Professional Documents
Culture Documents
The objective of this audit is to assist UNCCG in reviewing its enterprise data warehouse
technology platform. The scope of work for this audit will consist of <XXXX> hours of
professional services and the objectives for this audit will include a review of the following
control points:
▪ Business Integration
o Service Delivery (Business Process Integration and Analysis)
o Project Management
o Help Desk
Audit Approach
Our approach for the execution of this audit engagement will consist of interviews with key
employees, review of documents, inspections, data extractions and the usage of applicable
audit tools. The audit will consist of the components described below. The phases are listed
in sequential order and should provide an overview of the sequencing of the proposed
engagement.
2. Execution phase – Once the audit program Results from the execution
has been finalized, and the appropriate of the detailed Audit
resources have been identified, fieldwork will Program
proceed in accordance with the audit plan.
Working papers that
support the results from
the detailed Audit
Program
3. Reporting phase – All IT audit work is Draft report for
summarized in the IT audit report. Our discussion containing an
team will compile and present a draft report executive summary, audit
to UNCCG management within three weeks findings and
of completing the execution phase. The recommendations for
purpose of this draft is discussion and improvement.
incorporation of any comments prior to
Final report with edits and
issuing a final report to UNCCG.
comments from UNCCG
management
Risk Assessment
Based on the information provided by UNCCG during our initial conversation, combined with
our understanding about the business environment in which UNCCG operates, we have
formulated the following risk considerations that we understand are relevant to your
business. Our goal is to incorporate these risk considerations in our audit program to be
developed in the Mobilization Phase of this engagement.
Although this legal requirement may not have a direct impact on the data warehouse
applications subject to this audit, once it is not categorized as a “financial reporting
related” application, it may have an indirect impact in the case that technology
infrastructure is common among the financial reporting systems and the data warehouse
applications. Technology infrastructure (operations, security, processes, people) that
support financial reporting systems are subject to SOX compliance requirements.
2 Privacy regulations
The Personal Data Privacy & Security Act of 2005 bill states that organizations must
“adopt reasonable procedures to ensure the security, privacy and confidentiality of
personally identifiable information” and notify relevant governing bodies when security
breaches occur. The bill also states that, if there is reason to believe the stolen data
can be used for identity theft, then the organization must make public notification. We
have seen increased pressure in the marketplace pushing companies to move to a
better defined and better controlled data privacy controls environment. We understand
that a significant portion of UNCCG’s revenue comes from check cards, credit and debit
card transactions on which some consumer information is collected, processed and may
or may not be stored. It is our understanding that payment information processing is
processed externally. In addition, UNCCG’s consumer loyalty program collects and
stores consumer private information such as telephone numbers, addresses, names and
a history of purchases. Based on those facts, we understand that current and future
privacy regulations are a relevant risk to the business at UNCCG that has both a
regulatory impact and also a brand impact, given that fact that future privacy breaches
will be required to be made public.
In addition, UNCCG indicated that it relies on a third party vendor, located in India, to
perform program change and program development functions for the data warehouse (DW)
management system. This external vendor has remote access to the UNCCG environment.
We understand that, even though UNCCG has outsourced program change and program
development functions to a third party vendor, it is still responsible for ensuring the
accuracy, completeness and appropriateness of program changes and developments on the
DW environment.
In order to perform their business function, both these vendors will have the ability to get
access to sensitive enterprise data including consumer information. Based on that fact,
we consider that this is a relevant risk to the company’s IT environment.
Risk category: Credit Risk/Technology Risk
We understand that a significant portion of UNCCG’s revenue comes from check cards,
credit cards and debit cards transactions, which are processed externally (for approval
purposes) and stored by one of the company’s mainframe based systems (for
reconciliation and historic purposes). Unavailability of either the external processing
vendor or of the mainframe-based system would cause point of sales systems (POS) at
the stores to operate in an “offline mode” and only cash payments would be allowed, until
functionality is completely restored. Based on that information, we consider that
unavailability of card payment applications is a relevant risk to the business that has a
direct impact on the customer’s perception of quality of service and a direct impact on
sales.
Communications
Through regular meetings and ongoing communication with management, we will establish
a relationship of openness and teamwork through which we can discuss significant audit
findings, recommendations for improving internal controls or operations, and current
industry issues (or any other issues management wishes to discuss), and ultimately
develop solid solutions without surprises. We commit to holding regular meetings with
management, both formally and informally, to foster such a relationship.
Management letters and communication are an important element of professional service.
It is our policy to discuss our findings and recommendations with the appropriate members
of management prior to issuance so that we can verify factual accuracy. Our final report
will only include findings and recommendations considered significant. Other matters will
be communicated throughout the engagement and during our regular meetings and
fieldwork.
Planned schedule
GF Consulting estimates this engagement will require approximately xxxx weeks of effort,
and we are prepared to begin fieldwork on a date mutually agreed upon with UNCCG. In
addition, we understand the final report for this audit must be completed no later than July
15, 2006.
APPENDIX I – Sample Advanced Data Request
The following information would be helpful in evaluating the existing data warehouse
environment to the extent it already exists.
1. Organization Charts
a. Technology (Development and Operations)
b. Business
2. Telephone Directory
3. User Documentation
a. Data warehouse user training guides
b. Data warehouse user operational manuals
4. Systems documentation
a. Application architecture (including an explanation of any automated interfaces)
b. Systems operations overview (platform and network)
c. Third party vendor agreements
Individual Role
Jerry Lewis Chief Information Officer
Brunno Rodriguez Chief Security Officer
Chris Poknis Vendor Relationship Manager
Andy Tatum IT Operations Manager
Andrew Deloach Database Administrator (DBA)
Chris Maiden Data Warehouse Lead
Mike Maher Data Warehouse Service Delivery Manager
Josh Smith Data Warehouse Architect
Amanda Fernandez SAP Project Lead
Steve Lucas Data Warehouse Senior Analyst
APPENDIX II – Sample Interview request
Individual Role
Jerry Lewis Chief Information Officer
Brunno Rodriguez Chief Security Officer
Chris Poknis Vendor Relationship Manager
Andy Tatum IT Operations Manager
Andrew Deloach Database Administrator (DBA)
Chris Maiden Data Warehouse Lead
Mike Maher Data Warehouse Service Delivery Manager
Josh Smith Data Warehouse Architect
Amanda Fernandez SAP Project Lead
Steve Lucas Data Warehouse Senior Analyst