Final Project on Vitakraft

Introduction:

 Vitakraft is a petfood company located in Weston Ohio.

 Small company so it lacks a lot of controls
 Owned by German Owners
 The company would benefit from a Data flowchart, a BPD, and a document
flowchart.
 Video link: https://www.youtube.com/watch?v=AP6cJzz041w
 Timeline:  http://vitakraftsunseed.com/sunseed/about
Importance of Business cycles(why
Vitakraft needs these cycles analyzed):
 Payroll cycle is not well organized
 There is a miscommunication on when the employees will be paid, and who
does what in the payroll cycle.
 Much of this poor segregation comes in the form of who analyzes payroll
changes and who completes what document.
 Slow speeds of sending production orders between departments in
expenditure cycle.
 Miscommunication in the Revenue cycle on who does what and what to do
with shipments and customer returns.
 Miscommunication on required documents and their flow in the production
cycle.
Benefits of the diagrams:

 Data Flowcharts will help in the understanding of the logical order of tasks,
and which steps might not be completed.
 BPD diagrams will ensure that the right employees are doing the right tasks
 Document Flowcharts will help the employees to know which documents need
to be available at which step of the processes.
Benefits of Diagrams Continued:

 Better system of review for payroll, and a clearer communication on raise

opportunities.
 More Understanding on who does what in the payroll process, and who
reviews the payroll before submission.
 Less downtime for purchase order sending between departments.
 Better segregation in the Revenue cycle
 Further understanding of the document flow in the production cycle.
Data Flow Diagram on payroll:
Document flowchart on Payroll:
BPD on payroll:
Document flowchart on Production:
BPD on Revenue Cycle:
Data Flow diagram on Expenditure
cycle:
Narrative Description:
Employee Activity
H.R department Checks over payroll of discrepancies, updates payroll before sending
changes to the payroll Database. Updates employee hours and changes
on database.
Accounting Department Prepares customer invoices and updates the accounts receivable. Also
updates A/P and makes any necessary adjustments throughout work
cycle to general ledger, and other financial reports.
Supervisor Look over time cards, and approve them before sending them up the
ladder to payroll clerk, and HR.
Credit Department Issues credit memos for returned goods, decides if customers can
apply for a loan, or payment plan.
Warehouse Department Checks inventory levels for discrepancies, orders new stock if
necessary, matches and packs customer orders to be sent to the
shipping area for the shipping service to ship products. Generates
reports for shipping service and management. Sends purchase
requisitions for needed orders.
Sales Staff In charge of processing customer orders and creating the sales orders.
Customer Service In charge of receiving faulty or returned products and informing the
credit department to issue a credit memo.
Production Department Reads production orders and operations cards, starts the production.
Makes packing slips, and packing slips, stacks products on pallets to be
sent to warehouse department. Sends purchase requisitions for
needed orders.
Payroll Clerk/Department Records the time card data and creates the payroll reports. These
reports are later sent to HR to look them over. Prepares journal
entries for accounting to check over, makes reports and paychecks to
be distributed.
Shipping service Receives goods and takes them to the customer such as Meijer.
Customer Receives goods, makes orders, and sends faulty or defective
merchandise back to company.
Government Receives reports on company such as tax reports and withholding
reports.
Management Receives reports on payroll, and other internal reports to review.
Production Management Receives inventory file, forecasts production, and plans the
production for the cycle. Also uses the operations list and bill of
materials to make the production order that is later sent to the
production department.
Upper management External entity that looks over the progress reports for the production
location.
Operating departments EG production Record time card data and send it to the payroll department for
further processing.
Controls against computer fraud and
abuse:
 Training in most common methods of identity theft and social engineering
 Employees are trained to not give out personal information or important
company information to unknown sources.
 Use of Firewalls, Anti-malware, encryption and IDS in aid of stopping attacks
 Lack of use of IPS
Controls and AIS:

 Use of Application controls on computers and network to ensure data is

complete, valid, and accurate.
 Detective controls: that ensure duplicate numbers are not inputted.
 Corrective controls: in the form of adjustments to data, and restoring backup
files, and the database.
 Preventative controls: in the form of segregation of duties (still needs more
segregation)
 Lack of security guards, or employee who checks on computer systems daily.
Controls for Information Security:

