Is All Data Input Being Properly Controlled?
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
During the 1980's IS Auditors branched out from traditional types of auditing and started performing technical reviews of the operating system and the controlling of system programmers which previously held the keys to the kingdom. A person having access to a system library or an unapproved user exit poses an exposure but their relative exposure is significantly less then a person having the ability to directly alter production data.
Business users are usually granted access to production data through the application. In this case a user logs onto the online system and the data is updated based on the predetermined functions of the accessed screens. This is considered a controlled method for updating production data since the user can only update data based on the functionality of the production programs. In order to establish a controlled data input function, the following controls must also be available:
- a mechanism to restrict who can access the function (e.g., screen)
- audit trails of the data entered
- edit checks of the data entered
In order to devise these types of application controls, a front-end system must be available for all data input functions. However, due to the number of input functions needed in an application, it is common for alternate mechanisms to be used for capturing data input which do not offer the typical controls required for a data input function. This data is typically used by the batch processing cycle. The data is stored in a sequential data file or a in member of a partitioned dataset by which data is entered in specific positions to represent a data input record which is recognized by the program. The file is referenced by the batch job stream and loaded during batch processing. This approach does not provide for real-time edit checking. Therefore, bad data can be introduced into the production system. In addition, there are no audit trails of the actual data which is entered. Business users are granted direct access to the data which is changed or inputted using an editor (e.g., TSO/ISPF within an MVS environment).
Since it is difficult to systematically identify when these non-controlled data input approaches are used, the use of these type of data input facilities must be discussed with the application group. The use of these practices must analyzed to determine the cost/benefit of installing controlled on-line data input functions.
This article was written more than one year ago. Events may
have changed since this article was written.
For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at Levinemh@auditserve.com.
Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.