Process to Remediation
31
IT General Controls
Material WeaknessIdentified in 2015
Control Type Segment Application2014
Deficiency2015 Deficiency
Assessment Control Deficiency Aggregation factorsAggregation
Assessment Material Weakness Factors
TV&E Medea CD
TV&E SIMS CD
Gracenote Salesforce CD
TV&E WideOrbit Traffic CD
TV&E WideOrbit Networks - CD
Gracenote Oracle CD
Corporate Workday CD
Corporate G Treasury - CD
Gracenote People to Oracle - SD
TV&E WideOrbit Networks - CD
Corporate PeopleSoft to Workday CD
SIMS CD
WideOrbit Traffic (Database)
CD
Corporate Workday - CD
Gracenote Salesforce CD
Oracle CD
SalesForce CD
Corporate Workday SD
WideOrbit Traffic CD
WideOrbit Networks CD
SIMS CD
Computer Operations
Corporate Workday CD* Inappropriate access to integrations(EIB)
modify, schedule and launch privileges. CD
IT Governance All All CD * No IT governance process in place
CD
Change Management
* Enterprise wide change management process was not consistently
implemented throughout the fiscal year.* Not all changes flowed
through the formalized change management process.* For changes that
followed the change management process, management was unable to
provide substantiation of effective testing for all changes.*
Ineffective change population monitoring by management
SD
* Significant technology changes without a consistent change
management process increased the risk of accidental, inappropriate
or unauthorized changes that are not identified timely.
* More than half of the direct financial controls have some
degree of underlying IT dependencies (Reports, application
controls, workflows, etc)
* Inconsistent control effectiveness during the year. Some
controls failed multiple times. (Control Failure Rate - Interim 50%
Rollforward/Remediation 25%)
* Go forward sustainability could not be assessed before year
end
* Pervasiveness of control issues across all financially
critical systems - compensating controls are not designed a level
of precision to fully mitigate related risks
* Standard/consistent IT Governance is not in place across all
segments of the organization
* Control owners were not always clearly defined and related
responsibilities were not consistently understood
* Repeat SD from prior year around SDLC and Change
Management
* Pervasiveness of SoD issues across all systems - control was
either not present or compensating controls are not designed at a
level of precision to fully mitigate related risks
* Lack of understanding of the impact of certain security roles
with Workday which lead to certain users being granted
inappropriate access to auto complete EIBS that may enable users to
bypass automated review and approval workflow
* Limited controls governing the use of EIB autocomplete feature
within Workday
SDLC
* Unable to validate proper testing occurred for the
implementations* Performance of implementation controls could not
be substantiated.* Business Process design and security around
auto-complete EIB uploads not fully considered and/ or
documented.
SD
ITGC Security
TV&E
* Limited understanding of intersection security within Workday
and its impact on EIB Integrations* Inappropriate access granted
around roles that enabled users to utilize automcomplete EIB
integrations that can potentially bypass of business review and
approval workflow with Workday* SoD Issues identified during the
semi annual user access review
SD
SOD
Gracenote* User identified with privileged access to both
Database and application level (3)* Management did not perform SoD
review for in broadcast revenue & broadcast rights systems in
2015* All results from the Oracle SoD review were not properly
remediated during 2015* Workday annual SoD review did not include
assessment of access to EIB intregations
SD
TV&E
For Powerpoint
Control TypeSegmentApplication2014 Deficiency2015 Deficiency
AssessmentControl Deficiency Aggregation factorsAggregation
AssessmentMaterial Weakness FactorsITGC Aggregation Roll-Up
Change Management TV&EMedeaüCD* Enterprise wide change
management process was not consistently implemented throughout the
fiscal year.* Not all changes flowed through the formalized change
management process.* For changes that followed the change
management process, management was unable to provide substantiation
of effective testing for all changes.* Ineffective change
population monitoring by managementSD* Significant technology
changes without a consistent change management process increased
the risk of accidental, inappropriate or unauthorized changes that
are not identified timely.
