IT General Controls
This report is intended solely for the information and use of the management of CONSUMER PRODUCTS AND RETAIL
COMPANY A and the Audit Committee and is not intended to be and should not be used by anyone other than the specified
parties. Ernst & Young therefore assumes no responsibility to any user of the report other than CONSUMER PRODUCTS AND
RETAIL COMPANY A. Any other persons who choose to rely on our report do so entirely at their own risk.
TABLE OF CONTENTS
1. EXECUTIVE SUMMARY
1.1 BACKGROUND
1.2 SCOPE & OBJECTIVE
2. DEFINITION OF RATINGS
3. SUMMARY OF FINDINGS
1. Executive Summary
1.1 Background
CONSUMER PRODUCTS AND RETAIL COMPANY A is a public company founded in 1993 and its shares are
traded on the Saudi stock market. INFORMATION DELETED
No responsibility is taken for changes in CONSUMER PRODUCTS AND RETAIL COMPANY A's IT general controls
after the review period, and no obligation is assumed to revise this report to reflect any changes subsequent
to the above-mentioned review period.
Our work was divided into three main stages: planning, fieldwork and report writing. In the planning stage we
prepared the audit program; in the fieldwork stage we confirmed our understanding of the processes with the
process owners and executed the work according to the audit program.
The scope and objective of the Internal Audit assignment covering CONSUMER PRODUCTS AND RETAIL
COMPANY A is to assess the effectiveness and efficiency of the key procedures and related key controls
currently in place for the Company IT general controls.
The internal audit tests and procedures carried out during the course of this review were designed to detect
any control weaknesses in the “CONSUMER PRODUCTS AND RETAIL COMPANY A” IT general controls, which
may have existed during the review period. However, there is no warranty that all process related weaknesses,
faults and irregularities have been highlighted during the course of the review. Management and the Audit
Committee are ultimately responsible for the Company’s system of Internal Control, including the Internal
Audit function, risk assessment, audit plan, and audit priorities.
This report lists the results of our Internal Audit review in the form of observations on the existing IT general
controls and suggests appropriate recommendations to address them. These observations were arrived at by
examining the internal control systems and supporting documents.
2. Definition of Ratings
Such ratings are not to be considered as, and do not represent, a conclusion on the overall adequacy or
effectiveness of the controls. Only management can assess whether the controls it has implemented are
adequate to meet its strategic, operational, compliance, and financial reporting objectives.
3. Summary of Findings
A total of 50 issues have been raised in this report for IT general controls. The issues have been categorized
as High Risk, Moderate Risk and Low Risk. The breakdown of these issues in terms of their risk categorization
is summarized below (the report's chart, reproduced as text):
Low: 12%; Moderate: 6%; High: 76%
Based on our audit, we have classified our observations into 20 major domains as follows:
The following section of this report presents the detailed issues and management action plan
relating to the Information Technology general controls (ITGC):
Observation:
High
Moderate
4. The current IT organization structure doesn’t provide the highest level of the organization
5. Some of the developed job descriptions are high level (i.e. IT Support Technician) and some
Low
6. IT job descriptions are not unified as:
1. “Duties and Tasks” term is used in IT support technician job description while on
the other job descriptions (i.e. ERP specialist and System Analyst) “job
2. IT & ERP Manager job description differs from all other IT job descriptions, as
it was defined as objectives and classified into six sections (scope, method,
fulfil skills, … etc.); on the other hand, other job descriptions are classified into only
duplicates (i.e. 1.2 method and 1.3 Method in IT manager job description)
4. System analyst job description is part of the IT support technician job description
7. The current IT organization structure and job descriptions are not formally documented as:
2. The current IT roles and responsibilities are part of the policies and procedures
Risks:
Recommendations:
management
descriptions
including IT staff
Management Response:
Observation:
2. No evidence that detailed IT department goals and objectives have been formally developed or
documented
Risk:
4. The IT organization may not be viewed as the provider of effective solutions to business
Recommendations:
address the technology infrastructure that is needed for successful systems including
business;
c. Progress in this area will have a positive impact on IT’s understanding of user
needs, and their ability to communicate these needs to the client’s management
team; and
Management Response:
Observation:
Some high-level policies and procedures have been developed for the IT domain areas; however:
1. The high-level IT policies and procedures developed do not follow IT leading practices
2. None of the policies and procedures includes process flows as a detailed aspect of such policies
Risk:
2. Subject to various risks that could ultimately have an undesirable business impact
Recommendations:
1. It is highly recommended to review the operation of the IT department and then develop and
frameworks, standards, and leading practices such as COBIT, ISO 27001, ITIL, etc.
2. It is highly recommended that the developed policies and procedures should be formally
Management Response:
Observation:
An IT Steering Committee has not been set up to monitor IT performance and to ensure that IT
resources and activities are effective for both the current and future operating needs of the
company.
Risk:
2. Ineffective IT resources and activities for both current and future operating needs
3. Increased risk of ineffective use of CONSUMER PRODUCTS AND RETAIL COMPANY A’s
information system resources and inability to meet the needs of top management.
Recommendations:
2. It is highly recommended to activate the IT Steering Committee role and activities, which would act
as the major planning advisory body for future IT expansion, new system acquisitions, major
3. The Committee could comprise representatives from IT, user departments, Internal Audit,
4. The committee's primary function should be IT strategic planning. In addition, other functions
Management Response:
Observation:
The IT Department does not have a formal IT security function and dedicated staff for
Risk:
Recommendations:
function in order to establish control over the security and integrity of the systems and
Management Response:
Observation:
There is no evidence of a formal Risk Assessment having been carried out for the IT environment
Risk:
1. It is difficult for management to assess the possible impact on the organization of a failure of a
particular component and then to apply appropriate controls to address the risk.
Recommendations:
1. It is highly recommended to consider carrying out a risk assessment for the IT environment.
A formal Risk Assessment identifies the inherent risks in the IT systems. A Risk Assessment
helps the company to evaluate the importance of each risk, the current controls in place and
the exposure levels. It also identifies the critical areas which need to be addressed by the
management immediately.
2. It is recommended that the assessment be conducted periodically to assess the status and
Management Response:
Observation:
No formalized Policies and Procedures covering all elements of Change Management have been
developed. The current high-level system Change Management procedure does not provide
detailed procedural steps for change management, and no detailed guidance is provided
for:
3. Performing analysis
4. Development of a change
5. UAT
6. Development
8. Configuration management
9. Migration to production
Risk:
2. Lack of documentation
Recommendations:
Management policies & procedure, these policies and procedures should be based on
internationally recognized frameworks, standards, and leading practices such as COBIT, ISO
2. It is highly recommended that the developed policies and procedures should be formally
In addition, the IT department should review the list of changes for all its applications on a periodic basis
Management Response:
Observation:
1. User access administration policy and procedures have not been formally developed and documented
2. The current access control policy and procedure is high level and does not cover all user
Risk:
Recommendations:
User Access & Revocation Policy and Procedures relating to this policy. This should be
implemented across the company. In addition the assignment of the access should be
Management Response:
Observation:
No formal evidence is being maintained of the regular review of access violation logs
Risk:
Recommendations:
It is highly recommended that the operating systems and critical business applications be set
up to generate access violation logs. These logs should be reviewed by the security function on a
periodic basis, and evidence of this review and of the follow-up actions should be documented and
maintained.
Management Response:
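As an added illustration of the recommendation above (example code, not part of the report or of the company's systems), the following Python reads a constructed, hypothetical access-violation log, flags bursts of failed logins and repeated access denials, and produces the review evidence record the security function is asked to retain. The log format, the thresholds and the account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-violation log (hypothetical key=value format, not from the report).
SAMPLE_LOG = """\
2024-03-04T08:01:12 app=ERP user=jdoe src=10.0.5.12 event=LOGIN_FAILED reason=bad_password
2024-03-04T08:01:40 app=ERP user=jdoe src=10.0.5.12 event=LOGIN_FAILED reason=bad_password
2024-03-04T08:02:05 app=ERP user=jdoe src=10.0.5.12 event=LOGIN_FAILED reason=bad_password
2024-03-04T08:02:33 app=ERP user=jdoe src=10.0.5.12 event=LOGIN_FAILED reason=bad_password
2024-03-04T08:03:01 app=ERP user=jdoe src=10.0.5.12 event=LOGIN_FAILED reason=bad_password
2024-03-04T09:15:00 app=ERP user=asmith src=10.0.5.40 event=LOGIN_FAILED reason=bad_password
2024-03-04T23:55:10 app=ERP user=admin src=10.0.9.2 event=ACCESS_DENIED object=GL_POSTING
2024-03-05T00:02:44 app=ERP user=admin src=10.0.9.2 event=ACCESS_DENIED object=GL_POSTING
"""

def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def find_failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, src) pairs with at least `threshold` LOGIN_FAILED events inside one window."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("event") == "LOGIN_FAILED":
            by_key[(e["user"], e["src"])].append(e["ts"])
    findings = []
    for (user, src), times in by_key.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the sorted timestamps.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append({"user": user, "src": src, "count": len(times),
                                 "first": times[i], "last": times[i + threshold - 1]})
                break
    return findings

def find_repeated_denials(events, min_count=2):
    """Flag users repeatedly denied access to the same protected object."""
    counts = defaultdict(int)
    for e in events:
        if e.get("event") == "ACCESS_DENIED":
            counts[(e["user"], e.get("object", "?"))] += 1
    return [{"user": u, "object": o, "count": c}
            for (u, o), c in sorted(counts.items()) if c >= min_count]

def review_access_violations(text, reviewer, review_date):
    """Build the review evidence record the security function retains after each periodic review."""
    events = parse_log(text)
    bursts = find_failed_login_bursts(events)
    denials = find_repeated_denials(events)
    return {"reviewer": reviewer, "review_date": review_date, "events_reviewed": len(events),
            "failed_login_bursts": bursts, "repeated_denials": denials,
            "follow_up_required": bool(bursts or denials)}
```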
Observation:
There are no clear, predefined criteria for the periodic checks to be carried out to ensure that
employees' current system-level access is appropriate to their job responsibilities and that no
changes to their positions/roles conflicting with the access provided have been granted.
Risk:
Employees at CONSUMER PRODUCTS AND RETAIL COMPANY A may leave and others may
transfer. As well, their roles and responsibilities may change as their job requirements and
contributions evolve. As such, roles are added and others are altered or deleted. Without a
periodic review, an overall assurance cannot be achieved that privileges are strictly confined to
job roles and responsibilities at all times. Furthermore, if such excess privileges exist, the
manipulation.
Maintaining a clean profile is a structured approach to assigning and revoking application roles.
Recommendations:
1. It is highly recommended that the IT department clearly define a periodic review of access privileges
on a report that lists users' responsibilities and access, generated from all applications by
3. This list should be reviewed by the user department heads on a periodic basis to ensure these
4. Appropriate plans should be set and proper resources should be allocated. This should appear
Management Response:
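To make the periodic review recommended above concrete, here is an added Python example (not from the report or the company): it compares an application's access export with a constructed HR roster and a role matrix standing in for the "predefined criteria", flags leavers with enabled accounts, roles outside the job profile left behind by transfers, segregation-of-duties conflicts and accounts with no owner, and builds the per-department lists for department heads to sign off. All names, roles and the matrix are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (hypothetical, not from the report): the HR roster of employees.
HR_ROSTER = {
    "E100": {"name": "A. Hassan", "dept": "Finance", "job_role": "AP Clerk", "status": "active"},
    "E101": {"name": "B. Khan", "dept": "Finance", "job_role": "Finance Manager", "status": "active"},
    "E102": {"name": "C. Ali", "dept": "Warehouse", "job_role": "Storekeeper", "status": "active"},
    "E103": {"name": "D. Omar", "dept": "IT", "job_role": "ERP Specialist", "status": "terminated"},
}
# Role matrix: the application roles each job role is entitled to (the "predefined criteria").
ROLE_MATRIX = {
    "AP Clerk": {"AP_ENTRY"},
    "Finance Manager": {"AP_APPROVE", "GL_VIEW"},
    "Storekeeper": {"INV_ISSUE", "INV_RECEIVE"},
    "ERP Specialist": {"ERP_ADMIN"},
}
# Role pairs one person must never hold together (segregation of duties).
SOD_CONFLICTS = [("AP_ENTRY", "AP_APPROVE"), ("INV_RECEIVE", "INV_COUNT")]
# Access export from the application: (account, employee id, role). C. Ali transferred
# from Finance and kept AP_ENTRY; svc_report has no owner in HR.
ACCESS_EXPORT = [
    ("ahassan", "E100", "AP_ENTRY"),
    ("bkhan", "E101", "AP_APPROVE"), ("bkhan", "E101", "GL_VIEW"), ("bkhan", "E101", "AP_ENTRY"),
    ("cali", "E102", "INV_ISSUE"), ("cali", "E102", "INV_RECEIVE"), ("cali", "E102", "AP_ENTRY"),
    ("domar", "E103", "ERP_ADMIN"),
    ("svc_report", None, "GL_VIEW"),
]

def review_access(roster, matrix, sod, export):
    """Compare granted roles with HR status and job role; return exceptions and per-department
    review lists for department heads to sign off."""
    roles_by_emp, accounts, exceptions = defaultdict(set), {}, []
    for account, emp_id, role in export:
        if emp_id not in roster:  # no owner in HR, so nobody can certify this access
            exceptions.append(("ORPHAN_ACCOUNT", account, role))
            continue
        roles_by_emp[emp_id].add(role)
        accounts[emp_id] = account
    for emp_id, roles in roles_by_emp.items():
        person, account = roster[emp_id], accounts[emp_id]
        if person["status"] != "active":  # leaver whose account was never revoked
            exceptions.append(("LEAVER_STILL_ENABLED", account, sorted(roles)))
            continue
        # Roles outside the job profile usually mean a transfer left old access behind.
        for role in sorted(roles - matrix.get(person["job_role"], set())):
            exceptions.append(("ROLE_NOT_IN_JOB_PROFILE", account, role))
        for a, b in sod:
            if a in roles and b in roles:
                exceptions.append(("SOD_CONFLICT", account, f"{a}+{b}"))
    by_dept = defaultdict(list)
    for emp_id, roles in roles_by_emp.items():
        p = roster[emp_id]
        by_dept[p["dept"]].append((accounts[emp_id], p["name"], p["job_role"], sorted(roles)))
    return {"exceptions": exceptions, "department_review_lists": dict(by_dept)}
```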
Observation:
No formal security awareness exercise has been conducted by the IT department
Risk:
In the absence of a security awareness exercise, the organization may find it difficult to educate
users about relevant security issues and to convey the consequences of a breach of confidentiality
or security.
Recommendations:
Management Response:
Moderate
3.12 Password Standards and Usage
Observation:
applications, however,
1. There is no formal policy and procedure developed related to password standards and usage
applications
3. There is no evidence of clear and predefined control policy and procedures of invalid
Risk:
1. Weak password standards and their inconsistent implementation increase the risk of
2. Passwords, if unchanged for a long period of time, tend to lose their effectiveness and
confidentiality, thereby enabling an unauthorized user to gain access to the system. This
may compromise the confidentiality and integrity of data maintained on the computer
systems.
Recommendations:
2. A periodic review by the security function should be conducted to ensure that the password
changed immediately if they become known to others, or if an employee with knowledge of one
is terminated.
Management Response:
Observation:
During our audit of the CONSUMER PRODUCTS AND RETAIL COMPANY A data center, it
2. There are no adequate temperature and humidity monitoring arrangements in the server
room.
5. Entry/exit logs of visitors to the server room are not being maintained.
6. The server room is secured with a standard lock and the key is kept in the door.
8. There is no evidence of a periodic review of personnel who have access to the data centre
Risk:
1. Unauthorized access to the data centre cannot be detected, which may result in serious
implications due to loss of system or data. This problem is further escalated, due to
2. In case of a fire, IT equipment and data located in the server room are at risk of being
3. Lack of control on humidity and inadequate air conditioning in the data center may degrade
Recommendations:
2. A periodic review by the security function should be conducted to ensure that the physical
3. It is highly recommended that physical security logs and other approved procedure to be
4. Physical access to the Data Centre should be controlled using electronic locks or access cards.
5. Proper fire detection and suppression systems should be installed and regularly maintained.
6. CCTV cameras should also be installed to monitor the activities of any individual entering the
room
c) date of access;
e) Purpose of visit.
Management Response:
Observation:
1. The backup media are not stored in an offsite location. Currently, backups are kept by the IT
manager personally
4. The current Backup and retention policy is too detailed and technical in some areas, while in
other areas such as restore and retention it is too high level, which may not be clear
Risk:
1. Subject to various risks that could ultimately have an undesirable business impact
4. In the absence of testing of backups, the effectiveness, accuracy and completeness of the
backups that are taken cannot be assured. Without periodically checking to ensure that they
actually contain a readable version of the data, there is a risk that backups will not be
5. In the absence of logs or reports for the restoration testing of backups, there may be a lack of
control over the function, which may increase the risk of recovery failure of the backup tapes
Recommendations:
1. It is highly recommended to review the Backup and retention operations and then develop and
implement comprehensive Backup Policies and Procedures for the effective operations of
backup and retention. This policy and procedure should be based on internationally recognized
management should consider selecting and implementing a suitable off-site backup storage
location which is at a suitable distance away from the primary datacenter and geographic
location. Such locations should be secure, heat and humidity controlled. Access to such off-
1. It is recommended that the backup logs be well maintained on a daily basis and
3. The backup media should be reviewed on a periodic basis to ensure that no errors have
occurred and that the backup tapes are recoverable; the test results should be documented
and maintained, and the reports should be reviewed by the IT manager periodically.
Management Response:
Observation:
2. No evidence of an incident log being properly maintained for service and security-related incidents.
Risk:
1. Without a detailed incident policy, procedure and log, CONSUMER PRODUCTS AND
2. Furthermore, IT management may not be able to track trends and monitor statistics
Recommendations:
1. It is highly recommended to establish an incident management policy and procedure, and it has to
2. It is highly recommended to maintain incident logs that cover at least the information listed
below:
a) Reference Number
c) Type of Incident
i) Incident Status
k) Incident Impact
l) Incident Urgency
n) Recommended/Implemented solution
Alternatively, an incident management solution can be designed and implemented that will enable
incidents.
Management Response:
Observation:
1. Even though there is a developed very high level disaster recovery procedure, this procedure
Risk:
1. In absence of documented DR and BC Plan, staff will not be aware of the functions to be
2. Absence of a comprehensive DR and BC Plan increases the risk that the organization will not
3. Unavailability of business systems and applications would lead to loss of business revenue
Recommendations:
1. It is highly recommended that IT should develop a formally documented and approved DRP
2. It is highly recommended that the DRP and BCP developed should be periodically tested and
3. It is recommended that the results of the BCP and DRP testing should be regularly reviewed
and analysed to ensure that all essential aspects of critical business operations, including
logistical issues, have been adequately covered and that relevant individuals are fully aware
Management Response:
Observation:
3. No evidence of a network monitoring tool in place to detect information security breaches on
the network
Risk:
4. Without adequate monitoring and reporting on network performance, its performance may
Recommendations:
It is highly recommended that IT ensure that a proper network monitoring mechanism is in place, one that
should provide for:
a) The use of network analysis/monitoring tools should be restricted to authorized
users only
c) The results of monitoring activities should be reviewed by the network ‘owner’ and
provided.
Management Response:
Observation:
The IT Department, which is the IT service provider for CONSUMER PRODUCTS AND RETAIL
COMPANY A, does not have a detailed Service Level Agreement (SLA) with the company’s
user departments.
Risk:
In the absence of a documented SLA, the objectives set for the services provided by IT for
maintaining the users' software, hardware and network may not be clear.
The users may not be aware of the normal expected criteria for completion of their tasks.
Additionally, the IT may not have a benchmark to refer to, for monitoring the quality and speed
of their service.
Recommendations:
It is recommended that IT may consider establishing a clearly documented SLA with user
departments to establish better control over the quality and timeliness of service to the users.
d) Costs applicable,
f) A process for reviewing the SLA at periodic intervals to ensure the user community
Management Response:
Observation:
Risk:
In the absence of formal KPIs, it will be difficult for IT management to assess, quantitatively or
qualitatively, the performance of IT processes. Such assessment would help management to better plan
and forecast IT needs.
Recommendations:
It is highly recommended to develop and approve formal Key Performance Indicators (KPIs) that
track predefined activities and are management tools to aid IT. Their purpose has many
components including:
a) Monitoring of IT resources
requirements
strategic plan.
Management Response:
Observation:
IT does not have a formal Help Desk for reporting IT problems and tracking their resolution.
Additionally, IT does not utilize any software to aid in problem reporting and resolution
management.
Risk:
In the absence of a formal help desk, the following impacts are involved:
a) Problems are not resolved as quickly because of the absence of the escalation
d) Help desk allows the IT to avail itself of some of the more modern help
Recommendations:
It is recommended that IT consider formalizing the help desk function through the utilization of
Management Response:
Observation:
Activities of the system administrator of the application, operating systems and database are not
Risk:
The system administrator has access to all system files, utilities, security etc. and has the ability
to change the system’s operating characteristics. In the absence of a formal independent and
timely review, any unauthorized changes to the system may not be detected.
Recommendations:
It is highly recommended that all the system administrators' activities be logged and
reviewed by the security function. Justification for all changes should be investigated and
documented. Further, access to the system administrator's log should only be available with
Management Response:
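As an added example (not the report's or the company's tooling), this Python reconciles a constructed privileged-activity log with approved change records, so that every administrator action is either tied to an approved change by the named implementer within its window or listed for justification; it serves both the periodic change-list review recommended under Change Management and the administrator-activity review above. The log format, change ids, action names and hosts are hypothetical.

```python
from datetime import datetime

# Constructed privileged-activity log entries (hypothetical, not from the report):
# (timestamp, administrator, action, target).
ADMIN_LOG = [
    ("2024-03-10T21:05:00", "sysadm1", "ALTER TABLE", "ERPDB.GL_JOURNAL"),
    ("2024-03-10T21:12:00", "sysadm1", "GRANT DBA", "ERPDB.TMP_USER"),
    ("2024-03-11T10:30:00", "sysadm2", "APPLY PATCH", "ERPAPP01"),
    ("2024-03-12T03:00:00", "sysadm2", "SET AUDIT_TRAIL=OFF", "ERPDB"),
]
# Approved change records from the change-management process (constructed).
APPROVED_CHANGES = {
    "CHG-0101": {"target": "ERPDB.GL_JOURNAL", "implementer": "sysadm1",
                 "window": ("2024-03-10T21:00:00", "2024-03-10T23:00:00")},
    "CHG-0102": {"target": "ERPAPP01", "implementer": "sysadm2",
                 "window": ("2024-03-11T22:00:00", "2024-03-12T02:00:00")},
}
# Action prefixes that always need an explicit justification, even when covered by a change.
ALWAYS_JUSTIFY = ("GRANT ", "SET AUDIT_TRAIL")

def classify(entry, changes):
    """Return (status, change id) for one log entry against the approved change records."""
    ts_text, admin, action, target = entry
    ts = datetime.fromisoformat(ts_text)
    best = ("NO_APPROVED_CHANGE", None)
    for chg_id, chg in changes.items():
        if chg["target"] != target:
            continue
        start, end = (datetime.fromisoformat(t) for t in chg["window"])
        if admin == chg["implementer"] and start <= ts <= end:
            return "COVERED", chg_id  # a fully matching approval wins outright
        # Otherwise remember the closest partial match so the reviewer sees why it failed.
        best = ("IMPLEMENTER_MISMATCH" if admin != chg["implementer"]
                else "OUTSIDE_APPROVED_WINDOW", chg_id)
    return best

def reconcile(log, changes):
    """Produce the review list: every entry, its status, and whether a justification is required."""
    rows = []
    for entry in log:
        status, chg_id = classify(entry, changes)
        sensitive = entry[2].startswith(ALWAYS_JUSTIFY)
        rows.append({"ts": entry[0], "admin": entry[1], "action": entry[2], "target": entry[3],
                     "status": status, "change": chg_id,
                     "justification_required": status != "COVERED" or sensitive})
    return rows

def exceptions(rows):
    """Entries the security function must investigate and document."""
    return [r for r in rows if r["justification_required"]]
```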