Tampa Bay Office Furniture Inc.: A Case Study

Tampa Bay Office Furniture Inc.:
A Case Study
Tampa Bay Office Furniture Inc.: A Case Study
ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of
knowledge, certifications, community, advocacy and education on information systems (IS) assurance and
security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in
1969, the non-profit, independent ISACA hosts international conferences, publishes the ISACA® Journal,
and develops international IS auditing and control standards, which help its constituents ensure trust in,
and value from, information systems. It also advances and attests IT skills and knowledge through the
globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security
Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and
Information Systems Control• (CRISC•) designations. ISACA continually updates COBIT®, which
helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created Tampa Bay Office Furniture Inc.: A Case Study (the ‘Work’) primarily
as an educational resource for those seeking to understand COBIT and Val IT. ISACA makes no claim
that use of any of the Work will assure a successful outcome. The Work should not be considered
inclusive of all proper information, procedures and tests or exclusive of other information, procedures and
tests that are reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, enterprise leaders and IT governance, management and assurance
professionals should apply their own professional judgement to the specific control circumstances
presented by the particular systems or information technology environment. The example companies,
organisations, products, domain names, e-mail addresses, logos, people, places and events depicted herein
are fictitious. No association with any real company, organisation, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred.
Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means
(electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of
ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic,
internal and non-commercial use and for consulting/advisory engagements, and must include full
attribution of the material’s source. No other right or permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
Tampa Bay Office Furniture Inc.: A Case Study
CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries
throughout the world.
© 2011 ISACA
All rights reserved.
Page 2
Tampa Bay Office Furniture Inc.: A Case Study
Acknowledgements
ISACA wishes to recognise:
Author
Uday Murthy, Ph.D., ACA, ISACA Academic Advocate, University of South Florida, School of
Accountancy, USA
ISACA Board of Directors
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, Forfa AG, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International
President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management, USA, ITGI Trustee
Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA
Academic Program Subcommittee
Henny J. Claessens, CISA, CISM, CGEIT, Maastricht University, Netherlands, Chair
Claudio Cilli, CISA, CISM, CGEIT, CRISC, CIA, CISSP, CSSLP, University of Rome, Italy
Graham Gal, Ph.D., University of Massachusetts, USA
Yonosuke Harada, CISA, CISM, CGEIT, CAIS, Institute of Information Security, Japan
Sharon Finney, CISM, CISSP, Adventist Health System, USA
M. Richard Moore III, CISM, CISSP, GPEN, MSIA, Nthnet, USA
Vincent Orrico, Ph.D., CISA, CGEIT, CBCLA, CBCP, CISSP, Optimal Vantage Strategies LLC, USA
Krishna Seeburn, CIA, CISSP, CFE, PMP, University of Technology, Mauritius
Lolita E. Vargas-DeLeon, CISA, CIA, CPA, Puerto Rico
© 2011 ISACA
All rights reserved.
Page 3
Tampa Bay Office Furniture Inc.: A Case Study
ISACA and IT Governance Institute® (ITGI®) Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.
© 2011 ISACA
All rights reserved.
Page 4
Tampa Bay Office Furniture Inc.: A Case Study
Tampa Bay Office Furniture Inc.
Tampa Bay Office Furniture Inc. (TBOF) is a publicly held company that manufactures office furniture.
The company has two sales offices and a manufacturing plant in the Tampa Bay area. The company has
an IBM AS/400-based accounting system that was implemented three years ago. The system was
developed in-house. Internally, the company has installed a Novell network that connects all employee
desktop computers to the AS/400 system. You are part of the IT audit team in the audit firm performing
the independent audit of TBOF. You have been assigned to review and evaluate the IT general controls
over:
x Access to the system
x Program change procedures
x Computer operations
As part of the audit process, you have interviewed various personnel in TBOF’s computer department,
beginning with Mr. David Smith who is the manager of the IT department at TBOF. You have also
observed personnel performing their regularly assigned duties and reviewed systems documentation and
logs. Based on your interviews, observations and review of documentation, you have compiled a set of
‘audit notes’.
