 | YES | NO | N/A | Notes Reference |
---|---|---|---|---|
This section should only be completed by agencies that perform electronic data processing. | ||||
DATA PROCESSING | ||||
Statutory References - 3-112 and 4-70b | ||||
Segregation of Duties | ||||
1. Is the Data Processing department physically independent from all other departments for which it processes data? | ______ | ______ | ______ | ______ |
2. Is the Data Processing department administered independently from any department for which it processes data? | ______ | ______ | ______ | ______ |
3. a. Does each of the following components of the Data Processing department operate as its own entity: | ||||
Systems Development (design and programming)? | ______ | ______ | ______ | ______ |
Technical Support (maintenance of Systems software)? | ______ | ______ | ______ | ______ |
Operations (job scheduling and processing)? | ______ | ______ | ______ | ______ |
b. Does each of these components oversee its own security independently of the others? | ______ | ______ | ______ | ______ |
c. Are personnel from one data processing component allowed to work in another data processing component? | ______ | ______ | ______ | ______ |
4. Do user departments utilize batch controls as a means of tracking and reconciling input? | ______ | ______ | ______ | ______ |
a. Are the changes to the master file reconciled to the batch input by: | ||||
Dollar amount? | ______ | ______ | ______ | ______ |
Transaction count (# of records accessed)? | ______ | ______ | ______ | ______ |
b. Is this a standard practice at the end of each processing cycle? | ______ | ______ | ______ | ______ |
5. a. Are there written data processing personnel policies? | ______ | ______ | ______ | ______ |
b. Do they include procedures for: | ||||
Reference checks? | ______ | ______ | ______ | ______ |
Security statements? | ______ | ______ | ______ | ______ |
Rotation of duties? | ______ | ______ | ______ | ______ |
Security procedure for terminating a data processing employee? | ______ | ______ | ______ | ______ |
Procedural Controls | ||||
User Controls: | ||||
6. Are input transactions prepared, approved and controlled outside of the Data Processing department? | ______ | ______ | ______ | ______ |
7. Does the user department maintain control of the documents processed through batch control counts, transaction counts or other means to track input through the Data Processing department? | ______ | ______ | ______ | ______ |
8. Is an on-line data entry system in use (i.e., is data entered directly into the system and immediately processed)? | ______ | ______ | ______ | ______ |
a. Is this on-line data entry system "real time processing"? | ______ | ______ | ______ | ______ |
Are there immediate changes to master file? | ______ | ______ | ______ | ______ |
Are transactions collected in the maintenance master file? | ______ | ______ | ______ | ______ |
b. Is access to the on-line terminals restricted to authorized employees only? | ______ | ______ | ______ | ______ |
c. Are the access codes to these on-line terminals changed on a predetermined basis? | ______ | ______ | ______ | ______ |
d. Are the access codes sufficiently complex to deter unauthorized access to these terminals? | ______ | ______ | ______ | ______ |
e. Is there a terminal or operator identifier on each transaction record? | ______ | ______ | ______ | ______ |
9. Are there supporting documents (specific forms) that can substantiate the changes to the master file? | ______ | ______ | ______ | ______ |
a. Are changes to the master file supported by a printout of: | ||||
Individual changes? | ______ | ______ | ______ | ______ |
Summary of changes? | ______ | ______ | ______ | ______ |
b. Are the changes authorized by a supervisor or by a person other than the one who inputs the transaction document? | ______ | ______ | ______ | ______ |
10. Are rejected transactions held in a suspense file? | ______ | ______ | ______ | ______ |
11. Can these rejected transactions be reconciled to the total number of transactions input minus the transactions processed? | ______ | ______ | ______ | ______ |
Application Controls: | ||||
12. Are there written procedures for the control of data between user departments and the Data Processing department? | ______ | ______ | ______ | ______ |
13. Are there written procedures for data entry operators on how data is entered into the system for processing? | ______ | ______ | ______ | ______ |
14. Is there an audit release by the supervisor if certain key fields are entered? | ______ | ______ | ______ | ______ |
15. Can each transaction be traced to a specific terminal and/or specific terminal operator? | ______ | ______ | ______ | ______ |
16. Are there controls for balancing transaction input data to the master files? | ______ | ______ | ______ | ______ |
17. Are rejected transactions listed on a printout and balanced to total number of transactions processed and transactions accepted? | ______ | ______ | ______ | ______ |
General Controls: | ||||
18. Do changes to system software follow a control procedure that ensures its integrity? | ______ | ______ | ______ | ______ |
19. Are there controls implemented that limit the use of tape and disk files to only authorized persons? | ______ | ______ | ______ | ______ |
20. Are there security provisions that limit access to the data processing operations area to authorized personnel? | ______ | ______ | ______ | ______ |
21. Are there controls that limit access to tapes, disks, system documentation and application program documentation to authorized employees? | ______ | ______ | ______ | ______ |
22. Is there a job accounting control system to document that work scheduled was processed? | ______ | ______ | ______ | ______ |
23. Are there controls in the operating environment to document what programs were processed? | ______ | ______ | ______ | ______ |
24. Are there controls to determine that proper procedures were followed in processing each program? | ______ | ______ | ______ | ______ |
25. Is there EDP supervision for employees on all shifts? | ______ | ______ | ______ | ______ |
26. Does the set-up and documentation of each program provide a sufficient trail for transition from one employee to another in case of a promotion, transfer or firing? | ______ | ______ | ______ | ______ |
27. Is there a disaster recovery plan in place for: | ||||
a. Equipment? | ______ | ______ | ______ | ______ |
b. Programs? | ______ | ______ | ______ | ______ |
c. Data files? | ______ | ______ | ______ | ______ |
28. Is there insurance coverage for the equipment, programs and files? | ______ | ______ | ______ | ______ |
28a. Is this insurance coverage reviewed on an annual basis? | ______ | ______ | ______ | ______ |
29. Are there approved written specifications to update or modify existing applications systems? | ______ | ______ | ______ | ______ |
30. Is there an approval and testing process for accepting changes to existing applications systems? | ______ | ______ | ______ | ______ |
DO NOT WRITE IN THIS BOX --AUDITORS USE ONLY
Preliminary opinion on the above Internal Control matters (Data Processing): Good / Fair / Poor |