1. Audit Scope
The objective of this audit is to assist UNCCG in reviewing its enterprise data warehouse
technology platform. The scope of work for this audit will consist of <XXXX> hours of
professional services and the objectives for this audit will include a review of the following
control points:
Data Warehouse Management
o Data Warehouse Governance
o Financial Management
o Risk Management
o Human Resources
o Portfolio Project Management
Data Warehouse Operations
o DW Architecture and Integration
o Systems Development and Testing
o Change Management
o System Monitoring
o Problem Management
o Logical Security
o Data Transmission
o Metadata
Business Integration
o Service Delivery (Business Process Integration and Analysis)
o Project Management
o Help Desk
Audit Approach
Our approach for the execution of this audit engagement will consist of interviews with key
employees, review of documents, inspections, data extractions and the usage of applicable
audit tools. The audit will consist of the components described below. The phases are listed
in sequential order and should provide an overview of the sequencing of the proposed
engagement.
Phase description Deliverables
1. Mobilization phase– GF Consulting will
perform the following:
Develop and provide to UNCCG an
advanced data request (ADR) of the
relevant documents and materials that
will support our fieldwork.
Develop and provide to UNCCG an
initial interview list of those business
and IT professionals that we anticipate
• Advanced data requests
(see appendix for a
sample request)
• Interview lists of key
employees that we would
like to interview (see
appendix for a sample list)
• Detailed Audit Program
document(s) for each of
2. needing to meet with in order to
perform this audit.
Develop an audit program to guide
activities during the course of this
audit. The audit program guide should
include a list of the controls that would
be reviewed along with a defined
approach for understanding the design
of the control and how it would be
tested to determine if it was operating
effectively.
the following areas: Data
Warehouse Management,
Data Warehouse
Operations and Business
Integration.
2. Execution phase – Once the audit program
has been finalized, and the appropriate
resources have been identified, fieldwork will
proceed in accordance with the audit plan.
• Results from the execution
of the detailed Audit
Program
• Working papers that
support the results from
the detailed Audit
Program
3. Reporting phase – All IT audit work is
summarized in the IT audit report. Our
team will compile and present a draft report
to UNCCG management within three weeks
of completing the execution phase. The
purpose of this draft is discussion and
incorporation of any comments prior to
issuing a final report to UNCCG.
• Draft report for discussion
containing an executive
summary, audit findings
and recommendations for
improvement.
• Final report with edits and
comments from UNCCG
management
Risk Assessment
Based on the information provided by UNCCG during our initial conversation, combined with
our understanding about the business environment in which UNCCG operates, we have
formulated the following risk considerations that we understand are relevant to your
business. Our goal is to incorporate these risk considerations in our audit program to be
developed in the Mobilization Phase of this engagement.
Risk category: Regulatory Risk
1 As a publicly traded company, UNCCG is subject to compliance with the Sarbanes-Oxley
Act of 2002 (SOX). As a result, UNCCG’s management must:
• Accept responsibility for the effectiveness of the company’s internal control over
financial reporting.
• Evaluate the effectiveness of the company’s internal control over financial
reporting using suitable control criteria.
• Support is evaluation with sufficient evidence, including documentation.
3. • Present a written assessment of the effectiveness of the company’s internal
control over financial reporting as of the end of the company’s most recent fiscal
year.
Although this legal requirement may not have a direct impact on the data warehouse
applications subject to this audit, once it is not categorized as a “financial reporting
related” application, it may have an indirect impact in the case that technology
infrastructure is common among the financial reporting systems and the data warehouse
applications. Technology infrastructure (operations, security, processes, people) that
support financial reporting systems are subject to SOX compliance requirements.
Risk category: Techonology/Reputational Risk
2 Privacy regulations
The Personal Data Privacy & Security Act of 2005 bill states that organizations must
“adopt reasonable procedures to ensure the security, privacy and confidentiality of
personally identifiable information” and notify relevant governing bodies when security
breaches occur. The bill also states that, if there is reason to believe the stolen data can
be used for identity theft, then the organization must make public notification. We have
seen increased pressure in the marketplace pushing companies to move to a better
defined and better controlled data privacy controls environment. We understand that a
significant portion of UNCCG’s revenue comes from check cards, credit and debit card
transactions on which some consumer information is collected, processed and may or
may not be stored. It is our understanding that payment information processing is
processed externally. In addition, UNCCG’s consumer loyalty program collects and
stores consumer private information such as telephone numbers, addresses, names and
a history of purchases. Based on those facts, we understand that current and future
privacy regulations are a relevant risk to the business at UNCCG that has both a
regulatory impact and also a brand impact, given that fact that future privacy breaches
will be required to be made public.
