Question

The company (KIMBERLY INDUSTRIES LTD.) is divided into five autonomous divisions, each carrying out distinct types of business. Within each division there are independent units with differing markets and working practices. The Head Office has a large central information-systems function comprising central accounting functions and company-wide computer services. The computer-services department accounts for about half the cost of the central information-systems functions. The company operates throughout Canada.


Internal Audit

Two divisions, whose income is heavily cash based, have internal audit operations that carry out primarily cash and inventory checking activities. The Head Office computer audit department is responsible for computer audits across the company, liaison and assistance work for the external audit, and quality assurance for new computer developments.


Computer Policy

The IT Governance Committee is a sub-committee of the Corporate Governance Committee, established by the Board. The members of the IT Governance Committee consist of: three board members; Vice Presidents on the business side as well as Vice Presidents on the IT side; the chief financial officer; other stakeholders as appropriate. The administration of computer policy is the responsibility of the Vice President IT Management Framework of the central information-systems functions. He also has the responsibility to approve all information system developments below $500,000. A company-wide information system policy covers the preferred hardware and IT leases. Purchase-approval levels were approved by the IT Governance Committee. Any major IT capital expenditures or computer system developments that exceed $500,000 have to be approved by the IT Governance Committee and then by the Board of Directors.


Computer resources are made up of:

  • A centralized mainframe (IBM mainframe) operating as an internal service bureau for the whole company.
  • A mainframe (IBM mainframe) dedicated to one company within the group.
  • Remotely placed minicomputers with operations on-site and all systems controlled from the centre.
  • Independent specialist minicomputers, each servicing a single site with specialist applications. (The major problem lies with the latter category.)


Independent Minicomputers

Each site using a specialist minicomputer has the base package installed and is supported by the central computer services department. Operational control lies with the site management. The composition of this package is as follows:






Site Programming and Password Security

Pressure to reduce central costs has resulted in increasing delays in meeting site requests for system changes and new systems. As a result, the local sites have started to do computer programming on their own minicomputers. The general quality of the sites' systems and program development is below that of central computer standards. Site Data Processing managers have access to all files and programs. The two weaknesses, substandard programming and password security, have raised a concern from the external auditor as to the degree of reliance that could be placed on the accounting information produced by site computers.


Audit Methods

Each site and the central-development department are reviewed each year by the external auditor and the internal audit department (computer audit) assists the external auditor.


A review was carried out as part of the evaluation and the testing of internal controls in order to determine the reliance that could be placed on the information in the accounting records. It was determined that reliance could be placed on the application controls applied by the computer systems and reliance could be placed on the controls over the processing of data at the computer centres.


The review concentrated on five main areas:

  1. Organization.
  2. Systems development.
  3. Computer processing.
  4. File access.
  5. Program maintenance.


The conclusion each year has been that audit could not place reliance on the information produced through the computer. This, in practice, meant only that the external audit teams placed reliance on the manually produced controls; i.e., auditing around the computer. Weaknesses found were reported to management each year in the form of external audit management's letters and internal audit reports.


The possibility of loss arising from this lack of reliance was not raised with senior management so that central computer management or management could act effectively to correct the control weaknesses. Thus, the concerns of internal audit were largely ignored by management until a recent quantifiable loss resulted from faulty site-based system development.


Revised Audit Approach

After that loss, computer audit was given wider responsibility that included developing, introducing, and enforcing development standards at the various sites. These standards comprised:

  • Authorization procedures.
  • Guidance on project control.
  • Technical standards.
  • Training procedures.
  • Enforcement procedures by the internal audit department.


All sites' systems and program development report to the computer audit department to enable them to gain an overall assessment of the impact of new developments and system changes in general at each site and to provide a means for selecting certain system changes and site modifications (coordination) into the company-wide software platform, thus providing guaranteed central support.


The password security was revised to remove the concentration of responsibility from the sites' computer-development sections. The segregation of responsibilities was achieved as shown in Appendix A and B. Security logging was introduced to provide a means of audit verification of the use of compilers and computer programs on-site.


This security log notes accesses to compilers and password updates. The file is encrypted to reduce the possibility of tampering with records that are sequentially numbered to prove continuity. The computer audit department analyzes the file as part of its review of authorization of access during each audit.


Audit Program

The elements described above were put into a concise computer audit program. Each site was visited each year by the computer audit department in order to establish reliance and adherence to the standards.


Results

The new procedures and checks provide a basis for confidence and highlight any errors of possible concern at an early point. There are, however, major problems in gaining positive commitment of site management to implement these controls. It requires a continuing sales effort and a continued high level of technical knowledge in order to retain confidence in respect to each site's Data Processing department and management.


Required

  1. The review that was made by the computer audit section covered five areas: (1) organization, (2) systems development, (3) computer processing, (4) file access, and (5) program maintenance.
    1. In the area of file access, evaluate the controls of the Resource Security Matrix (Appendix A) and of the Master Secured Program (Appendix B). What are your observations, their impact, and your recommendations to rectify the control weaknesses? Support your answer with four (4) points. Use the following table format for your answer. (8 marks)


| Weakness | Impact | Recommendation |
|---|---|---|
|  |  |  |


Appendix A

Resource Security Matrix





| USERS GROUP |  | DATA FILES USED BY BASE SYSTEM | DATA FILES CREATED BY LOCAL SITE | CENTRALLY MAINTAINED ENHANCEMENT LIBRARY | CENTRALLY MAINTAINED PRODUCTION LIBRARY | LOCALLY CREATED PRODUCTION LIBRARY | DATA AND PROGRAM UTILITIES |
|---|---|---|---|---|---|---|---|
| USER | MSO | EFFECTIVELY HAS FREE ACCESS TO EVERYTHING (all columns) |  |  |  |  |  |
| USER | SO | OWNER | OWNER | NO ACCESS | EXECUTE | EXECUTE | NO |
| USER | WS | OWNER OR CHANGE | OWNER OR CHANGE | NO ACCESS | EXECUTE | EXECUTE | NO |
| CENTRE DP | SO | READ | READ | READ* | READ* | READ | YES |
| LOCAL DP | SO | READ | OWNER | READ | READ | OWNER | YES |
| LOCAL DP | OP | READ | OWNER OR CHANGE | READ | READ | OWNER OR CHANGE | YES |
| LOCAL DP | OP+ | OWNER | OWNER | CHANGE | OWNER | CHANGE | NO |


* OWNER status may be temporarily invoked by MSO for emergencies.

+ This user should be set up for use only for implementing local or central enhancement -- probably from the system console.

MSO -- Master security officer.

SO -- Security officer.

WS -- Work Station.

OP -- Operator.


Appendix B

Master Secured Program





Master Security Officer[1] (Responsible Senior User)

Security Officers[2] (Responsible DP Officer)

Security Officers[2] (Central Data Processing Coordinator)

Security Officers[2] (Responsible User)

SYSTEM AND SUBCONSOLE OPERATORS

WORK STATION OPERATORS

  • Access to data and program utilities.
  • Access to Device Firmware Upgrade (DFU), Security Enhancement Upgrade (SEU), Report Generator (RPG)
  • No access to data and program utilities.
  • Access to data files secured against all access except for read access
  • Access to all data files secured against all access except for read.
  • Access centrally maintained libraries secured.
  • Access to production libraries secured.
  • Effectively run from Menus and procedures.
  • One user not to have access to DFU, SEU, and RPG but to have access to production libraries for implementing enhancements only.
  • Access removed temporarily by MSO (master security officer) when required.
  • Access to production libraries set to EXECUTE.


[1] May select and remove resource security.

[2] May select resource security.
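
The security log described under Revised Audit Approach records compiler accesses and password updates in sequentially numbered records. The following is an added example, not part of the case study, of the continuity and authorization checks an auditor could run over that log once it has been decrypted. The record layout, the user labels and the approved-user list are assumptions made for illustration.

```python
# Added example, not from the case study. The record layout
# (seq|timestamp|user|event|detail) and every sample value are constructed.
SAMPLE_LOG = """\
1001|2024-03-04T09:12|LOCAL-OP+|COMPILER|RPG
1002|2024-03-04T09:40|LOCAL-SO|PWD_UPDATE|WS07
1003|2024-03-04T10:05|LOCAL-OP|COMPILER|RPG
1006|2024-03-04T16:30|LOCAL-SO|PWD_UPDATE|WS02
1006|2024-03-04T16:31|LOCAL-SO|COMPILER|RPG
1005|2024-03-04T15:00|CENTRE-SO|COMPILER|RPG
""".splitlines()

# Assumption: users holding an approved change request for compiler use.
APPROVED_COMPILER_USERS = {"CENTRE-SO", "LOCAL-OP"}


def parse(line):
    seq, ts, user, event, detail = line.split("|")
    return {"seq": int(seq), "ts": ts, "user": user, "event": event, "detail": detail}


def audit_log(lines, approved):
    """Report breaks in sequence continuity and unapproved compiler access."""
    findings = {"missing": [], "duplicates": [], "out_of_order": [],
                "unapproved_compiler": []}
    records = [parse(line) for line in lines if line.strip()]
    if not records:
        return findings
    seen, highest = set(), None
    for rec in records:
        seq = rec["seq"]
        if seq in seen:
            findings["duplicates"].append(seq)      # number reused: inserted record?
        elif highest is not None and seq < highest:
            findings["out_of_order"].append(seq)    # written after a later number
        seen.add(seq)
        highest = seq if highest is None else max(highest, seq)
        if rec["event"] == "COMPILER" and rec["user"] not in approved:
            findings["unapproved_compiler"].append(seq)
    # Any number absent between the first and last record breaks continuity.
    findings["missing"] = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return findings


if __name__ == "__main__":
    for name, seqs in audit_log(SAMPLE_LOG, APPROVED_COMPILER_USERS).items():
        print(f"{name}: {seqs}")
```

A missing or reused number is the signal the sequential numbering is designed to expose, so each one should be traced back to the site before the log is relied on as audit evidence.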


Step by Step Solution

Step: 1

Rectify control weakness To check all the system accounts and dismantle any account that cannot rela...
