Question
2.1. Background

Veronese & Tiffany Inc. is a medium-sized business located in Elmira, Ontario. It sells designer jewelry to specialty stores throughout Canada as well as to individuals through its company website. Founded by close friends, Veronique Veronese and Tameka Tiffany almost 10 years ago, the company has grown rapidly and now has well-established brand recognition as well as a large following of loyal customers (direct and retail) across the country. Currently, Veronese & Tiffany Inc. products are carried in more than 2,500 boutique stores and online retailers.

While Veronique focuses on sourcing material and design, Tameka spends most of her time managing the sales force, strengthening relations with retailers, and marketing to the company's online customer base. At the same time, due to lack of expertise and inclination, the owners have not spent much time investing in accounting and information systems. Automation of processes has been slow and ad-hoc to keep pace with the company's growth.

Two years ago, the company hired Summer Sloan as their Chief Information Officer and tasked her with building an integrated information technology framework to support the business processes as well as maintaining a strong control environment. Given the state of business processes and limited resources allocated towards information technology, progress on this front has been painstakingly slow. Veronique and Tameka are also frustrated with the lack of progress or significant benefits from their investments in this endeavor. Consequently, they have engaged you to review their current process and systems to identify weaknesses and provide recommendations. The following sections describe the key people, processes, and technologies currently in place at Veronese & Tiffany Inc.

2.2. Purchase Orders Processing

All purchases at Veronese & Tiffany Inc. are required to be routed through the centralized procurement function. Organization-wide, employees are required to fill in purchase requisitions and get them approved by their managers (purchases of $1,000 and below) or by the respective senior management executive (purchases over $1,000). Approved requisitions appear in a queue within the Procurement Management module of AviOnyx every morning for the purchasing analyst to review and process further. Upon identifying all materials, parts, tools, supplies, etc. to be ordered, the purchasing analyst creates Purchase Orders (POs) and sends them to the respective vendors electronically.

When ordered items arrive at the receiving department (part of the warehouse team), the receiving staff files the Packing Slip (attached with the items received). The receiving staff also creates a goods receipt document in AviOnyx and changes the status of the PO from open to closed. Inventory levels and corresponding accounting entries are automatically updated by the system once items are received and the status of the corresponding PO is changed to closed.

Inventory, typically, comprises approximately 3,500 different items. The company employs a computerized batch processing system to maintain its perpetual inventory records. The system is run each weekend so that inventory reports are available on Monday morning for management use. The system has been functioning satisfactorily for the past four years, providing the company with accurate records and timely reports.

When an item of inventory falls below a predetermined level, a record of the inventory items is written. This record can be used in conjunction with the supplier file to prepare the purchase orders.
ACCT74040 Auditing Information Systems | Case Study Analysis Spring 2022 (Professor: Amit M. Mehta) Page | 4

Exception reports are prepared during the update of the inventory and the preparation of the purchase orders. These reports list any errors or exceptions identified during the processing. In addition, the system provides for management approval of all purchase orders exceeding a specified amount. Any exceptions or items requiring management approval are handled by supplemental runs on Monday morning and are combined with the weekend results.

Once the Accounts Payable (AP) department receives a vendor invoice, the AP analyst reconciles it with the corresponding closed PO and goods receipt document. The AP analyst will issue a cash disbursement order for the appropriate amount. On a daily basis, all cash disbursement orders are automatically converted to payment instructions by AviOnyx and sent to the Bank for releasing the funds to the vendors. Due to a large number of voided cash disbursement orders caused by errors and/or rejections, the cash disbursement orders are not prenumbered by the system; rather, the AP analyst numbers them after each cash disbursement order is processed. The system keeps a log of all cash disbursement orders, so that the same number is not assigned to more than one cash disbursement order.

On a weekly basis, the AP analyst posts journal entries to update AP and Cash balances based on approved and numbered cash disbursement orders.

2.3. Information Technology Computer Operations Management

At Veronese & Tiffany Inc., Business IT Enterprises Services (BITES) is led by its CIO to actively support the organization structure by reviewing the overall business strategy and ensuring alignment as well as by following the Executive Management direction and tone on an annual basis.

The security risk environment is dynamic and ever-changing. To properly manage security risks, Veronese & Tiffany Inc. establishes the tolerance of security risks by conducting security risk assessments every two years to identify unacceptable risks and determine what to do about them.

While a standard set of policies and procedures is currently being developed, where IT roles (i.e. Database Administrators, Infrastructure Systems Administrators) have a segregation of duties exposure (i.e. access to both non-production and production environments), it is mitigated through compensating controls (e.g. separate UserIDs for database administrators operating in each environment). The set of policies currently being developed includes key topics such as Enterprise Architecture, Information Management, Infrastructure Management, Privacy, Compliance, Business Continuity and Disaster Recovery, Crisis Management, Regulatory Compliance & Reporting, and IT Risk Management. Once finalized, the policies will be stored in a secure section of the company's intranet that is accessible by all executive management.

Based on the results of the last functional security risk assessment as well as the progress made to-date on developing the set of policies and procedures, senior leadership within BITES have developed (under guidance from the CIO) the following computer operations management process.

Back-up of financial data: Back-up of financial data and retention of backed-up data is handled internally. The Infrastructure Support team within BITES maintains the infrastructure necessary to successfully back up data, with Iron Mountain providing off-site storage. Backup tapes are picked up by Iron Mountain daily. At that time, Iron Mountain also drops off the oldest set of tapes they have in storage. These tapes are used for backup rotation functions.
The Infrastructure team utilizes EzPzBackUp as the backup tool for AviOnyx and supporting infrastructure components (databases and operating systems). Quarterly full backup jobs (run on Friday) are scheduled to run during the evening on backup devices and servers at various times.

Disaster Recovery Testing: The Infrastructure Support team plans to perform a disaster recovery exercise every two years to ensure their technology and business data can be recovered within the timeframe required by business. The disaster exercise also provides them the opportunity to test disaster recovery plans and train staff to respond to a significant disaster that could impact our business. This exercise utilizes a warm site data center disaster recovery strategy. The strategy involves the production environment being recovered at the warm site by restoring the production operating systems and the business data from backup storage media.

Job Scheduling Management: Automated scheduling software (EzPzScheduler) manages the production job scheduled for AviOnyx. Permanent changes to the production job schedule are requested, approved and implemented through the EzPzScheduler. The requester submits the change, which is then reviewed, approved and implemented by the AMS team. AMS confirms the change, which results in automatic implementation into the job schedule. Due to system limitations and licensing cost constraints, only one user ID is configured in EzPzScheduler. The password to this user ID is shared by the AMS team. All ad hoc jobs are approved by the AMS team and are added to the production job schedule via the EzPzScheduler panel.

Data Center Management: Veronese & Tiffany Inc. installed a backup data center at its Sarnia, ON office three months ago. The center is used for testing and development work with full capabilities to handle complete backup processing in the case of a failure of the company's primary computer center in Kitchener, ON. The new data center consists of a large IBM mainframe, 15 tape drives, 20 disk drives, and network communications equipment to link the center to the company's primary network. Approximately, three employees work to cover the center's three shifts (one per shift) that provide functions of scheduling, security, software support, operations support, and library facilities.

The center is designed to operate 24 hours per day, 365 days per year. An automatic fire suppression system was installed last month. At that time, the Data Center Manager held a meeting for all three data center employees to verbally instruct them as to their responsibilities in the event of a fire emergency. A security officer was hired prior to the start-up of the computer center to administer security procedures for the protection of the facility. The officer reports directly to the morning shift employee. Devices were installed at entrance and exit points of the computer facility to detect magnetic items (tapes and/or disk packs) passing through. This was done to prevent the unauthorized removal of tapes or disks.

Due to budgetary constraints (and the limited number of current users accessing the facility), the project to restrict entry to and exit from the data center via proximity cards is currently put on hold. Currently, access is restricted via use of a pin pad lock. The correct combination of the pin pad lock is known to the Data Center Manager, three shift employees, and the security officer only. Lastly, the Data Centre Manager proudly announced to his team in this month's communication that in the next fiscal year's budget Veronese & Tiffany Inc. has an approved placeholder for a project to install security cameras within and outside the data center.

Detailed Findings and Recommendations Table
# | Finding Title | Underlying Risk | Control Gap / Finding | Recommendations | Accountabilities |
01 | | | | | |
02 | | | | | |
03 | | | | | |