ITGC Area | Summary of Issue | Strength or Weakness
--- | --- | ---
IT Management | FFC has an IT strategic plan | Strength
IT Management | The CIO reports only to the Chief Financial Officer | Weakness
IT Management | Applications, Operations, Information Security, and Database Administration all report to the CIO | Weakness
IT Management | FFC has an IT steering committee consisting of: 1. the Senior Vice President (SrVP) and Chief Information Officer (CIO); 2. the VP, Applications; 3. the VP, Data Base Administration (DBA); 4. the VP, Operations; 5. the VP, Information Security (IS); 6. the Executive Vice President and Chief Financial Officer (CFO); 7. the SrVP, Internal Audit | Strength
Systems Development | FFC designs, develops, and implements systems in a logical fashion | Strength
Systems | |

In addition, the organization treats internal controls as an integral part of systems design, and IT personnel adequately tested the new bio-coding payment system prior to its implementation, so we assessed the risk in this area as low. However, FFC's Internal Audit Department participates as a voting member of the project teams, and Internal Audit performs post-implementation reviews on all projects over $2 million. Internal Audit should remain independent and should not be a member of the project team.

Third, the risk assessment in the area of Data Security is high. Although physical access to the data center computer room is tightly controlled, logical access is weakly controlled. To control physical access, FFC's computer room within its data center is locked at all times. All outsiders must first contact the data center manager in order to enter the computer room; each must present an official picture ID, sign a visitors' log, and be escorted at all times by data center personnel during the visit. The computer room also has environmental controls, which are tested semi-annually.
However, the Human Resources Department forwards the Transfers and Terminations report only once a month, not immediately after an employee is transferred or terminated, so access removal for departed or transferred staff can lag by up to a month. The security policy is not current; it was last revised in 2005. The system generates a logical access violation report daily, but the company policy only requires the Vice