
Question


KIMBERLY INDUSTRIES LTD.

Background

The company is divided into five autonomous divisions, each carrying out distinct types of business. Within each division there are independent units with differing markets and working practices. The Head Office has a large central information-systems function comprising central accounting functions and company-wide computer services. The computer-services department accounts for about half the cost of the central information-systems functions. The company operates throughout Canada.

Internal Audit

Two divisions, whose income is heavily cash based, have internal audit operations that carry out primarily cash and inventory checking activities. The Head Office computer audit department is responsible for computer audits across the company, liaison and assistance work for the external audit, and quality assurance for new computer developments.

Computer Policy

The IT Governance Committee is a sub-committee of the Corporate Governance Committee, established by the Board. The members of the IT Governance Committee consist of: three board members; Vice Presidents on the business side as well as Vice Presidents on the IT side; the chief financial officer; other stakeholders as appropriate. The administration of computer policy is the responsibility of the Vice President IT Management Framework of the central information-systems functions. He also has the responsibility to approve all information system developments below $500,000. A company-wide information system policy covers the preferred hardware and IT leases. Purchase-approval levels were approved by the IT Governance Committee. Any major IT capital expenditures or computer system development that exceed $500,000 have to be approved by the IT Governance Committee and then go to the Board of Directors for approval.

Computer resources are made up of:

A centralized mainframe (IBM mainframe) operating as an internal service bureau for the whole company.

A mainframe (IBM mainframe) dedicated to one company within the group.

Remotely placed minicomputers with operations on-site and all systems controlled from the centre.

Independent specialist minicomputers, each servicing a single site with specialist applications. (The major problem lies with the latter category.)

Independent Minicomputers

Each site using a specialist minicomputer has the base package installed and is supported by the central computer services department. Operational control lies with the site management. The composition of this package is as follows:

Site Programming and Password Security

Pressure to reduce central costs has resulted in increasing delays in meeting site requests for system changes and new systems. As a result, the local sites have started to do computer programming on their own minicomputers. The general quality of the sites' systems and program development carried out is below that of central computer standards. Site Data Processing managers have access to all files and programs. The two weaknesses, substandard programming and password security, have raised a concern from the external auditor as to the degree of reliance that could be placed on the accounting information produced by site computers.

Audit Methods

Each site and the central-development department are reviewed each year by the external auditor and the internal audit department (computer audit) assists the external auditor.

A review was carried out as part of the evaluation and the testing of internal controls in order to determine the reliance that could be placed on the information in the accounting records. It was determined that reliance could be placed on the application controls applied by the computer systems and reliance could be placed on the controls over the processing of data at the computer centres.

The review concentrated on five main areas:

1. Organization.

2. Systems development.

3. Computer processing.

4. File access.

5. Program maintenance.

The conclusion each year has been that audit could not place reliance on the information produced through the computer. This, in practice, meant only that the external audit teams placed reliance on the manually produced controls; i.e., auditing around the computer. Weaknesses found were reported to management each year in the form of external audit management's letters and internal audit reports.

The possibility of loss arising from this lack of reliance was not raised with senior management so that central computer management or management could act effectively to correct the control weaknesses. Thus, the concerns of internal audit were largely ignored by management until a recent quantifiable loss resulted from faulty site-based system development.

Revised Audit Approach

After that loss, computer audit was given wider responsibility that included developing, introducing, and enforcing development standards at the various sites. These standards comprised:

• Authorization procedures.

• Guidance on project control.

• Technical standards.

• Training procedures.

• Enforcement procedures by the internal audit department.

All sites' systems and program development report to the computer audit department to enable them to gain an overall assessment of the impact of new developments and system changes in general at each site and to provide a means for selecting certain system changes and site modifications (coordination) into the company-wide software platform, thus providing guaranteed central support.

The password security was revised to remove the concentration of responsibility from the sites' computer-development sections. The segregation of responsibilities was achieved as shown in Appendix A and B. Security logging was introduced to provide a means of audit verification of the use of compilers and computer programs on-site.

This security log notes accesses to compilers and password updates. The file is encrypted to reduce the possibility of tampering with records that are sequentially numbered to prove continuity. The computer audit department analyzes the file as part of its review of authorization of access during each audit.

Audit Program

The elements described above were put into a concise computer audit program. Each site was visited each year by the computer audit department in order to establish reliance and adherence to the standards.

Results

The new procedures and checks provide a basis for confidence and highlight any errors of possible concern at an early point. There are, however, major problems in gaining positive commitment of site management to implement these controls. It requires a continuing sales effort and a continued high level of technical knowledge in order to retain confidence in respect to each site's Data Processing department and management.

Required

1. The review that was made by the computer audit section covered five areas: (1) organization, (2) systems development, (3) computer processing, (4) file access, and (5) program maintenance.

b) In the area of file access, evaluate the controls of the Resource Security Matrix (Appendix A) and of the Master Secured Program (Appendix B). What are your observations, their impact, and your recommendations to rectify the control weaknesses? Support your answer with four (4) points. Use the following table format for your answer.

Weakness | Impact | Recommendation

Appendix A Resource Security Matrix

FILES AND DATA FILES CENTRALLY CENTRALLY LOCALLY LIBRARIES DATA FILES CREATED MAINTAINED MAINTAINED CREATED USED BY BASE BY LOCAL ENHANCEMENT PRODUCTION PRODUCTION USERS SYSTEM SITE LIBRARY LIBRARY LIBRARY GROUP

MSO | EFFECTIVELY HAS FREE ACCESS TO EVERYTHING
USER SO | OWNER | OWNER | NO ACCESS | EXECUTE | EXECUTE | NO
WS | OWNER OR CHANGE | OWNER OR CHANGE | NO ACCESS | EXECUTE | EXECUTE | NO
CENTRE SO | READ | READ | READ* | READ | READ | YES
DP SO | READ | OWNER | READ | READ | OWNER | YES
LOCAL DP OP | READ | OWNER OR CHANGE | READ | READ | OWNER OR CHANGE | YES
OP+ | OWNER | OWNER | CHANGE | OWNER | CHANGE | NO

* OWNER status may be temporarily invoked by MSO for emergencies.
+ This user should be set up for use only for implementing local or central enhancement -- probably from the system console.

MSO -- Master security officer. SO -- Security officer. WS -- Work Station. OP -- Operator.

Appendix B Master Secured Program

Master Security Officer (Responsible Senior User)

Security Officers (Central Data Processing Coordinator)
Security Officers (Responsible DP Officer)
Security Officers (Responsible User)

SYSTEM AND SUBCONSOLE OPERATORS / WORK STATION OPERATORS

Access to data and program utilities. Access to Device Firmware Upgrade (DFU), Security Enhancement Upgrade (SEU), Report Generator (RPG).
No access to data and program utilities.
Access to data files secured against all access except for read access.
Access to all data files secured against all access except for read.
Access centrally maintained libraries secured.
Access to production libraries secured.
Effectively run from Menus and secured procedures.
One user not to have access to DFU, SEU, and RPG but to have access to production libraries for implementing enhancements only.
Access removed temporarily by MSO (master security officer) when required.
Access to production libraries set to EXECUTE.
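
The security log described under Revised Audit Approach uses sequentially numbered records to prove continuity and is analyzed for authorization of access at each audit. The sketch below is an added illustration of that check and is not part of the case material; the record layout, user names, approved-user list and `expected_first` parameter are constructed assumptions, and the log is taken as already decrypted.

```python
from collections import Counter

# Constructed sample of an already-decrypted security log. The tuple layout
# (sequence number, user, event) and all names are assumptions; the case only
# states that records are sequentially numbered and note compiler accesses
# and password updates.
SAMPLE_LOG = [
    (1001, "dp_so", "PASSWORD_UPDATE"),
    (1002, "op_plus", "COMPILER_ACCESS"),
    (1003, "ws_17", "COMPILER_ACCESS"),
    (1005, "dp_so", "PASSWORD_UPDATE"),
    (1005, "dp_so", "PASSWORD_UPDATE"),
    (1007, "op_plus", "COMPILER_ACCESS"),
    (1006, "dp_mgr", "COMPILER_ACCESS"),
]


def audit_log(records, approved_compiler_users, expected_first):
    """Check sequence continuity and compiler-access authorization.

    expected_first is the number that should follow the last record seen at
    the previous audit, so records removed from the start are also caught.
    Records removed from the end cannot be detected from the file alone.
    """
    seqs = [seq for seq, _user, _event in records]
    last = max(seqs, default=expected_first - 1)
    seen = Counter(seqs)
    return {
        # Numbers in the expected range that never appear: deleted records.
        "missing": [n for n in range(expected_first, last + 1) if n not in seen],
        # The same number used twice: a record was inserted or replayed.
        "duplicates": sorted(n for n, count in seen.items() if count > 1),
        # A number lower than its predecessor: the file was reordered.
        "out_of_order": [b for a, b in zip(seqs, seqs[1:]) if b < a],
        # Compiler use by anyone outside the approved list.
        "unauthorized": [
            (seq, user) for seq, user, event in records
            if event == "COMPILER_ACCESS" and user not in approved_compiler_users
        ],
    }


if __name__ == "__main__":
    for finding, values in audit_log(SAMPLE_LOG, {"op_plus"}, 1000).items():
        print(f"{finding}: {values}")
```

Sequence numbering alone does not show that the final records are intact, so the highest number seen should be carried forward to the next audit as `expected_first - 1`.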
