Kiwi Kapers Limited (KKL) is a New Zealand-based manufacturer and retailer of sports clothing with headquarters in Dunedin. Although its manufacturing facilities are all located in Dunedin, its retail facilities are scattered throughout Southeast Asia, especially in Australia, Singapore, and Indonesia.

\(\mathrm{KKL}\) is an aggressive and innovative user of information systems to support its manufacturing and retail activities. It has a large mainframe computer in Dunedin as well as minicomputers in each of its overseas offices. The minicomputers are linked to the mainframe via communications lines. They fully support the information processing needs of the local offices (e.g., debtors, creditors, general ledger). In addition, they are used to transmit electronic mail and summary information to Dunedin and to receive electronic mail and information on shipments, inventory levels, budgets, and so on from head office.

Microcomputers are also used throughout the company. Some are connected to local area networks which in turn are connected to local office minicomputers or the head office mainframe. Some, however, are used as stand-alone personal computers. In several of the larger overseas offices, the minicomputer provides a gateway to the head office mainframe and in turn to microcomputers connected to other local area networks.
You are a member of the external audit firm that has just taken over the audit of KKL. Your partner has asked you to undertake a review of the security-administration function. In this light, you interview the information systems security administrator of KKL to determine whether he undertakes regular security reviews. He informs you that he undertakes an annual evaluation of information systems security within KKL and that he involves management and users in this review. You ask whether he has any documentation on the recent reviews, and he hands you reports covering the past three years' security reviews.
When you examine the three security review reports, you find they address security only within the Dunedin mainframe facility. They do not cover security over computer facilities within the overseas offices. Moreover, apart from a limited examination of one local area network of microcomputers connected to the Dunedin mainframe, they do not address security over KKL's microcomputer facilities.
When you ask the security administrator about the limited scope of the security reviews that have been conducted, he indicates that so far he has had neither the time nor the resources to evaluate security over computer facilities other than the mainframe. He points out, however, that two years ago he developed security policies and guidelines for all overseas offices. The managers in charge of overseas offices understand that they must ensure compliance with these guidelines in their offices. Moreover, in conjunction with some of the major microcomputer users in Dunedin, he is currently developing security policies and guidelines for microcomputer facilities.
Required. In light of your findings, write a brief report for your partner advising him how you believe the audit of KKL should now proceed.