Please help me answer this question

Background Veronese 81 Tiffany Inc. is a medium-sized business located in Elmira, Ontario. It sells designerjewelry to specialty stores through Canada as well as to individuals through its company website. Founded by close friends, Veronique Veronese and Tameka Tiffany almost 10 years ago, the company has grown rapidly and now has wellestablished brand recognition as well as a large following of loyal customers (direct and retail) across the country. Currently, Veronese & Tiffany Inc. products are carried in more than 2,500 boutique stores and online retailers. While Veronique focuses on sourcing material and design, Tameka spends most of her time managing the sales force, strengthening relations with retailers, and marketing to the company's online customer base. At the same time, due to lack of expertise and inclination, the owners have not spent much time investing in accounting and information systems. Automation of processes has been slow and ad-hoc to keep pace with the company's growth. Two years ago, the company hired Summer Sloan as their Chief Information Officer and tasked her with building an integrated information technology framework to support the business processes as well as maintaining a strong control environment. Given the state of business processes and limited resources allocated towards information technology, progress on this front has been painstakingly slow. Veronique and Tameka are also frustrated with the lack of progress or significant benefits from their investments in this endeavor. Consequently, they have engaged you to review their current process and systems to identify weaknesses and provide recommendations. The following sections describe the key people, processes, and technologies currently in place at Veronese 8: Tiffany Inc. Sales Order Processing For boutique retailers, the company employs a fleet of independent sales agents to sell its products for a commission based on the dollar value of sales. Once the sales agent finalizes the order with the boutique retailer, the order is placed by the sales agent via phone or email to the sales support analyst at Veronese & Tiffany Inc. Direct orders from individuals are received through their website. Upon receipt of the order, the sales support analyst enters the details in the organization's Enterprise Resource Management (ERP) system AviOnyx. For all new clients, the analyst creates and finalizes a new record in the Customer Relationship Management (CRM) module of AviOnyx. For existing customers, relevant details are already on the file and are pre-populated for the sales analyst during the process of completing the sales order. The system then creates a record of the transaction in the open sales order file. The warehouse team receives a phone call from the sales support analyst upon creation of a new sales order/ modification of an existing sales order with details around parts to be picked for shipping. Once the warehouse team picks the parts as instructed over phone, they create a hard copy of the stock release notification and send it to the shipping department along with the picked parts. The warehouse team also adjusts the inventory levels in the AviOnyx system once items are materials / parts are checked-out to be sent to the shipping department. Upon receipt of the stock release notification, the shipping department manually changes the status of the sales order from \"open" to "closed". At that time, the Financial Reporting module of AviOnyx automatically posts the transactions to the general ledger file impacting sales, inventory, and manufacturing costs. Upon receiving the stock release notification (and the parts from warehouse), the shipping department packages the parts and makes necessary arrangement for shipping (packaging, logistical arrangements, quality assurance, etc.). The shipping clerk issues a Bill of Lading (BoL) document along with the goods to be shipped to the transportation agent. An electronic copy of the BoL is also sent to the customer and to the Accounts Receivable (AR) department. Upon receiving the BoL, the AR analyst retrieves the corresponding hard copy stock release notification and the closed sales order to review the accuracy of type and quantity of parts shipped. Next, the system is triggered to generate a sales invoice by automatically retrieving the approved price, shipping charges, and tax rates. A copy of the invoice is electronically sent to the customer and a new AR record is automatically created in AviOnyx. Every day, the treasury department receives a report from the Bank indicating funds received from various parties. In addition to this report, the treasury department also reviews all payment notifications received from customers to prepare a remittance advice report. This report is sent to the AR analyst. The AR Analyst reconciles payments received against outstanding AR balances by customers. The AR balance is adjusted to reflect the payments received and the treasury department is informed accordingly. The treasury analyst posts the necessaryjournal entries to update the Cash balance based on the remittance advice report and feedback received from the AR analyst. Purchase Order Processing All purchases at Veronese & Tiffany Inc. are required to be routed through the centralized procurement function. Organization-wide, employees are required to fill in purchase requisitions, get it approved by their managers (purchases of $1,000 and below) or by the respective senior management executive (purchases over $1,000). Approved requisitions appear in a queue