Audit Scope

The objective of this audit is to assist UNCCG in reviewing its enterprise data warehouse
technology platform. The scope of work for this audit will consist of XX hours of
professional services, and the objectives for this audit will include a review of the following
control points:
Data Warehouse Management
o Data Warehouse Governance
o Financial Management
o Risk Management
o Human Resources
o Portfolio Project Management
Data Warehouse Operations
o DW Architecture and Integration
o Systems Development and Testing
o Change Management
o System Monitoring
o Problem Management
o Logical Security
o Data Transmission
o Metadata
Business Integration
o Service Delivery (Business Process Integration and Analysis)
o Project Management
o Help Desk
Audit Approach
Our approach for the execution of this audit engagement will consist of interviews with key
employees, review of documents, inspections, data extractions and the usage of applicable
audit tools. The audit will consist of the components described below. The phases are listed
in sequential order and should provide an overview of the sequencing of the proposed
engagement.
Phase description and deliverables

1. Mobilization phase
Phase description: GF Consulting will perform the following:
o Develop and provide to UNCCG an advanced data request (ADR) of the relevant
documents and materials that will support our fieldwork.
o Develop and provide to UNCCG an initial interview list of those business and IT
professionals that we anticipate needing to meet with in order to perform this audit.
o Develop an audit program to guide activities during the course of this audit. The audit
program guide should include a list of the controls that would be reviewed along with a
defined approach for understanding the design of each control and how it would be
tested to determine if it is operating effectively.
Deliverables:
o Advanced data requests (see Appendix I for a sample request)
o Interview lists of key employees that we would like to interview (see Appendix II for a
sample list)
o Detailed Audit Program document(s) for each of the following areas: Data Warehouse
Management, Data Warehouse Operations and Business Integration

2. Execution phase
Phase description: Once the audit program has been finalized, and the appropriate
resources have been identified, fieldwork will proceed in accordance with the audit plan.
Deliverables:
o Results from the execution of the detailed Audit Program
o Working papers that support the results from the detailed Audit Program

3. Reporting phase
Phase description: All IT audit work is summarized in the IT audit report. Our team will
compile and present a draft report to UNCCG management within three weeks of
completing the execution phase. The purpose of this draft is discussion and incorporation
of any comments prior to issuing a final report to UNCCG.
Deliverables:
o Draft report for discussion containing an executive summary, audit findings and
recommendations for improvement
o Final report with edits and comments from UNCCG management
Risk Assessment
Based on the information provided by UNCCG during our initial conversation, combined with
our understanding of the business environment in which UNCCG operates, we have
formulated the following risk considerations that we understand are relevant to your
business. Our goal is to incorporate these risk considerations in the audit program to be
developed in the Mobilization Phase of this engagement.
Risk category: Regulatory Risk
1. As a publicly traded company, UNCCG is subject to compliance with the Sarbanes-Oxley
Act of 2002 (SOX). As a result, UNCCG's management must:
o Accept responsibility for the effectiveness of the company's internal control over
financial reporting.
o Evaluate the effectiveness of the company's internal control over financial
reporting using suitable control criteria.
o Support its evaluation with sufficient evidence, including documentation.
o Present a written assessment of the effectiveness of the company's internal
control over financial reporting as of the end of the company's most recent fiscal
year.
Although this legal requirement may not have a direct impact on the data warehouse
applications subject to this audit, since the data warehouse is not categorized as a
"financial reporting related" application, it may have an indirect impact where technology
infrastructure is shared between the financial reporting systems and the data warehouse
applications. Technology infrastructure (operations, security, processes, people) that
supports financial reporting systems is subject to SOX compliance requirements.

Risk category: Technology/Reputational Risk
2. Privacy regulations
The Personal Data Privacy & Security Act of 2005 bill states that organizations must
"adopt reasonable procedures to ensure the security, privacy and confidentiality of
personally identifiable information" and notify relevant governing bodies when security
breaches occur. The bill also states that, if there is reason to believe the stolen data can
be used for identity theft, then the organization must make public notification. We have
seen increased pressure in the marketplace pushing companies toward a better defined
and better controlled data privacy controls environment. We understand that a
significant portion of UNCCG's revenue comes from check card, credit card and debit card
transactions, on which some consumer information is collected, processed and may or
may not be stored. It is our understanding that payment processing is performed
externally. In addition, UNCCG's consumer loyalty program collects and stores
consumer private information such as telephone numbers, addresses, names and a
history of purchases. Based on those facts, we understand that current and future
privacy regulations are a relevant risk to the business at UNCCG that has both a
regulatory impact and a brand impact, given that future privacy breaches will be
required to be made public.

