Software Program Inc. Case Study

Introduction to Software Program Inc.:

Software Program Inc. is a software development company that sells the software it develops on its own platform. The applications it develops are tools such as spreadsheet, documentation, and presentation applications. The business's main objective is to develop applications and sell them to businesses that can use them.

  • Software Program Inc. is a business that sells workplace efficiency tools. The audit charter is the first essential item for defining the audit universe. This audit charter will be designed by the top management of Software Program Inc. and sent to the audit team. We will first learn more about the organization's business pattern and determine which auditing approach is needed. For this, we will need to learn the ins and outs of the company, which can be done by holding meetings with the top management of the organization (i.e. CFO, CIO). In addition, we need to make sure that the internal controls applied are adequate and efficient enough to meet industry requirements. There are a variety of streams through which the company's and the customers' data can be compromised. Efficient controls therefore have to be applied to make sure that no data of any kind is leaked. Since the business takes credit card payments, we will determine whether it complies with the standard policies. Once we have completed our research on the business and the standards that we need to check for, we will evaluate the governance in the organization and the risk assessment of the processes to determine the high-risk audit processes. Following that, we will begin allocating the audit resources appropriately. There are three major networks in the organization: administrative, research & development, and web operations. As these are three very different networks, each should have a different approach to auditing. First, we will do a compliance test to see whether the necessary controls are in place. After that, we will conduct substantive testing to determine how effective and efficient each control is. The audit findings will show all the flaws that are present in the system right now and that can lead to a threat in the future. These audit findings will be reported to the top management of the organization to make sure that these risks are looked into and minimized. To make sure that action is taken on the findings, the audit team will follow up with the top management regarding them.
  • To assess the risk, we must evaluate the effect and likelihood of what will happen if anything goes wrong or if the risk materializes. The organization operates over three networks: administrative systems, R&D, and web operations. The hazards associated with the administrative network relate to financial data, and the risks related to this network are very important because any threat in this department can have devastating effects on the reputation of the organization and lead to exploitation of the information. To make sure that the data is secured, we will look into two types of threats: internal and external. For external threats, we can look into the firewalls and data access controls. For internal threats, we must ensure that third-party vendors are following the policies and that the employees in the organization are aware of the risks and how to avoid them. The most precious information, the information related to research, is kept on the R&D network. Competitors may attempt to gain access to this network to look into the research data and see what they can do to get ahead. We will examine whether the internal controls make sure that only the appropriate individuals have access and whether they are compliant with the privilege policy. The Web Operations network has different risks, as it contains operational processes rather than financial processes. The rules in place ensure availability at all times so that consumers can always reach the support websites and contact centers. As the availability of the process needs to be high, we have to look into the disaster recovery plan, so that if something goes wrong there is a quick or alternate plan in place to keep the system available to customers. We will assess the risks using the COBIT framework, which helps us select the controls that need to be tested for the organization, a procedure that must be incorporated into the audit process. We will evaluate the materiality of these controls in light of the review before prioritizing which controls need to be tested and when. This enables us to plan the resource allocation for the audit and assign high-risk processes to each resource so that the high-risk processes are adequately examined. Once all the steps of the audit are complete, we will report the findings of the audit to the top management of the organization so that they understand the risks that can harm the organization, and we will follow up to make sure that the findings are being addressed.

The processes that need to be included in evaluating the control design and effectiveness are as follows:

  1. The process of providing the least amount of access that the employee will need for their responsibilities to be performed.
  2. The process of having the right governance in place to ensure each employee has their designation and responsibilities known which will make the process of reporting easier as the hierarchy is structured.
  3. The procedure for ensuring that disaster recovery and business continuity strategies for support functions are reliable.
  4. The procedure for ensuring that the quality of the software is up to a well-defined standard.
  5. Every internal transaction that takes place and logging of those transactions.
  6. The process of payment for the services from a credit card.
  7. The procedure for offering software licenses to clients.
  8. Incident and change management procedures are correctly structured and work efficiently.
  9. Examining PearTree Software Inc.'s compliance with the standard regulations and policies.
  10. The procedures to make sure that the software is working fine after going live.

More articles by Vaibhav Shetty
