
Audit Scope

The objective of this audit is to assist UNCCG in reviewing its enterprise data warehouse
technology platform. The scope of work for this audit will consist of <XXXX> hours of
professional services and the objectives for this audit will include a review of the following
control points:

▪ Data Warehouse Management
o Data Warehouse Governance
o Financial Management
o Risk Management
o Human Resources
o Portfolio Project Management

▪ Data Warehouse Operations
o DW Architecture and Integration
o Systems Development and Testing
o Change Management
o System Monitoring
o Problem Management
o Logical Security
o Data Transmission
o Metadata

▪ Business Integration
o Service Delivery (Business Process Integration and Analysis)
o Project Management
o Help Desk

Audit Approach
Our approach for the execution of this audit engagement will consist of interviews with key
employees, review of documents, inspections, data extractions and the usage of applicable
audit tools. The audit will consist of the components described below. The phases are listed
in sequential order and should provide an overview of the sequencing of the proposed
engagement.

Phase description and deliverables

1. Mobilization phase – GF Consulting will perform the following:
➢ Develop and provide to UNCCG an advanced data request (ADR) of the relevant documents and materials that will support our fieldwork.
➢ Develop and provide to UNCCG an initial interview list of those business and IT professionals that we anticipate needing to meet with in order to perform this audit.
➢ Develop an audit program to guide activities during the course of this audit. The audit program guide should include a list of the controls that would be reviewed along with a defined approach for understanding the design of the control and how it would be tested to determine if it was operating effectively.

Deliverables:
▪ Advanced data requests (see appendix for a sample request)
▪ Interview lists of key employees that we would like to interview (see appendix for a sample list)
▪ Detailed Audit Program document(s) for each of the following areas: Data Warehouse Management, Data Warehouse Operations and Business Integration.

2. Execution phase – Once the audit program has been finalized, and the appropriate resources have been identified, fieldwork will proceed in accordance with the audit plan.

Deliverables:
▪ Results from the execution of the detailed Audit Program
▪ Working papers that support the results from the detailed Audit Program

3. Reporting phase – All IT audit work is summarized in the IT audit report. Our team will compile and present a draft report to UNCCG management within three weeks of completing the execution phase. The purpose of this draft is discussion and incorporation of any comments prior to issuing a final report to UNCCG.

Deliverables:
▪ Draft report for discussion containing an executive summary, audit findings and recommendations for improvement.
▪ Final report with edits and comments from UNCCG management

Risk Assessment

Based on the information provided by UNCCG during our initial conversation, combined with
our understanding about the business environment in which UNCCG operates, we have
formulated the following risk considerations that we understand are relevant to your
business. Our goal is to incorporate these risk considerations in our audit program to be
developed in the Mobilization Phase of this engagement.

Risk category: Regulatory Risk

1 As a publicly traded company, UNCCG is subject to compliance with the Sarbanes-Oxley
Act of 2002 (SOX). As a result, UNCCG’s management must:

▪ Accept responsibility for the effectiveness of the company’s internal control
over financial reporting.
▪ Evaluate the effectiveness of the company’s internal control over financial
reporting using suitable control criteria.
▪ Support its evaluation with sufficient evidence, including documentation.
▪ Present a written assessment of the effectiveness of the company’s internal
control over financial reporting as of the end of the company’s most recent
fiscal year.

Although this legal requirement may not have a direct impact on the data warehouse
applications subject to this audit, since they are not categorized as “financial reporting
related” applications, it may have an indirect impact where technology
infrastructure is shared between the financial reporting systems and the data warehouse
applications. Technology infrastructure (operations, security, processes, people) that
supports financial reporting systems is subject to SOX compliance requirements.

Risk category: Technology/Reputational Risk

2 Privacy regulations

The Personal Data Privacy & Security Act of 2005 bill states that organizations must
“adopt reasonable procedures to ensure the security, privacy and confidentiality of
personally identifiable information” and notify relevant governing bodies when security
breaches occur. The bill also states that, if there is reason to believe the stolen data
can be used for identity theft, then the organization must make public notification. We
have seen increased pressure in the marketplace pushing companies toward a
better defined and better controlled data privacy controls environment. We understand
that a significant portion of UNCCG’s revenue comes from check card, credit card and debit
card transactions, in which some consumer information is collected, processed and may
or may not be stored. It is our understanding that payment information is
processed externally. In addition, UNCCG’s consumer loyalty program collects and
stores consumer private information such as telephone numbers, addresses, names and
a history of purchases. Based on those facts, we understand that current and future
privacy regulations are a relevant risk to the business at UNCCG that has both a
regulatory impact and a brand impact, given the fact that future privacy breaches
will be required to be made public.