within the "Procurement Management\" module of AviOnyx every morning for the purchasing analyst to review and process further. Upon identifying all materials, parts, tools, supplies, etc. to be ordered and the purchasing analyst creates Purchase Orders (P05) and sends them to the respective vendors electronically. When ordered items are arrive at the receiving department (part of the warehouse tea m), the receiving staff files the Packing Slip (attached with the items received). The receiving staff also creates a goods receipt document in AviOnyx and changes the status ofthe PO from \"open" to \"closed\". Inventory levels and corresponding accounting entries are automatically updated by the system once items are received and the status of corresponding P0 is changed to \"closed\". Inventory, typically, comprises approximately 3,500 different items. The company employs a computerized batch processing system to maintain its perpetual inventory records. The system is run each weekend so that inventory reports are available on Monday morning for management use. The system has been functioning satisfactorily for the past four years, providing the company with accurate records and timely reports. When an item of inventory falls below a predetermined level, a record of the inventory items is written. This record can be used in conjunction with the supplier file to prepare the purchase orders. Exception reports are prepared during the update of the inventory and the preparation of the purchase orders. These reports list any errors or exceptions identified during the processing. In addition, the system provides for management approval of all purchase orders exceeding a specified amount. Any exceptions or items requiring management approval are handled by supplemental runs on Monday morning and are combined with the weekend results. Once the Accounts Payable (AP) department receives a vendor invoice, the AP analyst reconciles it with the corresponding "closed" PO and goods receipt document. The AP analyst will issue a cash disbursement order for the appropriate amount. On a daily basis, all cash disbursement orders are automatically converted to the payment instructions by AviOnyx and sent to the Bank for releasing the funds to the vendors. Due to a large number of voided cash disbursement orders caused by errors and/or rejections, the cash disbursement orders are not pren um bered by the system; rather, the AP analyst numbers them after each cash disbursement order is processed. The system keeps a log of all cash disbursement orders, so that the same number is not assigned to more than one cash disbursement order. On a weekly basis, the AP analyst postsjournal entries to update AP and Cash balances based on approved and numbered cash disbursement orders. Payroll Processing All Veronese & Tiffany Inc. employees are expected to complete a timesheet by 4 PM of Friday on a weekly basis in the timekeeping module of AviOnyx (except for the floor staff of the warehouse team}. The timesheets are consolidated in AviOnyx and available to the Payroll Analyst for processing. Function managers also notify the Payroll Analyst and the Workforce Manager of all changes in employee status (new hires, transfers, promotions, terminations, temporary movements, etc}. The Payroll analyst makes necessary adjustments to employee status based on notifications received from the functional managers prior to processing payroll. The Payroll Analyst reviews the consolidated timesheets and the payroll expense assigned to various cost centers by AviOnyx for appropriateness, accuracy, and completeness. Next, the Payroll Analyst finalizes the pay disbursement order for that week. Every two weeks, the Payroll Analyst sends the consolidated funds release instructions to the Bank. The warehouse team leader is responsible for the floor staff performing all materials movement activities. Individuals performing these tasks punch in their timecards upon entering and exiting the warehouse space. On a weekly basis, the warehouse team leader reviews and approves all timecards and prepares a summary ofthe hours worked by his team. This \"Hours Worked Summary Report" is submitted to the Payroll Analyst for processing. The Payroll Analyst manually enters the contents of the \"Hours Worked Summary Report" into the computerized payroll system. The system updates the payroll records and prints out the paycheques. The cheques are written on the regular chequing account; imprinted by a signature plate with the treasurer's signature; and sent to the warehouse team leader, who distribute them to the workers or hold them for absent workers to pick up later. Warehouse team leader notify data processing of new employees, terminations, changes in hourly pay rates, or any other changes affecting payroll. The workers also complete a job time ticket for each individual job they work on each day. These are collected daily and sent to cost accounting, where they are used to prepare a cost distribution analysis. The payroll function had not been operating smoothly for some time. The warehouse team leader would like a weekly report indicating worker tardiness, absenteeism, and idle time to determine the amount of productive time lost and the reasons for the lost time. The following errors and inconsistencies have been encountered the past few pay periods: 1. A worker was issued a cheque for $4,531.80 when it should have been $453.18. 2. One worker's paycheque was not written, and this error was not detected until the paycheques were distributed by the warehouse team leader. 