Question:

Kara and Scott Baker own a small retail company, Basic Requirements, with one store located in a small college town and a website through which customers can make purchases. The store sells traditional but up-to-date clothing for young women such as tee-shirts, jeans, chinos, and skirts. The store has been open for ten years and the owners added the online shopping capability just last year. Online business has been slow, but Kara and Scott believe that as student customers graduate from the university they will use the online site to continue to have access to their favorite store from their college days.

The store’s website has many features. It classifies clothing by type and customers can view items in various colors. To purchase an item, the user clicks on the icon depicting the desired product and adds it to an individual online shopping basket. The customer can view the basket and make a purchase at any time while browsing the site.

When checking out at the site, a new customer must first register, providing billing and shipping information, as well as credit card data. Returning customers log in with the identification code and password they created when they registered. They also use that method to check on an order status. If a customer forgets their login information, they can simply click on a link to have it emailed to them. Once a user registers, Basic Requirements’ system will automatically add their email address to a file that they use to regularly send out emails about sales and other promotions.

Kara and Scott are concerned about internal controls in their business. They especially worry because they know that their web access creates some special risks. They have asked one of their customers who is an accounting student at the university to evaluate the reliability of their information system, with respect to security, availability, and privacy.

Requirements:
1. Identify two security, availability, and privacy risks that Basic Requirements faces.
2. For each risk identified above, describe two internal controls Basic Requirements should use to protect against these risks.
3. The accounting student who is evaluating the reliability of Basic Requirements’ information system is interested in becoming an IT auditor. Describe some of the specific actions an IT auditor would take to verify that Kara and Scott have adequate controls in place concerning privacy.

Related Book:

Core Concepts Of Accounting Information Systems

ISBN: 9780470507025

11th Edition

Authors: Nancy A. Bagranoff, Mark G. Simkin, Carolyn Strand Norman