[PLEASE HELP]

CASE 1

REQUIRED:

1. Discuss why the auditors of Anna expressed their concern that some measures of the current location are inadequate and that newer alternatives should be found.

2. Cite at least two (2) essential practices and policies of Anna that contribute directly to the security or the computer server. Discuss how each or them is applied in no more than five (5) sentences. - Practice/Policy I: - Practice/Policy Il:

CASE 2

REQUIRED:

1. Are all the controls implemented by Veronica Corporation adequate? If not, cite at least two (2) control weaknesses that are present.

CASE 3

REQUIRED:

1. Evaluate the system of PNB and identify at least one (1) control type for each group where PNB might be at risk. Then, recommend a specific control procedure PNB should implement for each of the identified control types

Anna Financial Services Inc., located in Araneta Center, Cubao City, is a company that provides nancial advice to individuals and small to mid-sized businesses. Its primary operations are in wealth management and financial advice- Each client has an account where basic personal information is stored on a sewer within the main ofce in Cubao City. The company also keeps the information about the amount of investment of each client on a separate server at its data center in Ayala, Makati City. This information includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities. In the last few years, larger commercial banks have started providing such services and are competing for the same set of customers. Anna, which prides itself in personal consumer relations, is now trying to set up additional services to keep its current customers- It has recently upgraded its Website, which formerly only allowed clients to update their personal information. Now clients can access information about their investments, income, and tax liabilities that are stored at the data center in Makati City. As a result of previous dealings, Anna has been given free access to use the computer room of an older production plant. The company believes that this location is secure enough and would keep the data intact from physical intruders- The servers are housed in a room that the production plant used to house its legacy system. The room has detectors for smoke and associated sprinklers. It is enclosed, with no windows, and has specialized temperature-controlled air ducts. Management has recently started looking at other alternatives to house the server as the plant is going to be shut down. Management has major concerns about the secrecy of the location and the associated measures. It wants to incorporate newer methods of physical data protection. The company's auditors have also expressed a concern that some of the measures at the current location are inadequate and that newer alternatives should be found. in reviewing the processes, procedures, and internal controls of one of your audit clients, Veronica Corporation, you notice the following practices in place. Veronica has recently installed a new electronic data processing (EDP) system that affects the accounts receivable, billing, and shipping records. The company identied a computer operator who is permanently assigned to each of the functions of accounts receivable, billing, and shipping. Each of these computer operators is given the responsibility of running the program for transaction processing, making program changes, and reconciling the computer log. To prevent an operator from having exclusive access to the tapes and documentation, the computer operators randomly rotate the custody and control tasks every two (2) weeks over the magnetic tapes and the system documentation. Access controls to the computer room consist of magnetic cards and a digital code for each operator. Moreover, the system analyst and the computer operation supervisor are not allowed to access the computer room. The documentation for the EDP system consists of the following: record layouts, program listings, logs, and error listings. Once goods are shipped from one of Veronica's three (3) warehouses, warehouse personnel fonrvard shipping notices to the accounting department. The billing clerk receives the shipping notice and accounts for the manual sequence of the shipping notices. Any missing notices are investigated- The billing clerk also manually enters the price of the item and prepares daily totals, which are supported by adding machine tapes of the units shipped and the amount of sales. The shipping notices and adding machine tapes are sent to the computer department for data entry. The computer output generated consists of a two-copy invoice and remittance advice, and a daily sales register. The invoices and remittance advice are forwarded to the billing clerk, who mails one copy of the invoice and remittance advice to the customer and les the other copy in an open invoice le, which serves as an accounts receivable document. The daily sales register contains the total of units shipped and sales amounts. The computer operator compares the computer-generated totals to the adding machine tapes. 3. The Philippine National Bank (PNB) has 716 branches and maintains a mainframe computer system at its corporate headquarters. PNB has recently undergone an examination by the state banking examiners, and the examiners have some concerns about its computer operations. During the last few years, each branch has purchased several microcomputers to communicate with the mainframe in the emulation mode. Emulation occurs when a microcomputer attaches to a mainframe computer and, with the use of the appropriate software, can act as if it is one of the mainframe terminals. The branch also uses these microcomputers to download information from the mainframe and, in the local mode, manipulate customer data to make banking decisions at the branch level. Each microcomputer is initially supplied with a word processing application package to formulate correspondence to the customers, a spreadsheet package to perform credit and nancial loan analyses beyond the basic credit analysis package on the mainframe, and a database management package to formulate customer market and sensitivity information. PNB's centralized data processing department is responsible only for mainframe operations; microcomputer security is the responsibility of each branch. Because the bank examiners believe PNB is at risk, they have advised the bank to review the recommendations suggested in a letter issued by banking regulatory agencies. This letter emphasizes the risks associated with end-user operations and encourages banking management to establish sound control policies. More specically, microcomputer end-user operations have outpaced the implementation of adequate controls and have taken processing control out of the centralized environment, introducing vulnerability in new areas of the bank. The letter also emphasizes that the responsibility for corporate policies identifying management control practices for all areas of information processing activities resides with the board of directors. The existence and adequacy of and compliance with these policies and practices will be part of the regular banking examiners' review. The three (3) required control groups for adequate information system security as they relate to PNB are (1) processing controls, (2) physical and environmental controls, and (3) spreadsheet program development controls