Amanda Records Ltd is a subsidiary of Amicable. Th e IT risk officer of the SA look at the operations in two offices. $1$ office houses the accounting team and report directly to international Head Office

The purchase ledger department at Johannesburg receives all invoices which are input to the PAIS and ARAMIS systems. Month end accrual are calculated using unmatched GRNs in PAIS, and unmatched invoices on ARAMIS.

IMPETUS is used to create cost of sales journals and is updated from the sales order system.

Data flows form the sales order system to PAIS, SAP, IMPETUS and TRACS are automated, as well as one of the flows from ARAMIS to ZINC. other updates are manual.

Risk assessment outlined general IT controls issues:

No formal disaster recovery plan, Computer room door was left unlocked, client had no policies and procedures for IT; Job descriptions were out of date; most users had the same user ID and password, Management responded very negatively to the points raised.

The business distributes niche vinyl records to record shops. They need to anticipate demand as the failure to deliver stock is significant business risk. Systems and processes are critical in delivering this. Amanda Record$$s core business is music which accounts for approximately $66\%$ of its sales. Record labels includes C & A$,$ Badlands and Motown. Artists include Stress.

$$ Additionally, music by mail is despatched based on sales requests through Friendly Mail Music.

$$ Other key business risks include the quality of the catalogue including current and post artists; technological changes such as digital media streaming as a delivery mechanism; competitor access to market.

$$ The strategy for the business is for continued growth through the development of the catalogue and to monitor and promote products in anticipation of the market trends

$$ Turnover has increased over the past few years and this has been matched with the level of investment in the business.

$$ The business operates from the following sites:

$$ Parent company$-$ Amicable $($Netherlands$)$;

$$ Vinyl manufacture$-$Germany;

$$ Wholesale distribution centre $$ Cape Town;

$$ Accounting function$-$ Johannesburg;

$$ Record companies$-$London

The IT function in the SA is supported from the systems in Netherlands and the General Ledger used in the SA Operations. All other packages are supported by the package supplier.

No development occurs except where upgrades are produced by the package suppliers,

The General Ledger system was written in$-$house. A helpdesk facility is set up for user queries.

The company is highly dependence on IT with most of the business processes being automated, if not all of the data feeds. Most of the updates are in batch overnight. Information is passed from the OPD system to the accounting packages via automated links during this process. Reports are produced mannualy

There is no intention to diversify from the supporting the business. Manufacture and distribution of vinyl and videos,but the business is considering moving into PC games. This will require a major enhancement to the size of the current infrastructure, and they are considering ways in upgrading and automating many of the current process and information flows in order to be able to cope with the increased volumes. An IT Steering Committee has been set up to investigate the enhancements required.

The IT Department contains $40$ personnel split Between Support, Operations and Development

and management of the IT functions.

Staff are mixed between highly experienced $($drawn from Recruitment policy$),$ and inexperienced taken on through graduate training.

The training is generally $$on the job$$ with minimum formal training provided through external courses.

Whenever a member of staff leaves his work is covered by other personnel until a$.$ If unforeseen problems they use contractors. There is IT representation on the main Board

The General Ledger application was written $5$ years ago, Language becoming obsolescent and Enhanced $8$ times a year as a result of Problems arising $($bugs$)$ and enhancements requested by users.

The system occasionally has problems when processing batches and

Accountants manipulate some of the data to produce the required figures.

$,$

Since the OPD system was introduced growing number of unmatched invoices sitting in the PAIS system. JD Edwards is being implemented after the year End to replace the current General Ledger.

$1.$ What is your understanding of the business of Friendly Records. $15$ Marks

$2.$ Identify and document the IT risks using the bow tie method. Articulate the risk statements. $20$ marks

$3.$ Identify and assess the controls in place to mitigate the IT Risks identified and assessed $15$ marks

$4.$ identify areas with the highest risk and indicate how you would further mitigate the risk using risk mitigation options. $15$ marks

$5.$ For risk appetite, based on the information provided, what is your understanding of the risk appetite $10$ marks