Reference no: EM132938727
Assignment
SeneTech Inc.
Background
SeneTech Inc. is a retail and wholesale business focusing on IT hardware. Its head office is located in Bangkok, Thailand. SeneTech has 20 branches located all over Bangkok. The centralized data center is in Bangkok. SeneTech has more than 20,000 product items. SeneTech implemented a new Warehouse Management System to improve the efficiency of its warehouse operations and a new Mobile Store System to increase its competitive advantage and support the significant increase in sales transactions. Both the Warehouse Management System and the Mobile Store System are integrated with the Enterprise Resource Planning (ERP) system. The Warehouse Management System was implemented to assist SeneTech in controlling the movement and storage of its inventory and related processes such as shipping, receiving, fulfillment, and packing. The Mobile Store System is an application which facilitates completion of sales transactions on the sales floor by SeneTech sales employees. This means that a customer does not have to wait in line to pay at a cash register.
IT Organization
During an interview with the IT manager, you noted that there are two divisions - the Operations Division and the Application & Change Development Division.
The job descriptions for each division are as follows.
Operations Division:
o Back up applications, database, operating systems, and configurations
o Restore data based on user request
o Manage and maintain user profiles and authorizations
Application & Change Development Division:
o Develop and test applications
o Transfer applications from the test environment to production environment
o Coordinate with IT vendors
o Manage and maintain databases
o Assign database access authority to users
o Review and set up security configurations
Your review of the long- and short-term IT plans showed that SeneTech has three major projects - Enterprise Resource Planning System (ERP) project, Warehouse Management System project, and Mobile Store System project. In the past, SeneTech used accounting software and a point-of-sale system, but both were not integrated with each other. When a customer purchased a product, a salesperson recorded a sales transaction into the point-of-sale system and printed a sales invoice and a receipt for the customer. The next morning, the salesperson submitted an original sales invoice and a copy of the receipt to accounting personnel. Accounting personnel then recorded the sales transactions in the accounting software. Due to the increased number of sales transactions, it became impossible for the accounting staff to re-key all the sales transactions into the accounting system. SeneTech decided to implement a new ERP system to increase its competitive advantage and provide accurate and timely information to management. Since the current point-of-sale system could not integrate with the new ERP system, SeneTech decided to change the current point-of-sale system to a Mobile Store System. A Mobile Store System is an application which facilitates completion of sales transactions on the sales floor by SeneTech salespeople and at the cash registers. With this system, SeneTech can reduce congestion at cash registers and a customer does not have to wait in line to pay. If customers wish to pay on the sales floor instead of at the cash registers, they must pay by either credit or debit card.
SeneTech decided to implement the Warehouse Management System due to its numerous product items and to assist it in controlling the movement and storage of inventory and processes such as shipping, receiving, fulfillment, and packing.
Both the long- and short-term IT plans are reviewed and approved by the IT manager and top management. The IT manager has to report the progress of major projects to top management every quarter.
System Acquisition, Development and Change
During an interview with the IT manager, you learned that SeneTech established a change management procedure. Before changing or upgrading an application, a change request form must be initiated by a requester. A requester completes the form, which is approved by the requester's department manager. The requester forwards the approved request form to the assistant IT manager of application and change, who logs each request in a change request log, a listing of all requested changes and the status of the requests. After receiving the change request, the assistant IT manager of application and change assigns this request to his team to perform a system analysis and estimate the required development hours. He will give the final approval for the request after he receives the analysis results and time estimate. If the request is not approved, he will inform the requester via email. If the request is approved, he will assign the change to his team members and inform the requester via email. The application programmer copies the source code from the system's production environment to the development environment and makes the change. The programmer uses the production data to test the program in the development environment. The requester is required to perform user acceptance tests and sign off on the change request form. After sign-off, the programmer modifying the program will migrate the program from the development environment to the production environment and sign off to close the job in the change request form. Finally, the programmer submits this form to the assistant IT manager of application and change to update the change request log. Your review of the change request log showed that there are only 30 requests. All the requests are for new reports or adjustments to reports.
Upon review of the user acceptance documents of the ERP and Warehouse Management System, you found that the IT application personnel are responsible for creating test scripts and testing both systems prior to implementation. In addition, all documentation used for implementing the ERP and Warehouse Management System has not been received from the vendors. The IT manager told you that the vendors have been preparing these even though this project has been live for three months. Moreover, there is no user manual for the ERP and Warehouse Management System.
Your review of the vendor selection supporting documents for the Mobile Store System revealed that the assistant IT manager of application and change is responsible for evaluating and selecting applications. In addition, you found that there is no system analysis report. A system analysis report summarizes the preliminary review of the user and system requirements. Your interview of the assistant IT manager of application and change indicated that SeneTech has not updated, patched, or upgraded the operating systems in use. The assistant IT manager of application and change explained that the applications might not run properly if the operating systems were patched or upgraded.
Computer Operation
You interviewed the IT manager and learned that SeneTech established a computer operation manual and kept this manual in the data center. This manual describes the backup and restoration processes of all systems. The backups of the application systems are automated and performed as part of the day-end processing. SeneTech performs a full backup of all its data each day onto backup tapes. The backup tapes are kept in a fire-proof safe located in the data center. The IT manager indicated that SeneTech was in the process of selecting an off-site backup location where all the backup tapes would be kept. SeneTech established both business continuity and IT disaster recovery plans to mitigate the risk of system disruption. However, these plans have not been tested.
Information Security
SeneTech established an IT security policy which required all personnel to attend an IT security training class. SeneTech also implemented a domain controller to ensure that users are authenticated before they access the systems.
The password policy states as follows:
• Passwords should be established for individual users to maintain accountability
• The minimum password length is 6 characters
• Passwords should be changed every 90 days
• Passwords should consist of letters (a-Z), numbers (0-9), and other special characters (such as "?", "#", "$", or "%")
The security configurations for domain controller, ERP, Warehouse Management System, and Mobile Store System are as follows:
Configuration          Domain Controller   ERP             Warehouse Management System   Mobile Store System
Password Length        8                   8               8                             8
Password Expiration    120                 120             -                             -
Password Complexity    Y                   Y               N                             N
Failed Login Attempt   3                   -               -                             -
Time-out facility      N                   Not Supported   Not Supported                 Not Supported
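The table above is the kind of evidence an ITGC reviewer compares line by line against the written policy. The following script is an added illustration (not part of the case materials and not anything SeneTech uses): it transcribes the policy and the configuration table from the page into data structures and reports, for each system, where the configuration falls short of the written policy and which access controls are absent or unsupported. The gap-reporting logic and the `PasswordConfig` structure are assumptions about how one might automate this review.

```python
"""Compare each system's configured password settings with the written policy.

Added illustration for the SeneTech case: the values are transcribed from the
case text; the checking logic is an assumption, not SeneTech's own tooling.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordConfig:
    system: str
    min_length: int
    expiration_days: Optional[int]   # None: no expiration set ("-" in the table)
    complexity: bool                 # Y/N in the table
    lockout_attempts: Optional[int]  # None: no lockout configured ("-")
    timeout: Optional[bool]          # None: product does not support it; False: supported but off


# Written policy, as stated in the case.
POLICY = {"min_length": 6, "max_expiration_days": 90, "complexity": True}

# Security configuration table, transcribed from the case.
CONFIGS = [
    PasswordConfig("Domain Controller", 8, 120, True, 3, False),
    PasswordConfig("ERP", 8, 120, True, None, None),
    PasswordConfig("Warehouse Management System", 8, None, False, None, None),
    PasswordConfig("Mobile Store System", 8, None, False, None, None),
]


def policy_gaps(cfg: PasswordConfig, policy: Dict = POLICY) -> List[str]:
    """Settings that fall short of what the written policy requires."""
    gaps = []
    if cfg.min_length < policy["min_length"]:
        gaps.append(f"minimum length {cfg.min_length} < policy {policy['min_length']}")
    if cfg.expiration_days is None:
        gaps.append(f"no expiration set (policy: {policy['max_expiration_days']} days)")
    elif cfg.expiration_days > policy["max_expiration_days"]:
        gaps.append(f"expiration {cfg.expiration_days} days > policy {policy['max_expiration_days']}")
    if policy["complexity"] and not cfg.complexity:
        gaps.append("complexity not enforced")
    return gaps


def control_gaps(cfg: PasswordConfig) -> List[str]:
    """Controls the written policy is silent on but a reviewer would still expect."""
    gaps = []
    if cfg.lockout_attempts is None:
        gaps.append("no lockout after failed logins")
    if cfg.timeout is None:
        gaps.append("session time-out not supported")
    elif not cfg.timeout:
        gaps.append("session time-out disabled")
    return gaps


def assess_all(configs=CONFIGS, policy=POLICY) -> Dict[str, Dict[str, List[str]]]:
    """Per-system findings, split into policy deviations and missing controls."""
    return {c.system: {"policy": policy_gaps(c, policy),
                       "controls": control_gaps(c)} for c in configs}


def policy_weaker_than_practice(configs=CONFIGS, policy=POLICY) -> List[str]:
    """Policy items every system already exceeds: a sign the policy is out of date."""
    stale = []
    if all(c.min_length > policy["min_length"] for c in configs):
        stale.append("min_length")
    return stale


if __name__ == "__main__":
    for system, findings in assess_all().items():
        print(system)
        for kind, items in findings.items():
            for item in items:
                print(f"  [{kind}] {item}")
    print("policy weaker than practice:", policy_weaker_than_practice())
```

Two things the output makes visible that a prose reading can miss: the policy and the configuration disagree in both directions (every system enforces a longer minimum than the policy demands, while the two systems that expire passwords do so later than the policy allows), and "Not Supported" for a control is itself a finding to carry into the memo, since no configuration change can close it.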
The assistant IT manager of operations is responsible for maintaining user profiles and authorization lists. To request a new user, termination of a user account, or a user's authorization modification, a requester must fill out a user request form and submit it to the requester's department manager for approval. The approved form is then submitted to the assistant IT manager of operations. The manager creates, changes, or deletes a user account only after the approved user request form has been received. Since SeneTech does not have an authorization matrix for each position, the assistant IT manager of operations sets up the authorization based on the requirements in the user request form.
Upon reviewing the IT security policy, you learned that the failed login log of the domain controller must be reviewed by the assistant IT manager of operations on a monthly basis. However, you found that an IT operations staff member reviewed the failed login attempts in the domain controller at the end of each month, signed off as the preparer, and submitted the report to the assistant IT manager of operations for final review. You noticed that the assistant IT manager of operations did not sign off as the reviewer, although he indicated that he reviewed this report every month.
The IT security policy states that each department manager should review the list of current users and their authorization at least once a year. You noted during your interview of the assistant IT manager of operations that the list of current users and their authorization would be reviewed in the fourth quarter. You learned that the human resource manager was currently responsible for reviewing the list of current users and their authorizations on behalf of all the department managers. In addition, you noted that the administrator user names and passwords for every system are shared among the IT manager, assistant IT manager of application and change, and assistant IT manager of operations.
When you visited the data center, you noticed that a finger scan system was implemented in front of the SeneTech data center so that only authorized IT employees are allowed access to the data center. All visitors to the data center are required to sign their names in the visitor log book and be escorted by an authorized IT employee. Your review of the visitor log book showed that the visitors wrote their names, the dates of their visit, time in, time out, company name, and the purposes of their visits in the visitor log book. The authorized IT employee escorting the visitor also signed his or her name in the visitor log book. When you visited the data center, an authorized IT employee escorted you at all times. Your review of the list of authorized IT employees showed that all IT staff could access the data center. When observing the data center, you noted that the data center is located on the second floor of the SeneTech building and that the data center is about 25 square meters in area. Two smoke detectors, a fire alarm, a fire suppression machine and two air conditioners were in the data center. The temperature was 22 degrees Celsius during your visit. However, you noted that uninterruptible power supplies for the servers and IT equipment were not installed.
Case Requirements
SeneTech is a new client of your audit firm. Your audit manager assigned you to identify weaknesses in the IT general controls. Write a memo to document all the IT general control issues you have identified.
Attachment: Sene Tech.rar