3. Some of the payroll register records were accidentally erased from the system when the Payroll Analyst tried to reorganize and rename the files in the hard drive. Data processing attempted to re-establish the destroyed portion from original source documents and other records. 4. One worker received a much larger paycheque than he should have. The Payroll Analyst had keyed 84 instead of 48 for hours worked. 5. Several paycheques issued were not included in the totals posted to the payroll journal entry to the general ledger accounts. This was not detected for several pay periods. Information Technology Services Management At Veronese 8! Tiffany Inc., Business IT Enterprises Services (BITES) is led by its CIO to actively support the organization structure by reviewing the overall business strategy and ensuring alignment as well as by following the Executive Management direction and tone on an annual basis. The security risk environment is dynamic and ever-cha nging. To properly manage security risks, Veronese 8! Tiffany Inc. establishes the tolerance of security risks by conduct security risk assessments every two years to identify unacceptable risks and determine what to do about them. While a standard set of policies and procedures are currently being developed, where IT roles (Le. DBA's, Infrastructure Systems Administrators) have a segregation of duties exposure (Le. access to both non-production and production environments), it is mitigated through compensating controls (e.g. separate Userle for DBAs operating in each environment). The set of policies currently being developed include key topics such as Enterprise Architecture, Information Management, Infrastructure Management, Privacy, Compliance, Business Continuity and Disaster Recovery, Crisis Management, Regulatory Compliance 8i Reporting, and IT Risk Management. Once finalized, the policies will be stored in a secure section of the company's intranet that is accessible by all executive management. Based on the results of the last functional security risk assessment as well as the progress made to-date on developing the set of policies and procedures, senior leadership within BITES have developed (under guidance from the CIO) the following processes to handle key IT operational functions such as change management, access management, security management, computer operations, and data centre management. System and Program Change Management Standard changes: A standard change management process is followed for change tickets to add new entities (customers, vendors, collaborators, etc.) to AviOnyx. These changes are routine in nature and are pre-approved by the business users. The change ticket is initiated by a member of the Application Management Services (AMS) based on the request received from the business. The implementer will review and approve the ticket once he/she has processed and implemented the change and update the status of the ticket to \"Completed\". User acceptance testing will not be required for these standard changes since these changes only involve update/change in the table which is routine and minimal risk. Data changes: The process for data corrections follows a similar process as the standard change management process described above. A change ticket is created for the Database Management team and the information about the data Sprlng 2023 (Professor: Amit M. Mehta) Page | 7 ACCT7404O Auditing Information Systems | Audit Programs & Reporting Assignments correction is captured with the change ticket. After the correction, the Database Management team validates the change and closes the ticket. Maintenance changes: Based on the decisions made during the weekly/monthly prioritization meetings between various business and the AMS team, the maintenance releases are scheduled. A service request ticket is created by the business support analyst (based on inputs received from the business owners) and authorizations are obtained within the request ticket. An application change request ticket is then generated by AMS team and assigned to the developer who makes changes in the development environment. Once the changes are developed, the system testing is performed by the testers in the development environment. User Acceptance Testing (UAT) is then performed and approvals are provided by the end users. Testing signoffs are retained within the associated change ticket. Upon successful completion of UAT, the Service Manager, on behalf of the functional user group signs offs in the change ticket. Once these signoffs are completed, the Technology Lead and Release Management will approve the promotion of the change to the System Integration Testing environment; where the changes are tested to see how they affects the system. The change is then approved by the Service Manager and Release Management and promoted to the Pre- production Staging environment, where deployments of the change are tested and back out procedures may be tested. Finally, the Production Control team will promote the changes to production during one of the regularly scheduled deployments. The Source Code Library Management (SCLM) contains the source code for AviOnyx, and developers have access to check out packets of code in order to make changes. The code can be checked out by the developer on their local drive for making changes and once changes are made to the code, only developers can check the code back in to be promoted to production by the production control team. If approvals described above have been completed, Production Control will promote the changes for AviOnyx. Emergency changes: An emergency application change