Question
Accounting
Please help!! The third column needs to be filled out, like the top row. The definitions of each relevant application are provided as well. Any help you can give would be great. Thank you!
Columns: Working Paper Reference # / Relevant Application / Relevant Application Controls - See Exhibit 3.5b for a complete listing of the relevant application controls

Working Paper Reference #: 1000.2
Relevant Application: AAA
Relevant Application Controls:
  Example: Application Controls for AAA
  ISO 2.02 Data backup plan - Availability control
  ISO 2.04 Readability of backup data - Availability control
  ISO 3.02; Access controls & review - Confidentiality control
  ISEC 1.06; User authentication - Security/Confidentiality control
  CCM 2.01, System changes Availability/Integrity control
  CCM 2.02, System changes Availability/Integrity control
  CCM 4.04 System changes - Availability/Integrity control

Working Paper Reference #: 1000.2
Relevant Application: FDGA
Relevant Application Controls:
  Would I copy Control Activities ISEC 1.02-2.05

Working Paper Reference #: 1000.2
Relevant Application: HRPA
Relevant Application Controls:
  Would I copy Control Activities CCM 1.03 4.04

Exhibit 3.5b is a listing of the relevant application controls (Control Activity) used to mitigate risks

Company Name
General Computer Controls Objectives and Activities Selected
Fiscal Year 20XX

Columns: # / IT Area / Control Objective / Control Activity

# 1, IT Area: Information Systems Operations
Control Objective: ISO 1.00 - IT operations support adequate scheduling, execution, monitoring, and continuity of systems, programs, and processes to ensure the complete, accurate, and valid processing and recording of financial transactions.
Control Activity: ISO 1.01 - Batch and/or online processing is defined, timely executed, and monitored for successful completion.
Control Activity: ISO 1.02 - Exceptions identified on batch and/or online processing are timely reviewed and corrected to ensure accurate, complete, and authorized processing of financial information.

# 2, IT Area: Information Systems Operations
Control Objective: ISO 2.00 - The storage of financial information is appropriately managed, accurate, and complete.
Control Activity: ISO 2.02 - Automated backup tools have been implemented to manage retention data plans and schedules.
Control Activity: ISO 2.04 - Tests for the readability of backups are performed on a periodic basis. Results support timely and successful restoration of backed up data.

# 3, IT Area: Information Systems Operations
Control Objective: ISO 3.00 - Physical access is appropriately managed to safeguard relevant components of the IT infrastructure and the integrity of financial information.
Control Activity: ISO 3.02 - Physical access is authorized, monitored, and restricted to individuals who require such access to perform their job duties. Entry of unauthorized personnel is supervised and logged. The log is maintained and regularly reviewed by IT management.

# 4, IT Area: Information Security
Control Objective: ISEC 1.00 - Security configuration of applications, databases, networks, and operating systems is adequately managed to protect against unauthorized changes to programs and data that may result in incomplete, inaccurate, or invalid processing or recording of financial information.
Control Activity: ISEC 1.02 - Formal policies and procedures define the organization's information security objectives and the responsibilities of employees with respect to the protection and disclosure of informational resources. Management monitors compliance with policies and procedures, and agreement to these are evidenced by the signature of employees.
Control Activity: ISEC 1.06 - Consistent with information security policies and procedures, local and remote users are required to authenticate to applications, databases, networks, and operating systems via passwords to enhance computer security.

# 5, IT Area: Information Security
Control Objective: ISEC 2.00 - Adequate security is implemented to protect against unauthorized access and modifications of systems and information, which may result in the processing or recording of incomplete, inaccurate, or invalid financial information.
Control Activity: ISEC 2.02 - System owners authorize user accounts and the nature and extent of their access privileges.
Control Activity: ISEC 2.04 - Users who have changed roles or tasks within the organization, or that have been transferred, or terminated are immediately informed to the security department for user account access revision in order to reflect the new and/or revised status.
Control Activity: ISEC 2.05 - Transmission of sensitive information is encrypted consistent with security policies and procedures to protect its confidentiality.

# 6, IT Area: Change Control Management
Control Objective: CCM 1.00 - Changes implemented in applications, databases, networks, and operating systems (altogether referred to as "system changes") are assessed for risk, authorized, and thoroughly documented to ensure desired results are adequate.
Control Activity: CCM 1.03 - Documentation related to the change implementation is adequate and complete.
Control Activity: CCM 1.05 - Documentation related to the change implementation has been released and communicated to system users.

# 7, IT Area: Change Control Management
Control Objective: CCM 2.00 - Changes implemented in applications, databases, networks, and operating systems (altogether referred to as "system changes") are appropriately tested. Tests are performed by a group other than the group responsible for the system (e.g., operating systems changes are implemented by someone other than the systems programmer, etc.).
Control Activity: CCM 2.01 - System changes are tested before implementation into the production environment consistent with test plans and cases.
Control Activity: CCM 2.02 - Test plans and cases involving complete and representative test data (instead of production data) are approved by application owners and development management.

# 8, IT Area: Change Control Management
Control Objective: CCM 3.00 - Changes implemented in applications, databases, networks, and operating systems (altogether referred to as "system changes") are appropriately managed to reduce disruptions, unauthorized alterations, and errors which impact the accuracy, completeness, and valid processing and recording of financial information.
Control Activity: CCM 3.01 - Problems and errors encountered during the testing of system changes are identified, corrected, retested, followed up for correction, and documented.

# 9, IT Area: Change Control Management
Control Objective: CCM 4.00 - Changes implemented in applications, databases, networks, and operating systems (altogether referred to as "system changes") are formally approved to support accurate, complete, and valid processing and recording of financial information.
Control Activity: CCM 4.04 - An overall review is performed by management after system changes have been implemented in the live or production environment to determine whether the objectives for implementing system changes were met.

7. An understanding of Company XYZ's IT environment is documented in w/p 1540.
8. The three relevant applications for the IT audit are:
   a. All Accounting Application (AAA) - used to capture and process accounting-related transactions. AAA is installed on a UNIX platform (or operating system) and uses Oracle database. AAA can be accessed via a Windows network.
   b. Financial Document Generator Application (FDGA) - used to produce all types of financial reports and documentation. FDGA is installed on a Windows operating system, and uses Oracle as its database. FDGA is accessed via a Windows network.
   c. Human Resources and Payroll Application (HRPA) - used to manage the company's human resources and process payroll. This application is hosted outside of the company, at a third-party organization called HRP-For-All.
9.
The relevant application controls used to mitigate risks in this audit are listed in Exhibit 3.5b on pages 8 through 13(these must be added to the IT Planning Memo). Use w/ 1000.2 for reference purposes.