Processing—Data is properly processed by the computer, and files are updated correctly These controls would include requirements that users reconcile relevant input control totals with data

processed by the application.

To the extent possible, application processing should be standardized, and the manual and automated procedures used should be documented. Audit trails and output reports should be monitored on a regular basis to help ensure that transactions are processed as intended. Users should reconcile relevant input control totals with data processed by the application. For example, the ledger system could provide total debits and credits to be calculated for the input transactions to ensure balancing. Further, the application should have controls to ensure that the correct file is processed, file processing errors are detected, and operator errors are identified. Errors may indicate control weaknesses or control processes that are being bypassed. Where possible, limit and reasonableness checks should be incorporated within programs to help detect clerical or processing errors. Schools should also implement sufficient controls to protect the confidentiality of data during processing. 3. Output—Files and reports generated by the application are created properly and accurately reflect

the results of processing, and reports are controlled and distributed to the authorized users.

Output controls provide assurance that data has been processed accurately and completely, and that the output is distributed correctly and in a timely manner. Output can be in hardcopy form, electronic files that become input to other systems, or as information available for online viewing.

A designated employee independent of processing responsibilities should prepare reconciliations, or automated controls may be incorporated into the application to ensure that correct processing has occurred. When feasible, an employee should compare processed information to original source documents.

Output controls should ensure that the application’s results are delivered only to the appropriate end users, output is restricted from unauthorized access, and record retention and backup schedules are established. In particular, schools should ensure that content and availability of output and data are consistent with end users’ needs, data sensitivity, confidentiality requirements, and applicable laws and regulations. Further, critical documents and reports, such as blank check stock and confidential

INFORMATION TECHNOLOGY

1/10

IX-8

responsibilities is necessary so that no individual performs incompatible duties that may permit errors or fraud to occur and remain undetected.3

The extent to which duties are separated depends on the size of the organization and the risk associated with its activities. A large organization will have more flexibility in separating key duties than a small organization that must depend on only a few individuals to perform its operations. These smaller organizations may rely more extensively on supervisory review to control activities. Similarly, activities that involve extremely large dollar transactions, or are otherwise inherently risky, should be divided among several individuals and be subject to relatively extensive supervisory review.4

Additionally, to prevent the unauthorized or fraudulent manipulation of applications or data, schools should separate key responsibilities between IT personnel and users. To accomplish this, schools should designate specific users to initiate and authorize transactions, and prohibit IT personnel from initiating or authorizing transactions. In addition, users should not have system-level access to modify data or programs. When independence is not possible, such as when users also perform IT functions related to the accounting system, management must periodically review transactions to help compensate for inadequate separation of duties.

Further, among the IT personnel, programming responsibilities should be separated from computer operation responsibilities. Unauthorized modifications to programs or files are more likely if an employee has the ability to perform both programming and operating functions. If separation of these duties is not feasible, schools should ensure that a supervisor reviews system logs, balancing reports, and other relevant indicators regularly.

DOCUMENTATION

Schools should establish and document policies and procedures for its IT operations. The amount of documentation necessary depends upon the circumstances and complexity of the school’s IT systems. However, at a minimum, standards and procedures related to systems development, change management, security, and computer operations, as described above, should be developed and regularly maintained. Documentation of application systems and the controls associated with them is also very important. System, program, operations, and user documentation should be prepared and maintained in a standardized, organized manner.

In designing and implementing IT systems, organized and thorough documentation can: 1. Provide an understanding of the system’s objectives, concepts, processes, and output.

2. Provide a resource for systems analysts and programmers responsible for maintaining and revising existing systems.

3. Enable supervisory review of work performed on the system.

3 _{Based on the Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G,}

February, 2009. Chapter 3, section 3.4.

INFORMATION TECHNOLOGY

4. Serve as a reference for existing staff and as a basis for training new personnel.

5. Communicate system information to systems analysts, programmers, operators, and auditors.

System documentation should include a brief narrative description of the system’s business purpose and provide both an overview of the system and an explanation of the integration, if any, with other systems. Information on system testing performed and user involvement and sign-off should be maintained. Input, processing, output, file, security, and related controls for each system should be described. In addition, information regarding significant system changes, including their purpose, scope, authorization, and effective dates, should be preserved.

Program documentation should include a description of the program’s purpose; a flowchart, decision table, or detailed logic narrative; a list of built-in control features such as error-detection routines; a detailed description of file formats and record layouts; and the program code itself. Operating instructions, input and output formats, users’ request for any changes, change test results, and user’s approval of the revised program, if applicable, should also be documented. The interrelationship between that program and other programs that make up the system should also be described.

Operations documentation should include setup instructions and on-going operational requirements, recovery and restart procedures in the event of hardware or software malfunctions, and error-correction procedures. The error correction procedures should include documentation of the problem, cause-analysis, identification of the individual assigned to correct it, and timely review by a supervisor to verify that the problem was resolved. Furthermore, this documentation should also include a list of control procedures and the personnel (positions) responsible for performing them.

User documentation should outline user instructions and provide information about how to use the application, including:

1. Input and output descriptions including data entry screens and data display screens. 2. Applicable cut-off procedures for submitting data.

3. Balancing and reconciliation procedures. 4. Basic and common functionality.

5. Advanced functionality.

INFORMATION TECHNOLOGY

1/10

IX-10

proper use of electronic resources and information is to develop Internet and electronic mail use and security policies; and to implement security and monitoring measures to ensure computer users’ compliance with the policies. These policies should address:

1. Who is allowed to use the Internet and electronic mail. 2. When they are allowed to use it.

3. What constitutes acceptable use of the Internet and electronic mail. 4. What constitutes unacceptable use of the Internet and electronic mail. 5. Monitoring procedures for Internet account activity.

6. Virus, spam, and other types of malware protection.

7. Requirements and guidelines over the use and configuration of firewalls and other network perimeter security devices, such as Intrusion Prevention Systems, Intrusion Detection Systems, Network Access Control devices, etc.

8. Procedures for reporting and responding to suspected security and policy violations.

A written Internet and electronic mail policy raises users’ level of security awareness and serves as guidance for technical decisions affecting Internet and electronic mail activity. Further, the policy may help strengthen the school’s position in the event of legal prosecution of a security violation. This policy need not be technical; however, it should include a summary of the school’s Internet and electronic mail security concerns. Further, users should be required to acknowledge and document receipt of the policy, and their intention to follow the policy before being granted access to the Internet and electronic mail. Schools should also institute periodic security awareness training to remind users of their requirements and responsibilities.