| | YES | NO | N/A | Notes Reference |
|---|---|---|---|---|
| This section should only be completed by agencies that perform electronic data processing. | ||||
| DATA PROCESSING | ||||
| Statutory References - 3-112 and 4-70b | ||||
| Segregation of Duties | ||||
| 1. Is the Data Processing department physically independent from all other departments for which it processes data? | ______ | ______ | ______ | ______ |
| 2. Is the Data Processing department administered independently from any department for which it processes data? | ______ | ______ | ______ | ______ |
| 3. a. Does each of the following components of the Data Processing department operate as its own entity: | ||||
| Systems Development (design and programming)? | ______ | ______ | ______ | ______ |
| Technical Support (maintenance of Systems software)? | ______ | ______ | ______ | ______ |
| Operations (job scheduling and processing)? | ______ | ______ | ______ | ______ |
| b. Does each of these components oversee its own security independently of the others? | ______ | ______ | ______ | ______ |
| c. Are personnel from one data processing component allowed to work in another data processing component? | ______ | ______ | ______ | ______ |
| 4. Do user departments utilize batch controls as a means of tracking and reconciling input? | ______ | ______ | ______ | ______ |
| a. Are the changes to the master file reconciled to the batch input by: | ||||
| Dollar amount? | ______ | ______ | ______ | ______ |
| Transaction count (# of records accessed)? | ______ | ______ | ______ | ______ |
| b. Is this a standard practice at the end of each processing cycle? | ______ | ______ | ______ | ______ |
| 5. a. Are there written data processing personnel policies? | ______ | ______ | ______ | ______ |
| b. Do they include procedures for: | ||||
| Reference checks? | ______ | ______ | ______ | ______ |
| Security statements? | ______ | ______ | ______ | ______ |
| Rotation of duties? | ______ | ______ | ______ | ______ |
| Security procedure for terminating a data processing employee? | ______ | ______ | ______ | ______ |
| Procedural Controls | ||||
| User Controls: | ||||
| 6. Are input transactions prepared, approved and controlled outside of the Data Processing department? | ______ | ______ | ______ | ______ |
| 7. Does the user department maintain control of the documents processed through batch control counts, transaction counts or other means to track input through the Data Processing department? | ______ | ______ | ______ | ______ |
| 8. Is an on-line data entry system in use (i.e., is data entered directly into the system and immediately processed)? | ______ | ______ | ______ | ______ |
| a. Is this on-line data entry system "real time processing"? | ______ | ______ | ______ | ______ |
| Are there immediate changes to master file? | ______ | ______ | ______ | ______ |
| Are transactions collected in the maintenance master file? | ______ | ______ | ______ | ______ |
| b. Is access to the on-line terminals restricted to authorized employees only? | ______ | ______ | ______ | ______ |
| c. Are the access codes to these on-line terminals changed on a predetermined basis? | ______ | ______ | ______ | ______ |
| d. Are the access codes sufficiently complex to deter unauthorized access to these terminals? | ______ | ______ | ______ | ______ |
| e. Is there a terminal or operator identifier on each transaction record? | ______ | ______ | ______ | ______ |
| 9. Are there supporting documents (specific forms) that can substantiate the changes to the master file? | ______ | ______ | ______ | ______ |
| a. Are changes to the master file supported by a printout of: | ||||
| Individual changes? | ______ | ______ | ______ | ______ |
| Summary of changes? | ______ | ______ | ______ | ______ |
| b. Are the changes authorized by a supervisor or by a person other than the one who inputs the transaction document? | ______ | ______ | ______ | ______ |
| 10. Are rejected transactions held in a suspense file? | ______ | ______ | ______ | ______ |
| 11. Can these rejected transactions be reconciled to the total number of transactions input minus the transactions processed? | ______ | ______ | ______ | ______ |
| Application Controls: | ||||
| 12. Are there written procedures for the control of data between user departments and the Data Processing department? | ______ | ______ | ______ | ______ |
| 13. Are there written procedures for data entry operators on how data is entered into the system for processing? | ______ | ______ | ______ | ______ |
| 14. Is there an audit release by the supervisor if certain key fields are entered? | ______ | ______ | ______ | ______ |
| 15. Can each transaction be traced to a specific terminal and/or specific terminal operator? | ______ | ______ | ______ | ______ |
| 16. Are there controls for balancing transaction input data to the master files? | ______ | ______ | ______ | ______ |
| 17. Are rejected transactions listed on a printout and balanced to total number of transactions processed and transactions accepted? | ______ | ______ | ______ | ______ |
| General Controls: | ||||
| 18. Do changes to system software follow a control procedure that ensures its integrity? | ______ | ______ | ______ | ______ |
| 19. Are there controls implemented that limit the use of tape and disk files to only authorized persons? | ______ | ______ | ______ | ______ |
| 20. Are there security provisions that limit access to the data processing operations area to authorized personnel? | ______ | ______ | ______ | ______ |
| 21. Are there controls that limit access to tapes, disks, system documentation and application program documentation to authorized employees? | ______ | ______ | ______ | ______ |
| 22. Is there a job accounting control system to document that work scheduled was processed? | ______ | ______ | ______ | ______ |
| 23. Are there controls in the operating environment to document what programs were processed? | ______ | ______ | ______ | ______ |
| 24. Are there controls to determine that proper procedures were followed in processing each program? | ______ | ______ | ______ | ______ |
| 25. Is there EDP supervision for employees on all shifts? | ______ | ______ | ______ | ______ |
| 26. Does the set-up and documentation of each program provide a sufficient trail for transition from one employee to another in case of a promotion, transfer or firing? | ______ | ______ | ______ | ______ |
| 27. Is there a disaster recovery plan in place for: | ||||
| a. Equipment? | ______ | ______ | ______ | ______ |
| b. Programs? | ______ | ______ | ______ | ______ |
| c. Data files? | ______ | ______ | ______ | ______ |
| 28. Is there insurance coverage for the equipment, programs and files? | ______ | ______ | ______ | ______ |
| 28a. Is this insurance coverage reviewed on an annual basis? | ______ | ______ | ______ | ______ |
| 29. Are there approved written specifications to update or modify existing applications systems? | ______ | ______ | ______ | ______ |
| 30. Is there an approval and testing process for accepting changes to existing applications systems? | ______ | ______ | ______ | ______ |

DO NOT WRITE IN THIS BOX -- AUDITORS USE ONLY

Preliminary opinion on the above Internal Control matters: Data Processing: Good / Fair / Poor