
Internal Audit Report

CONSUMER PRODUCTS AND RETAIL


COMPANY A

IT General Controls

Reference: 2015 Internal Audit Plan


Version: 0.1
Period of review: March 2015
Date of Field work: March 2015
Date of report: 21 April 2015
Sponsor: Audit Committee
Circulation: General Manager and Audit Committee

This report is intended solely for the information and use of the management of CONSUMER PRODUCTS AND RETAIL
COMPANY A and the Audit Committee and is not intended to be and should not be used by anyone other than the specified
parties. Ernst & Young therefore assumes no responsibility to any user of the report other than CONSUMER PRODUCTS AND
RETAIL COMPANY A. Any other persons who choose to rely on our report do so entirely at their own risk.


Internal Audit Report Page 1


LOGO DELETED

TABLE OF CONTENTS

Topic / Page Number

1. EXECUTIVE SUMMARY 3
1.1 BACKGROUND 3
1.2 SCOPE & OBJECTIVE 3
2. DEFINITION OF RATINGS 3
3. SUMMARY OF FINDINGS 5
3. SUMMARY OF FINDINGS, CONT'D 6
4. DETAILS OF FINDINGS AND MANAGEMENT RESPONSES 7
4.1 IT ORGANIZATION STRUCTURE AND JOB DESCRIPTIONS 7
4.2 LACK OF FORMAL IT STRATEGY 10
4.3 IT POLICIES AND PROCEDURES 12
4.4 ABSENCE OF IT STEERING COMMITTEE 14
4.5 IT SECURITY FUNCTION NOT ESTABLISHED 16
4.6 FORMAL RISK ASSESSMENT 18
4.7 PROGRAM CHANGE MANAGEMENT 19
4.8 USER ACCESS ADMINISTRATION 21
4.9 ACCESS VIOLATION LOGS REVIEW 23
4.10 PERIODIC REVIEW OF ACCESS PRIVILEGES 24
4.11 SECURITY AWARENESS 26
4.12 PASSWORD STANDARDS AND USAGE 27
4.13 PHYSICAL SECURITY 29
4.14 BACKUP AND DATA RETENTION 31
4.15 INCIDENT MANAGEMENT 33
4.16 BUSINESS CONTINUITY AND DISASTER RECOVERY 35
4.17 NETWORK MONITORING 37
4.18 INTERNAL SERVICE LEVEL AGREEMENTS 39
4.19 KEY PERFORMANCE INDICATORS 41
4.20 FORMAL HELP DESK FUNCTIONS 43
4.21 SYSTEM ADMINISTRATOR ACTIVITIES LOGGING AND REVIEW 44


1. Executive Summary

1.1 Background
CONSUMER PRODUCTS AND RETAIL COMPANY A is a public company founded in 1993 and its shares are
traded on the Saudi stock market. INFORMATION DELETED

1.2 Scope & Objective

No responsibility is taken for changes in CONSUMER PRODUCTS AND RETAIL COMPANY A IT general controls
after the review period and no obligation is assumed to revise this report to reflect any changes subsequent
to the above-mentioned review period.

Our work was divided into three main stages: planning, fieldwork and report writing. In the planning stage we prepared the audit program; in the fieldwork stage we confirmed our understanding of the processes with the process owners and executed the work according to the audit program.

The scope and objective of the Internal Audit assignment covering CONSUMER PRODUCTS AND RETAIL
COMPANY A is to assess the effectiveness and efficiency of the key procedures and related key controls
currently in place for the Company IT general controls.

The internal audit tests and procedures carried out during the course of this review were designed to detect
any control weaknesses in the “CONSUMER PRODUCTS AND RETAIL COMPANY A” IT general controls, which
may have existed during the review period. However, there is no warranty that all process related weaknesses,
faults and irregularities have been highlighted during the course of the review. Management and the Audit
Committee are ultimately responsible for the Company’s system of Internal Control, including the Internal
Audit function, risk assessment, audit plan, and audit priorities.

This report lists the results of our Internal Audit review in the form of observations on the existing IT general controls, together with recommendations to address them. The observations were arrived at by examining the internal control systems and supporting documents.

2. Definition of Ratings

Risk Rating | Definition / Description
High | Issues that can seriously compromise the department/Company and/or the system of internal control. These should be addressed immediately.
Moderate | Issues that could negatively impact the department/Company and/or the system of internal control and do not represent good practice. These should be addressed promptly.
Low | Issues likely to have a low impact on the department/Company and/or the system of internal control. These should be addressed in a timely manner.


These ratings do not represent a conclusion on the overall adequacy or effectiveness of the controls. Only management can assess whether the controls it has implemented are adequate to meet its strategic, operational, compliance and financial reporting objectives.


3. Summary of Findings

A total of 50 issues have been raised in this report for IT general controls. The issues have been categorized as High Risk, Moderate Risk and Low Risk. The breakdown of these issues by risk category is summarized in the chart below.

[Pie chart: breakdown of issues by risk rating. Labels as printed: High 76%, Moderate 6%, Low 12%. The per-domain counts on the following page tally to 34 High, 14 Moderate and 2 Low of the 50 observations.]


3. Summary of Findings, Cont’d

Based on our audit, we have classified our observations into 21 major domains as follows:

1. IT Organization Structure and Job Descriptions
► Total of 7 observations (3 High, 2 Moderate and 2 Low)
2. IT Strategy
► Total of 3 observations (High)
3. IT Policies and Procedures
► Total of 3 observations (High)
4. IT Steering Committee
► Total of 1 observation (High)
5. IT Security Function
► Total of 1 observation (High)
6. Formal Risk Assessment
► Total of 1 observation (High)
7. Change Management
► Total of 1 observation (High)
8. User Access Administration
► Total of 2 observations (High)
9. Access Violation Log Review
► Total of 1 observation (High)
10. Periodic Review of Access Privileges
► Total of 1 observation (High)
11. Security Awareness
► Total of 1 observation (High)
12. Password Standards
► Total of 4 observations (Moderate)
13. Physical Security
► Total of 8 observations (High)
14. Backup and Retention
► Total of 4 observations (High)
15. Incident Management
► Total of 2 observations (Moderate)
16. Business Continuity and Disaster Recovery
► Total of 3 observations (High)
17. Network Monitoring
► Total of 3 observations (Moderate)
18. Internal Service Level Agreements
► Total of 1 observation (Moderate)
19. Key Performance Indicators
► Total of 1 observation (Moderate)
20. Formal Help Desk Functions
► Total of 1 observation (Moderate)
21. System Administrator Activities Logging and Review
► Total of 1 observation (High)


4. Details of Findings and Management Responses

The following section of this report presents the detailed issues and management action plan
relating to the Information Technology general controls (ITGC):

4.1 IT Organization Structure and Job Descriptions

Observation:

High

1. No evidence of formal approval of the IT organization structure by top management.
2. No KPIs have been developed for the roles in the IT department.
3. No evidence that IT staff have acknowledged either the organization structure or their job descriptions.

Moderate

4. The current IT organization structure does not show the highest level of the company structure, so it does not indicate to whom the IT department reports.
5. The job descriptions are inconsistent in depth: some are high level (e.g. IT Support Technician) and some are detailed (e.g. System Analyst).


Low

6. IT job descriptions are not unified:
   a) The term "Duties and Tasks" is used in the IT Support Technician job description, while the other job descriptions (e.g. ERP Specialist and System Analyst) use the term "Job Responsibilities".
   b) The IT & ERP Manager job description differs from all other IT job descriptions: it is defined in terms of objectives and split into six sections (scope, method, skills, etc.), whereas the others consist of a single "Job Responsibilities" section.
   c) The numbering of the IT & ERP Manager job description needs to be revisited, as it contains duplicates (e.g. 1.2 Method and 1.3 Method).
   d) The System Analyst job description runs on from the IT Support Technician job description on the same page, with no separator.
7. The current IT organization structure and job descriptions are not formally documented:
   a) The organization structure appears only as an appendix to the IT policies and procedures document, not as a separate document within the formal organization-structure documentation.
   b) The IT roles and responsibilities likewise appear only within the policies and procedures document, not as separate documents within the formal job-description documentation.


Risks:

1. Inadequate segregation of duties.
2. Lack of a formal and clear hierarchy.
3. Lack of formal roles and responsibilities.
4. High likelihood of conflicting duties.
5. Difficulty in assessing the effectiveness of IT operations.
6. Inability to monitor IT performance.

Recommendations:

1. It is highly recommended that top management formally approve the IT organization structure.
2. It is highly recommended to establish formal, precise and unified IT job descriptions.
3. It is highly recommended to establish formal KPIs for each IT role.
4. It is highly recommended to communicate the IT job descriptions to all concerned personnel, including IT staff.

Management Response:

Response / Action | Person Responsible | Date for Completion


4.2 Lack of Formal IT Strategy (High)

Observation:

1. No IT strategy has been formally developed or documented.
2. No evidence that detailed goals and objectives for the IT department have been formally developed or documented.
3. No evidence that an IT strategic plan has been formally developed or documented.

Risk:

1. The IT strategy may not be aligned with the business strategy.
2. The IT department may lack clear direction and focus.
3. Lack of appropriate resources and of competitive advantage.
4. The IT organization may not be viewed as the provider of effective solutions to business problems, affecting systems productivity and user confidence.

Recommendations:

1. It is highly recommended to develop a formal IT strategy and IT strategic plan that addresses the technology infrastructure needed for successful systems, including standardization on an appropriate set of development tools, middleware and system software. The plan should also designate development standards and policies.
2. It is highly recommended to then prepare an IT architecture based on the IT strategy. The success of an IT strategy depends on the following:
   a) The IT strategy must be driven by the business strategy, and the business strategy must be communicated. Members of the IT department must be encouraged and supported in their stated intention of expanding their understanding of the business;


   b) Active participation of IT executives in the business strategy development process;
   c) Progress in this area will have a positive impact on IT's understanding of user needs and on its ability to communicate these needs to the company's management team; and
   d) The proposed IT strategy should be cost effective.

Management Response:

Response / Action | Person Responsible | Date for Completion


4.3 IT Policies and Procedures (High)

Observation:

Some high-level policies and procedures have been developed for the IT domain areas; however:

1. The high-level IT policies and procedures that have been developed do not follow IT leading practices and international IT standards.
2. None of the policies and procedures include process flows as a detailed supplement to the policy.
3. There is no process in place to communicate the policies and procedures.

Risk:

1. Misguided organization-wide control over IT operations.
2. Exposure to various risks that could ultimately have an undesirable business impact.
3. Loss of critical business information.
4. Unauthorized manipulation of critical data.
5. Failure of vital IT operations.
6. Obstacles to enforcing management's aims and directions.

Recommendations:

1. It is highly recommended to review the operation of the IT department and then develop and implement comprehensive IT policies and procedures for the effective operation of the IT function. These policies and procedures should be based on internationally recognized frameworks, standards and leading practices such as COBIT, ISO 27001 and ITIL.
2. It is highly recommended that the developed policies and procedures be formally communicated to relevant staff.

Management Response:


Response / Action | Person Responsible | Date for Completion


4.4 Absence of IT Steering Committee (High)

Observation:

No IT Steering Committee has been set up to monitor IT performance and to ensure that IT resources and activities are effective for both the current and the future operating needs of the company.

Risk:

1. Inadequate monitoring of IT performance.
2. IT resources and activities that are ineffective for current and future operating needs.
3. Increased risk of ineffective use of CONSUMER PRODUCTS AND RETAIL COMPANY A's information system resources and of inability to meet the needs of top management.

Recommendations:

1. It is highly recommended to establish and formally constitute an IT Steering Committee.
2. It is highly recommended to activate the IT Steering Committee's role and activities so that it acts as the main planning and advisory body for future IT expansion, new system acquisitions, major system enhancements and, in general, IT performance.
3. The Committee could comprise representatives from IT, the user departments and Internal Audit, and at least one representative from top management.
4. The Committee's primary function should be IT strategic planning. Other functions that the Committee could perform are:
   a) Establishing the size and scope of the IT function;
   b) Setting a clear focus and direction for the IT department;
   c) Approving the IT strategy for a period of 2 to 5 years;
   d) Setting priorities within these bounds;


   e) Providing a formal means of communication between IT and users;
   f) Monitoring the accomplishments of the computer installation; and
   g) Measuring the results of IT projects in terms of return on investment.

Management Response:

Response / Action | Person Responsible | Date for Completion


4.5 IT Security Function Not Established (High)

Observation:

The IT department does not have a formal IT security function with dedicated staff for maintaining information security at CONSUMER PRODUCTS AND RETAIL COMPANY A.

Risk:

1. Increased risk of security incidents going undetected.
2. Increased risk of business interruption.
3. Increased risk of improper implementation of security policies and procedures.

Recommendations:

1. It is highly recommended to establish a formal, centralized security administration function in order to establish control over the security and integrity of the systems and applications. At a minimum, it should be responsible for the following:
   a) Authorizing access to program libraries and data files;
   b) Issuing and periodically reviewing user profiles and passwords;
   c) Reviewing the information appearing on security violation reports and following up where needed;
   d) Preparing, testing and maintaining the contingency plan for IT operations;
   e) The overall physical security of the IT department; and
   f) Developing and updating the IT security policy whenever needed.

Furthermore, it is recommended to give the IT security function an adequate reporting line, so that it can act effectively on suspicious IT activity.


Management Response:

Response / Action | Person Responsible | Date for Completion


4.6 Formal Risk Assessment (High)

Observation:

There is no evidence that a formal risk assessment has been carried out for the IT environment.

Risk:

1. It is difficult for management to assess the possible impact on the organization of a failure of a particular component, and then to apply appropriate controls to address that risk.
2. Increased risk of business interruption.
3. Increased risk of improper implementation of security policies and procedures.

Recommendations:

1. It is highly recommended to carry out a risk assessment of the IT environment. A formal risk assessment identifies the inherent risks in the IT systems and helps the company evaluate the importance of each risk, the controls currently in place and the resulting exposure levels. It also identifies the critical areas that management needs to address immediately.
2. It is recommended that the assessment be repeated periodically, to reassess the status of known risks and to identify new IT risks and exposures to the company.

Management Response:

Response / Action | Person Responsible | Date for Completion


4.7 Program Change Management (High)

Observation:

No formal policies and procedures covering all elements of change management have been developed. The current high-level system change management procedure does not provide detailed procedural steps, and no detailed guidance is provided for:

1. Escalation policy, process and procedure
2. Change monitoring
3. Analysis of the change
4. Development of the change
5. User acceptance testing (UAT)
6. Separation of the development, test and production environments
7. Configuration management
8. Migration to production
9. Control of production libraries, etc.

Risk:

1. Absence of various control measures.
2. Lack of documentation.
3. Inadequate controls to validate change requests.
4. Improper migration of changes from the development to the production environment.
5. Increased risk of business interruption.


Recommendations:

1. It is highly recommended to formally document and approve comprehensive change management policies and procedures, based on internationally recognized frameworks, standards and leading practices such as COBIT, ISO 27001 and ITIL.
2. It is highly recommended that the developed policies and procedures be formally approved by management and communicated to relevant staff.
3. It is highly recommended to require formal, documented evidence of user requirements and written authorization of program changes before a change is implemented.

In addition, the IT department should review the list of changes for all its applications on a periodic basis, in order to monitor the change management process within the company.

Management Response:

Response / Action | Person Responsible | Date for Completion


4.8 User Access Administration (High)

Observation:

1. A user access administration policy and procedure has not been formally developed and documented.
2. The current access control policy and procedure is high level and does not cover all aspects of user access administration. For example:
   a) There are no details on the revocation of user access;
   b) There are no details on the creation of user access;
   c) There are no details on the approvals required for creating and revoking user access.

Risk:

1. Increased risk of unauthorized access going undetected.
2. Risk of compromise of data integrity.

Recommendations:

It is highly recommended to establish and implement a formally and properly documented user access and revocation policy, with supporting procedures, and to apply it across the company. In addition, the assignment of access should be monitored by the security function.


Management Response:

Response / Action | Person Responsible | Date for Completion


4.9 Access Violation Logs Review (High)

Observation:

No formal evidence is maintained of a regular review of access violation logs (e.g. signed log reviews, evidence of follow-up).

Risk:

1. Increased risk of unauthorized access going undetected.
2. Access violations may not be dealt with in a timely manner.

Recommendations:

It is highly recommended that the operating system and critical business applications be configured to generate access violation logs, that these logs be reviewed by the security function on a periodic basis, and that evidence of the review and of the follow-up actions be documented and retained.
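A minimal form of the review described in this recommendation, as an added example that is not part of the audit report: it parses a constructed export of failed-logon events (shaped like Windows Security event ID 4625 records, which is an assumption, since the report does not describe the company's systems or log formats), flags any account with three or more failures inside a ten-minute window, and builds the dated, attributed review record, with a digest of what was reviewed, that lets the signed review and its follow-up be evidenced later.

```python
"""Access violation log review: flag accounts with bursts of failed logons and
produce a reviewable, tamper-evident record of the review.

Added example. The log format is a constructed, simplified export of Windows
failed-logon events (event ID 4625), one per line:
    timestamp,event_id,account,source_ip,failure_reason
"""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import json

# Constructed sample export (not real data).
SAMPLE_LOG = """\
2015-03-10T08:01:12,4625,jsmith,10.0.5.21,bad password
2015-03-10T08:01:40,4625,jsmith,10.0.5.21,bad password
2015-03-10T08:02:05,4625,jsmith,10.0.5.21,bad password
2015-03-10T08:02:30,4625,jsmith,10.0.5.21,bad password
2015-03-10T09:15:00,4625,akhan,10.0.5.40,bad password
2015-03-10T14:20:00,4625,akhan,10.0.5.40,bad password
2015-03-10T22:47:10,4625,administrator,192.168.77.9,bad password
2015-03-10T22:47:11,4625,administrator,192.168.77.9,bad password
2015-03-10T22:47:12,4625,administrator,192.168.77.9,bad password
2015-03-10T22:47:13,4625,administrator,192.168.77.9,unknown user
"""


def parse_events(text):
    """Turn the export into dicts; account names are normalised to lower case."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src, reason = line.split(",", 4)
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "account": account.lower(), "src": src, "reason": reason})
    return events


def find_violations(events, threshold=3, window_minutes=10):
    """Return accounts with >= threshold failed logons inside any window.

    A sliding window per account means a few failures spread over a day
    (akhan above) do not alert, while a burst (jsmith, administrator) does.
    """
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_account[e["account"]].append(e)
    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({
                    "account": account,
                    "failures": len(evs),
                    "first": evs[0]["time"].isoformat(),
                    "last": evs[-1]["time"].isoformat(),
                    "sources": sorted({e["src"] for e in evs}),
                })
                break
    return sorted(findings, key=lambda f: f["account"])


def review_record(findings, reviewer, reviewed_at, disposition):
    """The evidence record the auditors ask for: what was reviewed, by whom,
    when, and what was decided, plus a SHA-256 digest of the findings so that
    later edits to the reviewed set are detectable."""
    digest = hashlib.sha256(json.dumps(findings, sort_keys=True).encode()).hexdigest()
    return {"reviewer": reviewer, "reviewed_at": reviewed_at,
            "findings_sha256": digest, "disposition": disposition,
            "open_items": [f["account"] for f in findings]}


if __name__ == "__main__":
    found = find_violations(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['account']}: {f['failures']} failures from {f['sources']}")
    rec = review_record(found, "security officer", "2015-03-11T09:00:00",
                        {"jsmith": "user contacted, mistyped password",
                         "administrator": "escalated to IT manager"})
    print(json.dumps(rec, indent=2))
```

The threshold and window are parameters because they are the policy decision the security function has to document; the review record is what the auditor will ask to see, so it carries the reviewer, the time and a hash of exactly what was looked at.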

Management Response:

Response / Action | Person Responsible | Date for Completion


4.10 Periodic Review of Access Privileges (High)

Observation:

There are no clear, predefined criteria for the periodic checks to be carried out to ensure that employees' current system-level access is appropriate to their job responsibilities, and that no changes to their positions or roles conflict with the access they have been granted.

Risk:

Employees at CONSUMER PRODUCTS AND RETAIL COMPANY A may leave and others may transfer. Their roles and responsibilities may also change as their job requirements and contributions evolve, so that roles are added, altered or deleted. Without a periodic review, there is no overall assurance that privileges are strictly confined to job roles and responsibilities at all times. Furthermore, where excess privileges exist, the confidentiality, integrity and availability of system data may be exposed to undesirable manipulation.

Maintaining a clean profile is a structured approach to assigning and revoking application roles.

Recommendations:

1. It is highly recommended that the IT department clearly define a policy and procedure for the periodic review of access privileges, with a specific review frequency for each IT application.
2. It is recommended that the IT department conduct the periodic review of access privileges on a formal basis, using a report generated by the IT function from every application that lists each user's responsibilities and access.
3. This list should be reviewed by the user department heads on a periodic basis to ensure that the access is current and appropriate for the job.


4. Appropriate plans should be set and proper resources allocated. This should form part of a policy and procedure to ensure enforcement at an organizational level.
5. As this exercise is conducted, any extra, outdated or incorrect role assignments identified should be reported to management for action.
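An added example of the reconciliation behind recommendations 2 to 5 above. It is not the company's own process: the HR roster, the application access export, the job titles, the role names and the separation-of-duties pair are constructed assumptions. The script matches every account in the export against HR, checks each held role against what the employee's job title allows, detects leavers who still have active accounts, accounts with no HR record, dormant accounts and conflicting role combinations, and groups the exceptions into the sheets the department heads sign off.

```python
"""Periodic review of access privileges: reconcile an application access export
against the HR roster and a role matrix, and produce the exception list that the
user-department heads sign off.

Added example with constructed data; field names, roles, titles and the
separation-of-duties pairs are assumptions, not the company's actual ones.
"""
from collections import defaultdict
from datetime import date

REVIEW_DATE = date(2015, 3, 15)

# Constructed HR roster: employee_id -> record (not real data).
HR_ROSTER = {
    "E100": {"name": "A. Khan", "dept": "Finance", "title": "AP Clerk", "status": "active"},
    "E101": {"name": "J. Smith", "dept": "Finance", "title": "Finance Manager", "status": "active"},
    "E102": {"name": "R. Ali", "dept": "Sales", "title": "Sales Rep", "status": "terminated"},
    "E103": {"name": "M. Noor", "dept": "IT", "title": "System Analyst", "status": "active"},
}

# Constructed access export from the ERP, one row per account.
ACCESS_EXPORT = [
    {"user": "E100", "app": "ERP", "roles": {"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"},
     "last_login": date(2015, 3, 2)},
    {"user": "E101", "app": "ERP", "roles": {"AP_APPROVE_PAYMENT", "GL_POST"},
     "last_login": date(2015, 3, 9)},
    {"user": "E102", "app": "ERP", "roles": {"SD_CREATE_ORDER"},
     "last_login": date(2014, 11, 30)},
    {"user": "E103", "app": "ERP", "roles": {"SYS_ADMIN"},
     "last_login": date(2015, 3, 10)},
    {"user": "CONSULT1", "app": "ERP", "roles": {"SYS_ADMIN"},
     "last_login": date(2014, 9, 1)},
]

# Assumed role matrix: which roles each job title may hold.
ROLE_MATRIX = {
    "AP Clerk": {"AP_ENTER_INVOICE"},
    "Finance Manager": {"AP_APPROVE_PAYMENT", "GL_POST"},
    "Sales Rep": {"SD_CREATE_ORDER"},
    "System Analyst": {"SYS_ADMIN"},
}

# Assumed separation-of-duties conflicts: no single account may hold both.
SOD_CONFLICTS = [("AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT")]


def review_access(access, roster, role_matrix, sod, review_date, dormant_days=90):
    """Return (user, app, exception_kind, detail) tuples for every exception."""
    exceptions = []
    for row in access:
        emp = roster.get(row["user"])
        if emp is None:                       # account with no owner in HR
            exceptions.append((row["user"], row["app"], "orphan_account", "no matching HR record"))
            continue
        if emp["status"] != "active":         # leaver whose access was never revoked
            exceptions.append((row["user"], row["app"], "leaver_still_active", emp["status"]))
        allowed = role_matrix.get(emp["title"], set())
        for role in sorted(row["roles"] - allowed):   # role the job does not justify
            exceptions.append((row["user"], row["app"], "role_outside_job", role))
        for a, b in sod:                      # conflicting duties on one account
            if a in row["roles"] and b in row["roles"]:
                exceptions.append((row["user"], row["app"], "sod_conflict", f"{a}+{b}"))
        if (review_date - row["last_login"]).days > dormant_days:
            exceptions.append((row["user"], row["app"], "dormant", str(row["last_login"])))
    return exceptions


def signoff_sheets(exceptions, roster):
    """Group exceptions by the department whose head must attest to them;
    accounts with no HR record go to IT for disposal."""
    sheets = defaultdict(list)
    for user, app, kind, detail in exceptions:
        dept = roster[user]["dept"] if user in roster else "IT"
        sheets[dept].append({"user": user, "app": app, "exception": kind,
                             "detail": detail, "decision": ""})
    return dict(sheets)


if __name__ == "__main__":
    found = review_access(ACCESS_EXPORT, HR_ROSTER, ROLE_MATRIX, SOD_CONFLICTS, REVIEW_DATE)
    for dept, items in signoff_sheets(found, HR_ROSTER).items():
        print(f"== {dept}: {len(items)} exception(s) for department head sign-off")
        for item in items:
            print(f"   {item['user']:9} {item['exception']:20} {item['detail']}")
```

Run against the constructed data, the review finds the AP clerk holding an approval role that also conflicts with invoice entry, a terminated sales representative with a live and dormant account, and a consultant account with no owner in HR; the Finance manager and the system analyst come out clean. The "decision" field is left empty on purpose: it is what the department head fills in and signs.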

Management Response:

Response / Action | Person Responsible | Date for Completion


4.11 Security Awareness (Moderate)

Observation:

No formal security awareness exercise has been conducted by the IT department.

Risk:

In the absence of a security awareness exercise, the organization may find it difficult to educate users about relevant security issues and to convey the consequences of a breach of confidentiality or security.

Recommendations:

1. It is highly recommended that the IT security function conduct a security awareness exercise on a periodic basis.
2. It is recommended to include a clause in employment contracts covering the physical security of IT equipment and the confidentiality of data.

Management Response:

Response / Action | Person Responsible | Date for Completion


4.12 Password Standards and Usage (Moderate)

Observation:

According to the IT manager, the IT department follows the Microsoft Windows password standard for IT applications; however:

1. No formal policy and procedure on password standards and usage (e.g. password length, complexity) has been developed for each IT application.
2. There is no evidence that the Microsoft Windows password standard is enforced on the various IT applications.
3. There is no evidence of a clear, predefined policy and procedure for handling invalid logon attempts (e.g. ending the session after three invalid attempts).
4. There is no evidence that users are forced to change their passwords regularly.

Risk:

1. Weak password standards, and their inconsistent implementation, increase the risk of unauthorized access to system resources and of business interruption.
2. Passwords left unchanged for a long period tend to lose their effectiveness and their confidentiality, enabling an unauthorized user to gain access to the system and compromising the confidentiality and integrity of the data held on the computer systems.

Recommendations:

1. It is recommended that the IT department develop an appropriate password standard to be implemented in all application systems.


2. A periodic review should be conducted by the security function to ensure that the password settings of every system are consistently applied according to the approved password standard.
3. It is highly recommended that passwords be changed periodically. Passwords should also be changed immediately if they become known to others, or if an employee with knowledge of one is terminated.

Management Response:

Response / Action | Person Responsible | Date for Completion


4.13 Physical Security (High)

Observation:

During our walkthrough of the CONSUMER PRODUCTS AND RETAIL COMPANY A data center, the following was observed:

1. There is no fire detection and suppression system in the server room.
2. There are no adequate temperature and humidity monitoring arrangements in the server room.
3. There are no CCTV cameras to monitor activity within the server room.
4. The server room is not equipped with a fireproof door.
5. Entry and exit logs of visitors to the server room are not maintained.
6. The server room is secured with a standard lock, and the key is left in the door.
7. No physical security policies and procedures have been developed.
8. There is no evidence of a periodic review of the personnel who have access to the data center.

Risk:

1. Unauthorized access to the data center cannot be detected, which may have serious implications through loss of systems or data. The problem is aggravated by the absence of CCTV cameras.
2. In case of fire, the IT equipment and data located in the server room are at risk of being damaged or destroyed, resulting in severe operational and business disruption.
3. Lack of humidity control and inadequate air conditioning in the data center may degrade the performance of the equipment and subsequently damage it.

Recommendations:


1. It is highly recommended to develop physical security policies and procedures, to be approved and enforced by top management.
2. A periodic review should be conducted by the security function to ensure that the physical security controls are consistently applied.
3. It is highly recommended that physical security logs and the other approved procedures be closely monitored by the IT department.
4. Physical access to the data center should be controlled using electronic locks or access cards.
5. Proper fire detection and suppression systems should be installed and regularly maintained.
6. CCTV cameras should also be installed to monitor the activities of any individual entering the room.
7. A visitor access log for the server room should be maintained, recording:
   a) name and organization of the visitor;
   b) signature of the visitor;
   c) date of access;
   d) time of entry and exit; and
   e) purpose of the visit.

Management Response:

Response / Action | Person Responsible | Date for Completion


4.14 Backup and Data Retention (High)

Observation:

Backups are taken on a regular basis; however:

1. The backup media are not stored at an off-site location. Currently the backups are kept personally by the IT manager.
2. The backup logs are not well maintained.
3. There is no evidence that backup restoration testing is carried out.
4. The current backup and retention policy is too detailed and technical in some areas, while in others, such as restore and retention, it is too high level and may not be clear.

Risk:

1. Exposure to various risks that could ultimately have an undesirable business impact.
2. Loss of critical business information.
3. Unauthorized manipulation of critical data.
4. Without testing of the backups, their effectiveness, accuracy and completeness cannot be assured. Unless they are periodically checked to ensure that they actually contain a readable copy of the data, there is a risk that a backup will not be recoverable in the event of a disaster or business disruption.
5. Without logs or reports of backup restoration testing, there may be a lack of control over the function, increasing the risk that recovery from the backup tapes fails in an emergency.


Recommendations:

1. It is highly recommended to review the backup and retention operations and then develop and implement comprehensive backup policies and procedures for the effective operation of backup and retention. These should be based on internationally recognized frameworks, standards and leading practices.
2. It is highly recommended that CONSUMER PRODUCTS AND RETAIL COMPANY A management select and implement a suitable off-site backup storage location at an adequate distance from the primary data center and its geographic location. The location should be secure and temperature and humidity controlled, and access to the off-site backup media should be adequately controlled.
3. It is recommended to send complete data backups off site on a regular basis.
4. It is recommended that the backup logs be maintained on a daily basis and that transport to the off-site storage location also be recorded.
5. It is recommended that the IT department establish a formal backup restoration testing process to help ensure the reliability of the backups.
6. The backup media should be tested on a periodic basis to ensure that no errors have occurred and that the backup tapes are recoverable; the test results should be documented and retained, and the reports reviewed periodically by the IT manager.
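An added example of the restoration test in recommendations 5 and 6 above; it is not the company's procedure, and it runs on a constructed sample directory inside a temporary folder. A backup is taken together with a manifest of SHA-256 hashes, the archive is restored into an empty directory, every file is compared with the manifest (missing, corrupt and unexpected files are all reported), and the outcome is appended to a test log as the evidence the recommendation asks for. The second run truncates the archive first, to show that unreadable media produces a recorded FAIL rather than a silent success.

```python
"""Backup restoration test: back up a directory with a hash manifest, restore
the archive into an empty directory, verify it file by file, and log the result.

Added example; the sample tree is constructed and the tar.gz format is an
assumption (the report does not say what backup tooling the company uses).
"""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from datetime import datetime
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source, backup_dir, label):
    """Create <label>.tar.gz plus a manifest mapping relative path -> sha256.
    The manifest is what later proves the restore is complete and intact."""
    source, backup_dir = Path(source), Path(backup_dir)
    manifest = {str(p.relative_to(source)): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    archive = backup_dir / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    (backup_dir / f"{label}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return archive, manifest


def restore_and_verify(archive, manifest, restore_dir):
    """Restore into restore_dir (a fresh directory) and compare with the manifest.
    Returns (ok, problems); an unreadable archive is itself a problem."""
    restore_dir = Path(restore_dir)
    problems = []
    try:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):      # Python with extraction filters
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"unreadable archive: {exc}")
    for rel, digest in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != digest:
            problems.append(f"corrupt: {rel}")
    restored = {str(p.relative_to(restore_dir)) for p in restore_dir.rglob("*") if p.is_file()}
    problems += [f"unexpected: {rel}" for rel in sorted(restored - set(manifest))]
    return (not problems), problems


def log_test(log_path, archive, ok, problems, tester):
    """Append one JSON record per restoration test: the evidence the auditors ask for."""
    entry = {"tested_at": datetime.now().isoformat(timespec="seconds"),
             "archive": str(archive), "result": "PASS" if ok else "FAIL",
             "problems": problems, "tester": tester}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def run_demo(corrupt=False):
    """Back up a constructed sample tree, restore it and verify. With corrupt=True
    the archive is truncated before the restore, simulating unreadable media."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, bak, rst = tmp / "data", tmp / "backup", tmp / "restore"
        (src / "erp").mkdir(parents=True)
        bak.mkdir()
        rst.mkdir()
        (src / "erp" / "ledger.csv").write_text("2015-03-01,invoice,1200.00\n")
        (src / "users.txt").write_text("E100 A. Khan\nE101 J. Smith\n")
        archive, manifest = take_backup(src, bak, "weekly-2015-03-06")
        if corrupt:
            os.truncate(archive, archive.stat().st_size // 2)
        ok, problems = restore_and_verify(archive, manifest, rst)
        entry = log_test(bak / "restore-tests.log", archive, ok, problems, "IT manager")
        return ok, problems, entry


if __name__ == "__main__":
    for damaged in (False, True):
        ok, problems, entry = run_demo(corrupt=damaged)
        print(entry["result"], problems)
```

Verifying against a manifest written at backup time, rather than against the live source, is what makes the test meaningful for tapes that are weeks old: the source has moved on, but the manifest says exactly what the tape must still contain. The log line with tester, time, archive and result is the record to retain and have the IT manager review.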

Management Response:

Response / Action | Person Responsible | Date for Completion


4.15 Incident Management (Moderate)

Observation:

1. No formal incident management policy and procedure has been developed and documented.
2. There is no evidence that an incident log is properly maintained for service and security-related incidents.

Risk:

1. Without a detailed incident policy, procedure and log, CONSUMER PRODUCTS AND RETAIL COMPANY A may not adequately capture incident and problem information, resolve incidents in a timely manner, or effectively monitor the progress of their resolution.
2. Furthermore, IT management may be unable to track trends and monitor statistics on the IT problems encountered by users.

Recommendations:

1. It is highly recommended to establish an incident management policy and procedure, formally approved by top management and the IT security function.
2. It is highly recommended to maintain an incident log that captures at least the following information:
   a) Reference number;
   b) Requester name, ID, department and contact information;
   c) Type of incident;
   d) Name of the person recording the incident;
   e) Date and time the incident was recorded;
   f) Method of reporting (telephone, online, e-mail, in person, etc.);
   g) Anticipated timeframe to close the incident;


h) Incident Categorization (common incident categories include Networks and Communication, IT Infrastructure, Software/Systems/Application, End User Computing Machines, Devices and Accessories, IT Service and Support Documentation, IT Premises and Facilities)

i) Incident Status

j) Related Incidents (reference to other related Incidents, if applicable)

k) Incident Impact

l) Incident Urgency

m) Incident prioritization based on urgency and impact

n) Recommended/Implemented solution

o) Related Known Error (reference to any related Known Error)

p) Incident Closure (date of closure, acceptance of the incident requestor, and approval of the Incident Manager)

Alternatively, an incident management solution can be designed and implemented that will enable CONSUMER PRODUCTS AND RETAIL COMPANY A management to track and report on incidents.
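As an added illustration of the incident log fields (a) to (p) listed above, the Python module below models one log record, derives the priority (field m) from impact and urgency, derives the anticipated closure time (field g) from that priority, and enforces the closure conditions of field (p). It is example code, not the company's tooling or part of this audit: the priority matrix, the target closure hours per priority and the two sample incidents are assumptions.

```python
"""Incident log record with urgency/impact prioritization.

Added example for the incident log fields (a) to (p) recommended above. It is
illustrative code, not the company's tooling; the priority matrix, the target
closure times and the sample incidents are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class Level(Enum):
    """Used for both Incident Impact (k) and Incident Urgency (l)."""
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


# Field (h): the categories listed in the recommendation.
CATEGORIES = {
    "Networks and Communication", "IT Infrastructure",
    "Software/Systems/Application", "End User Computing Machines",
    "Devices and Accessories", "IT Service and Support Documentation",
    "IT Premises and Facilities",
}
REPORTING_METHODS = {"Telephone", "Online", "e-mail", "In-Person"}  # field (f)

# Field (m): priority from (impact, urgency). Assumed 3x3 matrix, High..Low.
_RANK = {Level.HIGH: 0, Level.MEDIUM: 1, Level.LOW: 2}
PRIORITY_MATRIX = [  # rows: impact, columns: urgency
    ["P1", "P2", "P3"],
    ["P2", "P3", "P4"],
    ["P3", "P4", "P5"],
]
TARGET_HOURS = {"P1": 4, "P2": 8, "P3": 24, "P4": 72, "P5": 120}  # assumed, field (g)


@dataclass
class Incident:
    reference: str                      # (a)
    requester_name: str                 # (b)
    requester_id: str
    department: str
    contact: str
    incident_type: str                  # (c) e.g. "Service" or "Security"
    recorder: str                       # (d)
    recorded_at: datetime               # (e)
    reporting_method: str               # (f)
    category: str                       # (h)
    impact: Level                       # (k)
    urgency: Level                      # (l)
    status: str = "Open"                # (i)
    related_incidents: List[str] = field(default_factory=list)  # (j)
    solution: Optional[str] = None      # (n)
    known_error: Optional[str] = None   # (o)
    closed_at: Optional[datetime] = None            # (p)
    accepted_by_requester: bool = False
    approved_by_incident_manager: Optional[str] = None

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.reporting_method not in REPORTING_METHODS:
            raise ValueError(f"unknown reporting method: {self.reporting_method}")

    @property
    def priority(self) -> str:          # (m)
        return PRIORITY_MATRIX[_RANK[self.impact]][_RANK[self.urgency]]

    @property
    def target_close_at(self) -> datetime:   # (g)
        return self.recorded_at + timedelta(hours=TARGET_HOURS[self.priority])

    def is_overdue(self, now: datetime) -> bool:
        return self.status != "Closed" and now > self.target_close_at

    def close(self, when: datetime, solution: str, approved_by: str) -> None:
        """(p): closure needs a recorded solution, requester acceptance and
        Incident Manager approval; anything less keeps the incident open."""
        if not solution or not self.accepted_by_requester:
            raise ValueError("closure requires a solution and requester acceptance")
        self.solution, self.closed_at = solution, when
        self.approved_by_incident_manager = approved_by
        self.status = "Closed"


def overdue_references(log: List[Incident], now: datetime) -> List[str]:
    """The monitoring view the risk section says IT management lacks:
    open incidents past their target, highest priority first."""
    late = [i for i in log if i.is_overdue(now)]
    return [i.reference for i in sorted(late, key=lambda i: i.priority)]


def demo() -> dict:
    """Constructed sample: two incidents logged at 09:00, reviewed at 14:00."""
    t0 = datetime(2015, 3, 2, 9, 0)
    common = dict(requester_name="A. User", requester_id="U1001", department="Finance",
                  contact="ext. 123", recorder="helpdesk", recorded_at=t0)
    outage = Incident("INC-0001", incident_type="Security", reporting_method="Telephone",
                      category="Networks and Communication",
                      impact=Level.HIGH, urgency=Level.HIGH, **common)
    mouse = Incident("INC-0002", incident_type="Service", reporting_method="e-mail",
                     category="Devices and Accessories",
                     impact=Level.LOW, urgency=Level.LOW, **common)
    mouse.accepted_by_requester = True
    mouse.close(t0 + timedelta(hours=1), "Replaced device", approved_by="Incident Manager")
    return {
        "priorities": [outage.priority, mouse.priority],
        "overdue_at_14h": overdue_references([outage, mouse], t0 + timedelta(hours=5)),
        "closed": [i.reference for i in (outage, mouse) if i.status == "Closed"],
    }
```

Because priority and target closure time are derived rather than typed in, two recorders logging the same incident get the same answer, and the overdue list gives the trend and statistics view that the risk section above notes is currently missing.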

Management Response:

Response / Action | Person Responsible | Date for Completion


3.16 Business Continuity and Disaster Recovery (Rating: High)

Observation:

1. Although a very high level disaster recovery procedure has been developed, this procedure doesn't address the following:

a) Identification of critical business processes.

b) Process to be followed in case of business disruptions.

c) Persons responsible for restoration of the systems.

d) Plans for testing the DRP and documenting the results.

2. No evidence that disaster recovery plans are documented and maintained.

3. A business continuity plan has not been developed.

Risk:

1. In the absence of a documented DR and BC Plan, staff will not be aware of the functions to be performed in the event of a disaster.

2. Absence of a comprehensive DR and BC Plan increases the risk that the organization will not be able to recover its mission critical systems in a timely manner.

3. Unavailability of business systems and applications would lead to loss of business revenue and loss of customer trust.

Recommendations:

1. It is highly recommended that IT develop a formally documented and approved DRP and BCP for its critical business operations.

2. It is highly recommended that the DRP and BCP developed be periodically tested and that the results of such testing be formally documented.


3. It is recommended that the results of the BCP and DRP testing be regularly reviewed and analysed to ensure that all essential aspects of critical business operations, including logistical issues, have been adequately covered and that relevant individuals are fully aware of their responsibilities in the event of a disaster.

Management Response:

Response / Action | Person Responsible | Date for Completion


3.17 Network Monitoring (Rating: Moderate)

Observation:

1. No network monitoring policy and procedure has been developed.

2. No evidence of network monitoring activities carried out by the IT department.

3. No evidence of a network monitoring tool in place to detect information security breaches on the network.

Risk:

1. Increased risk of network interruptions not being detected in a timely manner.

2. Increased risk of business interruption.

3. Increased risk of customer / user dissatisfaction.

4. Without adequate monitoring and reporting on network performance, that performance may not be properly improved.

Recommendations:

It is highly recommended that IT ensure that a proper network monitoring mechanism is in place that provides for the following:

a) The use of network analysis/monitoring tools should be restricted to authorized users only.

b) Usage reports from service providers (e.g. invoices) should be examined to discover any unusual use of the network.

c) The results of monitoring activities should be reviewed by the network ‘owner’ and presented to the application and installation ‘owners’ to whom services are provided.


Management Response:

Response / Action | Person Responsible | Date for Completion


3.18 Internal Service Level Agreements (Rating: Moderate)

Observation:

The IT Department, which is the IT service provider for CONSUMER PRODUCTS AND RETAIL COMPANY A, does not have a detailed Service Level Agreement (SLA) with the company’s user departments.

Risk:

In the absence of a documented SLA, the objectives set for the services provided by IT for maintaining the users' software, hardware and network may not be clear. Users may not be aware of the normal expected criteria for completion of their tasks. Additionally, IT may not have a benchmark to refer to for monitoring the quality and speed of its service.

Recommendations:

It is recommended that IT consider establishing a clearly documented SLA with user departments to establish better control over the quality and timeliness of service to the users. The SLA should include, at a minimum, the following:

a) IT assets requiring support,

b) Level of support required,

c) Agreed time expectancy for maintenance resolutions,

d) Costs applicable,

e) Method for resolving incomplete/failed performance, and

f) A process for reviewing the SLA at periodic intervals to ensure the user community is satisfied with the level of IT support provided.


Management Response:

Response / Action | Person Responsible | Date for Completion


3.19 Key Performance Indicators (Rating: Moderate)

Observation:

The IT Department has not formally defined KPIs to monitor IT performance.

Risk:

In the absence of formal KPIs, it will be difficult for IT management to assess, quantitatively or qualitatively, the performance of IT processes. Formal KPIs would help management to better plan and forecast IT needs.

Recommendations:

It is highly recommended to develop and approve formal Key Performance Indicators (KPIs) that track predefined activities and serve as management tools to aid IT. Their purpose has many components, including:

a) Monitoring of IT resources

b) Providing assistance in the realignment of IT resources based on existing requirements

c) Establishing current statistics on performance from which to create performance benchmarks to motivate employees and improve performance

d) Ensuring the organization’s processes are properly aligned with the business strategic plan.


Management Response:

Response / Action | Person Responsible | Date for Completion


3.20 Formal Help Desk Functions (Rating: Moderate)

Observation:

IT does not have a formal Help Desk for reporting IT problems and tracking their resolution. Additionally, IT does not utilize any software to aid in problem reporting and resolution management.

Risk:

In the absence of a formal help desk, the following impacts are involved:

a) Problems are not resolved as quickly, because the escalation procedures that would provide better control are absent.

b) It is difficult for users to follow up on their IT problems.

c) There is no formal tracking and classification of IT problems to identify trends and patterns and take proactive steps to resolve them.

d) IT cannot avail itself of some of the more modern help desk/problem reporting and tracking software.

Recommendations:

It is recommended that IT consider formalizing the help desk function through the utilization of help desk automation tools.

Management Response:

Response / Action | Person Responsible | Date for Completion


3.21 System Administrator Activities Logging and Review (Rating: High)

Observation:

Activities of the system administrators of the application, operating systems and database are not logged and reviewed.

Risk:

The system administrator has access to all system files, utilities, security settings etc. and has the ability to change the system’s operating characteristics. In the absence of a formal, independent and timely review, any unauthorized changes to the system may not be detected.

Recommendations:

It is highly recommended that all system administrator activities be logged and reviewed by the Security function. Justification for all changes should be investigated and documented. Further, access to the system administrator activity log should only be available to the Security officer.
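The following Python script is an added illustration of the review recommended above: it reads privileged-command entries from an operating system sudo log, matches each against a register of approved changes, and separates justified activity from exceptions the Security officer would investigate and document. It is example code, not the company's process or part of this audit; the log lines, host names, administrator accounts, change ticket number and change window are all constructed for the example.

```python
"""Privileged-activity review: match sudo log lines against approved changes.

Added example for the recommendation above that system administrator
activity be logged and reviewed by the Security function with a justification
for every change. It is illustrative code, not the company's process; the log
lines, host names, ticket number and change register are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Successful sudo invocation as written to syslog, e.g.
# "Mar 31 09:12:01 erp-db sudo: dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; COMMAND=..."
# Failed attempts ("user NOT in sudoers") deliberately do not match; they are
# a separate alert, not a change to be justified.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"TTY=\S+ ; PWD=.*? ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


@dataclass(frozen=True)
class PrivilegedAction:
    when: datetime
    host: str
    admin: str
    run_as: str
    command: str


@dataclass(frozen=True)
class ApprovedChange:
    """One entry of the change register held by the reviewer (an assumption):
    which administrator may run which command, on which host, in which window."""
    ticket: str
    admin: str
    host: str
    start: datetime
    end: datetime
    command_prefix: str

    def covers(self, a: PrivilegedAction) -> bool:
        return (a.admin == self.admin and a.host == self.host
                and self.start <= a.when <= self.end
                and a.command.startswith(self.command_prefix))


def parse_sudo_log(lines: List[str], year: int) -> List[PrivilegedAction]:
    """Syslog timestamps carry no year, so the reviewer supplies it."""
    actions = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        actions.append(PrivilegedAction(when, m["host"], m["user"], m["target"], m["cmd"]))
    return actions


def review(actions: List[PrivilegedAction],
           register: List[ApprovedChange]) -> Dict[str, List[str]]:
    """Split actions into justified (covered by a ticket) and exceptions that
    the Security officer must investigate and document."""
    result: Dict[str, List[str]] = {"justified": [], "exceptions": []}
    for a in actions:
        ticket = next((c.ticket for c in register if c.covers(a)), None)
        line = f"{a.when:%Y-%m-%d %H:%M} {a.host} {a.admin}->{a.run_as}: {a.command}"
        if ticket:
            result["justified"].append(f"{ticket} {line}")
        else:
            result["exceptions"].append(line)
    return result


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Mar 31 09:12:01 erp-db sudo:    dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; "
    "COMMAND=/usr/bin/systemctl restart postgresql",
    "Mar 31 09:14:30 erp-db sudo:    dba : TTY=pts/0 ; PWD=/home/dba ; USER=root ; "
    "COMMAND=/usr/bin/vi /etc/sudoers",
    "Mar 31 11:02:17 erp-app sudo:   ops : TTY=pts/1 ; PWD=/opt ; USER=root ; "
    "COMMAND=/usr/sbin/useradd svc-report",
    "Mar 31 11:05:44 erp-app sudo:   ops : user NOT in sudoers ; TTY=pts/1 ; PWD=/opt ; "
    "USER=root ; COMMAND=/bin/bash",
    "Mar 31 12:00:00 erp-app sshd[1234]: Accepted publickey for ops from 10.0.0.5",
]

# Constructed change register: one approved restart inside a one-hour window.
REGISTER = [
    ApprovedChange("CHG-2015-031", "dba", "erp-db",
                   datetime(2015, 3, 31, 9, 0), datetime(2015, 3, 31, 10, 0),
                   "/usr/bin/systemctl restart postgresql"),
]


def demo() -> Dict[str, List[str]]:
    return review(parse_sudo_log(SAMPLE_LOG, 2015), REGISTER)


if __name__ == "__main__":
    for bucket, lines in demo().items():
        print(bucket.upper())
        for entry in lines:
            print("  " + entry)
```

The review only has value if the administrators being reviewed cannot edit what it reads, which is the point of the recommendation that the log be available only to the Security officer: in practice that means forwarding the log from each host to a collector the administrators have no write access to, and running the review there.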

Management Response:

Response / Action | Person Responsible | Date for Completion