Required
1. Construct an internal control questionnaire (ICQ) containing questions for each of the three areas
(access, program changes, operations), drawing from COBIT. Indicate the COBIT detailed control
objective (e.g., PO1.1) relating to each ICQ question. The questions should be framed such that a
‘yes’ answer indicates a control strength and a ‘no’ answer signifies a control weakness. Only include
questions that apply to the TBOF scenario.
2. For each of your questions, answer ‘yes’ or ‘no’ based on the information available in your audit
notes. A ‘yes’ answer indicates a control strength and a ‘no’ answer indicates a control weakness.
Note that some of the information in the audit notes may be irrelevant to constructing the ICQ. Also,
for each ICQ question, indicate the audit note number relating to the question and the audit test(s) that
should be undertaken to verify the ‘yes’ answers, i.e., to confirm that the control is operating
properly. You may use the sample ICQ shown in this publication on page 8 as a model.
Audit Notes
1. Observed that the AS/400 system is housed in a secure area on the third floor of TBOF’s corporate
office. Access to the computer room is controlled by an electronic card-key system. All entries to and
exits from the computer room are logged. There is a Halon gas system installed that is automatically
triggered in the event of smoke or fire.
2. In the initial interview with Mr. Smith, he indicated that the IT department was organised in the
following sub-areas: systems administration, security, programming, testing and operations. There
are 11 employees within the IT department.
3. After inquiring about TBOF’s security policy, Mr. Smith indicated that he had created a policy two
years ago. He had downloaded a model security policy off the Internet and rewrote it to suit TBOF’s
needs. Mr. Smith believes strongly that employees are aware of the company’s security policies, but
he makes the security policy document available to any employee upon request. Per Mr. Smith, the
person in the IT department who is responsible for security issues is Ms. Jill Brown.
4. Noted that the security policy document has been approved by the human resources manager.
© 2011 ISACA
All rights reserved.
Page 5
Tampa Bay Office Furniture Inc.: A Case Study
5. Mr. Smith indicated that TBOF has an IT strategic plan that is reviewed and evaluated every year by a
steering committee comprised of members from every functional department in the company. Ms.
Brown indicated that IT security planning is not performed on an annual basis, but there are elements
of IT security addressed in the IT strategic plan.
6. Per Ms. Brown, TBOF requires all users to have a username to log on to the AS/400 system.
Passwords must be eight characters in length and must contain a combination of letters and numbers.
Employees must change their passwords every six months.
7. Noted that TBOF management has a policy of purchasing only Hewlett-Packard (HP) products.
Consequently, all desktop computers are from the HP Pavilion series.
8. Ms. Brown indicates that user sessions automatically time out after 10 minutes of inactivity. Many
(but not all) users have enabled screen savers on their computers that engage after five minutes of
inactivity. A username and password are required to log back on to a machine when the screen saver
is running.
9. Per the organisation chart, accounts payable(AP) is a separate division.
10. Four employees in the AP department process vendor invoices, match invoices to purchase orders,
receiving reports and purchase requisitions. Purchase requisition information is stored on a folder on a
shared drive in the AS/400 system. Since the four AP employees often trade off duties, Mr. Smith
decided to allow them to share the same user profile so that they can all access the shared folder
containing purchase requisition information. This procedure has allowed AP transaction processing to
proceed smoothly even if only one of the four AP staff is available.
11. Ms. Brown confirmed that when an employee is terminated, the user’s account is immediately
disabled and deleted from the system.
12. Mr. Steven Green, the manager of the accounting department, has been given ‘super-user’ status to
enable him to grant appropriate user rights to accounting department employees involved with
making period-ending adjusting entries. Mr. Smith approved Mr. Green’s super-user status as
necessary due to the high turnover in the accounting department that was making it difficult for Ms.
Brown to keep up with the requests for assigning user rights.
13. Ms. Brown indicated that once a month she reviews the access rights of all employees, including
employees in the accounting department. She writes up a report of exceptions and sends the report to
Mr. Green. Ms. Brown is unsure of the follow-up done by Mr. Green, if any.
14. Per Mr. Smith, the company has implemented a sophisticated firewall and intrusion detection system
(IDS) to protect the AS/400 system from hacking attempts. These systems have been subjected to
rigorous testing by Mr. Gary Varner and Mr. William Nesbitt, the two employees in the IT
department who are Novell Certified Engineers™.
