State Of Connecticut Accountability Directive Number 1 (Revised) State Agency Internal Control Questionnaire - Data Processing State Of Connecticut Accountability Directive Number 1 (Revised) State Agency Internal Control Questionnaire - Data Processing
YES NO N/A Notes
Reference
This section should only be completed by agencies that perform electronic data processing.
DATA PROCESSING
Statutory References - 3-112 and 4-70b
Segregation of Duties
1. Is the Data Processing department physically independent from all other departments for which it processes data? ______ ______ ______ ______
2. Is the Data Processing department administered independently from any department for which it processes data? ______ ______ ______ ______
3. a. Do each of the following components of the Data Processing department operates as its own entity:
Systems Development (design and programming)? ______ ______ ______ ______
Technical Support (maintenance of Systems software)? ______ ______ ______ ______
Operations (job scheduling and processing)? ______ ______ ______ ______
b. Do each of these components oversee its own security independent of the others? ______ ______ ______ ______
c. Are personnel from one data processing component allowed to work in another data processing component? ______ ______ ______ ______
4. Do user departments utilize batch controls as a means of tracking and reconciling input? ______ ______ ______ ______
a. Are the changes to the master file reconciled to the batch input by:
Dollar amount? ______ ______ ______ ______
Transaction count (# of records accessed)? ______ ______ ______ ______
b. Is this a standard practice at the end of each processing cycle? ______ ______ ______ ______
5.a. Are there written data processing personnel policies? ______ ______ ______ ______
b. Do they include procedures for:
Reference checks? ______ ______ ______ ______
Security statements? ______ ______ ______ ______
Rotation of duties? ______ ______ ______ ______
Security procedure for terminating a data processing employee? ______ ______ ______ ______
Procedural Controls
User Controls:
6.Are input transactions prepared, approved and controlled outside of the Data Processing department? ______ ______ ______ ______
7.Does the user department maintain control of the documents processed through batch control counts, transaction counts or other means to track input through the Data Processing department? ______ ______ ______ ______
8. Is an on-line data entry system in use (i.e., is data entered directly into the system and immediately processed)? ______ ______ ______ ______
a. Is this on-line data entry system "real time processing"? ______ ______ ______ ______
Are there immediate changes to master file? ______ ______ ______ ______
Are transactions collected in the maintenance master file? ______ ______ ______ ______
b. Is access to the on-line terminals restricted to all except authorized employees? ______ ______ ______ ______
c. Are the access codes to these on-line terminals changed on a predetermined basis? ______ ______ ______ ______
d. Are the access codes sufficiently complex to deter unauthorized access to these terminals? ______ ______ ______ ______
e. Is there a terminal or operator identifier on each transaction record? ______ ______ ______ ______
9. Are there supporting documents (specific forms) that can substantiate the changes to the master file? ______ ______ ______ ______
a. Are changes to the master file supported by a printout of:
Individual changes? ______ ______ ______ ______
Summary of changes? ______ ______ ______ ______
b. Are the changes authorized by a supervisor or by a person other than the one who inputs the transaction document? ______ ______ ______ ______
10.Are rejected transactions held in a suspense file? ______ ______ ______ ______
11. Can these rejected transactions be reconciled to the total number of transactions input minus the transactions processed? ______ ______ ______ ______
Application Controls:
12.Are there written procedures for the control of data between user departments and the Data Processing department? ______ ______ ______ ______
13. Are there written procedures for data entry operators on how data is entered into the system for processing? ______ ______ ______ ______
14. Is there an audit release by the supervisor if certain key fields are entered? ______ ______ ______ ______
15.Can each transaction be traced to a specific terminal and/or specific terminal operator? ______ ______ ______ ______
16. Are there controls for balancing transaction input data to the master files? ______ ______ ______ ______
17. Are rejected transactions listed on a printout and balanced to total number of transactions processed and transactions accepted? ______ ______ ______ ______
General Controls:
18. Do changes to system software follow a control procedure that insures its integrity? ______ ______ ______ ______
19. Are there controls implemented that limit the use of tape and disk files to only authorized persons? ______ ______ ______ ______
20.Are there security provisions that limit access to the data processing operations area to authorized personnel? ______ ______ ______ ______
21. Are there controls that limit access to tapes, disks, system documentation and application program documentation to authorized employees? ______ ______ ______ ______
22. Is there a job accounting control system to document that work scheduled was processed? ______ ______ ______ ______
23. Are there controls in the operating environment to document what programs were processed? ______ ______ ______ ______
24.Are there controls to determine that proper procedures were followed in processing each program? ______ ______ ______ ______
25.Is there EDP supervision for employees on all shifts? ______ ______ ______ ______
26. Does the set-up and documentation of each program provide a sufficient trail for transition from one employee to another in case of a promotion, transfer or firing? ______ ______ ______ ______
27. Is there a disaster recovery plan in place for:
a. Equipment? ______ ______ ______ ______
b. Programs? ______ ______ ______ ______
c. Data files? ______ ______ ______ ______
28. Is there insurance coverage for the equipment programs and files? ______ ______ ______ ______
28a.Is this insurance coverage reviewed on an annual basis? ______ ______ ______ ______
29. Are there approved written specifications to update or modify existing applications system? ______ ______ ______ ______
30. Is there an approval and testing process for accepting changes to existing applications systems? ______ ______ ______ ______
DO NOT WRITE IN THIS BOX --AUDITORS USE ONLY
Preliminary opinion on the above Internal Control matters:
Data Processing
Good Fair Poor

Back to Comptroller's Home Page
Back to Table of Contents