Question
The company (KIMBERLY INDUSTRIES LTD.) is divided into five autonomous divisions, each carrying out distinct types of business. Within each division there are independent units with differing markets and working practices. The Head Office has a large central information-systems function comprising central accounting functions and company-wide computer services. The computer-services department accounts for about half the cost of the central information-systems functions. The company operates throughout Canada.
Internal Audit
Two divisions, whose income is heavily cash based, have internal audit operations that carry out primarily cash and inventory checking activities. The Head Office computer audit department is responsible for computer audits across the company, liaison and assistance work for the external audit, and quality assurance for new computer developments.
Computer Policy
The IT Governance Committee is a sub-committee of the Corporate Governance Committee, established by the Board. The members of the IT Governance Committee consist of: three board members; Vice Presidents on the business side as well as Vice Presidents on the IT side; the chief financial officer; other stakeholders as appropriate. The administration of computer policy is the responsibility of the Vice President IT Management Framework of the central information-systems functions. He also has the responsibility to approve all information system developments below $500,000. A company-wide information system policy covers the preferred hardware and IT leases. Purchase-approval levels were approved by the IT Governance Committee. Any major IT capital expenditure or computer system development that exceeds $500,000 has to be approved by the IT Governance Committee and then by the Board of Directors.
Computer resources are made up of:
- A centralized mainframe (IBM mainframe) operating as an internal service bureau for the whole company.
- A mainframe (IBM mainframe) dedicated to one company within the group.
- Remotely placed minicomputers with operations on-site and all systems controlled from the centre.
- Independent specialist minicomputers, each servicing a single site with specialist applications. (The major problem lies with the latter category.)
Independent Minicomputers
Each site using a specialist minicomputer has the base package installed and is supported by the central computer services department. Operational control lies with the site management. The composition of this package is as follows:
Site Programming and Password Security
Pressure to reduce central costs has resulted in increasing delays in meeting site requests for system changes and new systems. As a result, the local sites have started to do their own computer programming on their minicomputers. The general quality of the sites' systems and program development is below that of central computer standards. Site Data Processing managers have access to all files and programs. These two weaknesses, substandard programming and password security, have raised a concern from the external auditor as to the degree of reliance that could be placed on the accounting information produced by site computers.
Audit Methods
Each site and the central-development department are reviewed each year by the external auditor and the internal audit department (computer audit) assists the external auditor.
A review was carried out as part of the evaluation and testing of internal controls in order to determine the reliance that could be placed on the information in the accounting records. It was determined that reliance could be placed on the application controls applied by the computer systems and on the controls over the processing of data at the computer centres.
The review concentrated on five main areas:
- Organization.
- Systems development.
- Computer processing.
- File access.
- Program maintenance.
The conclusion each year has been that audit could not place reliance on the information produced through the computer. This, in practice, meant only that the external audit teams placed reliance on the manually produced controls; i.e., auditing around the computer. Weaknesses found were reported to management each year in the form of external audit management's letters and internal audit reports.
The possibility of loss arising from this lack of reliance was not raised with senior management, so neither central computer management nor management generally could act effectively to correct the control weaknesses. Thus, the concerns of internal audit were largely ignored by management until a recent quantifiable loss resulted from faulty site-based system development.
Revised Audit Approach
After that loss, computer audit was given wider responsibility that included developing, introducing, and enforcing development standards at the various sites. These standards comprised:
- Authorization procedures.
- Guidance on project control.
- Technical standards.
- Training procedures.
- Enforcement procedures by the internal audit department.
All sites' systems and program developments are reported to the computer audit department, enabling it to gain an overall assessment of the impact of new developments and system changes at each site, and providing a means of selecting certain system changes and site modifications for coordination into the company-wide software platform, thus guaranteeing central support.
The password security was revised to remove the concentration of responsibility from the sites' computer-development sections. The segregation of responsibilities was achieved as shown in Appendices A and B. Security logging was introduced to provide a means of audit verification of the use of compilers and computer programs on-site.
This security log notes accesses to compilers and password updates. The file is encrypted to reduce the possibility of tampering with records that are sequentially numbered to prove continuity. The computer audit department analyzes the file as part of its review of authorization of access during each audit.
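As an added example, not part of the case study, the following shows the kind of analysis the computer audit department would run over the security log described above: a continuity check on the sequence numbers (gaps and duplicates) and an authorization review of compiler accesses and password updates. The record layout (seq|timestamp|user|event|detail), the sample lines and the authorized-user lists are constructed; the log is assumed to have been decrypted before analysis.

```python
# Added example (not from the case study): continuity and authorization
# checks over a site security log. Layout and sample data are constructed.

# Constructed sample export. Sequence numbers 5 and 8 are missing
# (possible deleted records), and 6 appears twice (possible replay).
SAMPLE_LOG = """\
1|T08:02|OP01|COMPILE|PAYROLL/PR100
2|T08:15|SO01|PASSWD_UPDATE|user=WS07
3|T09:40|WS07|COMPILE|LOCAL/INV200
4|T10:05|OP01|COMPILE|LOCAL/INV210
6|T11:30|SO01|PASSWD_UPDATE|user=OP01
6|T11:30|SO01|PASSWD_UPDATE|user=OP01
7|T13:00|DP01|COMPILE|LOCAL/GL050
9|T14:20|OP01|PASSWD_UPDATE|user=OP01
"""

def parse_log(text):
    """Split the export into (seq, ts, user, event, detail) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ts, user, event, detail = line.split("|", 4)
        records.append((int(seq), ts, user, event, detail))
    return records

def analyze(records, compiler_users, security_officers):
    """Return continuity breaks and access events needing authorization review.

    compiler_users: users authorized to use compilers (assumed list).
    security_officers: users allowed to perform password updates (assumed,
    following the security-officer role in the case).
    """
    seqs = [r[0] for r in records]
    seen, duplicates = set(), set()
    for s in seqs:
        if s in seen:
            duplicates.add(s)  # same number twice: replayed or re-inserted record
        seen.add(s)
    gaps = sorted(set(range(min(seqs), max(seqs) + 1)) - seen)  # missing numbers
    compiles = sorted({r[2] for r in records
                       if r[3] == "COMPILE" and r[2] not in compiler_users})
    passwd = sorted({r[2] for r in records
                     if r[3] == "PASSWD_UPDATE" and r[2] not in security_officers})
    return {"gaps": gaps, "duplicates": sorted(duplicates),
            "unauthorized_compiles": compiles,
            "unauthorized_password_updates": passwd}
```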
Audit Program
The elements described above were put into a concise computer audit program. Each site was visited each year by the computer audit department in order to establish reliance and adherence to the standards.
Results
The new procedures and checks provide a basis for confidence and highlight any errors of possible concern at an early point. There are, however, major problems in gaining positive commitment of site management to implement these controls. It requires a continuing sales effort and a continued high level of technical knowledge in order to retain confidence in respect to each site's Data Processing department and management.
Required
- The review that was made by the computer audit section covered five areas: (1) organization, (2) systems development, (3) computer processing, (4) file access, and (5) program maintenance.
- In the area of file access, evaluate the controls of the Resource Security Matrix (Appendix A) and of the Master Secured Program (Appendix B). What are your observations, their impact, and your recommendations to rectify the control weaknesses? Support your answer with four (4) points. Use the following table format for your answer. (8 marks)

| Weakness | Impact | Recommendation |
|---|---|---|
Appendix A
Resource Security Matrix
| USERS GROUP | | DATA FILES USED BY BASE SYSTEM | DATA FILES CREATED BY LOCAL SITE | CENTRALLY MAINTAINED ENHANCEMENT LIBRARY | CENTRALLY MAINTAINED PRODUCTION LIBRARY | LOCALLY CREATED PRODUCTION LIBRARY | DATA AND PROGRAM UTILITIES |
|---|---|---|---|---|---|---|---|
| USER | MSO | EFFECTIVELY HAS FREE ACCESS TO EVERYTHING | | | | | |
| | SO | OWNER | OWNER | NO ACCESS | EXECUTE | EXECUTE | NO |
| | WS | OWNER OR CHANGE | OWNER OR CHANGE | NO ACCESS | EXECUTE | EXECUTE | NO |
| CENTRE DP | SO | READ | READ | READ* | READ* | READ | YES |
| LOCAL DP | SO | READ | OWNER | READ | READ | OWNER | YES |
| | OP | READ | OWNER OR CHANGE | READ | READ | OWNER OR CHANGE | YES |
| | OP+ | OWNER | OWNER | CHANGE | OWNER | CHANGE | NO |
* OWNER status may be temporarily invoked by MSO for emergencies.
+ This user should be set up for use only for implementing local or central enhancement -- probably from the system console.
MSO -- Master security officer.
SO -- Security officer.
WS -- Work Station.
OP -- Operator.
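As an added example, not part of the case study or of any answer key, the matrix in Appendix A is encoded below and screened for combinations of rights that defeat segregation of duties. The three screening rules (modify rights combined with utilities, modify rights on a production library, and end users with modify rights on data files) are the editor's assumptions about what counts as an exposure; the cell values are transcribed from Appendix A, and the MSO row is handled separately because it is not a graded right.

```python
# Added example (not part of the case study): screens the Appendix A
# Resource Security Matrix for segregation-of-duties conflicts.
# The rules are assumptions; the cell values come from the matrix.

RANK = {"NO ACCESS": 0, "READ": 1, "EXECUTE": 2, "CHANGE": 3,
        "OWNER OR CHANGE": 3, "OWNER": 4}
MODIFY = RANK["CHANGE"]  # CHANGE or better lets the holder alter the resource

# Columns in Appendix A order (the utilities column is kept as a flag).
COLUMNS = ("base_data", "local_data", "enh_lib", "central_prod", "local_prod")
MATRIX = {  # subject: (rights per column, access to data/program utilities)
    "USER/SO": (("OWNER", "OWNER", "NO ACCESS", "EXECUTE", "EXECUTE"), False),
    "USER/WS": (("OWNER OR CHANGE", "OWNER OR CHANGE", "NO ACCESS",
                 "EXECUTE", "EXECUTE"), False),
    "CENTRE DP/SO": (("READ", "READ", "READ", "READ", "READ"), True),
    "LOCAL DP/SO": (("READ", "OWNER", "READ", "READ", "OWNER"), True),
    "OP": (("READ", "OWNER OR CHANGE", "READ", "READ", "OWNER OR CHANGE"), True),
    "OP+": (("OWNER", "OWNER", "CHANGE", "OWNER", "CHANGE"), False),
}

def find_weaknesses(matrix=MATRIX, free_access=("USER/MSO",)):
    """Return (subject, finding) pairs for rights that defeat segregation."""
    findings = [(s, "unrestricted access to all resources") for s in free_access]
    for subject, (rights, utilities) in matrix.items():
        r = dict(zip(COLUMNS, rights))
        can_modify = {c for c, v in r.items() if RANK[v] >= MODIFY}
        # Rule 1: utilities plus modify rights allow changes outside the application.
        if utilities and can_modify:
            findings.append((subject, "utilities with modify rights on "
                             + ", ".join(sorted(can_modify))))
        # Rule 2: modify rights on a production library allow program changes.
        prod = can_modify & {"central_prod", "local_prod"}
        if prod:
            findings.append((subject, "can modify production library "
                             + ", ".join(sorted(prod))))
        # Rule 3: business users should reach data only through the application.
        if subject.startswith("USER/") and can_modify & {"base_data", "local_data"}:
            findings.append((subject, "end user can alter data files directly"))
    return findings
```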
Appendix B
Master Secured Program
Master Security Officer[1] (Responsible Senior User)
- Security Officer[2] (Responsible DP Officer)
- Security Officer[2] (Central Data Processing Coordinator)
- Security Officer[2] (Responsible User)

| SYSTEM AND SUBCONSOLE OPERATORS | | WORK STATION OPERATORS |
|---|---|---|
| Access to data and program utilities. | Access to Device Firmware Upgrade (DFU), Security Enhancement Upgrade (SEU), Report Generator (RPG). | No access to data and program utilities. |
| Access to data files secured against all access except for read access. | Access to all data files secured against all access except for read. | |
| Access to centrally maintained libraries secured. | Access to production libraries secured. | Effectively run from menus and procedures. |
| One user not to have access to DFU, SEU, and RPG but to have access to production libraries for implementing enhancements only. | Access removed temporarily by MSO (master security officer) when required. | Access to production libraries set to EXECUTE. |
[1] May select and remove resource security.
[2] May select resource security.
Step by Step Solution
Step: 1
Rectify control weakness: To check all the system accounts and dismantle any account that cannot rela...