* More than half of the direct financial controls have some
degree of underlying IT dependencies (Reports, application
controls, workflows, etc)
* Inconsistent control effectiveness during the year. Some
controls failed multiple times. (Control Failure Rate - Interim 50%
Rollforward/Remediation 25%)
* Go forward sustainability could not be assessed before year
end
* Pervasiveness of control issues across all financially
critical systems - compensating controls are not designed a level
of precision to fully mitigate related risks
* Standard/consistent IT Governance is not in place across all
segments of the organization
* Control owners were not always clearly defined and related
responsibilities were not consistently understood
* Repeat SD from prior year around SDLC and Change
Management
* Pervasiveness of SoD issues across all systems - control was
either not present or compensating controls are not designed at a
level of precision to fully mitigate related risks
* Lack of understanding of the impact of certain security roles
with Workday which lead to certain users being granted
inappropriate access to auto complete EIBS that may enable users to
bypass automated review and approval workflow
* Limited controls governing the use of EIB autocomplete feature
within WorkdayMW
TV&ESIMSüCD
GracenoteSalesforceüCD
TV&EWideOrbit TrafficüCD
TV&EWideOrbit Networks-CD
GracenoteOracleüCD
CorporateWorkday üCD
CorporateG Treasury-CD
SDLCGracenotePeople to Oracle-SD* Unable to validate proper
testing occurred for the implementations* Performance of
implementation controls could not be substantiated.* Business
Process design and security around auto-complete EIB uploads not
fully considered and/ or documented.SD
TV&EWideOrbit Networks-CD
CorporatePeopleSoft to Workday üCD
ITGC SecurityTV&ESIMSüCD* Limited understanding of
intersection security within Workday and its impact on EIB
Integrations* Inappropriate access granted around roles that
enabled users to utilize automcomplete EIB integrations that can
potentially bypass of business review and approval workflow with
Workday* SoD Issues identified during the semi annual user access
review * Not all users were reviewed during the 2nd half review*
User Provisioning issuesSD
WideOrbit Traffic (Database)üCD
CorporateWorkday-CD
GracenoteSalesforceüCD
SODGracenoteOracleüCD* User identified with privileged access to
both Database and application level (3)* Management did not perform
SoD review for in broadcast revenue & broadcast rights systems
in 2015* All results from the Oracle SoD review were not properly
remediated during 2015* Workday annual SoD review did not include
assessment of access to EIB intregationsSD
SalesForceCD
CorporateWorkdaySD
TV&EWideOrbit TrafficüCD
WideOrbit NetworksCD
SIMSCD
Computer OperationsCorporateWorkdayCD* Inappropriate access to
integrations(EIB) modify, schedule and launch privileges. * Use of
EIB(Bulk upload) autocomplete process with limited monitoring *
Limited understanding of the privileges required to modify,
schedule and launch integrationsCD
IT GovernanceAllAllüCD* No IT governance process in placeCD
Notes:
(1) - Scale is from 1 to 5 with 5 as the highest. The ratings
are subjective but in general, low severity was given to items with
a lower risk profile and with less significant issues identified
during testing. High severity items included items such as The
PeopleSoft to Oracle implementation where performance of the
implementations could not be substantiated.
(2) Ekta Bhandari and Anthony Moisant managed Gracenote side of
the Workday Implementation.
Original
Control TypeSegmentApplicationApplication DescriptionSeverity of
2015 Deficiency (scale of 1 to 5) (1)2014 Deficiency2015 Deficiency
Assessment2015 Accountable PersonOrganizationControl Deficiency
Aggregation factorsAggregation AssessmentMaterial Weakness
FactorsITGC Aggregation Roll-Up
Change Management TV&EMedeainvoicing, account receivable,
collections for Tower Distribution4üCDAndy RosenbergTower Finance*
Enterprise wide change management process was not consistently
implemented throughout the fiscal year.* Not all changes flowed
through the formalized change management process.* For changes that
followed the change management process, management was unable to
provide substantiation of effective testing for all changes.*
Ineffective change population monitoring by managementSD*
Significant technology changes without a consistent change
management process increased the risk of accidental, inappropriate
or unauthorized changes that are not identified timely.
* More than half of the direct financial controls have some
degree of underlying IT dependencies (Reports, application
controls, workflows, etc)
* Inconsistent control effectiveness during the year. Some
controls failed multiple times. (Control Failure Rate - Interim 50%
Rollforward/Remediation 25%)
* Go forward sustainability could not be assessed before year
end
* Pervasiveness of control issues across all financially
critical systems - compensating controls are not designed a level
of precision to fully mitigate related risks
* Standard/consistent IT Governance is not in place across all
segments of the organization
* Control owners were not always clearly defined and related
responsibilities were not consistently understood
* Repeat SD from prior year around SDLC and Change
Management
* Pervasiveness of SoD issues across all systems - control was
either not present or compensating controls are not designed at a
level of precision to fully mitigate related risks
* Lack of understanding of the impact of certain security roles
with Workday which lead to certain users being granted
inappropriate access to auto complete EIBS that may enable users to
bypass automated review and approval workflow
* Limited controls governing the use of EIB autocomplete feature
within WorkdayMW
TV&ESIMSProgram asset management system for all stations