is required when there is an immediate and material requirement to address the root cause of high-severity level incidents. When responding to this incident timely restoration ofthe service is critical. Therefore, it is appropriate to complete the requirements of the Emergency Change Process without updating the Emergency Change ticket until after the incident is resolved. An Emergency Application Change Request is created by the Change Manager that identifies the severity of incident being addressed as well as how the change will effectively mitigate the underlying risk and its impact. Next, development, testing and staging of the application change is completed. The Change Manager for AviOnyx validates that the application change meets the organization's standards are met and is ready for deployment. He / She will also revisit the Emergency Application Change Request Ticket and ensure that all prerequisites have been met, and then approve the ticket. The Change ticket will be updated once the implementation is completed. Testing is conducted following the implementation to verify that the application change is delivering the desired results. The Change Manager will login into the Emergency Application Change Request Ticket and ensure that all information is attached, and the ticket is complete. After this validation is complete the ticket will be closed. Monitoring of system and data changes: Before a change ticket can be closed, the release coordinator must complete a post-implementation interview with the business requestor, which includes filling out a checklist. However, due to lack of sufficient resources and bandwidth, this process has not been consistently followed on changes implemented to-date. While a recruiting plan exists to provide additional support to the resource coordinator, the post-implementation review has been conducted in approximately 15% of the changes implemented in the last 18 months. Access and Security Management In order to access AviOnyx, users must log into the network, and then log into AviOnyx. To do so, users must input a seven-character user ID. AviOnyx passwords are not synchronized with the network password. Access to griviieged functions: Authority to make changes to application security privileges including roles/profiles is restricted to security administrators for AviOnyx. All security administrators are a part of the IT Security group. Changes to application security configuration (including turning off security) are restricted to designated authorized personnel with appropriate Business management request and approval. Access to system resources and utilities is limited to the appropriate individuals within the IT department. Granting access to new users: In order to grant a user access to AviOnyx, the IT Security Administration guidelines require that users require approval from the system owner. After the required approvals are received. the workflow moves the request (Security Authorization Form) to the Security Team, who is responsible for setting up access for new users through an automated workflow. All new users are required to review and sign the Company's Code of Conduct, to stimulate both awareness and compliance. While signed copies are required to be maintained in the personnel files in Human Resources (HR), most users end up sending the signed forms to the Security Team. The Security Team hasn't been diligently forwarding the signed forms to HR. Ugdating access of transferred users: Transferred users follow the same process as the new users. Upon transfer of the employee, the Security Team will review and edit the Security Authorization Form of the employee based on the new job role. After the cha nging/updating of the form, it will follow the same process as that of the new user process in which the business system owners will approve the access request workflow initiated by the Security help desk team based on the verbal request received from the transferred employee's manager. Terminated users: Terminations are initiated by a request from a user's manager to the business administrator to submit the Security Authorization form to terminate the user. The request is then forwarded to the Security Team where they process the request by the effective termination date. Once the termination is complete a system generated notification is sent to the user's manager. Security Team prepares the HR termination reports on a weekly basis (Monday morning) to ensure that accesses are removed for all personnel who left the company in the previous week. The reports are compared to the Security Authorization forms for users for whom termination was initiated in that week. Physicai access: BITES is responsible for allowing access into the data centers. The approval process requires two levels of approval, first a request from the business manager requesting access as well as from Corporate Services team. Access to the data center is monitored and reviewed on a monthly basis by the CIO. Monitoring user access: On a yearly basis, the applicable Department Managers perform a review of the appropriateness of the access levels of employees in their teams. The Security Administration team sends an e-mail to Department Manager of each user for a review the access granted to the user as per the Security Authorization form. The Department Manager will either confirm the current level of access or inform the security help desk for any changes to be made to the employee's access. The evidence of review can be seen in the Change History Section of the Security Authorization Form. A five-week window