Risk category: Operational Risk
3 External Vendor’s access to enterprise data
Based on the information provided by UNCCG during our initial conversations, we
understand that credit and debit card payment processing is outsourced with an external
vendor.
In addition, UNCCG indicated that it relies on a third party vendor, located in India, to
perform program change and program development functions for the data warehouse (DW)
management system. This external vendor has remote access to the UNCCG environment.
We understand that, even though UNCCG has outsourced program change and program
development functions to a third party vendor, it is still responsible for ensuring the
accuracy, completeness and appropriateness of program changes and developments on the
DW environment.
In order to perform their business function, both these vendors will have the ability to get
access to sensitive enterprise data including consumer information. Based on that fact, we
consider that this is a relevant risk to the company’s IT environment.
4. Risk category: Credit Risk/Technology Risk
4 Unavailability of credit and/or debit card processing application
We understand that a significant portion of UNCCG’s revenue comes from check cards,
credit cards and debit cards transactions, which are processed externally (for approval
purposes) and stored by one of the company’s mainframe based systems (for
reconciliation and historic purposes). Unavailability of either the external processing vendor
or of the mainframe-based system would cause point of sales systems (POS) at the stores
to operate in an “offline mode” and only cash payments would be allowed, until
functionality is completely restored. Based on that information, we consider that
unavailability of card payment applications is a relevant risk to the business that has a
direct impact on the customer’s perception of quality of service and a direct impact on
sales.
Communications
Through regular meetings and ongoing communication with management, we will establish
a relationship of openness and teamwork through which we can discuss significant audit
findings, recommendations for improving internal controls or operations, and current
industry issues (or any other issues management wishes to discuss), and ultimately
develop solid solutions without surprises. We commit to holding regular meetings with
management, both formally and informally, to foster such a relationship.
Management letters and communication are an important element of professional service.
It is our policy to discuss our findings and recommendations with the appropriate members
of management prior to issuance so that we can verify factual accuracy. Our final report
will only include findings and recommendations considered significant. Other matters will be
communicated throughout the engagement and during our regular meetings and fieldwork.
Planned schedule
GF Consulting estimates this engagement will require approximately xxxx weeks of effort,
and we are prepared to begin fieldwork on a date mutually agreed upon with UNCCG. In
addition, we understand the final report for this audit must be completed no later than July
15, 2006.
5. APPENDIX I – Sample Advanced Data Request
The following information would be helpful in evaluating the existing data warehouse
environment to the extent it already exists.
1. Organization Charts
a. Technology (Development and Operations)
b. Business
2. Telephone Directory
3. User Documentation
a. Data warehouse user training guides
b. Data warehouse user operational manuals
4. Systems documentation
a. Application architecture (including an explanation of any automated interfaces)
b. Systems operations overview (platform and network)
c. Third party vendor agreements
5. Management procedures and policies
a. Operations Management (system monitoring, maintenance, and or scheduled
support)
b. Information Security (logical access)
c. Change Management (change control and configuration management)
d. Business Continuity Plan(s)
e. Disaster Recovery Plan(s)
f. Problem Management
6. APPENDIX II – Sample Interview request
The following is a list of individuals we anticipate will be likely requested to participate in a
one-hour interview with one of our team member. Shedule will be arranged by our team in
observance to UNCCG’s personnel commitments and priorities. Other interviews may be
determined necessary as we make progress and we will make our best efforts to
communicate this as soon as possible so it can be scheduled in a non-disruptive manner.
Individual Role
Jerry Lewis Chief Information Officer
Brunno Rodriguez Chief Security Officer
Chris Poknis Vendor Relationship Manager
Andy Tatum IT Operations Manager
Andrew Deloach Database Administrator (DBA)
Chris Maiden Data Warehouse Lead
Mike Maher Data Warehouse Service Delivery Manager
Josh Smith Data Warehouse Architect
Amanda Fernandez SAP Project Lead
Steve Lucas Data Warehouse Senior Analyst
7. APPENDIX II – Sample Interview request
The following is a list of individuals we anticipate will be likely requested to participate in a
one-hour interview with one of our team member. Shedule will be arranged by our team in
observance to UNCCG’s personnel commitments and priorities. Other interviews may be
determined necessary as we make progress and we will make our best efforts to
communicate this as soon as possible so it can be scheduled in a non-disruptive manner.
Individual Role
Jerry Lewis Chief Information Officer
Brunno Rodriguez Chief Security Officer
Chris Poknis Vendor Relationship Manager
Andy Tatum IT Operations Manager
Andrew Deloach Database Administrator (DBA)
Chris Maiden Data Warehouse Lead
Mike Maher Data Warehouse Service Delivery Manager
Josh Smith Data Warehouse Architect
Amanda Fernandez SAP Project Lead
Steve Lucas Data Warehouse Senior Analyst