A) SEGREGATION OF DUTIES
1) Is the EDP department independent from the accounting and operating departments for which it processes data?
2) Are duties within the data-processing function as adequately segregated as follows:
a) Systems development (design and programming)?
b) Technical support (maintenance of systems software)?
3) In smaller and mini-computer installations with limited opportunities for segregation of duties, do procedures for user departments provide the following controls:
a) Utilization of batch or other input controls?
b) Control of master file changes?
c) Balance master files between processing cycles?
4) Do personnel policies of the EDP function include such procedures as reference checks, security statements, rotation of duties, and terminated-employee security measures?
B) PROCEDURAL CONTROLS
1) Do EDP user controls include the following?
a) Controls over preparation and approval of input transactions outside the EDP department and controls prohibiting the EDP department from initiating transactions?
b) Having the user exercise control procedures over input to ensure all approved input is processed correctly through the system (and only once)?
c) Having controls over entry of data in on-line systems to restrict access to terminals and to restrict data entry to authorized employees?
d) On-line systems controls to prevent documents from being keyed into the system more than once and to permit tracing from the computer output to data source and vice versa?
e) Controls over changes to master files, such as requiring preparation of specific forms indicating data to be changed, approval by a supervisor in the user department, and verifying against a printout of changes?
f) User controls over rejected transactions through the use of a computerized suspense file of rejected transactions or an auxiliary manual system?
g) User department management reconciliation of output totals to input totals for all data submitted, reconciliation of the overall file balances, and review of outputs for reasonableness?
2) Do application controls include the following?
a) Procedures within the data processing control function, providing proper control of data between the user and the EDP department?
b) Controls over data entry; for example, to include adequate supervision, up-to-date instructions, key verification of important fields, and self-checking digits?
c) Program controls over entry of data into on-line systems?
d) Editing and validation of input data?
e) Data processing controls over rejected transactions?
f) Controls for balancing transaction and master files?
g) Procedures within the data processing control function concerning review and distribution of output?
3) Do general controls include the following?
a) Controls over changes to system software?
b) Controls over use and retention of tape and disk files, including provision for retention of adequate records to provide backup capabilities?
c) Controls to limit to authorized employees, access to data processing equipment, tapes, disks, system documentation, and application program documentation?
d) Use of a job accounting system (or console logs) to ensure scheduled programs are processed, proper procedures are followed, and supervisory personnel know only required programs have been processed?
e) Supervision of EDP department employees for all shifts?
f) Documentation of procedures to be followed by computer operators?
g) Documentation of the data processing system to provide for continuation of the organization, even if important data processing employees leave?
h) Procedures to protect against a loss of important files, programs, or equipment?
i) Insurance to cover equipment, programs, and data files?
j) User-approved written specifications for new systems and modifications to existing application systems?
k) Procedures to test and implement new systems and to test modifications to existing application systems?