Question
SeneTech Inc. is a retail and wholesale business focusing on IT hardware. Its head office is located in Bangkok, Thailand. SeneTech has 20 branches located all over Bangkok. The centralized data center is in Bangkok. SeneTech has more than 20,000 product items. SeneTech implemented a new Warehouse Management System to improve the efficiency of its warehouse operations and a new Mobile Store System to increase its competitive advantage and support the significant increase of sales transactions. Both the Warehouse Management System and the Mobile Store System are integrated with the Enterprise Resource Planning (ERP) system. The Warehouse Management System was implemented to assist SeneTech to control the movement and storage of its inventory and related processes such as shipping, receiving, fulfillment, and packing. The Mobile Store System is an application which facilitates completion of sales transactions on the sales floor by SeneTech sales employees. This means that a customer does not have to wait in line to pay at a cash register.
IT Organization
During an interview with the IT manager, you noted that there are two divisions – the Operations Division and the Application & Change Development Division.
The job descriptions for each division are as follows.
Operations Division:
o Back up applications, database, operating systems, and configurations
o Restore data based on user request
o Manage and maintain user profiles and authorizations
Application & Change Development Division:
o Develop and test applications
o Transfer applications from the test environment to production environment
o Coordinate with IT vendors
o Manage and maintain databases
o Assign database access authority to users
o Review and set up security configurations
Your review of the long- and short-term IT plans showed that SeneTech has three major projects – Enterprise Resource Planning System (ERP) project, Warehouse Management System project, and Mobile Store System project. In the past, SeneTech used accounting software and a point-of-sale system, but both were not integrated with each other. When a customer purchased a product, a salesperson recorded a sales transaction into the point-of-sale system and printed a sales invoice and a receipt for the customer. The next morning, the salesperson submitted an original sales invoice and a copy of the receipt to accounting personnel. Accounting personnel then recorded the sales transactions in the accounting software. Due to the increased number of sales transactions, it became impossible for the accounting staff to re-key all the sales transactions into the accounting system. SeneTech decided to implement a new ERP system to increase its competitive advantage and provide accurate and timely information to management. Since the current point-of-sale system could not integrate with the new ERP system, SeneTech decided to change the current point-of-sale system to a Mobile Store System. A Mobile Store System is an application which facilitates completion of sales transactions on the sales floor by SeneTech salespeople and at the cash registers. With this system, SeneTech can reduce congestion at cash registers and a customer does not have to wait in line to pay. If customers wish to pay on the sales floor instead of at the cash registers, they must pay by either credit or debit card.
SeneTech decided to implement the Warehouse Management System due to its numerous product items and to assist it in controlling the movement and storage of inventory and processes such as shipping, receiving, fulfillment, and packing.
Both the long- and short-term IT plans are reviewed and approved by the IT manager and top management. The IT manager has to report the progress of major projects to top management every quarter.
Information Security
SeneTech established an IT security policy which required all personnel to attend an IT security training class. SeneTech also implemented a domain controller to ensure that users are authenticated before they access the systems.
The password policy states as follows:
- Passwords should be established for individual users to maintain accountability
- The minimum password length is 6 characters
- Passwords should be changed every 90 days
- Passwords should consist of letters (a-Z), numbers (0-9), and other special characters (such as “?”, “#”, “$”, or “%”)
The security configurations for domain controller, ERP, Warehouse Management System, and Mobile Store System are as follows:
| Configuration | Domain Controller | ERP | Warehouse Management System | Mobile Store System |
| --- | --- | --- | --- | --- |
| Password Length | 8 | 8 | 8 | 8 |
| Password Expiration | 120 | 120 | - | - |
| Password Complexity | Y | Y | N | N |
| Failed Login Attempt | 3 | - | - | - |
| Time-out facility | N | Not Supported | Not Supported | Not Supported |
The assistant IT manager of operations is responsible for maintaining user profiles and authorization lists. To request a new user, termination of a user account, or a user’s authorization modification, a requester must fill out a user request form and submit it to the requester’s department manager for approval. The approved form is then submitted to the assistant IT manager of operations. The manager creates, changes, or deletes a user account only after the approved user request form has been received. Since SeneTech does not have an authorization matrix for each position, the assistant IT manager of operations sets up the authorization based on the requirements in the user request form.
Upon reviewing the IT security policy, you learned that the failed login log of the domain controller must be reviewed by the assistant IT manager of operations on a monthly basis. However, you found that an IT operations staff member reviewed the failed login attempts in the domain controller at the end of each month, signed off as a preparer, and submitted it to the assistant IT manager of operations for final review. You noticed that the assistant IT manager of operations did not sign off as a reviewer, although he indicated that he reviewed this report every month.
The IT security policy states that each department manager should review the list of current users and their authorization at least once a year. You noted during your interview of the assistant IT manager of operations that the list of current users and their authorization would be reviewed in the fourth quarter. You learned that the human resource manager was currently responsible for reviewing the list of current users and their authorizations on behalf of all the department managers. In addition, you noted that the administrator user names and passwords for every system are shared among the IT manager, assistant IT manager of application and change, and assistant IT manager of operations.
When you visited the data center, you noticed that a finger scan system was implemented in front of the SeneTech data center so that only authorized IT employees are allowed access to the data center. All visitors to the data center are required to sign their names in the visitor log book and be escorted by an authorized IT employee. Your review of the visitor log book showed that the visitors wrote their names, the dates of their visit, time in, time out, company name, and the purposes of their visits in the visitor log book. The authorized IT employee escorting the visitor also signed his or her name in the visitor log book. When you visited the data center, an authorized IT employee escorted you at all times. Your review of the list of authorized IT employees showed that all IT staff could access the data center. When observing the data center, you noted that the data center is located on the second floor of the SeneTech building and the area of the data center is about 25 square meters. Two smoke detectors, a fire alarm, a fire suppression machine and two air conditioners were in the data center. The temperature was 22 degrees Celsius during your visit. However, you noted that uninterrupted power supplies for all the servers and IT equipment were not installed.
Case Requirements
SeneTech is a new client of your audit firm. Your audit manager assigned you to identify weaknesses in the IT general controls. Write a memo to document all the IT general control issues you have identified.
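A policy-versus-configuration gap check for the password policy and the security configuration table in the case, as an added example that is not part of the original question or its solution. It assumes that "-" means the setting is not configured and that expiration values are in days; the Failed Login Attempt and Time-out rows are left out because the quoted password policy states no required value for them.

```python
# Constructed from the case text: the written password policy and the
# configuration table. Assumptions: "-" means "not configured" and the
# expiration values are in days, the unit the policy uses.
POLICY = {"min_length": 6, "max_age_days": 90, "complexity": True}

CONFIG_TABLE = """\
Configuration | Domain Controller | ERP | Warehouse Management System | Mobile Store System
Password Length | 8 | 8 | 8 | 8
Password Expiration | 120 | 120 | - | -
Password Complexity | Y | Y | N | N
"""

def parse_table(text):
    """Return {system: {setting: raw_value}} from the pipe-delimited table."""
    rows = [[c.strip() for c in line.split("|")] for line in text.strip().splitlines()]
    systems = rows[0][1:]
    return {s: {r[0]: r[i + 1] for r in rows[1:]} for i, s in enumerate(systems)}

def to_int(raw):
    """Numeric setting, or None when the cell is '-' (treated as not configured)."""
    return int(raw) if raw.isdigit() else None

def policy_gaps(config, policy=POLICY):
    """List (system, setting, finding) for every deviation from the policy."""
    gaps = []
    for system, s in config.items():
        length = to_int(s["Password Length"])
        if length is None or length < policy["min_length"]:
            gaps.append((system, "Password Length",
                         f"{s['Password Length']} < {policy['min_length']}"))
        age = to_int(s["Password Expiration"])
        if age is None:
            gaps.append((system, "Password Expiration", "not configured"))
        elif age > policy["max_age_days"]:
            gaps.append((system, "Password Expiration",
                         f"{age} days exceeds {policy['max_age_days']}"))
        if policy["complexity"] and s["Password Complexity"] != "Y":
            gaps.append((system, "Password Complexity", "not enforced"))
    return gaps

if __name__ == "__main__":
    for system, setting, finding in policy_gaps(parse_table(CONFIG_TABLE)):
        print(f"{system}: {setting}: {finding}")
```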
Step by Step Solution
Step: 1
MEMORANDUM Date13072021 To XYZ audit Manager ABC Ltd From PQR Subject IT General Control Issues of Sene Tech Inc I am writing to inform about the IT g...