Data Processing Function Audit Program



The data processing function should be sufficiently important in the organizational hierarchy to enable it to meet established overall objectives and to promote independence from user departments. