Background: North Shore Playgrounds (NSP) manufactures playground equipment for customers all over the world. The company has two sales offices and a factory in Auckland's North Shore. NSP's revenues have steadily increased over the last few years, with new customers mainly from India, Indochina, and Indonesia. NSP uses various materials to make its playground equipment, such as rubber chips for playground floors (converted from old tires), nylon (for the ropes and swings), and steel bolts. NSP's business growth has led to difficulties in obtaining these materials, so NSP has bought two of its suppliers to improve its control over its supply chain. NSP's main competitor, Kumeu Play People (KPP), is also growing and focusing on New Zealand and the Pacific Islands. The key differentiator in the playground industry are playground equipment designs and KPP is very aggressive in protecting the copyright of its designs. Many of KPP's employees have moved over to NSP recently because they want to be able to travel overseas to install and service playgrounds for NSP's international customers. The company has an accounting system running on an IBM AS/400 server. The system was developed in-house and implemented ten years ago. The company uses a Windows Active Directory- based network that connects all employee desktop computers to the AS/400 system. However, the networks of the suppliers it has bought are not integrated with NSP's main network. These suppliers also use their own accounting and inventory management systems. NSP's ERP system is linked to these systems using middleware from an IT vendor based in Auckland's CBD. NSP's IT budget has also grown with the increase in business, and to manage costs, the manager of NSP's IT department, Ms. Rachel Brown, has proposed a move to Microsoft's Office 365, a suite of cloud-based applications that includes storage (OneDrive). However, when Ms. Brown announced the plan, she found out that many employees were already using Dropbox to share files and they were unwilling to move to OneDrive. Ms. Brown is also facing difficulties with NSP's accounting system, as it does not handle overseas operations (e.g. different currencies, rules for GST) well.

Audit Notes: 1) The server is located in a secure area on NSP's headquarters and access is controlled by a swipe card. All entries to the server room are logged and an automatic fire alarm system is tested regularly and operating well. 2) Ms Brown informed you that the security policy was based on a free template she had downloaded online, which she had modified and put up on NSP's intranet. Before putting up the policy, she asked the Human Resources Manager for his advice. She believes all employees are aware of this policy. 3) NSP has an IT strategic plan that is reviewed and evaluated every year by a steering committee made up of members from every functional department in the company. 4) Users need to have passwords that are at least eight characters long, containing a mixture of letters and numbers. Passwords have to be changed once a year. 5) NSP only buys laptops that are on sale at JB Hi-Fi, and Ms Brown prefers to buy Dell laptops. 6) Users' laptops automatically time out after 10 minutes of inactivity. A username and password are required to log back on to a laptop after it has "timed out" and is on a screensaver. 7) Ms Brown confirmed that when employees leave the company (because of resignation, retirement, etc), their user accounts are disabled immediately. However, two retired employees from the IT department still have active user accounts because they developed NSP's accounting system and no one knows it as well as them. Their accounts have been kept active in case they need to return to help NSP with some of the work they used to do. 8) Your analysis of employee records reveals that there has been a sudden increase in the number of part-time customer service staff in the last two years. When you asked Ms. Brown, she explained that because of the growth in its business, NSP needed many more employees but it could not hire enough permanent full-time staff. NSP thus began approaching retirees, students and stay-at-home mums to work part-time in these roles. Many of them use their own home laptops or tablets for their work. 9) IT purchase information is stored on a folder on a shared drive in the AS/400 server. Four employees handle purchases and payments to suppliers. Since they do each others' jobs, Ms. Brown decided to allow them to share the same user profile so that they can all access the shared folder containing purchase information. This procedure has allowed them to pay invoices and approve purchases even if only one of the four staff is available. 10) Ms. Brown's assistant, Mr Marc Jacobs, is responsible for assigning user rights to employees, which define what each employee can do in NSP's IT systems. All requests for changes in user rights come to Mr. Jacobs. He reviews the user access rights once a quarter and if something does not look right to him, he emails a query to Ms. Brown. He does not follow up with her to see if his queries have been resolved. 11) NSP has an expensive firewall and intrusion detection system (IDS) to protect its systems from hacking attempts. These systems have been rigorously tested by two members of the IT department, whom Ms Brown says are very experienced. 12) Any requests for changes to software used in NSP are first sent via e-mail to Mr. Jacobs. Mr. Jacobs then forwards the e-mail to Ms. Brown, who either approves or denies the change request by email. Mr. Jacobs saves a copy of each of these e-mails in a separate folder in his e-mail Inbox as evidence of the decision. This process usually works well. However, employees occasionally have emergency change requests that Mr. Jacobs has to process without Ms. Browns approval when she is absent or busy. 13) Mr. Bill Lee, the manager of the customer service department, has been given super-user status so that he can grant appropriate user rights to employees in his department. Ms. Brown approved Mr. Lees super-user status because the need to quickly hire new customer service staff was making it difficult for Mr. Jacobs to keep up with the requests for assigning user rights. 14) User accounts can be used to log on to any network (NSP's or the networks of the two companies it bought). 15) Besides the move to Office 365, Ms Brown informed you that she has also planned a project to consolidate NSP's IT systems, so that the same accounting and inventory management systems will be used across the company. She also wants to replace all the accounting systems and move to a cloud-based one, such as Xero. Her board has approved the project and she is about to start choosing a vendor. However, she is not sure whether she should manage the project internally or hire an IT consulting company to run it. Besides herself, the rest of her IT department lacks project management experience.

Identify the risks from the background and audit notes. What are the possible outcomes of these risks?