is established for this review to be performed. All feedback received during Spring 2023 (Professor: Amlt M. Mehta) Page | 9 ACCT7404O Auditing Information Systems | Audit Programs 8: Reporting Assignments this five-week window is implemented by the Security Administration team within 24 hours of receiving the feedback. Upon completion ofthe review, the CIO signs off on an attestation that the annual access review exercise is complete and submits it to Vinnie and Trisha for reference. Security Management: Windows operating system's in-built security settings provide security for the hosted application (AviOnyx). System administration functions are restricted to the Security team. AviOnyx application owner reviews role assignments of privileged users to ensure they remain appropriate and request any necessary changes. A comparison of actual versus expected security parameters settings was last performed six years ago. Firewaiis and Remote Access Management: Commercial firewalls protect connectivity to Veronese & Tiffany Inc's Local Area Network (LAN) from external sources. For ease of use and flexibility, firewall administrative functions can be performed by everyone in the BITES function. Remote access to the network is controlled through an encrypted virtual private network (\"VPN") by two-factor authentication, using internal certificates and the em ployee's enterprise credentials. VPN access is granted and revoked using the User Access Management process, as described above. performed by everyone in the BITES function. Remote access to the network is controlled through an encrypted virtual private network (\"VPN\") by two-factor authentication, using internal certificates and the em ployee's enterprise credentials. VPN access is granted and revoked using the User Access Management process, as described above. Threat and Vulnerability; Management: The company subscribes to a vendor-alerting and intelligence service to receive vendor vulnerability alerts for operating systems. The vendor also provides security intelligence on current and emerging threats and vulnerabilities. Due to lack of sufficient resources, the CIO has tasked a tech-savvy analyst from the Finance department to assess these alerts and propose appropriate action (e.g., patch, antivirus update). The CIO personally reviews the recommendations and directs necessary steps to be taken based on the threat-level ofthe alerts, recommendations proposed, and the underlying costs. The CIO takes pride in the success of this initiative as reflected by the fact that there has not been a single breach to-date in the company's security of its data and systems. Anti-virus Protection Management: The Security team also maintains anti-virus software on PCs and Windows servers. Anti-virus signatures and engines are updated with the latest vendor releases using automated software. Regular updates are applied centrally and then pushed to Windows servers and personal computers. Every three years, IT Security conducts penetration tests of its internal and external infrastructure. An internal team of security specialists, along with an external security consulting company, conducts these tests. Computer Operations Management Back-up of financial data: Back-up of financial data and retention of backedup data is handled internally. The Infrastructure Support team within BITES maintains the infrastructure necessary to successfully backup up data; with Iron Mountain providing off-site storage. Backup tapes are picked up Iron Mountain daily. At that time, Iron Mountain also drops off the oldest set of tapes they have in storage. These tapes are used for backup rotation functions. The Infrastructure team utilizes EszBackUp as the backup tool for AviOnyx and supporting infrastructure components (databases and operating systems). Quarterly full backup jobs (runs on Friday) are scheduled to run during the evening on backup devices and servers at various times. Disaster Recovery Testing: The Infrastructure Support team plans to perform a disaster recovery exercise every two years to ensure their technology and business data can be recovered within the timeframe required by business. The disaster exercise also provides them the opportunity to test disaster recovery plans and train staff to respond to a significant disaster that could impact our business. This exercise utilizes a warm site data centre disaster recovery strategy. The strategy involves the production environment being recovered at the warm site by restoring the production operating systems and the business data from back up storage media. Job Scheduling Management: Automated scheduling software (EszScheduler) manages the production job scheduled for AviOnyx. Permanent changes to the production job schedule are requested, approved and implemented through the EszScheduler. The requester submits the change, which is then reviewed, approved and implemented by the AMS team. AMS confirms the change, which results in automatic implementation into thejob schedule. Due to system limitations and licensing cost constraints, only one user ID is configured in EszScheduler. The password to this user ID is shared by the AMS team. All ad hocjobs are approved by the AMS team and are added to the production job schedule via the EszScheduler panel. Data Center Management: Veronese & Tiffany Inc. installed a backup data center at its Sarnia, ON office three months ago. The center is used for testing and development work with full capabilities to handle complete backup processing in the case of a failure ofthe company's primary computer center in