An important audit that we conduct covers the general workflow controls of computer applications. Below are general guidelines for reviewing these controls in any computer application that may be in use in your area.
Data Input Controls
Data input controls ensure the accuracy, completeness, and timeliness of data during its conversion from its original source into computer data, or its entry into a computer application. Data can be entered into a computer application either by manual online input or by scheduled automated processing. The input control reviewer should determine the adequacy of both manual and automated controls over data input, to ensure that data is input accurately with optimum use of computerized validation and editing, and that error handling procedures facilitate the timely and accurate resubmission of all corrected data.
1) Documented procedures should exist for any data manually entered into the application. The procedures should include how to identify, correct, and reprocess rejected data.
2) Input edits should be used by the application. These could include checking for invalid field lengths, invalid characters, missing or erroneous data, incorrect dates, or the use of check digits.
3) Input data should also be controlled by the use of record counts, control totals, and event logs.
4) Another way to help ensure appropriate data entry is through authorization/approval. The authorization levels of the assigned approvers should also be reviewed to determine if they are reasonable.
5) Passwords should be used to control access. Passwords should be changed periodically, deleted when users leave the University, and modified to reflect user job changes.
6) Duties should be separated to ensure that no one individual performs multiple critical tasks. (Example: name changes and distribution of payroll checks)
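As an added illustration (not part of the audit guidelines), the following shows how items 1 through 3 above could be implemented for a constructed payroll-style batch: field edits including a Luhn check digit, a rejection reason recorded for each bad record so it can be corrected and resubmitted, and the record count and control total reconciled against the batch header. The field names, formats and sample batch are assumptions.

```python
import re
from datetime import date
from decimal import Decimal

# Constructed sample batch (not from the page): record 1 is clean,
# record 2 has an invalid date, record 3 fails its check digit.
SAMPLE_BATCH = [
    {"emp_id": "79927398713", "name": "DOE, JANE", "date": "2024-03-15", "amount": "1250.00"},
    {"emp_id": "79927398713", "name": "ROE, RICHARD", "date": "2024-02-30", "amount": "980.50"},
    {"emp_id": "79927398710", "name": "SMITH, AL", "date": "2024-03-15", "amount": "410.25"},
]
# Batch header: the record count and control total the submitter claims (constructed).
SAMPLE_HEADER = {"record_count": 3, "control_total": "2640.75"}
AMOUNT_RE = r"\d{1,9}\.\d{2}"  # assumed format: positive amount with two decimals

def check_digit_ok(digits):
    """Luhn mod-10 check digit: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_record(rec):
    """Field-level input edits; returns the list of errors (empty when the record is clean)."""
    errors = []
    if not re.fullmatch(r"\d{11}", rec["emp_id"]):
        errors.append("emp_id: must be 11 digits")
    elif not check_digit_ok(rec["emp_id"]):
        errors.append("emp_id: check digit failed")
    if not re.fullmatch(r"[A-Z][A-Z ,.'-]{1,39}", rec["name"]):
        errors.append("name: invalid characters or length")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("date: not a valid YYYY-MM-DD date")
    if not re.fullmatch(AMOUNT_RE, rec["amount"]):
        errors.append("amount: must be a positive decimal with two places")
    return errors

def process_batch(records, header):
    """Apply the edits, keep rejects with reasons, and reconcile count and total to the header."""
    accepted, rejected = [], []
    for seq, rec in enumerate(records, start=1):
        errs = validate_record(rec)
        (rejected if errs else accepted).append({"seq": seq, "record": rec, "errors": errs})
    total = sum((Decimal(r["amount"]) for r in records if re.fullmatch(AMOUNT_RE, r["amount"])), Decimal("0"))
    return {"accepted": accepted, "rejected": rejected, "computed_total": str(total),
            "count_ok": len(records) == header["record_count"],
            "total_ok": total == Decimal(header["control_total"])}
```

A count or total mismatch means the batch as a whole is suspect and should be held, whereas individual rejects go back to the submitter for correction and reprocessing.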
Data Processing Controls
Data processing controls are used to ensure the accuracy, completeness, and timeliness of data during either batch or online processing. These controls ensure that data is accurately processed through the application and that no data is added, lost, or altered during processing.
1) Documentation should exist explaining the workflow through the application. Examples would be narratives on the application processes, flowcharts, and an explanation of system or error messages.
2) If batch processes are "run" on a regular schedule, there should be documented procedures explaining how this is performed. These should include the scheduled steps to be followed on normal completion, and the steps to be followed on failure and restart.
3) A processing log should be available. It should be reviewed for unusual or unauthorized activity.
4) Processing logs show errors or problems encountered during processing. These logs should be the source for error reports to be used for trend analysis and follow up analysis.
5) There should be controls in place to document that the correct files are used for processing.
6) Processing edits should also be used. These can limit large-scale damage that could otherwise result in a major database recovery effort.
7) Audit logs should be generated during processing. These logs contain information about each transaction. Data that should be included are: who initiated each transaction, the date and time of the transaction, and the location from which the transaction originated (an IP address, for example). Logs are used for activity reporting and anomaly detection.
Data Output Controls
Data output controls ensure the integrity of output and the correct and timely distribution of any output produced. Output can be on paper, an email attachment, a file used as input to another application, or an online screen. Output controls result in the verification of accurate control totals and timely distribution of results.
1) Output should be balanced/reconciled to input. There should be adequate separation of duties for the balancing/reconciliation process.
2) There should be documented procedures to explain the methods for the proper balancing/reconciliation and error correcting of output.
3) Output should be reviewed for general acceptability and completeness, including any control totals.
4) There should be error reports. These should contain:
- A description of problems/errors and date identified
- Corrective action taken
5) Record retention and backup schedules for output files should be established. Consideration should be given to rotating output files offsite.
621 Skytop Road, Suite 100 • Syracuse, NY 13244-5290 • (315)443-5150