Risk category: Operational Risk

3 External Vendor’s access to enterprise data

Based on the information provided by UNCCG during our initial conversations, we
understand that credit and debit card payment processing is outsourced to an external
vendor.

In addition, UNCCG indicated that it relies on a third party vendor, located in India, to
perform program change and program development functions for the data warehouse (DW)
management system. This external vendor has remote access to the UNCCG environment.
We understand that, even though UNCCG has outsourced program change and program
development functions to a third party vendor, it is still responsible for ensuring the
accuracy, completeness and appropriateness of program changes and developments on the
DW environment.

In order to perform their business functions, both of these vendors will have the ability to
access sensitive enterprise data, including consumer information. Based on that fact,
we consider this a relevant risk to the company’s IT environment.

Risk category: Credit Risk/Technology Risk

4 Unavailability of credit and/or debit card processing application

We understand that a significant portion of UNCCG’s revenue comes from check card,
credit card and debit card transactions, which are processed externally (for approval
purposes) and stored by one of the company’s mainframe-based systems (for
reconciliation and historical purposes). Unavailability of either the external processing
vendor or of the mainframe-based system would cause the point-of-sale (POS) systems at
the stores to operate in an “offline mode” in which only cash payments would be allowed, until
functionality is completely restored. Based on that information, we consider that
unavailability of card payment applications is a relevant risk to the business that has a
direct impact on customers’ perception of quality of service and a direct impact on
sales.

Communications
Through regular meetings and ongoing communication with management, we will establish
a relationship of openness and teamwork through which we can discuss significant audit
findings, recommendations for improving internal controls or operations, and current
industry issues (or any other issues management wishes to discuss), and ultimately
develop solid solutions without surprises. We commit to holding regular meetings with
management, both formally and informally, to foster such a relationship.
Management letters and communication are an important element of professional service.
It is our policy to discuss our findings and recommendations with the appropriate members
of management prior to issuance so that we can verify factual accuracy. Our final report
will only include findings and recommendations considered significant. Other matters will
be communicated throughout the engagement and during our regular meetings and
fieldwork.

Planned schedule
GF Consulting estimates this engagement will require approximately xxxx weeks of effort,
and we are prepared to begin fieldwork on a date mutually agreed upon with UNCCG. In
addition, we understand the final report for this audit must be completed no later than July
15, 2006.

APPENDIX I – Sample Advanced Data Request

The following information would be helpful in evaluating the existing data warehouse
environment to the extent it already exists.

1. Organization Charts
a. Technology (Development and Operations)
b. Business

2. Telephone Directory

3. User Documentation
a. Data warehouse user training guides
b. Data warehouse user operational manuals

4. Systems documentation
a. Application architecture (including an explanation of any automated interfaces)
b. Systems operations overview (platform and network)
c. Third party vendor agreements

5. Management procedures and policies
a. Operations Management (system monitoring, maintenance, and/or
scheduled support)
b. Information Security (logical access)
c. Change Management (change control and configuration management)
d. Business Continuity Plan(s)
e. Disaster Recovery Plan(s)
f. Problem Management

APPENDIX II – Sample Interview request

The following is a list of individuals we anticipate will likely be requested to participate in a
one-hour interview with one of our team members. Scheduling will be arranged by our team
in observance of UNCCG’s personnel commitments and priorities. Other interviews may be
determined necessary as we make progress, and we will make our best efforts to
communicate this as soon as possible so they can be scheduled in a non-disruptive manner.

Individual Role
Jerry Lewis Chief Information Officer
Brunno Rodriguez Chief Security Officer
Chris Poknis Vendor Relationship Manager
Andy Tatum IT Operations Manager
Andrew Deloach Database Administrator (DBA)
Chris Maiden Data Warehouse Lead
Mike Maher Data Warehouse Service Delivery Manager
Josh Smith Data Warehouse Architect
Amanda Fernandez SAP Project Lead
Steve Lucas Data Warehouse Senior Analyst