15. Documentation provided by Ms. Brown included printouts of system logs from the AS/400 system. A
section of the logs provides details of user logons, including date/time of logon and the module within
the system that was accessed. Failed logons and ‘access denied’ entries are in a separate section of the
logs. When asked, Ms. Brown indicated that although she reviews the logs occasionally, she does not
have time to review them every week.
16. When observing an AP employee working at her machine, noted that the antivirus program flashed an
alert on the screen and automatically deleted an infected file.
© 2011 ISACA
All rights reserved.
Page 6
Tampa Bay Office Furniture Inc.: A Case Study
17. Ms. Brown indicated that she is the individual in the IT department responsible for assigning user
rights to employees, which define the functions that each employee can perform within TBOF’s
AS/400 system. All requests for changes in user rights, except for super-user accounts, come to Ms.
Brown.
18. Mr. Smith said that management plans to invest in an enterprise resource planning (ERP) system
(such as SAP® or Oracle®) that will integrate accounting with the marketing, production and
management business functions in the near future.
19. Asked about the process of handling program changes, Mr. Smith indicated that all program change
requests are first sent via e-mail to Ms. Vicky Mitchell, who is the person in the IT department
responsible for handling program changes. Ms. Mitchell then forwards the e-mail to Mr. Smith, who
replies either approving or denying the change request. As documentation of the program change
requests and approval/denial, Ms. Mitchell saves a copy of each of these e-mails in a separate folder
in her e-mail Inbox. This process works well for the most part, except that users occasionally have
‘emergency’ change requests that Ms. Mitchell sometimes has to process without Mr. Smith’s
approval when he is absent.
20. Ms. Mitchell indicated that she assigns approved program change requests to Mr. Jack Solomon, the
programmer in the IT department who is responsible for program changes. Mr. Solomon makes these
changes on an ‘off-line’ duplicate version of the live operational system running on the AS/400
system. Testing of the changed versions of programs is done by a second programmer, Mr. Tony
Yeager, whose only job is to test program changes. Once Mr. Yeager is satisfied with the change, Mr.
Solomon transfers the changed program over to the production (live) system.
21. Regarding the routine running of programs on the AS/400 system, Mr. Smith provided a detailed
schedule that shows when jobs are routinely run on the system. For example, all payroll jobs are run
on Friday at 10 a.m. Sales and purchasing systems are ‘real-time’—these transactions are processed
from remote terminals in the sales and purchasing departments. The accounting, marketing and
production departments of TBOF submit jobs, per the approved schedule, for routine reports they
require.
22. Mr. Smith indicates that there is one daytime operator of the system and one nighttime operator, with
a backup operator from the network administration department who can perform the duties as
necessary in case of sickness or absence.
23. In touring the computer room, noted that the operator clicked on a prompt on the main computer
console to close a window. Upon inquiry, operator indicated that the prompt was a notification of an
update to the AS/400 operating system; he indicated that all such ‘patches’ are installed together on
the last Saturday of every month to avoid operational disruption. During the tour, the operator
received a phone call from the marketing manager to run a report on an ‘emergency basis’. The
operator complained about the request, but acquiesced. To record the unscheduled job, the operator
wrote an entry in the operator’s log next to the main console.
24. Observed that the printer in the computer room prints a one-page report of every job run on the
AS/400 system. These job reports are filed within the computer room.
25. Upon inquiry, the operator indicated that scheduled jobs stop running very rarely due to system
errors. When such situations occur, the operator calls one of the systems administrators in the IT
department, who provides instructions on how the aborted job should be re-run.
© 2011 ISACA
All rights reserved.
Page 7
Tampa Bay Office Furniture Inc.: A Case Study
Sample ICQ
#
1.
Question
Is the BSN parking lot #36
monitored by USF police?
© 2011 ISACA
COBIT
Control
Objective
M1.1
Yes
No
Audit
Note
#
12
All rights reserved.
Audit Test(s)
x Park car with student tag for two
hours and observe if ticket is
received.
x Observe lot to determine if USF
police check parking tags on
parked cars.
Page 8
Tampa Bay Office Furniture Inc.: A Case Study
ISACA Professional Guidance Publications
Many ISACA publications contain detailed assessment questionnaires and work programmes that provide valuable
guidance. Please visit www.isaca.org/bookstore or e-mail bookstore@isaca.org for more information.
