You are the auditor in charge of the Gail Industries audit. It is your responsibility to prepare a control table that will be used to evaluate all controls and the associated policies and processes fo

Control Objectives and Related Controls

Physical Security (Datacenter)

Control Objective 1: The controls provide reasonable assurance that physical access to computer resources within Gail Industries’ data center is restricted to authorized and appropriate personnel.

To protect physical assets, management has documented and implemented physical access procedures to grant, control, monitor, and revoke access to the on-site SCOPE datacenter.

The datacenter requires two-factor authentication: a biometric credential via retinal scanner and a badge access card. Individuals requesting badge access document the request on a standardized employee management form that must be approved by departmental management. Administrative access to the badge access system is restricted to authorized IT personnel.

When an employee is terminated, IT personnel revoke the badge access privileges as a component of the termination process. In addition, the IT manager performs a review of badge access privileges on a monthly basis to help ensure that terminated employees do not retain badge access.

All visitors must sign a logbook upon entering the datacenter, with a picture ID presented to their escort. Access is restricted to authorized IT personnel and equipment technicians.

CCTV surveillance cameras are utilized throughout the facility and the datacenter to record activity; these images are retained for a minimum of 45 days.

Physical Security (Facilities)

Control Objective 2: Controls provide reasonable assurance that physical access to assets within Gail Industries’ facilities is restricted to authorized and appropriate personnel.

To protect physical assets, management has documented and implemented physical access procedures to grant, control, monitor, and revoke access to the on-site SCOPE facility.

A door badge access system is employed to control access to areas within the facility (including the datacenter) through the use of predefined security zones.

Individuals requesting badge access to the facility document the request on a standardized employee management form, accessible through Gail Industries’ employee on-boarding system (known as GEO). All requests must be approved by departmental management. Administrative access to the badge access system is restricted to authorized IT personnel.

Upon termination (voluntary or involuntary), SCOPE IT personnel revoke the badge access privileges as a task in the termination process. In addition, the IT manager performs a monthly review of badge access privileges to ensure that terminated employees do not retain badge access.
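The monthly review described above (Control Objectives 1 and 2) is a reconciliation: every active badge should belong to a current employee, and datacenter-zone badges should be held only by the personnel the policy authorizes. The script below is an added example of how an auditor might re-perform that review over a badge-system extract and an HR extract; it is not code from the Gail Industries case. The employee and badge records are constructed sample data, the `grace_days` window and the set of departments allowed in the datacenter zone are assumptions, and the zone name `"datacenter"` is a placeholder.

```python
"""Re-perform the monthly badge-access review (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    department: str
    status: str                           # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Badge:
    badge_id: str
    emp_id: str
    zones: frozenset                      # predefined security zones the badge opens
    active: bool = True


# Constructed HR extract (not real Gail Industries data).
EMPLOYEES = [
    Employee("E100", "A. Admin",  "IT",       "active"),
    Employee("E101", "B. Clerk",  "Finance",  "active"),
    Employee("E102", "C. Former", "IT",       "terminated", date(2024, 3, 1)),
    Employee("E103", "D. Recent", "Mailroom", "terminated", date(2024, 3, 28)),
]

# Constructed badge-system extract.
BADGES = [
    Badge("B1", "E100", frozenset({"lobby", "datacenter"})),
    Badge("B2", "E101", frozenset({"lobby", "datacenter"})),        # Finance clerk with datacenter zone
    Badge("B3", "E102", frozenset({"lobby"})),                      # terminated 30 days ago, never revoked
    Badge("B4", "E103", frozenset({"lobby"})),                      # terminated 3 days ago
    Badge("B5", "E999", frozenset({"lobby"})),                      # no HR record at all
    Badge("B6", "E102", frozenset({"datacenter"}), active=False),   # properly revoked
]

REVIEW_DATE = date(2024, 3, 31)
DATACENTER_ZONE = "datacenter"                                      # placeholder zone name
DATACENTER_DEPARTMENTS = frozenset({"IT", "Equipment Technicians"}) # assumption


def review_badge_access(employees, badges, as_of, grace_days=0,
                        dc_departments=DATACENTER_DEPARTMENTS):
    """Return (badge_id, category, detail) tuples for every active badge that
    fails the review. Categories: 'orphan' (no HR record), 'terminated'
    (holder left more than grace_days ago), 'zone' (datacenter zone held by
    a department outside dc_departments)."""
    by_id = {e.emp_id: e for e in employees}
    exceptions = []
    for b in badges:
        if not b.active:
            continue                      # revoked badges are the expected outcome
        emp = by_id.get(b.emp_id)
        if emp is None:
            exceptions.append((b.badge_id, "orphan", "active badge with no HR record"))
            continue
        if emp.status == "terminated":
            days = (as_of - emp.termination_date).days
            if days > grace_days:
                exceptions.append((b.badge_id, "terminated",
                                   f"{emp.name}: terminated {days} days ago, badge still active"))
        if DATACENTER_ZONE in b.zones and emp.department not in dc_departments:
            exceptions.append((b.badge_id, "zone",
                               f"{emp.name} ({emp.department}) holds the datacenter zone"))
    return exceptions


def run_review(grace_days=0):
    """Convenience wrapper over the constructed extracts."""
    return review_badge_access(EMPLOYEES, BADGES, REVIEW_DATE, grace_days)


if __name__ == "__main__":
    for badge_id, category, detail in run_review():
        print(f"{badge_id:4} {category:10} {detail}")
```

Each exception is an item for the IT manager to remediate or explain; a clean run (an empty list) is the evidence the control operated for that month. The `grace_days` parameter lets the reviewer tolerate revocations still in progress from the last few days without hiding older ones, and the zone check covers the datacenter restriction that a termination-only review would miss.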

Both entrances into the facility are locked and are monitored by administrative personnel. The receptionist must unlock the door for visitor access. Visitors are required to ring a video doorbell and announce themselves to the receptionist. Visitors sign a logbook when entering the facility, and they are required to wear a visitor’s badge at all times. Visitors must be escorted by an authorized employee when accessing sensitive facility areas such as the mail room and server room.

CCTV surveillance cameras are utilized throughout the facility and server room to record activity. Video images are retained for a minimum of 45 days.

Environmental Safeguards

Control Objective 3: Controls provide reasonable assurance that environmental safeguards protect physical assets and the data that resides on those assets.

Management has implemented environmental controls to protect physical assets within the datacenter and office facility, including fire detection and suppression controls. The office facility is protected by audible and visual alarms, fire and smoke detectors, a sprinkler system, and hand-held fire extinguishers. A halon-free fire suppression system and smoke detectors protect the datacenter. An uninterruptible power supply (UPS) is in place to provide temporary electricity in the event of a power outage and to mitigate the risk of power surges affecting datacenter infrastructure.

Management retains the following inspection reports, completed by third-party vendors, as evidence that the inspections were performed:

  • Annual inspection of the fire detection and sprinkler fire suppression system

  • Annual inspection of hand-held fire extinguishers located throughout the facility

  • Annual inspection of the fire suppression system

  • Semi-annual inspection of the UPS systems

Change Management

Control Objective 4: Controls provide reasonable assurance that changes to network infrastructure and system software are documented, tested, approved, and properly implemented to protect data from unauthorized changes and to support user entities’ internal control over financial reporting.

Documented change management policies and procedures are in place to address change management activities. Further, there are provisions for emergency changes to the infrastructure and operating systems. Change requests are documented via a change request (CR) form. CRs include details of the change, including the change requestor, the date of the request, the change description, and change specifications. Management, through the Change Advisory Board (CAB), holds a weekly meeting to review and prioritize change requests. During this meeting, management authorizes change requests by signing off on the CR form.

Detailed testing is performed prior to implementation of the change in test environments that are logically separated from the production environment. The CAB approves the changes prior to implementation. The ability to implement infrastructure and operating system updates to the production systems is restricted to user accounts of authorized IT personnel.

Logical Security

Control Objective 5: Controls provide reasonable assurance that administrative access to network infrastructure and operating system resources is restricted to authorized and appropriate users to support user entities’ internal control over financial reporting.

Information security policies have been documented and are updated annually to assist personnel in the modification of access privileges to information systems and guide them in safeguarding system infrastructure, information assets, and data. Infrastructure and operating system users are authenticated via user account and password prior to being granted access. Password requirements are configured to enforce minimum password length, password expiration intervals, password complexity, password history requirements, and invalid password account lockout threshold, as documented in the IT Procedures and Policies document.

The CCS application authenticates users through individual user accounts and passwords before granting access to the application. CCS utilizes predefined security groups for role-based access privileges. The application enforces the following password requirements: minimum length, expiration intervals, complexity, history, and an invalid-password account lockout threshold.

Payment Processing

Control Objective 6: Controls provide reasonable assurance that payments received are processed accurately and timely, and processing exceptions are resolved.

Documented payment processing policies and procedures are in place to guide personnel in the following activities:

  • Mailroom processing

  • Identification and posting of payments

  • Research and processing of unidentified payments

  • Financial reporting

  • Bank reconciliations

Financial instruments are required to remain within the mailroom during payment processing. When mail is delivered by the courier, both the courier and the mailroom supervisor initial the mail receipt log to verify the envelope count received.

Physical access privileges of data entry personnel are segregated from those of balancing and mailroom personnel. Logical access to processing systems is likewise segregated among data entry, balancing, and mailroom personnel.

Data Transmission

Control Objective 7: Controls provide reasonable assurance that transmitted payment data is complete, accurate, and timely.

SCOPE exchanges payment and invoice information electronically with Smallville via scheduled inbound and outbound data transmissions each day. Smallville provides a list of newly created invoices that were issued on the previous business day. SCOPE receives this information in the CCS application and uses it to process payments. Each day, all payments processed by SCOPE are sent back to the city of Smallville, which imports this data into its systems.

Deposits

Control Objective 8: Controls provide reasonable assurance that deposits are processed completely, accurately, and in a timely manner.

Documented procedures are in place that address the transfer and security of financial instruments, including delivery of the mail from the Post Office (P.O.) boxes to the SCOPE mailroom and the delivery of deposits from the SCOPE mailroom to the bank processing center.

A courier pickup and delivery schedule, outlining the dates and times of scheduled mail deliveries by the third-party courier, is maintained and posted in the mailroom. SCOPE utilizes a third-party courier service for delivery of financial instruments to the city of Smallville’s bank.