(Broadcast Rights and related amortization)4üCDDavid WeintrobIT
Support
GracenoteSalesforceRevenue recognition and contract management
for Gracenote Music and Video4üCDAnthony Moisant* / Mathew
LeedsGracenote IT
TV&EWideOrbit TrafficCustomer information, order entry,
traffic, invoicing, AR, and collections for television stations
3üCDDavid MurrayIT Apps
TV&EWideOrbit NetworksCustomer information, order entry,
traffic, invoicing, AR, and collections for WGNA3-CDDavid MurrayIT
Apps
GracenoteOracleFinancial accounting system for Gracenote,
including invoicing for Gracenote Music3üCDAnthony Moisant* /
Mathew LeedsGracenote IT
CorporateWorkday HR system Financial accounting system for
Tribune Media3üCDDavid DoolittleIT Apps
CorporateG TreasuryWire transfers, manage cash balances,
etc.1-CDDan BeezieTreasury
SDLCGracenotePeople to OracleReplaced TMS PeopleSoft Financials
with Gracenote's Oracle EBS - Financial Accounting
system5-SDAnthony Moisant*/Ekta Bhandari*Gracenote IT and Finance *
Unable to validate proper testing occurred for the implementations*
Performance of implementation controls could not be substantiated.*
Business Process design and security around auto-complete EIB
uploads not fully considered and/ or documented.SD
TV&EWideOrbit NetworksReplaced WideOrbit Traffic and
DealMaker - Customer information, order entry, traffic, invoicing,
AR, and collections for WGNA4-CDDavid Murray/Cindy LaCheyIT
Apps
CorporatePeopleSoft to Workday Replaced PeopleSoft Financials
with Workday Financials3üCDErik BurnsAnthony Moisant*/Ekta
Bhandari*(2)IT PMO / Gracenote
ITGC SecurityTV&ESIMSProgram asset management system for all
stations (Broadcast Rights and related amortization)2üCDDavid
Weintrob / Judy Juds*IT Support* Limited understanding of
intersection security within Workday and its impact on EIB
Integrations* Inappropriate access granted around roles that
enabled users to utilize automcomplete EIB integrations that can
potentially bypass of business review and approval workflow with
Workday* SoD Issues identified during the semi annual user access
review * Not all users were reviewed during the 2nd half review*
User Provisioning issuesSD
WideOrbit Traffic (Database)Underlying database supporting the
WideOrbit Traffic system - Customer information, order entry,
traffic, invoicing, AR, and collections for local television
stations 2üCDSyed Ali*IT DBA
CorporateWorkdayHR system and Financial Accounting system for
Tribune Media 2-CDDuane SmithIT Compliance
GracenoteSalesforceRevenue recognition and contract management
for Gracenote Music and Video2üCDAnthony Moisant*/Mea
MillerGracenote IT and Sales
SODGracenoteOracleFinancial accounting system for Gracenote,
including invoicing for Gracenote Music4üCDAnthony Moisant*/Don
KowallGracenote IT* User identified with privileged access to both
Database and application level (3)* Management did not perform SoD
review for in broadcast revenue & broadcast rights systems in
2015* All results from the Oracle SoD review were not properly
remediated during 2015* Workday annual SoD review did not include
assessment of access to EIB intregationsSD
SalesForceRevenue recognition and contract management for
Gracenote Music and Video3CDEileen Parker / Mea MillerGracenote
IT
CorporateWorkdayHR system and Financial Accounting system for
Tribune Media 5SDJim Ragas* / Dan HartmanShared Services
TV&EWideOrbit TrafficCustomer information, order entry,
traffic, invoicing, AR, and collections for television stations
3üCDCindy LaChey / David MurrayShared Services
WideOrbit NetworksCustomer information, order entry, traffic,
invoicing, AR, and collections for WGNA3CDCindy LaChey / David
MurrayShared Services
SIMSProgram asset management system for all stations (Broadcast
Rights and related amortization)2CDJudy Juds* / Dave
WeintobBoroadcasting Group Office
Computer OperationsCorporateWorkdayHR system and Financial
Accounting system for Tribune Media 4CDDavid DoolittleIT APPS*
Inappropriate access to integrations(EIB) modify, schedule and
launch privileges. * Use of EIB(Bulk upload) autocomplete process
with limited monitoring * Limited understanding of the privileges
required to modify, schedule and launch integrationsCD
IT GovernanceAllAll4üCDDuane SmithIT Compliance* No IT
governance process in placeCD
* - Employee is no longer working for the company
Notes:
(1) - Scale is from 1 to 5 with 5 as the highest. The ratings
are subjective but in general, low severity was given to items with
a lower risk profile and with less significant issues identified
during testing. High severity items included items such as The
PeopleSoft to Oracle implementation where performance of the
implementations could not be substantiated.
(2) Ekta Bhandari and Anthony Moisant managed Gracenote side of
the Workday Implementation.
Sheet2
SegmentApplicationDescriptionIT Point Person(s)
AllAllDuane Smith
CorporateG TreasuryWire transfers, manage cash balances, etc.Dan
Beezie
TV&EMedeainvoicing, account receivable, collections for
Tower DistributionAndy Rosenberg
GracenoteOracleFinancial accounting system for Gracenote,
including invoicing for Gracenote MusicMatthew Leads/Don Kowall
GracenoteSalesforceRevenue recognition and contract management
for Gracenote Music and VideoMatthew Leads/Eileen Parker/Mea
Miller
TV&ESIMSProgram asset management system for all stations
(Broadcast Rights and related amortization)David Weintrob
TV&EWideOrbit NetworksReplaced WideOrbit Traffic and
DealMaker - Customer information, order entry, traffic, invoicing,
AR, and collections for WGNADavid Murray/Cindy LaChey
TV&EWideOrbit TrafficCustomer information, order entry,
traffic, invoicing, AR, and collections for television stations
David Murray/Cindy LaChey
CorporateWorkdayHR system and Financial Accounting system for
Tribune Media Dan Hartman/David Doolittle/Chris Lewis (Fin)/Vishal
Khubani (HR)
