ABCD

Transitional
Paper-Based Audit
General Risk Assessment
International FSA
(11/10)

2.6.10 Understanding of IT
Document key elements of understanding of the entity's IT environment(s). Such
documentation includes elements which are related to the identification and
assessment of risks and to the design of further audit procedures. Consider the
guidance in the i-button. [i-button: I_FSA_2_6_10_a]

Key elements of understanding


The IT Department is led by the IT Manager, who reports directly to
the Chief Executive Officer. The IT Division is divided into four main
departments: Applications Development, Applications Administration
and Infrastructure. The total number of IT employees is 100; please
see the IT Organizational Chart.

Job descriptions, signed by the employees, were implemented at the
Company in order to ensure clear reporting lines and proper
segregation of duties within the IT Department. Please find an
example of a job description for an IT employee. The Company has
appointed an IT Security Officer whose role and responsibilities are
clearly described in the job description.

The IT Director is highly involved in the recruitment process for the
IT staff. Whenever a position is vacant within the IT Department, a
request is sent to the Human Resources Committee for the approval
of the headcount increase.

The Human Resources Department performs the first level of
recruitment activities (e.g. job announcement, review of CVs
received, etc.) based on the job profile received from the IT
Department and selects the candidates for the second level
interviews. The IT Director interviews the candidates selected by the
HR Department and takes the final employment decision together
with the HR Committee.

The turnover of staff within the IT Department is low. In the first
half of 2013, one employee left the IT Department and two new
employees were hired.

Indicate significant account(s) and/or disclosure(s), if applicable

Formal evaluation of the IT personnel is performed at the Company
on a yearly basis. The evaluation templates are discussed and filled
in by the employee and the direct manager of the employee and
approved by the Director/Head of Department to whom the
manager reports.

Computer systems are distributed across multiple locations and
technology environments (there are several branches connected to
the Company's headquarters). The Company relies on external
connectivity, including the Internet, in order to ensure
communication between sites. The telecommunication services are
based on formal contracts that include service level agreements
(SLAs).

The Company relies on the services provided by the following
technology partners:
- Orange Romania: VPN and data services;
- HP: hardware maintenance.
These services are based on formal contracts that include service
level agreements (SLAs). Fulfilment of the service level
agreements defined in the contracts is monitored by employees of
the IT Department. According to the IT Manager, there were no
significant issues with the service suppliers in 2013.

The Company uses the following IT applications.

A formal IT Strategy was implemented at the Company for 2013.
The IT Strategy covers the following issues: IT Management,
Strategic Information Technology Plan, Technological Direction and
Information Architecture. Please see an extract from the IT Strategy.

The IT Director prepares the IT Budget for the Company. The IT
Budget is included in the general budget of the Company and
approved by the Board of Directors and by the Top Management at
Group Level. The monitoring of expenses is performed by Adrian
Radu, from the Budget and SLA Department. Please refer for an
extract from the IT Budget and expenses monitoring.

Transactions are subject to calculations or other manipulations using
data or formulas. Reliability of processing is achieved via built-in
application controls together with related manual controls.

The Company finalized the implementation of the new core
Company system at the beginning of 2013.

Changes are usually performed with respect to the operating system
patches and packaged application upgrades.

Access controls are focused on logical and physical access to the
network and relevant IT applications. Database technology used is
maintained through the application tools and interfaces and access
is restricted to relevant personnel. Access controls are monitored
through IT operations and/or the Information Security Officer.

Computer operations consist of the following processes:
- Job processing (EOD/SOD);
- Backup and restoration;
- Incident management;
- Antivirus control.

A formal process for backup, retention, and storage of critical
financial data and programs is in place. Backup media is stored at a
secured location. Backup media is periodically tested for re-usability.

A formal process is established for reporting, escalating, prioritizing
and solving IT incidents. Mechanisms are established for
communication to different levels of management, based upon
urgency.

The Company implemented antivirus solutions for protecting
workstations and servers against virus infections.

The Company has an Internal Audit department and one person is
specialized in performing IT audits. According to the IT Manager,
various tests were performed by the IT Auditor in 2013, as part of
the internal audit engagements executed in accordance with the
yearly Audit Plan approved at the Company.

Document the procedures performed to gain an understanding
Procedures
Inquire with key personnel from the Company and review relevant
documentation in order to evaluate the key elements of
understanding.
Deliverable review

Done by and date

Were any control deficiencies noted? [i-button: I_FSA_2_6_10_e]

No

If yes, document the control deficiency in the Summary of Control Deficiencies
Work Paper.

Has a significant risk / financial statement level risk been
identified? [i-button: I_FSA_2_6_10_j]

No

If yes, document the significant risk / financial statement level risk in activity 4.5.4
Summary of risks in the Summary of Risks and Other Matters Work Paper.

Based upon our general understanding of IT above and the
nature of risk related to IT, do we expect to rely on application
controls (i.e. automated controls and manual controls with an IT
component)? [i-button: I_FSA_2_6_10_j]

Yes

If no, do not select automated controls or manual controls with an IT component for
testing. This selection is made in the following activities; 2.11.2 Relevant controls in
the Preparation of Financial Statements Work Paper, 2.11.2 Relevant controls in
the Journal Entries Work Paper, 2.10.1 Relevant higher level controls in the Higher
Level Controls Work Paper, and/or 2.11.2 Relevant controls in the Audit Program.

If yes to the question above, do we expect to rely on the relevant
general IT controls to support the consistent operation of
application controls during the period? [i-button: I_FSA_2_6_10_t]

Yes

If no, you cannot rely on relevant general IT controls when testing automated controls
or manual with automated component. The decision to rely is made in the control
description accessible in the following activities: 2.11.2 Relevant controls in the
Preparation of Financial Statements Work Paper, 2.11.2 Relevant controls in the
Journal Entries Work Paper, 2.10.1 Relevant higher level controls in the Higher
Level Controls Work Paper, and/or 2.11.2 Relevant controls in the Audit Program.

If yes, will we document the test of operating effectiveness of
relevant general IT controls in the General IT Controls Work
Paper? [i-button: I_FSA_2_13_1_a]

Yes

If yes, complete the General IT Controls Work Paper.


If no, document our rationale for not completing the General IT Controls Work
Paper and the audit evidence over the design and implementation and the operating
effectiveness of relevant general IT controls.