Frameworks and Model
• Business Model for Information Security, 2010
• COBIT® 4.1, 2007
• Enterprise Value: Governance of IT Investments: The Val IT™ Framework 2.0, 2008
• ITAF™: A Professional Practices Framework for IT Assurance, 2008
• The Risk IT Framework, 2009
COBIT-related Publications
• Aligning COBIT® 4.1, ITIL V3® and ISO/IEC 27002 for Business Benefit, 2008
• Building the Business Case for COBIT® and Val IT™: Executive Briefing, 2009
• COBIT® and Application Controls, 2009
• COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition,
2007
• COBIT® Mapping: Mapping of CMMI® for Development V1.2 With COBIT® 4.1, 2011
• COBIT® Mapping: Mapping of FFEIC With COBIT® 4.1, 2010
• COBIT® Mapping: Mapping of ISO 20000 With COBIT® 4.1, 2011
• COBIT® Mapping: Mapping of ISO/IEC 17799:2000 With COBIT®, 2nd Edition, 2006
• COBIT® Mapping: Mapping of ISO/IEC 17799:2005 With COBIT® 4.0, 2006
• COBIT® Mapping: Mapping of ITIL V3 With COBIT® 4.1, 2008
• COBIT® Mapping: Mapping of NIST SP800-53 With COBIT® 4.1, 2007
• COBIT® Mapping: Mapping of PMBOK“ With COBIT® 4.0, 2006
• COBIT® Mapping: Mapping of SEI’s CMM“ for Software With COBIT® 4.0, 2006
• COBIT® Mapping: Mapping of TOGAF 8.1 With COBIT® 4.0, 2007
• COBIT® QuickstartTM, 2nd Edition, 2007
• COBIT® Security BaselineTM, 2nd Edition, 2007
• COBIT® User Guide for Service Managers, 2009
• Implementing and Continually Improving IT Governance, 2009
• IT Assurance Guide: Using COBIT®, 2007
Risk IT-related Publication
• The Risk IT Practitioner Guide, 2009
Val IT-related Publications
• Enterprise Value: Getting Started With Value Management, 2008
• The Business Case Guide: Using Val IT• 2.0, 2010
• Value Management Guidance for Assurance Professionals: Using Val ITTM 2.0, 2010
Academic Guidance
IT Governance Using COBIT® and Val ITTM material:
x Student Book, 2nd Edition, 2007
x Caselets, 2nd Edition and Teaching Notes, 2007
x TIBO Case Study, 2nd Edition and Teaching Notes, 2007 (Spanish translation also available)
x Presentation, 2nd Edition, 2007 (35-slide PowerPoint deck on COBIT)
x Caselets, 3rd Edition and Teaching Notes, 2010
x City Medical Center Case Study. 3rd Edition and Teaching Notes, 2010
x Tampa Bay Office Furniture Inc. and Teaching Notes, 2011
Academic Guidance cont.
© 2011 ISACA
All rights reserved.
