| A. Control Activities / Information and Communications | Yes | N/A | No |
|---|---|---|---|
| 1. Is there a formal organizational chart which identifies the individuals responsible for the: | | | |
| a. Computer systems? | | | |
| b. Computer security? | | | |
| 2. Are the responsibilities of parties written in respect to: | | | |
| a. Data collection? | | | |
| b. Data transmittal? | | | |
| c. Data conversion? | | | |
| d. Data editing? | | | |
| e. Error correction and control? | | | |
| f. Processing and output control? | | | |
| g. Data and report distribution? | | | |
| 3. Are there adequate controls over the process of identifying, correcting, and re-processing data rejected by the computer program? | | | |
| 4. Are procedures in place to ensure that all transactions are keyed in a timely manner? | | | |
| 5. Is the data processed by the computer uniform, controlled and authorized? | | | |
| 6. Does the initiating department independently control data submitted for processing through use of: | | | |
| a. A turn-around transmittal document? | | | |
| b. Record counts? | | | |
| c. Dollar totals? | | | |
| 7. Are source documents retained for a sufficient period and in an adequate manner to permit identification with output records if the need arises? | | | |
| 8. Are sufficient generations of files maintained to facilitate reconstruction of records? | | | |
| 9. Is at least one generation maintained in a location other than the tape storage area? | | | |
| 10. Is off-site computer file storage used? | | | |
| 11. Are there provisions for retaining and/or copying master files, and is there a practical means of reconstructing a damaged or destroyed file? | | | |
| 12. Are documented backup procedures established with another compatible data center to cover a natural disaster or other emergency situation? | | | |
| 13. Are responsibilities segregated to assure that no one individual has the ability to input data, process data, and review output data? | | | |
| 14. If a terminal is used to transmit or receive data, are: | | | |
| a. Authorization codes required? | | | |
| b. Separate codes assigned to each user of the system? | | | |
| c. Transaction data logs used to provide a partial audit trail, including: originating terminal and message ID; transaction type code; time of day that the transaction is logged; and a copy of the transaction records? | | | |
| 15. Is there a control in place to verify that the computer-generated check number matches the number printed on the check? | | | |
| 16. Is there a control in place to verify that the computer-generated voucher number matches the number printed on the check? | | | |
| 17. Are data files and programs protected against: | | | |
| a. Fire and other hazards? | | | |
| b. Unauthorized entry and/or use? | | | |
| 18. If the processing center is involved with payroll operations, are adequate controls exercised over blank checks? | | | |
| 19. Is there a security software package to restrict and control users' access? | | | |
| 20. Is physical access to the computer center restricted? | | | |
| 21. Is physical access to on-line terminals restricted? | | | |
| 22. Does every user have a unique user-id/password? | | | |
| a. Are user passwords kept secret from other users? | | | |
| b. Are user passwords changed periodically? | | | |
| c. Are users aware of the confidential nature of their passwords? | | | |
| 23. When an employee is terminated, are the following precautions implemented immediately: | | | |
| a. The employee is denied access to the equipment? | | | |
| b. The employee is denied access to any data, program listing, etc.? | | | |
| c. All other employees are informed of the employee's termination? | | | |
| d. The employee's user-id and password are deleted from the computer system? | | | |

Comments for section A (please specify question number):

| B. Monitoring | Yes | N/A | No |
|---|---|---|---|
| 24. Is someone assigned to review output for general acceptability and completeness? | | | |
| 25. Does management investigate security violations? | | | |
| 26. Does management restrict users' access to the minimum level needed to perform their job? | | | |
| 27. Have procedures been documented for disaster control and recovery for both computer and manual operations? | | | |
| 28. Does the department or management balance control totals generated during computer processing with those originally established and reconcile all discrepancies? | | | |

By clicking the Submit button, I do hereby certify, to the best of my knowledge, that the answers provided in this self-assessment of internal control are a true representation of the operations of this department.