Presentation on theme: "Processing Integrity and Availability Controls"— Presentation transcript:
1 Processing Integrity and Availability Controls Chapter 10
2 Processing Integrity Controls
Input
- Forms design
  - Sequentially prenumbered: control to identify potential missing transaction
  - Cut down on errors by making data entry easier
- Turnaround documents
  - Eliminate errors in data entry

This chapter covers the last two principles of the Trust Services Framework.

Processing integrity consists of input-processing-output controls. Input controls should prevent inaccurate data from getting into the system.

Good forms design can minimize the chance for errors, and having prenumbered documents in sequence lets you know if a transaction is missing. For example, how do you know if you have billed the customers for all sales in a month? You would first see if the sales orders are invoiced; if a sales order is not in sequence, follow up to see if the goods have shipped or if it's on backorder.

Turnaround documents are a good input control because they make processing more efficient and eliminate potential errors in input. An example is your credit card bill: when you pay the bill you tear off a portion of the front page of the bill, which already has your account number preprinted on it. (Can you imagine having to read someone’s handwriting on a credit card account number?)

Processing controls ensure that data is processed correctly. Output controls are additional controls over processing integrity.

3 Processing Integrity: Data Entry Controls
- Field check: characters in a field are proper type
- Sign check: data in a field is appropriate sign (positive/negative)
- Limit check: tests numerical amount against a fixed value
- Range check: tests numerical amount against lower and upper limits
- Size check: input data fits into the field
- Completeness check: verifies that all required data is entered
- Validity check: compares data from transaction file to that of master file to verify existence
- Reasonableness test: correctness of logical relationship between two data items
- Check digit verification: recalculating check digit to verify data entry error has not been made

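
The data entry checks listed above, applied to one raw sales-order record. This is an added example, not part of the original presentation; the field names, the limits, the master file and the choice of the Luhn (mod 10) check digit are all assumptions made for illustration.

```python
from datetime import date

# Constructed master file; Luhn (mod 10) check digit is an assumption (slide names none).
CUSTOMER_MASTER = {"79927398713": "Acme Supply"}
CUST_NO_SIZE = 11                 # size check: width of the field (assumed)
MAX_QTY = 500                     # limit check: fixed upper value (assumed)
PRICE_RANGE = (0.01, 9999.99)     # range check: lower and upper limits (assumed)
REQUIRED = ("customer_no", "qty", "unit_price", "order_date", "ship_date")
SAMPLE = {"customer_no": "79927398713", "qty": "12", "unit_price": "19.99",
          "order_date": "2024-03-01", "ship_date": "2024-03-04"}  # constructed

def luhn_ok(number: str) -> bool:
    """Check digit verification: recompute the mod-10 sum over all digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate(rec: dict) -> list:
    """Return the names of the checks a raw (all-string) record fails."""
    if any(not rec.get(f, "").strip() for f in REQUIRED):
        return ["completeness"]   # nothing else can be tested reliably
    cust, errors = rec["customer_no"], []
    try:                          # field check: proper character types
        qty, price = int(rec["qty"]), float(rec["unit_price"])
        ordered = date.fromisoformat(rec["order_date"])
        shipped = date.fromisoformat(rec["ship_date"])
    except ValueError:
        return ["field"]
    if not (cust.isascii() and cust.isdigit()):
        return ["field"]
    if len(cust) > CUST_NO_SIZE:
        errors.append("size")
    if qty <= 0:
        errors.append("sign")
    if qty > MAX_QTY:
        errors.append("limit")
    if not PRICE_RANGE[0] <= price <= PRICE_RANGE[1]:
        errors.append("range")
    if not luhn_ok(cust):
        errors.append("check digit")
    elif cust not in CUSTOMER_MASTER:   # validity: must exist in master file
        errors.append("validity")
    if shipped < ordered:               # reasonableness: two fields must agree
        errors.append("reasonableness")
    return errors
```

Swapping the last two digits of the customer number fails the check digit before the master file is ever consulted, which is how a transposition error is told apart from an unknown customer.
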
4 Additional Data Entry Controls
Batch processing
- Sequence check: test of batch data in proper numerical or alphabetical sequence
- Error logs
- Batch totals: summarize numeric values for a batch of input records
  - Financial total
  - Hash total
  - Record count
Online
- Employee access controls
- Automatic data entry
- Prompting: system prompts you for input (online completeness check)
- Closed-loop verification: checks accuracy of input data by using it to retrieve and display other related information (e.g., customer account # retrieves the customer name)
- Transaction logs
- Error messages

5 Processing Controls
- Data matching: two or more items must be matched before an action takes place
- File labels: ensures correct and most updated file is used
- Recalculation of batch totals
- Cross-footing: verifies accuracy by comparing two alternative ways of calculating the same total
- Zero-balance tests: for control accounts (e.g., payroll clearing)
- Write-protection mechanisms: protect against overwriting or erasing data
- Concurrent update controls: prevent error of two or more users updating the same record at the same time

6 Output Controls
- User review of output
- Reconciliation
  - Procedures to reconcile to control reports (e.g., general ledger A/R account reconciled to Accounts Receivable Subsidiary Ledger)
- External data reconciliation
- Data transmission controls
  - Check sums: hash of file transmitted, comparison made of hash before and after transmission
  - Parity checking: bit added to each character transmitted, the characters can then be verified for accuracy

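
The two data transmission controls above, side by side. This is an added example, not part of the original presentation; it assumes even parity with one extra bit per character and SHA-256 as the file hash, and the message and the bit flips are constructed.

```python
import hashlib

MSG = b"PAY 1500.00 TO ACCT 40017"   # constructed message

def add_parity(data: bytes) -> list:
    """Even parity: append one bit so each 9-bit unit holds an even number of 1s."""
    return [(b << 1) | (bin(b).count("1") & 1) for b in data]

def parity_errors(units: list) -> list:
    """Positions of the characters whose parity no longer checks out."""
    return [i for i, u in enumerate(units) if bin(u).count("1") % 2]

def strip_parity(units: list) -> bytes:
    """Drop the parity bit and recover the transmitted characters."""
    return bytes(u >> 1 for u in units)

def digest(data: bytes) -> str:
    """Hash of the file, computed before sending and again after receipt."""
    return hashlib.sha256(data).hexdigest()

def transmit(data: bytes, noise: dict):
    """Send `data`; `noise` maps character position -> XOR mask applied in transit.

    Returns (positions flagged by parity, whether the hashes still agree).
    """
    sent_digest = digest(data)
    units = add_parity(data)
    for pos, mask in noise.items():
        units[pos] ^= mask
    received = strip_parity(units)
    return parity_errors(units), digest(received) == sent_digest

def demo():
    return {
        "clean": transmit(MSG, {}),
        "one bit flipped": transmit(MSG, {4: 0b010}),
        "two bits flipped": transmit(MSG, {4: 0b110}),  # parity cannot see this
        "parity bit flipped": transmit(MSG, {4: 0b001}),
    }
```

Parity flags any odd number of flipped bits in a character but passes an even number, which the hash comparison still catches. A bare hash detects accidental corruption only, since anyone able to alter the file in transit can also recompute the hash.
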
7 Output Controls
Message Acknowledgment Techniques for data transmission (let the sender of an electronic message know that a message was received)
- Echo Check: when data are transmitted, the system calculates a summary statistic, receiving unit performs the same calculation and sends back to source. If they agree, accuracy is assumed
- Trailer Record
  - Sending unit stores control totals in a trailer record
  - Receiving unit uses that information to verify that the entire message was received

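
The batch totals from the data entry slide (financial total, hash total, record count, sequence check) carried in a trailer record as described above. This is an added example, not part of the original presentation; the record layout, the account numbers and the simulated faults are constructed.

```python
# Constructed batch of cash receipts: (sequence_no, customer_account, amount_in_cents)
BATCH = [(101, 40017, 12_500), (102, 40233, 8_999), (103, 40650, 43_000)]

def control_totals(records):
    """The three batch totals named on the slide."""
    return {
        "record_count": len(records),
        "financial_total": sum(r[2] for r in records),  # sum of a dollar field
        "hash_total": sum(r[1] for r in records),       # sum of a non-financial field
    }

def send(records):
    """Sending unit: store the control totals in a trailer record."""
    return {"records": list(records), "trailer": control_totals(records)}

def receive(message):
    """Receiving unit: recompute the totals, compare with the trailer, check sequence."""
    records, trailer = message["records"], message["trailer"]
    actual = control_totals(records)
    problems = [name for name in trailer if actual[name] != trailer[name]]
    seq = [r[0] for r in records]
    if any(b != a + 1 for a, b in zip(seq, seq[1:])):
        problems.append("sequence")
    return problems  # an empty list means the whole batch arrived intact

def damaged(records, drop=None, replace=None):
    """Simulate loss or mis-keying between sender and receiver (constructed faults)."""
    message = send(records)
    if replace:
        message["records"][replace[0]] = replace[1]
    if drop is not None:
        del message["records"][drop]
    return receive(message)
```

A receipt keyed to the wrong customer account leaves the record count and financial total unchanged, so only the hash total exposes it.
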
8 Processing Integrity Controls (Spreadsheets)
- Spreadsheets usually developed by end user
- Lack of application controls
- Solutions
  - Multiple people evaluate all cells for possible error
  - Cell formulas
    - Do not hardwire
    - Use cell references
    - Input/output section

9 Controls Ensuring Availability
- Systems or information need to be available 24/7
- It is not possible to ensure this, so:

10 Availability Controls
- Preventive maintenance
- Fault tolerance
  - Use of redundant components
- Data center location and design
  - Raised floor
  - Fire suppression
  - Air conditioning
  - Uninterruptible power supply (UPS) or back-up generator
  - Surge protection
- Patch management and antivirus software
- Backup procedures
  - Full (probably weekly)
  - Incremental: copies only items that have changed since last partial backup
  - Differential backup: copies all changes made since last full backup
- Disaster recovery plan (DRP)
  - Procedures to restore organization’s IT function
  - Cold site
  - Hot site
- Business continuity plan (BCP)
  - How to resume all operations, not just IT

The main objective of availability controls is to minimize the risk of downtime and to quickly recover and resume normal operations.

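
What the incremental and differential definitions above mean at restore time. This is an added example, not part of the original presentation; it assumes a full backup on day 0 followed by one partial backup per day, and the file names and versions are constructed.

```python
# Constructed data: contents of the day-0 full backup and the changes made each day.
FULL = {"ledger.db": "v0", "ar.db": "v0", "payroll.db": "v0"}
CHANGES = {1: {"ledger.db": "v1"},
           2: {"ar.db": "v2"},
           3: {"ledger.db": "v3", "payroll.db": "v3"}}

def live_state(day):
    """What is actually on disk at the end of `day`."""
    state = dict(FULL)
    for d in range(1, day + 1):
        state.update(CHANGES[d])
    return state

def incremental(day):
    """Copies only items changed since the last partial backup (that day's changes)."""
    return dict(CHANGES[day])

def differential(day):
    """Copies all changes made since the last full backup."""
    merged = {}
    for d in range(1, day + 1):
        merged.update(CHANGES[d])
    return merged

def restore(day, scheme, lost=()):
    """Rebuild the files as of `day`; `lost` lists backup days that are unreadable."""
    state = dict(FULL)
    if scheme == "incremental":
        needed, make = range(1, day + 1), incremental   # full + every incremental
    else:
        needed, make = [day], differential              # full + latest differential
    for d in needed:
        if d not in lost:
            state.update(make(d))
    return state
```

Each incremental is smaller, but a restore needs every one of them since the full backup: with the day-2 set unreadable, the incremental restore silently returns a stale `ar.db`, while the differential restore is unaffected.
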
12 Disaster Recovery Plan (DRP)
Procedures to restore an organization’s IT function in the event that its data center is destroyed
- Cold Site: an empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary equipment within a specified period of time
- Hot Site: a facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities
- Second Data-Center: used for back-up and site mirroring

13 Recovery Business Continuity Plan (BCP)
How to resume not only IT operations, but all business processes
- Relocating to new offices
- Hiring temporary replacements

14 DRP & BCP Documentation Testing
- Plan, responsibilities, procedures to resume operations should be documented
- Testing
  - Test to make sure it works as intended
  - Revise as needed
  - Should test at least on an annual basis

15 Virtualization & Cloud Computing
- Can reduce time to recover from hardware problems
  - Install files to new box
  - Support real time mirroring
- Cloud Computing
  - Use redundant banks of servers in multiple locations
  - Reduces risk of system downtime and data loss
  - Potential problem
    - Data retrieval if public cloud provider goes belly-up
    - Policy of making regular back-ups and storing somewhere other than cloud necessary
    - Assess long-run financial viability of cloud provider before taking the plunge