Kitchener, ON. The new data center consists of a large IBM mainframe, 15 tape drives, 20 disk drives, and network communications equipment to link the center to the company's primary network. Approximately, three employees work to cover the center's three shifts {one per shift) that provide functions of scheduling, security, software support, operations support, and library facilities. The center is designed to operate 24 hours per day 365 days per year. An automatic fire suppression system was installed last month. At that time, the Data Center Manager held a meeting for all three data centre employees to verbally instruct them as to their responsibilities in the event of a fire emergency. A security officer was hired prior to the start up of the computer center to administer security procedures for the protection of the facility. The officer reports directly to the morning shift employee. Devices were installed at entrance and exit points of the computer facility to detect magnetic items {tapes and/or disk packs) passing through. This was done to prevent the unauthorized removal of tapes or disks. Due to budgetary constraints (and the limited number of current users accessing the facility), the project to restrict entry to and exit from the data centre via proximity cards is currently put on hold. Currently, access is restricted via use of a pinpad lock. The correct combination of the pinpad lock is known to the Data Center Manager, three shift employees, and the security officer only. Lastly, the Data Centre Manager proudly announced to his team in this month's communication that the next fiscal year's budget Veronese & Tiffany Inc. has an approved placeholder for a project to install security cameras within and outside the data center. Appendix 1: Process Flowchart It is a standard practice within most audit firms or internal audit functions to reflect the auditee's processes in the form of a flowchart. This will take a bit of creativity on the team's part. Based on the business and IT process selected (from the case study scenario above), teams are required to develop a flowchart identifying the respective stakeholders, all three significant risk points (What Could Go Wrongs or WCGWs}, documents or artifacts generated, and any other relevant details as you see fit. Teams will be using the flow chart for the remainder of the assignment (development of the detailed audit program). Hence, your level of detail in the flowchart must be detailed enough to support subsequent discussions. Please aim to use only simple flowcharting symbols as shown below: -) Start / End An oval represents a start or an end point A A line is a connector that shows the direction and rrows relationships between the representative shapes / Input / Output A parallelogram represents an input or an output A rectangle represents a process, sub-process, or Process _ . activity _ _ A diamond indicates a decision point showing DeCiSion _ _ V alternative ch0ices Appendix 2: Audit Program Leadsheet Selected Process This would be either a business or an IT process selected by the group. Process Objective Describe an overall audit objective while reviewing the selected business or IT process. Key Risks Choose between 3 - 5 most important risk faced by the auditee in the selected process. Control Objectives For each risk identified above, formulate a corresponding control objective. Key Technologies List all relevant systems being used by the auditee in the selected process. Preparer(s) Group members names Approver(s) Instructor name Key Artifacts List all relevant evidences (documents) to be reviewed as a part of the audit programAppendix 3: Detailed Audit Program Control Objective 01 Bring in each control objective from the table above in Appendix 3 Bring in each key risk from the table above in Appendix 3 Control Activity Identify appropriate 1 7 3 control activities (processes) that would support each control objective Control Activity Attributes State the frequency and nature of each control activity Audit Criteria For each control activity, state the criteria (what) that needs to be evaluated as a part of your audit procedure Audit Procedures For each criteria identified in the previous column, propose an audit procedure that includes the following four aspects: A. Extent of sampling, B. Evidence gathering technique(s) being used, Specific evidence(s] to be reviewed, and Auditor's actions as a part of the audit procedure Marks Application Controls Audit Program (7.5%) due by 11:59 PM on Friday of Week 07 {100 marks) Prepare a cover sheet and a table of contents for all aspects (listed below) to be completed as a part of this 05 deliverable. Section 01 of the Audit Program: Develop a process flow chart for one business process from the three processes 20 provided in the case study. See Appendix 1 for more details. Section 02 of the Audit Program: Establish application control objectives, identify corresponding key risks, and 25 formulate the scope for the one business process selected in Section 01 above. See Appendix 2 for more details. Section 03 of the Audit Program: Develop a detailed audit program containing control activities, audit criteria, 40 and procedures for each identified control objective in Section 02 above. See Appendix 3 for more details. Spring 2023 (Professor: Amit M. Mehta) Page | 2 ACCT74040 Auditing Information Systems | Audit Programs & Reporting Assignments Marks Prepare all aspects of this deliverable in a manner that is logical, concise and persuasive. Submit the parts listed 10 above in a timely manner in the respective eConestoga dropbox