Question
- What key responsibility areas report to the CIO? Is there proper segregation of duties between critical roles?
- Does FFC have an IT steering committee? If so, who are the members?

Program/Systems Development

The key concepts within systems development include the existence of a new systems implementation methodology, project management, pre- and post-implementation reviews, quality control, adequate testing, and demonstrated compliance with the selected implementation methodology. Based on this understanding, your team's primary concerns are:

- Does FFC design, develop, and implement systems in a logical fashion?
- Does the organization consider internal controls as an integral part of systems design, or does it retrofit them after implementation?
- To what extent is FFC's Internal Audit department involved in systems development activities? Is it part of the project review team? Is it a voting member of the team?
- In particular, how well did FFC manage the development and implementation of its new fingerprint biocoding payment system?

Data Security (Access to programs and data controls)

The critical concepts within data security include adherence to an established information security policy, access approval on a need-to-know basis, periodic rotation or change of access controls, monitoring, exception reporting, and incident response. Data security has both physical and logical aspects. On the physical side, data security includes physical access and environmental controls over the data center computer room. On the logical side, data security includes policies related to password configuration, change, and history restrictions. Logical security also includes prompt review, modification, or removal of access due to personnel transfers, promotions, and terminations. Your team's primary concerns are:

- How well does FFC control physical access to its data center computer room?
- Is FFC's computer room adequately protected against environmental dangers, such as fire?
- Does FFC control logical access to its information systems? In particular, how does it control the logical access of terminated or transferred employees?
- Does FFC have a current IT security policy?
- Does FFC produce access violation reports?
- Do FFC IT personnel adhere to IT policy and follow IT procedures? For example, do appropriate personnel review any access violation reports and take the prescribed action?

Change Management

Change Management's key concepts include documented change procedures, user authorization and approval, separation of duties in implementing changes, management review, quality control, and adequate testing. Your audit team's primary concerns are:

- Does FFC have (and follow) formal change management procedures?
- In particular, did FFC follow these procedures when making any necessary changes to its current application programs because of the new biocoding payment system? For example: Were the changes approved? Did the programmers adequately test the changes before putting them into production? Did the application programmer(s) that made the code changes, test the changes, and/or put them into production?

Computer Operations/Business Continuity Planning