Processing Integrity and Availability Controls


Processing Integrity and Availability Controls Chapter 10

Processing Integrity Controls
- Input
  - Forms design
    - Sequentially prenumbered: Control to identify potential missing transaction
    - Cut down on errors by making data entry easier
  - Turnaround documents
    - Eliminate errors in data entry

This chapter covers the last two principles of the Trust Services Framework. Processing integrity consists of input, processing, and output controls. Input controls should prevent inaccurate data from getting into the system. Good forms design can minimize the chance of errors, and having prenumbered documents in sequence lets you know if a transaction is missing. For example, how do you know if you have billed the customers for all sales in a month? You would first see if the sales orders are invoiced; if a sales order is not in sequence, follow up to see if the goods have shipped or if it's on backorder. Turnaround documents are a good input control because they make processing more efficient and eliminate potential errors in input (can you imagine having to read someone’s handwriting on a credit card account number?). An example is your credit card bill: when you pay the bill, you tear off a portion of the front page, which already has your account number preprinted on it. Processing controls ensure that data is processed correctly. Output controls are additional controls over processing integrity.

Processing Integrity: Data Entry Controls
- Field check: Characters in a field are proper type
- Sign check: Data in a field is appropriate sign (positive/negative)
- Limit check: Tests numerical amount against a fixed value
- Range check: Tests numerical amount against lower and upper limits
- Size check: Input data fits into the field
- Completeness check: Verifies that all required data is entered
- Validity check: Compares data from transaction file to that of master file to verify existence
- Reasonableness test: Correctness of logical relationship between two data items
- Check digit verification: Recalculating check digit to verify data entry error has not been made
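The data entry controls listed above, applied to one sales-order record, as an added example that is not part of the original slides. The field names, limits, master file contents and the choice of the Luhn algorithm for the check digit are assumptions made for illustration.

```python
import re
from decimal import Decimal

# Constructed master file, limits and field names: assumptions for this example.
CUSTOMER_MASTER = {"79927398713": "Acme Supply"}
REQUIRED = ("account", "quantity", "unit_price", "order_date", "ship_date")
PRICE_LIMIT = Decimal("10000")
QTY_RANGE = (1, 500)
ACCOUNT_SIZE = 11

def luhn_ok(number):
    """Check digit verification with the Luhn algorithm (one common scheme)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec):
    """Return the name of every data entry control the record fails."""
    if any(not rec.get(f) for f in REQUIRED):
        return ["completeness"]               # nothing else is testable yet
    errors = []
    if len(rec["account"]) > ACCOUNT_SIZE:
        errors.append("size")
    typed = (rec["account"].isdigit()
             and re.fullmatch(r"-?\d+", rec["quantity"])
             and re.fullmatch(r"-?\d+(\.\d{1,2})?", rec["unit_price"]))
    if not typed:
        return errors + ["field"]             # wrong character type: stop before arithmetic
    qty, price = int(rec["quantity"]), Decimal(rec["unit_price"])
    if price <= 0:
        errors.append("sign")
    if price > PRICE_LIMIT:
        errors.append("limit")
    if not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
        errors.append("range")
    if not luhn_ok(rec["account"]):
        errors.append("check digit")          # keying error, e.g. transposed digits
    elif rec["account"] not in CUSTOMER_MASTER:
        errors.append("validity")             # well-formed number, but no such customer
    if rec["ship_date"] < rec["order_date"]:  # ISO dates compare correctly as text
        errors.append("reasonableness")
    return errors
```

A transposed account number fails the check digit before the master file is consulted, while a well-formed number for a nonexistent customer passes the check digit and fails the validity check.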

Additional Data Entry Controls
- Batch processing
  - Sequence check: Test of batch data in proper numerical or alphabetical sequence
  - Error logs
  - Batch totals: Summarize numeric values for a batch of input records
    - Financial total
    - Hash total
    - Record count
- Online
  - Employee Access controls
  - Automatic data entry
  - Prompting: System prompts you for input (online completeness check)
  - Closed-loop verification: Checks accuracy of input data by using it to retrieve and display other related information (e.g., customer account # retrieves the customer name)
  - Transaction logs
  - Error Messages
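The three batch totals and the sequence check, computed over a small batch of invoices, as an added example that is not part of the original slides. The record layout and the sample invoices are constructed; the hash total here sums the invoice numbers, a figure with no business meaning that exists only as a control.

```python
from decimal import Decimal

# Constructed source documents for one batch (assumed layout: invoice_no, amount).
SOURCE = [
    {"invoice_no": "1001", "amount": "120.00"},
    {"invoice_no": "1002", "amount": "54.10"},
    {"invoice_no": "1003", "amount": "300.25"},
    {"invoice_no": "1004", "amount": "18.40"},
    {"invoice_no": "1005", "amount": "75.00"},
]

def batch_totals(records):
    """Financial total, hash total and record count for one batch."""
    return {
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["invoice_no"]) for r in records),
        "record_count": len(records),
    }

def reconcile(control, keyed):
    """Compare totals prepared before data entry with totals of the keyed batch.

    Returns {total_name: (expected, actual)} for every total that disagrees.
    """
    actual = batch_totals(keyed)
    return {k: (control[k], actual[k]) for k in control if control[k] != actual[k]}

def sequence_check(records):
    """Return (numbers keyed out of order, numbers missing from the sequence)."""
    nums = [int(r["invoice_no"]) for r in records]
    out_of_order = [b for a, b in zip(nums, nums[1:]) if b <= a]
    missing = sorted(set(range(min(nums), max(nums) + 1)) - set(nums))
    return out_of_order, missing

def rekey(records, index, **changes):
    """Helper for the demonstration: copy the batch with one record altered."""
    return [dict(r, **changes) if i == index else dict(r) for i, r in enumerate(records)]
```

Each total catches a different keying error: a transposed amount disturbs only the financial total, a mistyped invoice number disturbs only the hash total, and a dropped record disturbs all three.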

Processing Controls
- Data matching: Two or more items must be matched before an action takes place
- File labels: Ensures correct and most updated file is used
- Recalculation of batch totals
- Cross-footing: Verifies accuracy by comparing two alternative ways of calculating the same total
- Zero-balance tests: For control accounts (e.g., payroll clearing)
- Write-protection mechanisms: Protect against overwriting or erasing data
- Concurrent update controls: Prevent error of two or more users updating the same record at the same time

Output Controls
- User review of output
- Reconciliation
  - Procedures to reconcile to control reports (e.g., general ledger A/R account reconciled to Accounts Receivable Subsidiary Ledger)
  - External data reconciliation
- Data transmission controls
  - Checksums: Hash of file transmitted, comparison made of hash before and after transmission
  - Parity checking: Bit added to each character transmitted, the characters can then be verified for accuracy

Output Controls
- Message Acknowledgment Techniques for data transmission (let the sender of an electronic message know that a message was received)
  - Echo Check: When data are transmitted, the system calculates a summary statistic; the receiving unit performs the same calculation and sends the result back to the source. If they agree, accuracy is assumed
  - Trailer Record: The sending unit stores control totals in a trailer record; the receiving unit uses that information to verify that the entire message was received
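Parity checking and the hash-based echo check from the two Output Controls slides, run over one transmitted message, as an added example that is not part of the original slides. The message, the even-parity convention and the use of SHA-256 as the summary statistic are assumptions made for illustration.

```python
import hashlib

MESSAGE = b"PAY 1500.00 TO ACCT 7731"   # constructed 7-bit ASCII sample

def add_parity(data):
    """Sender: append an even-parity bit to every 7-bit character."""
    return [(b << 1) | (bin(b).count("1") & 1) for b in data]

def parity_errors(frames):
    """Receiver: indexes of characters whose bit count is odd (parity violated)."""
    return [i for i, f in enumerate(frames) if bin(f).count("1") & 1]

def strip_parity(frames):
    """Receiver: drop the parity bit and recover the characters."""
    return bytes(f >> 1 for f in frames)

def line_noise(frames, index, mask):
    """Simulate corruption in transit by flipping the bits in mask at one character."""
    damaged = list(frames)
    damaged[index] ^= mask
    return damaged

def echo_check(sent, received):
    """Receiver hashes what arrived and echoes the digest; the sender compares it with its own."""
    echoed = hashlib.sha256(received).hexdigest()
    return echoed == hashlib.sha256(sent).hexdigest()
```

A single flipped bit is caught by parity, but two flipped bits in the same character leave parity intact and turn 1500.00 into 2500.00; only the hash comparison detects that case, which is why the two controls are used together.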

Processing Integrity Controls (Spreadsheets)
- Spreadsheets usually developed by end user
- Lack of application controls
- Solutions
  - Multiple people evaluate all cells for possible error
  - Cell formulas
    - Do not hardwire
    - Use cell references
    - Input/output section

Controls Ensuring Availability
- Systems or information need to be available 24/7
- It is not possible to ensure this, so:

Availability Controls
- Preventive maintenance
- Fault tolerance: Use of redundant components
- Data center location and design
  - Raised floor
  - Fire suppression
  - Air conditioning
  - Uninterruptible power supply (UPS) or back-up generator
  - Surge protection
- Patch management and antivirus software
- Backup procedures
  - Full (probably weekly)
  - Incremental: Copies only items that have changed since last partial backup
  - Differential backup: Copies all changes made since last full backup
- Disaster recovery plan (DRP): Procedures to restore organization’s IT function
  - Cold site
  - Hot site
- Business continuity plan (BCP): How to resume all operations, not just IT

The main objective of availability controls is to minimize the risk of downtime and to quickly recover and resume normal operations.
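How the incremental and differential backup procedures above differ at restore time, as an added example that is not part of the original slides. The file names, versions and the five-day schedule are constructed, and the model tracks changed files only (deletions are ignored).

```python
# Constructed week: day 0 is the full backup; later days list the files changed that day.
WEEK = [
    {"ledger.db": "v0", "payroll.xls": "v0", "ar.csv": "v0"},   # day 0, full
    {"ledger.db": "v1"},                                        # day 1
    {"ar.csv": "v1"},                                           # day 2
    {"ledger.db": "v2", "payroll.xls": "v1"},                   # day 3
    {"ar.csv": "v2"},                                           # day 4
]

def run_week(days, scheme):
    """Return the backup set written each day under 'incremental' or 'differential'."""
    sets = [dict(days[0])]
    since_full = {}
    for changed in days[1:]:
        since_full.update(changed)
        # Incremental keeps only that day's changes; differential keeps all since the full.
        sets.append(dict(changed) if scheme == "incremental" else dict(since_full))
    return sets

def volume(sets):
    """Number of file copies written by the partial backups (the full is excluded)."""
    return sum(len(s) for s in sets[1:])

def restore(sets, fail_day, scheme, unreadable=()):
    """Rebuild the state at the end of fail_day; return (state, sets required)."""
    if scheme == "incremental":
        needed = list(range(fail_day + 1))      # the full plus every incremental since
    else:
        needed = sorted({0, fail_day})          # the full plus the latest differential
    state = {}
    for i in needed:
        if i not in unreadable:                 # a damaged set contributes nothing
            state.update(sets[i])
    return state, needed
```

Incremental backups write less each day but need every set since the full backup to restore, so one unreadable set silently rolls files back; differential backups write more but depend on only two sets.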


Disaster Recovery Plan (DRP)
- Procedures to restore an organization’s IT function in the event that its data center is destroyed
- Cold Site: An empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary equipment within a specified period of time
- Hot Site: A facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities
- Second Data-Center: Used for back-up and site mirroring

Recovery
- Business Continuity Plan (BCP): How to resume not only IT operations, but all business processes
  - Relocating to new offices
  - Hiring temporary replacements

DRP & BCP
- Documentation
  - Plan, responsibilities, procedures to resume operations should be documented
- Testing
  - Test to make sure it works as intended
  - Revise as needed
  - Should test at least on an annual basis

Virtualization & Cloud Computing
- Can reduce time to recover from hardware problems
- Install files to new box
- Support real time mirroring
- Cloud Computing
  - Use redundant banks of servers in multiple locations
  - Reduces risk of system downtime and data loss
  - Potential problem: Data retrieval if public cloud provider goes belly-up
    - Policy of making regular back-ups and storing somewhere other than cloud necessary
    - Assess long-run financial viability of cloud provider before taking the plunge