The company (KIMBERLY INDUSTRIES LTD.) is divided into five autonomous divisions, each carrying out distinct types of business. Within each division there are independent units with differing markets and working practices. The Head Office has a large central information-systems function comprising central accounting functions and company-wide computer services. The computer-services department accounts for about half the cost of the central information-systems functions. The company operates throughout Canada.

Internal Audit

Two divisions, whose income is heavily cash based, have internal audit operations that carry out primarily cash and inventory checking activities. The Head Office computer audit department is responsible for computer audits across the company, liaison and assistance work for the external audit, and quality assurance for new computer developments.

Computer Policy

The IT Governance Committee is a sub-committee of the Corporate Governance Committee, established by the Board. The members of the IT Governance Committee consist of: three board members; Vice Presidents on the business side as well as Vice Presidents on the IT side; the chief financial officer; other stakeholders as appropriate. The administration of computer policy is the responsibility of the Vice President IT Management Framework of the central information-systems functions. He also has the responsibility to approve all information system developments below $500,000. A company-wide information system policy covers the preferred hardware and IT leases. Purchase-approval levels was approved by the IT Governance Committee. Any major IT capital expenditures or computer system development that exceed $500,000 have to be approved by the IT Governance Committee and then the Board of Directors for approval.

Computer resources are made up:

• A centralized mainframe (IBM mainframe) operating as an internal service bureau for the whole company.
• A mainframe (IMB mainframe) dedicated to one company within the group.
• Remotely placed minicomputers with operations on-site and all systems controlled from the centre.
• Independent specialist minicomputers, each servicing a single site with specialist applications. (The major problem lies with the latter category.)

Independent Minicomputers

Each site using a specialist minicomputer has the base package installed and is supported by the central computer services department. Operational control lies with the site management. The composition of this package is as follows:

Site Programming and Password Security

Pressure to reduce central costs has resulted in increasing delays in meeting site requests for system changes and new systems. As a result, the local sites have started to complete to do computer programing on their own minicomputers. The general quality of the sites' systems and program development carried out is below that of central computer standards. Site Data Processing managers have access to all files and programs. The two weaknesses, substandard programming and password security, have raised a concern from the external auditor as to the degree of reliance that could be placed on the accounting information produced by site computers.

Audit Methods

Each site and the central-development department are reviewed each year by the external auditor and the internal audit department (computer audit) assists the external auditor.

A review was carried out as part of the evaluation and the testing of internal controls in order to determine the reliance that could be placed on the information in the accounting records, It was determined that reliance could be placed the application controls applied by the computer systems and reliance could be placed on the controls over the processing of data at the computer centres.

The review concentrated on five main areas:

1. Organization.
2. Systems development.
3. Computer processing.
4. File access.
5. Program maintenance.

The conclusion each year has been that audit could not place reliance on the information produced through the computer. This, in practice, meant only that the external audit teams placed reliance on the manually produced controls; i.e., auditing around the computer. Weaknesses found were reported to management each year in the form of external audit management's letters and internal audit reports.

The possibility of loss arising from this lack of reliance was not raised with senior management so that central computer management or management could act effectively to correct the control weaknesses. Thus, the concerns of internal audit were largely ignored by management until a recent quantifiable loss resulted from faulty site-based system development.

Revised Audit Approach

After that loss, computer audit was given wider responsibility that included developing, introducing, and enforcing development standards at the various sites. These standards comprised of:

• Authorization procedures.
• Guidance on project control.
• Technical standards.
• Training procedures.
• Enforcement procedures by the internal audit department.

All sites' systems and program development report to the computer audit department to enable them to gain an overall assessment of the impact of new developments and system changes in general at each site and to provide a means for selecting certain system changes and site modifications (coordination) into the company-wide software platform, thus providing guaranteed central support.

The password security was revised to remove the concentration of responsibility from the sites' computer-development sections. The segregation of responsibilities was achieved as shown in Appendix A and B. Security logging was introduced to provide a means of audit verification of the use of compilers and computer program on-site.

This security log notes accesses to compilers and password updates. The file is encrypted to reduce the possibility of tampering with records that are sequentially numbered to prove continuity. The computer audit department analyzes the file as part of its review of authorization of access during each audit.

Audit Program

The elements described above were put into a concise computer audit program. Each site was visited each year by the computer audit department in order to establish reliance and adherence to the standards.

Results

The new procedures and checks provide a basis for confidence and highlight any errors of possible concern at an early point. There are, however, major problems in gaining positive commitment of site management to implement these controls. It requires a continuing sales effort and a continued high level of technical knowledge in order to retain confidence in respect to each site's Data Processing department and management.

Required

1. The review that was made by the computer audit section covered five areas: (1) organization, (2) systems development, (3) computer processing, (4) file access, and (5) program maintenance.
   1. In the area of file access, evaluate the controls of the Resource Security Matrix (Appendix A) and of the Master Secured Program (Appendix B). What are your observations, their impact, and your recommendations to rectify the control weaknesses. Support your answer with four (4) points. Use the following table format for your answer. (8 marks)

Weakness	Impact	Recommendation

Appendix A

Resource Security Matrix

USERS GROUP		DATA FILES USED BY BASE SYSTEM	DATA FILES CREATED BY LOCAL SITE	CENTRALLY MAINTAINED ENHANCEMENT LIBRARY	CENTRALLY MAINTAINED PRODUCTION LIBRARY	LOCALLY CREATED PRODUCTION LIBRARY	DATA AND PROGRAM UTILITIES
USER	MSO		EFFECTIVELY HAS FREE ACCESS TO EVERYTHING
	SO	OWNER	OWNER	NO ACCESS	EXECUTE	EXECUTE	NO
	WS	OWNER OR CHANGE	OWNER OR CHANGE	NO ACCESS	EXECUTE	EXECUTE	NO
CENTRE DP	SO	READ	READ	READ*	READ*	READ	YES
LOCAL DP	SO	READ	OWNER	READ	READ	OWNER	YES
	OP	READ	OWNER OR CHANGE	READ	READ	OWNER OR CHANGE	YES
	OP+	OWNER	OWNER	CHANGE	OWNER	CHANGE	NO

* OWNER status may be temporarily invoked by MSO for emergencies.

+ This user should be set up for use only for implementing local or central enhancement -- probably from the system console.

MSO -- Master security officer.

SO -- Security officer.

WS -- Work Station.

OP -- Operator.

Appendix B

Master Secured Program

Master Security Officer^[1]

(Responsible Senior User)

Security Officers[2] (Responsible DP Officer)		Security Officers2 (Central Data Processing Coordinator)		Security Officers2 (Responsible User)

SYSTEM AND SUBCONSOLE OPERATORS		WORK STATION OPERATORS
Access to data and program utilities.	Access to Device Firmware Upgrade (DFU), Security Enhancement Upgrade (SEU), Report Generator (RPG)	No access to data and program utilities.
Access to data files secured against all access except for read access	Access to all data files secured against all access except for read.
Access centrally maintained libraries secured.	Access to production libraries secured.	Effectively run from Menus and procedures.
One user not to have access to DFU, SEU, and RPG but to have access to production libraries for implementing enhancements only.	Access removed temporarily by MSO (master security officer) when required.	Access to production libraries set to EXECUTE.

[1] May select and remove resource security.

[2] May select resource security.