 Creation of a security aware culture

 Access controls including multi-modal and multi-factor authentication
 Training in preventative and detective measures to high-level IT employees
and managers
 Use of firewalls, IDS, Ant-malware, encryption, and locks on computer
systems rooms
 Lack of use of security guards, or employee to check over computer rooms on
a daily basis.
 Lack of a IPS system
 Lack of a solid plan if an attack were to occur.
Confidentiality and Privacy controls:

 Access controls, and knowledge of what information should and should not be
divulged.
 Encryption and access controls prevent every employee for accessing
critically important documents.
 Use of Data loss prevention software (DLP): to prevent the leakage of
sensitive information
 Use of a spam filter to prevent high-levels of spam, and screening of e-mails
 Lack of the use of a digital watermark or IRM software
 Shredding of personal documents and minimized physical documents, only use
customer information when necessary.
 Lack of an employee to monitor privacy policies.
Processing integrity and availability
controls:
 Use of data entry controls like filed check, sign check, limit check, size
check, reasonableness test, and validity test.
 Reconciliation of the general ledger against the other account totals like
inventory control account being equal to the sum of the item balances in the
inventory database.
 Data users are trained to make sure data is reasonable and complete before
submission.
 Use of checksums
 Lack of good backup plan, every 2-weeks full backup, incremental backups
daily.
Internal controls Overview/Summary:

 The internal control mechanism lines up well with Vitakraft’s goals of

protecting their data, and creating an environment that is aware of the many
attacks that might occur.
 IPS should be implemented to make it possible to not only detect attacks, but
better prevent them.
 Employee should be put in charge of checking over computer rooms on a daily
basis, same employee perhaps could enforce the privacy policy as well.
 More frequent full backups and a better response plan, and action in the case
of an attack or a major data loss.
Narrative Description of Internal
Controls:
Employee Activity
IT Employee #1 Enforces the use of IDS and IPS software to be able to not only
detect attacks but also be able to prevent them in cases where the
patterns are able to be detected in the attacks. Also ensures that
DLP software is properly used to make sure sensitive emails are not
sent out, this process includes screening emails.

IT Employee #2 Handles the firewalls and anti-malware to ensure that attacks are
blocked before they can do too much harm. Also handles the
encryption of data to ensure that potential attackers cannot easily
steal data. Also helps with the input and output controls to make
sure data is complete and reasonable.
IT Employee #3 Handles the corrective controls and application controls as they
deal with the AIS. Ensures that the software that handles errors is
up to date and able to be used by the accounting department as
well as other departments such as the production department. Also
handles the multimodal and multifactor log in to make sure there
are multiple layers to log in attempts.

IT Manager In charge of properly training employees in the ways of preventing

and detecting attacks, also in charge of supervising IT employees
work to ensure that they are properly doing it. Also has the
responsibilities of checking over the computer rooms for tampering
and making sure that all the IT employees know about what
information should and should not be leaked.
IT Manager #2 Double checks the work done by the IT employees and handles the
initiation of a proper 4-step plan in prevention against potential
attacks. Also handles the weekly full backups along with the daily
incremental backups. Last of all, investigates new IT options such
as log analysis, and IRM software.
HR department Shreds personal information and stores employee personal
information online to avoid identity theft.
Management Ensures that customer information is kept in confidence and will
not be sent to third parties. Also ensures that non-IT personnel are
trained in what to look for in case of an attack and what is too
sensitive to leak to competitors or the public.
Conclusions/Recommendations:

 Vitakraft is doing an okay job of diagraming their processes and implementing

controls.
 Examples of issues are a poorly-structured HR department, understanding of
how documents are sent through their system, and improper segregation
between the different departments.
 Vitakraft has a lot of issues in terms of their internal controls.
 Problems include not using an IDS and other controls as mentioned earlier, no
use of log analysis, and a poor plan in case of an attack/bad backup
procedures.
Executive Summary:

 Could employ the use of an IPS in the future to improve the strength of their
network
 Better spam filters to decrease the amount of spam that makes it through
 Better segregation as to who does what in the IT department
 New and improved process in case of an attack (4-step process mentioned in
text)
 More in-depth level of encryption to prevent data theft
 Employee In charge of enforcing privacy policies
 More frequent full-backups, and a detailed comparison of the different
backup methods.
The
End