Risk category: Operational Risk
3. External vendors' access to enterprise data
Based on the information provided by UNCCG during our initial conversations, we
understand that credit and debit card payment processing is outsourced to an external
vendor.
In addition, UNCCG indicated that it relies on a third party vendor, located in India, to
perform program change and program development functions for the data warehouse (DW)
management system. This external vendor has remote access to the UNCCG environment.
We understand that, even though UNCCG has outsourced program change and program
development functions to a third party vendor, it is still responsible for ensuring the
accuracy, completeness and appropriateness of program changes and developments in the
DW environment.
In order to perform their business functions, both of these vendors will have the ability to
access sensitive enterprise data, including consumer information. Based on that fact, we
consider this a relevant risk to the company's IT environment.
Risk category: Credit Risk/Technology Risk
4. Unavailability of credit and/or debit card processing application
We understand that a significant portion of UNCCG's revenue comes from check card,
credit card and debit card transactions, which are processed externally (for approval
purposes) and stored by one of the company's mainframe-based systems (for
reconciliation and historical purposes). Unavailability of either the external processing vendor
or of the mainframe-based system would cause the point-of-sale (POS) systems at the stores
to operate in an "offline mode" in which only cash payments would be accepted, until
functionality is completely restored. Based on that information, we consider that
unavailability of card payment applications is a relevant risk to the business that has a
direct impact on the customer's perception of quality of service and a direct impact on
sales.
Communications
Through regular meetings and ongoing communication with management, we will establish
a relationship of openness and teamwork through which we can discuss significant audit
findings, recommendations for improving internal controls or operations, and current
industry issues (or any other issues management wishes to discuss), and ultimately
develop solid solutions without surprises. We commit to holding regular meetings with
management, both formally and informally, to foster such a relationship.
Management letters and communication are an important element of professional service.
It is our policy to discuss our findings and recommendations with the appropriate members
of management prior to issuance so that we can verify factual accuracy. Our final report will
only include findings and recommendations considered significant. Other matters will be
communicated throughout the engagement and during our regular meetings and fieldwork.
Planned schedule
GF Consulting estimates this engagement will require approximately xxxx weeks of effort,
and we are prepared to begin fieldwork on a date mutually agreed upon with UNCCG. In
addition, we understand the final report for this audit must be completed no later than July
15, 200X.
APPENDIX I Sample Advanced Data Request
The following information would be helpful in evaluating the existing data warehouse
environment, to the extent it already exists.
1. Organization Charts
a. Technology (Development and Operations)
b. Business
2. Telephone Directory
3. User Documentation
a. Data warehouse user training guides
b. Data warehouse user operational manuals
4. Systems Documentation
a. Application architecture (including an explanation of any automated interfaces)
b. Systems operations overview (platform and network)
c. Third party vendor agreements
5. Management Procedures and Policies
a. Operations Management (system monitoring, maintenance, and/or scheduled
support)
b. Information Security (logical access)
c. Change Management (change control and configuration management)
d. Business Continuity Plan(s)
e. Disaster Recovery Plan(s)
f. Problem Management
APPENDIX II Sample Interview Request
The following is a list of individuals we anticipate will likely be requested to participate in a
one-hour interview with one of our team members. The schedule will be arranged by our team
in observance of UNCCG's personnel commitments and priorities. Other interviews may be
determined necessary as we make progress, and we will make our best efforts to
communicate this as soon as possible so they can be scheduled in a non-disruptive manner.
Individual            Role
Jerry Lewis           Chief Information Officer
Brunno Rodriguez      Chief Security Officer
Chris Poknis          Vendor Relationship Manager
Andy Tatum            IT Operations Manager
Andrew Deloach        Database Administrator (DBA)
Chris Maiden          Data Warehouse Lead
Mike Maher            Data Warehouse Service Delivery Manager
Josh Smith            Data Warehouse Architect
Amanda Fernandez      SAP Project Lead
Steve Lucas           Data Warehouse Senior Analyst