Page 9
Tampa Bay Office Furniture Inc.: A Case Study
Information Security Using the CISM® Review Manual and BMIS™ material:
x Caselets, 2010
x More 4Less Foods Case Study, 2010
x Teaching Notes, 2010
Executive and Management Guidance
• An Executive View of IT Governance, 2008
• An Introduction to the Business Model for Information Security, 2009
• Board Briefing on IT Governance, 2nd Edition, 2003
• Creating a Culture of Security, 2011
• Defining Information Security Management Position Requirements: Guidance for Executives and Managers, 2008
• Identifying and Aligning Business Goals and IT Goals: Full Research Report, 2008
• Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition,
2006
• Information Security Governance: Guidance for Information Security Managers, 2008
• Information Security Governance—Top Actions for Security Managers, 2005
• ITGI Enables ISO/IEC 38500:2008 Adoption, 2009
• IT Governance and Process Maturity, 2008
• IT Governance Domain Practices and Competencies:
– Governance of Outsourcing, 2005
– Information Risks: Whose Business Are They?, 2005
– IT Alignment: Who Is in Charge?, 2005
– Measuring and Demonstrating the Value of IT, 2005
– Optimising Value Creation From IT Investments, 2005
• IT Governance Roundtables:
– Defining IT Governance, 2008
– IT Staffing Challenges, 2008
– Unlocking Value, 2009
– Value Delivery, 2008
• Global Status Report on GEIT 2011, 2011
• Managing Information Integrity: Security, Control and Audit Issues, 2004
• Understanding How Business Goals Drive IT Goals, 2008
• Unlocking Value: An Executive Primer on the Critical Role of IT Governance, 2008
Practitioner Guidance
• Audit/Assurance Programs:
– Apache™ Web Services Server Audit/Assurance Program, 2010
– Change Management Audit/Assurance Program, 2009
– Cloud Computing Management Audit/Assurance Program, 2010
– Crisis Management Audit/Assurance Program, 2010
– Generic Application Audit/Assurance Program, 2009
– Identity Management Audit/Assurance Program, 2009
– Information Security Management Audit/Assurance Program, 2010
– IT Continuity Planning Audit/Assurance Program, 2009
®
– Microsoft Internet Information Services (IIS) 7 Web Services Server Audit/Assurance Program, 2011
®
®
– Microsoft SQL Server Database Audit/Assurance Program, 2011
– Mobile Computing Security Audit/Assurance Program, 2010
– MySQL™ Server Audit/Assurance Program, 2010
– Network Perimeter Security Audit/Assurance Program, 2009
– Outsourced IT Environments Audit/Assurance Program, 2009
– Security Incident Management Audit/Assurance Program, 2009
– Social Media Audit/Assurance Program, 2011
– Systems Development and Project Management Audit/Assurance Program, 2009
– UNIX/LINUX Operating System Security Audit/Assurance Program, 2009
Practitioner Guidance cont.
®
– VMware Server Virtualization Audit/Assurance Program, 2011
© 2011 ISACA
All rights reserved.
Page 10
Tampa Bay Office Furniture Inc.: A Case Study
Windows Active Directory Audit/Assurance Program, 2010
z/OS Security Audit/Assurance Program, 2009
• Cybercrime: Incident Response and Digital Forensics, 2005
• Enterprise Identity Management: Managing Secure and Controllable Access in the Extended Enterprise
Environment, 2004
• Information Security Career Progression Survey Results, 2008
• Information Security Harmonisation—Classification of Global Guidance, 2005
• IT Control Objectives for Basel II, 2007
• IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, 2011
• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control
Over Financial Reporting, 2nd Edition, 2006
• OS/390—z/OS: Security, Control and Audit Features, 2003
• Peer-to-peer Networking Security and Control, 2003
• Risks of Customer Relationship Management: A Security, Control and Audit Approach, 2003
• Security Awareness: Best Practices to Serve Your Enterprise, 2005
• Security Critical Issues, 2005
• Security Provisioning: Managing Access in Extended Enterprises, 2002
• SharePoint® Deployment and Governance Using COBIT® 4.1: A Practical Approach, 2010
• Stepping Through the IS Audit, 2nd Edition, 2004
• Stepping Through the InfoSec Program, 2007
• Technical and Risk Management Reference Series:
– Security, Audit and Control Features Oracle® Database, 3rd Edition, 2009
– Security, Audit and Control Features Oracle® E-Business Suite, 3rd Edition, 2010
– Security, Audit and Control Features PeopleSoft, 2nd Edition, 2006
– Security, Audit and Control Features SAP®ERP, 3rd Edition, 2009
• Top Business/Technology Issues Survey Results 2011, 2011
• Top Business/Technology Survey Results, 2008
• White Papers:
– Cloud Computing: Business Benefits With Security, Governance and Assurance Perspective, 2009
– Data Analytics—A Practical Approach, 2011
– Data Leak Prevention, 2010
– Electronic Discovery,2011
– Leveraging XBRL for Value in Organizations, 2011
– New Service Auditor Standard: A User Entity Perspective, 2010
– Securing Mobile Devices, 2010
– Security Information and Event Management: Business Benefits and Security, Governance and Assurance
Perspective, 2010
– Social Media: Business Benefits and Security, Governance and Assurance Perspectives, 2010
– Sustainability, 2011
– Virtualization: Benefits and Challenges, 2010
–
–
© 2011 ISACA
All rights reserved.
Page 11