2930 Closing Meeting Agenda

Date / Time: Client: Attendees from Client Side: December 26, 2013 Qasseem Cement Company Abdulrahman Al aidi !"# Manager$

1. SCOPE OF IT PROCEDURES

Update understanding of the Windows 2003 (VAS / JD Edwards) - Qasseem Evaluation of design and implementation of the following IT General Control areas: o Access Security o Program Changes Tested Journal Entries to assist in the completion of ISA240 requirements (in progress) Tested specific application controls related to the following processes: o Sales o Payroll o Fixed Assets

2. Observations noted for current year The below are draft observations for discussion. The below observations will be included in our IT Audit Management Letter QCC FY 2013. The IT Audit Management Letter QCC FY 2013 will include each observation with its associated risk and our recommendation to resolve each observation. The observations below have been grouped according to which specific department they pertain to.

3. Current Year Observations: 1. Annual IT budget and annual IT plan is developed, however a long term IT Strategy document is yet to be devised. IT should be noted that such an IT strategy can be developed upon development of a QCC business strategy 2. Formal business continuity plan is yet to be developed. 3. Policies and Procedures: a. IT Department has developed a number of policies and procedures. However, these are yet to be formally approved. b. Policies and procedures prepared by IT department are not aligned to best practice standards such as ISO27001 or ITIL. 4. Absence of a dedicated information security function to monitor overall information security controls implemented at QCC on an ongoing basis. 5. Absence of a formal risk assessment exercise to assess the overall risk and control environment 6. Absence of IT quality assurance / compliance function to ensure that personnel in IT department perform established processes in the IT department consistently and timely. 7. Administrator audit logs on MS SQL Server database level are not being formally reviewed. 8. Administrator audit logs on JD Edwards application level have not been enabled.

2930 %&' Closing Meeting Agenda (age 2 o) 2

9. A formal service level agreement between IT department and business departments has not been established. 10. Program change management process: Application program changes are not tracked in a centralized repository. All steps performed in the application change management process are not formally recorded. 11. Application owners have not been formally defined 12. Periodic user access rights review is not formally conducted

4. NE T STEP

Delivery of Management Letter Report