prior Year, Client.]

2.4 IT Controls Assessment – Controls Assurance

ABC lies in the fourth quartile. Hence, the overall assessment of Controls Assurance is lower than that of the population average.

[Chart: overall IT controls radar, as in section 2.4.]

• There is no independent Internal Audit function within the company that performs independent assessment of IT risks and controls, and performs internal audit of IT systems.
• There is no systematic risk assessment framework, and Risk Assessment is performed informally.
• Management has taken the initiative to perform a comprehensive Internal Audit of IT.

[Chart: Control Assurance radar (scale 0–5) with axes Risk Management, Audit of IT, Quality and Project Assurance, Assessment of Control Adequacy; legend 1st–4th Quartile, Prior Year, Client.]

3. Detailed Findings and Recommendations


This section of the report presents our detailed findings. The detailed findings are organized in a matrix format presenting our observations, resulting business risks, severity of risks and recommendations to mitigate identified risks.
Severity levels of risks are depicted using the traffic light convention as shown below:

High Medium Low

3.1 IT Security Policy

Observation: It is observed that certain aspects of IT Security policies and guidelines are documented in discrete policy documents and internal memorandums. However, a comprehensive Corporate IT Security Policy document, which contains all IT Security policies at ABC, is not compiled. Further, certain important aspects of IT Security are not covered in the IT Security policies of the company. These include:
• IT Security organization and allocation of responsibilities;
• IT assets management and control;
• physical and environmental security policy;
• data ownership and confidentiality policy;
• information sensitivity classification policy;
• policy on destruction of obsolete information;
• remote access policy;
• policy on incident management and escalation procedures;
• software development and change control management policy;
• policies on disaster recovery and business continuity management;
• policies on usage of peripheral and external storage devices;
• policy on access of third parties to corporate IT resources; and
• policy on disciplinary procedures in case of security breaches etc.

Business Risk: If not guided by appropriate policies, procedures and standards, end-users may be unaware of their responsibilities, organizational policies and standards. As a result the company may be exposed to the following risks:
• compromised system security;
• potential loss of data integrity;
• business disruption;
• inadequate security awareness; and
• ad hoc practices due to lack of standardization.
Further, if policies are not compiled in one place, a single source of policies and guidelines for end-users would not be available. Hence, there is a risk that users may not follow certain aspects of IT Security policies which may be scattered or unavailable.

Severity: [traffic-light indicator]

Recommendation: We recommend that Management should conduct a thorough review of its IT Security policies, and address areas that are not covered in the policies.
We further recommend that all IT Security policies and guidelines should be compiled in one IT Security policy document. The IT Security policy document should be kept on the Intranet for easy access by end-users. A summary of such policy document can also be communicated to the end-users in the form of an IT Security Policy handbook for all IT users.

3.2 Business Continuity Plan and Disaster Recovery Plan

Observation: It is noted that the company does not have Disaster Recovery and Business Continuity plans.
We understand that the company has a redundant server for its core sales application “Route Master” at each location. However, in case of a disaster, both servers may be affected, being on the same location, causing disruption in business operations and information processing.

Business Risk: In the absence of formally approved and tested Business Continuity and Disaster Recovery plans, the organisation may be exposed to the following risks in the event of a disaster:
• inability to continue business operations by adopting alternative procedures;
• inability to recover critical IT services within a tolerable timeframe;
• excessive system downtime; and
• financial loss.

Severity: [traffic-light indicator]

Recommendation: We recommend that comprehensive Business Continuity and Disaster Recovery plans be developed, documented and periodically tested to ensure the continuity of critical application and data processing services in the event of a disaster.
The Business Continuity plan should contain detailed documentation of procedures for continuing operations by adopting alternative procedures.
The Disaster Recovery plan should include the following:
• Business Impact Analysis (considering various disaster scenarios);
• prioritization of systems;
• emergency procedures;
• roles and responsibilities of disaster recovery teams;
• phone numbers and addresses of emergency services (such as ambulance and fire crew), hardware and software vendors and the Disaster Recovery team;
• servers and system configurations;
• recovery strategies;
• training and maintenance procedures; and
• periodic test plans.

3.3 Review of Access Rights

Observation
We noted that a formal review of user access rights over critical applications such as BaaN and Route Master has not been carried out. Through discussions, we are informed that access rights are informally reviewed on an ad-hoc basis.

Business Risk
In the absence of formal review of access rights, the company may be exposed to the risk of compromised data confidentiality and integrity due to the following reasons:
• many people may have been provided access to powerful ids which may not be controlled;
• unauthorized or unnecessary access rights may not be detected and revoked;
• temporary access may not be revoked after the temporary access is no longer needed; and
• access profiles and rights of outgoing employees may remain active in the system.

Recommendation
We recommend that Management should conduct a thorough review of access rights over critical applications such as BaaN, and take actions for resolution of exceptions to ensure that:
• segregation of duties is maintained amongst critical application processing functions;
• access rights of outgoing employees are revoked;
• temporary access rights such as vendors' access to the company's systems are revoked on a timely basis after the need for the access no longer exists; and
• access to power ids and profiles is restricted to authorized users.
Management may also consider engaging a third party to perform a thorough independent review of access rights over business applications.
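As an added example (not code from the report or from ABC), the four checks in this recommendation expressed as an access-rights review over a constructed account extract; the application names follow the report, while user ids, profiles, functions and the segregation-of-duties rule set are constructed:

```python
"""Added example, not the report's or ABC's own code: a user-access-rights review
implementing the four checks recommended in finding 3.3, run against a constructed
extract of application accounts. Application names (BaaN, Route Master) follow the
report; user ids, profiles, functions and the SoD rule set are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

Issue = Tuple[str, str, str]  # (user_id, application, description of the exception)

# Function pairs one account must never hold together (constructed rule set).
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_sales_order", "approve_sales_order"}),
]
POWER_PROFILES = {"SUPERUSER", "DBA"}        # the "power ids" of finding 3.3
AUTHORIZED_POWER_USERS = {"sysadmin01"}       # who may hold them (constructed)


@dataclass
class Account:
    user_id: str
    application: str
    status: str                      # "employee", "left" (outgoing) or "vendor"
    profiles: Set[str]
    functions: Set[str]
    expires: Optional[date] = None   # expiry date of temporary/vendor access


def review_access(accounts: List[Account], today: date) -> List[Issue]:
    """Return one Issue per exception found; an empty list means no exceptions."""
    issues: List[Issue] = []
    for a in accounts:
        # outgoing employees whose accounts are still active
        if a.status == "left":
            issues.append((a.user_id, a.application, "outgoing employee still active"))
        # temporary (vendor) access must carry an expiry date and be revoked after it
        if a.status == "vendor" and a.expires is None:
            issues.append((a.user_id, a.application, "temporary access with no expiry date"))
        if a.expires is not None and a.expires < today:
            issues.append((a.user_id, a.application,
                           "temporary access expired on " + a.expires.isoformat()))
        # power ids restricted to authorized users
        held = a.profiles & POWER_PROFILES
        if held and a.user_id not in AUTHORIZED_POWER_USERS:
            issues.append((a.user_id, a.application,
                           "power profile held by unauthorized user: " + ", ".join(sorted(held))))
        # segregation of duties within the application's processing functions
        for pair in SOD_CONFLICTS:
            if pair <= a.functions:
                issues.append((a.user_id, a.application,
                               "SoD conflict: " + " + ".join(sorted(pair))))
    return issues


# Constructed extract of accounts as of the review date.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "BaaN", "employee", {"FINANCE"}, {"create_vendor", "approve_payment"}),
    Account("asmith", "BaaN", "left", {"HR"}, {"maintain_employee"}),
    Account("vendor_baan", "BaaN", "vendor", {"SUPERUSER"}, {"apply_patch"}, date(2008, 3, 31)),
    Account("sysadmin01", "Route Master", "employee", {"SUPERUSER"}, {"administer"}),
    Account("mkhan", "Route Master", "employee", {"SALES"}, {"enter_sales_order"}),
    Account("vendor_rm", "Route Master", "vendor", {"SUPPORT"}, {"view_logs"}),
]


def sample_review(today: date = date(2008, 5, 1)) -> List[Issue]:
    """Run the review over the constructed extract as at the given date."""
    return review_access(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for user, app, what in sample_review():
        print(f"{app:<13} {user:<12} {what}")
```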

3.4 Change Management

Observation
It is noted that there is no separate Quality Assurance or Release Management function which formally reviews the program changes and authorizes the release of program changes for deployment into the production environment. The programmers responsible for making the program changes deploy changes into the production environment.
Further, the change management form does not contain fields to enable IT staff to capture information on technical design specification, program version control and program roll back procedures.

Business Risk
The company may be exposed to the following risks:
• program changes not meeting business requirements, leading to extra costs and efforts;
• unauthorized and/or unwarranted program changes in the production system and/or database;
• deployment of untested and/or unapproved program changes in the production environment;
• loss of system and data integrity;
• inadequate documentation of program changes leading to inability to address technical issues pertaining to change management; and
• inability to restore

Recommendation
We recommend that programmers should be restricted from deploying changes in the production or live environment.
Adequate Quality Assurance or Release Management procedures should be performed by an authorised individual independent of programming functions. The individual with Quality Assurance responsibilities should also ensure that:
• adequate documentation is produced for program changes; and
• only properly tested and approved program changes are deployed into the production environment.
Further, the change management form should contain fields to prompt the change management personnel to furnish important documentation, such as technical design specifications, program version controls and program roll back procedures etc.
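An added example, not the report's or ABC's own code: a release gate applying these recommendations to change-management records, with constructed field names and sample changes:

```python
"""Added example, not the report's or ABC's own code: a release gate that applies the
controls recommended in finding 3.4 to change-management records: the developer may
not deploy or QA-review their own change, the change must be tested and approved
before release, and the form must carry the technical design specification, program
version and roll-back procedure. Field names and the sample records are constructed."""
from typing import Dict, List

REQUIRED_DOCUMENTATION = ("technical_design_spec", "program_version", "rollback_procedure")


def validate_change(change: Dict[str, object]) -> List[str]:
    """Return the control violations for one change record; empty means it may be released."""
    problems: List[str] = []
    # the form must carry the documentation fields the report says are missing today
    for field in REQUIRED_DOCUMENTATION:
        if not change.get(field):
            problems.append(f"missing documentation: {field}")
    developer = change.get("developer")
    # programmers must not deploy their own changes; QA must be independent of programming
    if developer and developer == change.get("deployer"):
        problems.append("developer deployed own change into production")
    if developer and developer == change.get("qa_reviewer"):
        problems.append("QA review not independent of programming")
    if not change.get("qa_reviewer"):
        problems.append("no QA / release management review recorded")
    # only tested and approved changes reach production
    if change.get("test_result") != "passed":
        problems.append("change not successfully tested before release")
    if not change.get("approved_by"):
        problems.append("change not approved for release")
    return problems


def release_gate(changes: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each change id to its violations; only ids mapping to [] may be deployed."""
    return {str(c["id"]): validate_change(c) for c in changes}


# Constructed sample records: one compliant, one reflecting the practice described in 3.4.
SAMPLE_CHANGES = [
    {
        "id": "CR-0412", "application": "BaaN", "developer": "dev_ali",
        "qa_reviewer": "qa_sara", "deployer": "rel_omar", "approved_by": "it_mgr",
        "test_result": "passed", "technical_design_spec": "TDS-0412.doc",
        "program_version": "4.7.2", "rollback_procedure": "restore 4.7.1 from tape",
    },
    {
        "id": "CR-0413", "application": "Route Master", "developer": "dev_ali",
        "qa_reviewer": "dev_ali", "deployer": "dev_ali", "approved_by": "",
        "test_result": "not run", "technical_design_spec": "",
        "program_version": "1.0.1242", "rollback_procedure": "",
    },
]


def sample_gate() -> Dict[str, List[str]]:
    """Evaluate the constructed records."""
    return release_gate(SAMPLE_CHANGES)


if __name__ == "__main__":
    for change_id, problems in sample_gate().items():
        print(change_id, "RELEASE OK" if not problems else "BLOCKED: " + "; ".join(problems))
```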

3.5 Configuration Management

Observation
It is noted that the company does not maintain any documentation of technical configuration of hardware, operating systems and applications. Further, there is no formal procedure in place for changes in configuration and documentation of such changes.

Business Risk
The company may be exposed to the following risks:
• the company may face difficulty in recovering its systems in case of a disaster or contingency, because the desired configuration of production systems would not be available;
• unauthorized or untested changes in configuration may be implemented in production systems, such as untested operating system patches, which may lead to reduced system performance and/or processing errors.

Recommendation
We recommend that adequate configuration management procedures should be developed and implemented. These include:
• Management should put a process in place to ensure that all configuration items are recorded, maintained and regularly reviewed;
• a configuration database should be set up to support the configuration management process, and should be regularly updated to contain complete and accurate information based on a well defined configuration library;
• procedures should be in place to ensure only authorized and tested configuration changes are implemented.

3.6 Incident Management

Observation
It is noted that there are no documented procedures for incident management, incident handling and escalation.

Business Risk
In the absence of defined incident management procedures, adequate action may not be taken in a timely manner in case of a security incident. This may expose the company to security breaches and losses.

Recommendation
We recommend that adequate incident management procedures should be developed which should include the following as a minimum:
• most common problems and procedures to be followed;
• definition of security incidents and severity;
• contact information of designated individuals for dealing with a particular type of problem or incident; and
• incident escalation procedures to adequate management authority when routine procedures cannot resolve an incident.

3.7 Internal Audit

Observation
It is noted that there is no independent Internal Audit function within the company that performs independent assessment of IT risks and controls and performs internal audit of IT systems. However, we appreciate the fact that management has taken initiative towards IT Internal Audit.

Business Risk
In the absence of internal audit of IT, the company may be exposed to the following risks:
• undetected vulnerabilities may exist in systems, communication infrastructure and business applications which may expose the company to risk of compromising data security and confidentiality;
• IT risks will not be independently assessed and addressed by Management on a timely basis by adopting adequate IT risk management methodologies;
• adequacy and strength of IT controls will not be periodically reviewed by a party independent of IT function, and control weaknesses would not be highlighted for control actions by Management;
• users' access rights on business applications would not be periodically reviewed, leading to risks of unauthorised access to systems and compromise of data integrity and confidentiality; and
• compliance with company's policies and procedures may not be monitored.

Recommendation
We recommend that an Internal Audit function should be established within the company which should cover IT Audit as part of the overall scope of Internal Audit. The scope of the IT Internal Audit function should include:
• periodic preparation and execution of IT Internal Audit plans;
• independent review of IT risks;
• independent assessment of IT internal controls;
• IT risks versus controls assessment and determination of residual risks;
• providing recommendations to Management for adoption of adequate IT risk management strategies;
• periodic assessment of infrastructure and applications security;
• periodic review of users' access rights on business applications; and
• review of compliance with the company's IT security policies and procedures etc.

3.8 IT Key Performance Indicators

Observation
It is noted that there are no IT Key Performance Indicators (KPIs) for IT performance measurement and evaluation.

Business Risk
In the absence of IT KPIs, management may not be able to adequately measure IT's performance. As a result the business may not be able to properly measure the benefits derived from IT investment.

Recommendation
We recommend that Management should develop specific IT KPIs to address each measurable aspect of IT performance, such as:
• response time;
• problem resolution time;
• system availability;
• number of processing errors and reruns;
• number of virus incidents etc.
We further recommend that a formal procedure should be in place to assess IT performance periodically by obtaining feedback from user departments, on the basis of agreed KPIs.

3.9 IT Operations and Helpdesk

Observation
It is noted that no documented procedures are available for IT operations and helpdesk.
Further, the current help desk system is limited in capability to generate time-based tracking and problem resolution status reports.

Business Risk
In the absence of adequately documented procedures for IT operations and helpdesk function, there is a risk that IT may not be able to provide an adequate level of support to the business in day to day activities.
In the absence of adequate reporting capabilities to track problem resolution status in the helpdesk application, Management may not be able to monitor and resolve problems on a timely basis. This may eventually lead to an excessive number of long outstanding problems, which may hinder smooth operation of the business functions.

Recommendation
We recommend that proper documentation should be maintained for IT operations and helpdesk procedures.
We also recommend that adequate problem tracking capabilities should be built into the helpdesk application. Reports should be available indicating the time frame within which a problem is resolved. The reporting function should also include exception reporting for outstanding problems.
These reports should be periodically reviewed by IT management and exceptions should be followed up with responsible individuals.
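An added example, not from the report or from ABC's helpdesk application: the time-based resolution report and exception list recommended here, which also yields the problem resolution time KPI of finding 3.8; the ticket extract, priorities and SLA targets are constructed:

```python
"""Added example, not the report's or ABC's own code: time-based problem tracking and
exception reporting as recommended in finding 3.9, producing the "problem resolution
time" KPI of finding 3.8. The ticket extract, priorities and SLA targets are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed ticket extract: id, opened, closed (blank = still open), priority, assignee.
TICKETS_CSV = """id,opened,closed,priority,assignee
1001,2008-04-01 09:00,2008-04-01 11:30,high,ali
1002,2008-04-02 14:00,,medium,sara
1003,2008-04-03 08:15,2008-04-10 17:00,low,ali
1004,2008-04-20 10:00,,high,omar
1005,2008-04-28 09:00,2008-04-28 09:45,high,sara
"""
SLA_HOURS = {"high": 8, "medium": 24, "low": 72}   # constructed resolution targets
OUTSTANDING_AFTER = timedelta(days=7)                # "long outstanding" threshold (assumed)
TS = "%Y-%m-%d %H:%M"


def parse_tickets(text: str) -> List[Dict[str, object]]:
    """Parse the CSV extract into records with datetime fields."""
    rows: List[Dict[str, object]] = []
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    for line in lines[1:]:
        rec: Dict[str, object] = dict(zip(header, line.split(",")))
        rec["opened"] = datetime.strptime(str(rec["opened"]), TS)
        rec["closed"] = datetime.strptime(str(rec["closed"]), TS) if rec["closed"] else None
        rows.append(rec)
    return rows


def resolution_report(tickets: List[Dict[str, object]], as_of: datetime) -> Dict[str, object]:
    """KPI plus exceptions: SLA breaches (resolved or still open) and long outstanding problems."""
    resolved_hours: List[float] = []
    breaches: List[str] = []
    outstanding: List[str] = []
    by_assignee: Dict[str, List[str]] = {}
    for t in tickets:
        end = t["closed"] or as_of            # open tickets are measured up to the report date
        hours = (end - t["opened"]).total_seconds() / 3600
        if t["closed"]:
            resolved_hours.append(hours)
        if hours > SLA_HOURS[str(t["priority"])]:
            breaches.append(str(t["id"]))
        if t["closed"] is None and as_of - t["opened"] > OUTSTANDING_AFTER:
            outstanding.append(str(t["id"]))
            # exceptions are followed up with the responsible individual
            by_assignee.setdefault(str(t["assignee"]), []).append(str(t["id"]))
    avg = sum(resolved_hours) / len(resolved_hours) if resolved_hours else None
    return {
        "resolved": len(resolved_hours),
        "avg_resolution_hours": avg,          # the KPI of finding 3.8
        "sla_breaches": breaches,
        "outstanding": outstanding,
        "outstanding_by_assignee": by_assignee,
    }


def sample_report(as_of: datetime = datetime(2008, 5, 1, 0, 0)) -> Dict[str, object]:
    """Run the report over the constructed extract."""
    return resolution_report(parse_tickets(TICKETS_CSV), as_of)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```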

3.10 Physical Security and Environmental Controls

Observation
As the result of a high level review of physical security and environmental controls, we noted that the following controls are not implemented at the company's branch offices' data centres:
• raised floors;
• automatic fire suppression mechanism; and
• Closed Circuit Television (CCTV) systems.
Further, a periodic maintenance contract for the fire suppression system at the main data centre at the ABC head office does not exist.

Business Risk
The data centres may be exposed to risks of:
• damage to IT equipment from risk of flooding;
• destruction of IT equipment from fire; and
• lack of monitoring controls for server room access, leading to unauthorized access.
In the absence of a contract for periodic maintenance of the fire suppression system, there is a risk that the system may malfunction or may not work effectively in an event of a fire.

Recommendation
We recommend that efforts should be expedited by Management to ensure that all branch data centres are equipped with adequate physical and environmental security measures.
We further recommend that periodic testing and maintenance contracts should be in place for ensuring the continued adequacy of the fire suppression system at all locations.

3.11 Data Centre Access Logs

Observation
It is noted that electronic access logs for the ABC Head Office data centre are not being maintained in the TIME SPACE system. The only electronic logs available through the system pertain to the period of November 2005, and no logs are available after this period. The manual logs for access to the data centre are also not maintained consistently.

Business Risk
The company may not be able to track unauthorized access to the data centre. This may lead to lack of accountability for any intentional or inadvertent damage to the servers and/or other equipment in the data centre. This would result in disruption in data processing and financial loss to the business.

Recommendation
We recommend that the logging feature of the TIME SPACE system should be reactivated, so that adequate electronic logs for access to the server room are maintained.
Further, manual logs should also be maintained for personnel who are escorted to the server room by company's personnel.

4. IT Internal Audit Plan

4.1 IT Internal Audit Plan - Introduction

The IT Internal Audit plan contains all IT assets and processes prioritized for execution of the IT Internal Audit.
We used the following approach for preparation of the IT Internal Audit plan:

Identified IT assets and processes → Determined IT assets and processes interdependency → Determined and agreed IT assets criticality with ABC → Developed IT Internal Audit plan

At first, we identified all IT assets and processes at ABC. We then determined the interdependence of the IT assets. For example, for BaaN ERP,
we identified BaaN servers, Oracle database, Windows 2003 operating system and network as related assets. This implies that, if we were to
audit BaaN, we would also have to audit the dependent IT assets.
We then assessed the criticality of IT assets, and rated the assets in terms of Confidentiality, Reliability and Availability according to the following
5 ratings, which were also agreed with ABC:
• Critical – The loss of these IT assets and processes will threaten the continuance of business operations;
• Major – The loss of these IT assets and processes is likely to threaten seamless day to day business operations;
• Very important – The loss of these IT assets and processes will result in significant loss, but business viability would not be threatened;
• Important – The loss of these IT assets and processes will cause losses and budget variances; and
• Not important – These IT assets are discontinued and not in active use at ABC. None of the IT processes appear in this category.
Based on the priority of assets, we prepared a list of assets to be audited. We prepared an estimated timeframe for execution of the audit in section 4.3 'IT Internal Audit Plan'.
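An added example, not from the report: the interdependency-driven audit scope and criticality roll-up described above, over a subset of the Appendix B dependencies; deriving the rating of shared infrastructure from the applications that depend on it is this example's own assumption:

```python
"""Added example, not the report's or ABC's own code: the audit-scope rule of section 4.1
(auditing an application means auditing every asset it depends on) and a criticality
roll-up, over a subset of the interdependencies listed in Appendix B. Deriving the rating
of shared infrastructure from the applications depending on it is an assumption here."""
from collections import deque
from typing import Dict, List, Set

# The five ratings agreed with ABC, lowest to highest.
RATINGS = ["Not important", "Important", "Very important", "Major", "Critical"]

# Asset -> assets it depends on (subset of Appendix B).
DEPENDS_ON: Dict[str, List[str]] = {
    "BaaN IV": ["Oracle 9i", "HQNT2", "HQBaan1", "Network"],
    "Route Master": ["Oracle 9i", "HQVM1", "HQNT4", "JED2VM1", "RP32",
                     "Intermec handhelds", "Network"],
    "M&W RAT": ["Oracle 9i", "RAT (DELL)", "Network"],
    "M&W PA Tool": ["Network"],
    "HQNT2": ["Windows 2003"],
    "HQBaan1": ["Windows 2003"],
    "HQVM1": ["Windows 2003"],
    "HQNT4": ["Windows 2003"],
    "RAT (DELL)": ["Windows 2003"],
    "JED2VM1": ["Windows NT 4"],
}
# Ratings of the business applications themselves (Appendix A).
APPLICATION_RATING = {"BaaN IV": "Critical", "Route Master": "Critical",
                      "M&W RAT": "Very important", "M&W PA Tool": "Important"}


def audit_scope(asset: str) -> Set[str]:
    """The asset plus everything it transitively depends on (breadth-first walk)."""
    seen, queue = {asset}, deque([asset])
    while queue:
        for dep in DEPENDS_ON.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def effective_rating(asset: str) -> str:
    """Highest rating among the applications whose audit scope includes the asset."""
    best = 0
    for app, rating in APPLICATION_RATING.items():
        if asset in audit_scope(app):
            best = max(best, RATINGS.index(rating))
    return RATINGS[best]


def plan_scope(minimum: str = "Critical") -> Set[str]:
    """Assets the plan must cover when only applications rated at or above `minimum` are audited
    (the 4.3 plan includes critical assets and processes only)."""
    floor = RATINGS.index(minimum)
    scope: Set[str] = set()
    for app, rating in APPLICATION_RATING.items():
        if RATINGS.index(rating) >= floor:
            scope |= audit_scope(app)
    return scope


if __name__ == "__main__":
    print("Auditing BaaN IV also covers:", sorted(audit_scope("BaaN IV") - {"BaaN IV"}))
    for shared in ("Oracle 9i", "Windows 2003", "RAT (DELL)", "Network"):
        print(f"{shared}: {effective_rating(shared)}")
    print("Critical-only plan scope:", sorted(plan_scope("Critical")))
```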

4.2 Analysis of IT Assets and Processes

The overall percentage distribution of IT assets and processes in terms of criticality classifications is as follows:

IT Assets Criticality: Critical 50%; Major 6%; Very Important 13%; Important 28%; Not Important 3%.
IT Processes Criticality: Critical 36%; Major 50%; Very Important 7%; Important 7%.

The first chart indicates the audit priority of IT Assets in terms of their criticality; for the detailed list of IT Assets refer to Appendix A. The second chart indicates the audit priority of IT Processes in terms of their criticality; for the list of IT Processes refer to Appendix C.
Interdependency of IT Assets is shown in Appendix B.

4.3 IT Internal Audit Plan

Duration is in business days. The original lays these durations out across a Month 1 to Month 7 timeline; the month columns do not survive in this copy.

Area | Criticality | Duration (business days)

IT Assets Categories*
Route Master | Critical | 45
BAAN | Critical | 25
Network | Critical | 25
Microsoft Exchange - Server | Critical | 10
Veritas Backup Software | Critical | 10
Business Objects (BO) | Critical | 10
McAfee Antivirus Software | Major | –
Fire Suppression System | Major | –
RAT | Very Important | –
SIPCO Time Management Tool | Very Important | –
Helpdesk Applications | Very Important | –
Data Centre Equipment | Very Important | –
PA Tool | Important | –
End-user Computers & Equipment | Important | –
* For interrelated assets please refer to Appendix B

IT Processes
IT Strategy and Planning | Critical | 4
Backup and Recovery Process | Critical | 4
Network Management | Critical | 4
Users and Logical Access Management | Critical | 4
IT Security Management and Administration | Critical | 6
IT Budgeting, Cost and Investment Management | Major | –
IT Performance Management Reporting | Major | –
IT Purchasing Process - CAPEX | Major | –
IT Purchasing Process - Consumables | Major | –
IT Change Management/New Project Handling Process | Major | –
Configuration and Patch management | Major | –
Incident and Problem management | Major | –
Capacity Management | Very Important | –
System Development | Important | –
Note: Only critical assets and processes are included in the audit plan.

Appendices

Appendix A – List of IT Assets

No. | IT Asset | Description | Category Ref. in Appendix B | Business Criticality/Priority

Applications
1 | Route Master (Ver. 1.0.1241) | Sales and Distribution application (back office) | A1 | Critical
2 | RP32 (Ver. 3.0.5) | Sales and Distribution application for hand helds (front office) | A1 | Critical
3 | Baan IV (Ver. C4) | Core ERP application (Manufacturing, Human Resources, Logistics) | A2 | Critical
4 | M&W RAT (Ver. 1.6.1) | Production performance improvement | A3 | Very Important
5 | M&W PA Tool | Supply chain management application | A4 | Important
6 | ABC Time Management System (Ver. 3.00.e) | Timecard readers and software | A5 | Very Important
7 | Business Objects (Ver. 6.5.1) | Business Intelligence tool on top of BaaN and S&D application, and used for reporting | A6 | Critical
8 | Help Desk Application | Web-based helpdesk application | A7 | Very Important

Other applications and software
9 | Office 2000 | Office automation tool | F1 | Important
10 | Office 2003 | Office automation tool | F1 | Important
11 | Microsoft Exchange - Client | Email software at client machines | B1 | Critical
12 | Microsoft Exchange - Server | Email software at exchange server | B1 | Critical
13 | McAfee Antivirus | McAfee antivirus (corporate antivirus software for servers and clients) | B2 | Major
14 | Veritas - Backup and Recovery, Scheduling | Backup, scheduling and recovery tool | B3 | Critical
15 | ASTARO firewall software | Firewall, VPN and Proxy software | C1 | Critical
16 | Internet Explorer 6.X | Web browser | F1 | Important

Operating Systems
Server Operating Systems
17 | Windows NT 4 | Windows NT operating systems running on servers | A1 | Critical
18 | Windows 2003 | Windows 2003 operating systems running on servers | A1, A2, A3, A5, A6, B1, B2, B3, C1 | Critical
Client Operating Systems
19 | Windows 2000 | Operating systems at client computers | F1 | Important
20 | Windows XP | Operating systems at client computers | F1 | Important

Hardware and Equipment
Servers
21 | ABC-SERVER (HP) | Jeddah Head Office PDC Server | B3, C1 | Critical
22 | ABCEMAIL (HP) | Jeddah Head Office ADC Exchange 2003 Server | B1 | Critical
23 | HQNT2 (Compaq) | Old BaaN Server (used for HR module of BaaN) | A2, A5 | Critical
24 | HQBaan1 (HP) | New BaaN Server (all modules of BaaN except HR) | A2 | Critical
25 | BOServer (HP) | Replication Server (for replication of data from all branches and reporting through Business Objects application) | A6 | Critical
26 | RAT (DELL) | RAT Server (RAT application and database) | A3 | Very Important
27 | HQVM1 (HP) | Route Master Server (Route Master database of Jeddah Head Office) | A1 | Critical
28 | Helpdesk (HP) | Helpdesk Server (Help desk application) | A7 | Very Important
29 | HQNT4 (Compaq) | Route Master Application (Route Master application server for Jeddah Head Office) | A1 | Critical
30 | SUS (HP) | McAfee Server (McAfee Antivirus server) | B2 | Major
31 | ABC2SERVER (HP) | ADC Exchange 2003 Server for ABC 2 location in Industrial Area Jeddah | B1 | Critical
32 | JED2VM1 (Compaq) | PDC + Route Master application and database server at Industrial Area Jeddah | A1 | Critical
33 | TAIF (Compaq) | PDC + Route Master application and database server at Taif | A1 | Critical
34 | MAKKAH (Compaq) | PDC + Route Master application and database server at Makkah | A1 | Critical
35 | YANBU (Compaq) | PDC + Route Master application and database server at Yanbu | A1 | Critical
36 | TABOUK (Dell) | PDC + Route Master application and database server at Tabouk | A1 | Critical
37 | MEDINAH (Compaq) | PDC + Route Master application and database server at Madinah | A1 | Critical
38 | RABEGH (HP PC) | PDC + Route Master application and database server at Rabegh | A1 | Critical
Personal Computers
39 | Compaq | Compaq PCs | A4, F1 | Important
40 | HP | HP PCs | A4, F1 | Important
41 | Dell | Dell PCs | A4, F1 | Important
Laptop Computers
42 | Dell | Dell laptops | F1 | Important
43 | HP | HP laptops | F1 | Important
44 | Toshiba | Toshiba laptops | F1 | Important
Printers
45 | Network printers | Network printers | F1 | Important
46 | HP | HP printers | F1 | Important
47 | Lexmark | Lexmark printers | F1 | Important
48 | Epson | Epson printers | F1 | Important
49 | Fujitsu | Fujitsu | F1 | Important
PDAs
50 | imate (PDA 2 and Jam) | imate Pocket PCs | F1 | Important
Handhelds
51 | Intermec | Intermec hand-held devices running Windows Pocket PC 2003 | A1 | Critical
Other Equipment
52 | Storage Tech | Robotic tape library device | B3 | Critical
53 | APC UPS | UPS for head office and branches | D1 | Very Important
54 | Smoke detector | Smoke detector at Head Office data centre | E1 | Major
55 | Fire suppression mechanism | FM200 gas fire suppression mechanism at head office data centre | E1 | Major
Network Hardware
56 | Cisco Routers | Network routers | C1 | Critical
57 | Cisco Switches | Network switches | C1 | Critical
58 | Vanguard Routers | Network routers | C1 | Critical
59 | ASTARO firewall | ASTARO firewall device | C1 | Critical
Databases
60 | Oracle 9i | Database Management System | A1, A2, A3 | Critical
61 | SQL Database | Database for helpdesk system | A7 | Very Important
62 | Data Flat File | The flat file updates the Oracle 9i database | A5 | Very Important
Discontinued Assets
63 | Customer Contract Management | Internally developed application for managing customer contacts | – | Not Important
64 | Appex | PI tool for asset tracking and control | – | Not Important

Appendix B – Interdependence of IT Assets

No. IT Assets / Categories No. of Description Business Related No. of Description Business
users/ Criticality/Priority Assets users/ Criticality/Priority
Quantity Quantity

A Business Applications
A1 Route Master (Ver. 65 for Sales and Critical HQVM1 1 Route Master Critical
1.0.1241) backoffice Distribution (HP) Server (Route
application (back Master
office) Database of
Jeddah Head
Office)
HQNT4 1 Route Master Critical
(Compaq) Application
(Route
Master
Application
server for
Jeddah Head
Office)
Windows 3 Operating Critical
2003 Server systems on
Operating Servers
System HQVM1,
HQNT4 and
RABEGH

© 2008 KPMG Al Fozan & Al Sadhan is the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Saudi Arabia. 52
Appendix B – Interdependence of IT Assets

No. IT Assets / Categories No. of Description Business Related No. of Description Business
users/ Criticality/Priority Assets users/ Criticality/Priority
Quantity Quantity

Windows 6 Operating Critical


NT systems on
Operating servers
System JED2VM1,
TAIF,
MAKKAH,
YANBU,
TABOUK and
MEDINAH
Oracle 9i 1 Database for Critical
Route Master
application.

JED2VM1 1 PDC + Route Critical


(Compaq) Master
application
and database
server at
Industrial
Area Jeddah
TAIF 1 PDC + Route Critical
(Compac) Master
application
and database
server at Taif

© 2008 KPMG Al Fozan & Al Sadhan is the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Saudi Arabia. 53
Appendix B – Interdependence of IT Assets

No. IT Assets / Categories No. of Description Business Related No. of Description Business
users/ Criticality/Priority Assets users/ Criticality/Priority
Quantity Quantity

MAKKAH 1 PDC + Route Critical


(Compac) Master
application
and database
server at
Makkah

YANBU 1 PDC + Route Critical


(Compaq) Master
application
and database
server at
Yanbu
TABOUK 1 PDC + Route Critical
(Dell) Master
application
and database
server at
Tabouk
MEDINAH 1 PDC + Route Critical
(Compaq) Master
application
and database
server at
Madinah

© 2008 KPMG Al Fozan & Al Sadhan is the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Saudi Arabia. 54
Appendix B – Interdependence of IT Assets

No. IT Assets / Categories No. of Description Business Related No. of Description Business
users/ Criticality/Priority Assets users/ Criticality/Priority
Quantity Quantity

RABEGH 1 PDC + Route Critical


(HP PC) Master
application
and database
server at
Rabegh
RP32 (Ver. 300 Sales and Critical
3.0.5) salesmen Distribution
using application for
RP32 hand helds
(front office)

Intermec 350 Intermec Critical


hand helds hand-held
(including devices
Docks for running
data upload Windows
to Route Pocket PC
Master) 2003.
Network 1 Network Critical
connectivity
to the
servers.

© 2008 KPMG Al Fozan & Al Sadhan is the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Saudi Arabia. 55
Appendix B – Interdependence of IT Assets

No. IT Assets / No. of Description Business Related No. of Description Business


Categories users/ Criticality/Priority Assets users/ Criticality/Priority
Quantity Quantity
A2 Baan IV (Ver. C4) 57 Core ERP application Critical Oracle 9i 1 Database for Critical
(Manufacturing, BaaN
Human Resources, application
Logistics, Financials)

HQNT2 1 BaaN Critical


(Compaq) application
and database
server used
for HR
module.
HQBaan1 1 BaaN Critical
(HP) application
and database
server for All
modules of
BaaN except
HR.
Windows 2 Operating Critical
2003 Server systems for
Operating HQBaan1 and
System HQNT2
servers.

© 2008 KPMG Al Fozan & Al Sadhan is the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Saudi Arabia. 56
Appendix B – Interdependence of IT Assets

No. IT Assets / No. of Description Business Related No. of Description Business


Categories users/ Criticality/Priority Assets users/ Criticality/Priority
Quantity Quantity
Network 1 Network Critical
connectivity
to the BaaN
servers.

A3  M&W RAT (Ver. 1.6.1) | Users: 15 | Production performance improvement | Very Important
    Related assets:
    • RAT (DELL) | Qty: 1 | RAT Server (RAT application and database) | Very Important
    • Oracle 9i | Qty: 1 | Database for M&W RAT application | Very Important
    • Windows 2003 Server Operating System | Qty: 1 | Operating system for RAT Server | Very Important
    • Network | Qty: 1 | Network connectivity to the RAT server | Very Important

A4  M&W PA Tool | Users: 5 | MS Excel based Supply Chain management application for determining product availability | Important
    Related assets:
    • PCs of Product Availability department | Qty: - | The Product Availability tool is run on machines of the product availability department | Important
    • Network | Qty: - | Network used for accessing the Product Availability tool | Important
A5  ABC Time Management System (Ver. 3.00.e) | Users: 400 | Timecard readers and software | Very Important
    Related assets:
    • HQNT2 (Compaq) | Qty: 1 | Server on which the Timecard Reader application resides | Very Important
    • Windows 2003 Server Operating System | Qty: 1 | Operating system for accessing the application | Very Important
    • Data flat file | Qty: 1 | The flat file updates the Oracle 9i database | Very Important
    • Network | Qty: 1 | Network connection to the server | Very Important
A6  Business Objects (Ver. 6.5.1) | Users: 25 | Business Intelligence tool on top of BaaN and S&D application, used for reporting | Critical
    Related assets:
    • BOServer (HP) | Qty: 1 | Replication server (replication of data from all branches and reporting through the Business Objects application) | Critical
    • Windows 2003 Server Operating System | Qty: 1 | Operating system on BOServer | Critical
    • Network | Qty: - | Network for accessing Business Objects | Critical
A7  Help Desk Application | Users: 345 | Web-based helpdesk application | Very Important
    Related assets:
    • Helpdesk (HP) | Qty: 1 | Helpdesk server (help desk application) | Very Important
    • SQL Database | Qty: 1 | Database for helpdesk application | Very Important
    • Network | Qty: 1 | Network connectivity to the helpdesk server | Very Important
B   Other Software

B1  Microsoft Exchange - Server | Users: 250 | Email software at exchange server | Critical
    Related assets:
    • Microsoft Exchange - Client | Qty: 200 | Email software at client machines | Critical
    • Windows 2003 Server Operating System | Qty: 2 | Operating systems on ABCEMAIL and ABC2SERVER | Critical
    • ABCEMAIL (HP) | Qty: 1 | Jeddah Head Office ADC Exchange 2003 Server | Critical
    • ABC2SERVER (HP) | Qty: 1 | ADC Exchange 2003 Server for ABC 2 location in Industrial Area Jeddah | Critical
    • Network | Qty: 1 | Network connectivity for email | Critical

B2  McAfee Antivirus (Corporate software) | Users: 345 | McAfee antivirus | Major
    Related assets:
    • SUS (HP) | Qty: 1 | McAfee Antivirus server | Major
    • Windows 2003 Server Operating System | Qty: 1 | Operating system on SUS server hosting the McAfee Antivirus | Major
    • McAfee Antivirus (Clients) | Qty: - | McAfee antivirus on client computers | Major
    • Network | Qty: 1 | Network connectivity to the server | Major

B3  Veritas - Backup and Recovery, Scheduling | Users: N/A | Backup, scheduling and recovery tool | Critical
    Related assets:
    • ABC-SERVER | Qty: 1 | PDC server at Head Office hosting the Veritas application | Critical
    • Windows 2003 Server Operating System | Qty: 1 | Operating system on ABC-SERVER | Critical
    • Storage Tech tape library | Qty: 1 | Robotic tape library device | Critical
C   Network

C1  ASTARO firewall software, Proxy server software | Users: 345 | Firewall and proxy software | Critical
    Related assets:
    • ASTARO firewall device | Qty: 1 | ASTARO firewall device | Critical
    • Vanguard Routers | Qty: 6 | Network routers | Critical
    • CISCO Switches | Qty: 30 | Combination of 24 and 48 port switches in Head Office and branches network | Critical
    • Cisco Routers | Qty: 6 | Network routers | Critical
    • ABC-SERVER (HP) | Qty: 1 | Jeddah Head Office PDC server | Critical
    • Windows 2003 Server Operating System | Qty: 1 | Operating system on ABC-SERVER | Critical

D   Data Center Equipment

D1  APC UPS | Users: N/A | UPS for head office and branches | Very Important

E   Environmental Controls

E1  Fire Suppression System | Users: N/A | FM 200 gas fire suppression mechanism at head office data centre | Major
    Related assets:
    • Smoke Detector | Qty: 1 | Smoke detector at Head Office data centre | Major
F   End-user Computing

F1  Windows 2000 Operating System | Users: 10 | Operating systems at client computers | Important
F2  Windows XP Operating System | Users: 345 | Operating systems at client computers | Important
    Related assets:
    Personal Computers
    • Compaq | Qty: 16 | Compaq PCs | Important
    • HP | Qty: 228 | HP PCs | Important
    • Dell | Qty: 32 | Dell PCs | Important
    Laptop Computers
    • Dell | Qty: 45 | Dell laptops | Important
    • HP | Qty: 5 | HP laptops | Important
    • Toshiba | Qty: 29 | Toshiba laptops | Important
    Printers
    • Network printers | Qty: 5 | Network printers | Important
    • HP | Qty: 148 | HP printers | Important
    • Lexmark | Qty: 1 | Lexmark printers | Important
    • Epson | Qty: 35 | Epson printers | Important
    • Fujitsu | Qty: 1 | Fujitsu | Important
    PDAs
    • imate (PDA 2 and Jam) | Qty: 5 | imate Pocket PCs | Important
    Software
    • Office 2000 | Qty: 45 | Office automation tool | Important
    • Office 2003 | Qty: 150 | Office automation tool | Important
    • Internet Explorer 6.X | Qty: 355 | Web browser | Important

Appendix C – List of IT Processes

Columns: No. | IT Process | Description | Criticality

1   IT Strategy and Planning | The process of IT strategy formulation and IT strategic planning, including strategy and planning of long-term projects. | Critical
2   Backup and Recovery Process | The process of scheduling and executing backup and recovery procedures. | Critical
3   Users and Logical Access Management | The process of user creation and deletion and assignment of logical access rights. | Critical
4   IT Security Management and Administration | The process of defining, managing and monitoring all aspects of IT security, including deployment of IT security policies, physical security, logical access security, network security and protection against viruses etc. | Critical
5   Network Management | The process of configuration, management and monitoring of networks. | Critical
6   IT Budgeting, Cost and Investment Management | The process of planning and monitoring IT budgeting and IT investment. | Major
7   IT Performance Management and Reporting | The process of managing IT performance and reporting IT's performance to top management. | Major
8   IT Purchasing Process - CAPEX | The process of managing IT capital expenditure. | Major
9   IT Purchasing Process - Consumables | The process of managing IT expenditure on consumable items. | Major
10  IT Change Management Process / New Project Handling Process | The process of IT change management and handling of new projects. | Major
11  Configuration and Patch Management | The process of managing hardware and software configuration, including operating system and application patch management. | Major
12  Incident and Problem Management | The process of managing and resolving incidents and problems. | Major
13  Capacity Management | The process of anticipating, monitoring and managing capacity. | Very Important
14  System Development | The process for management of in-house development. | Important
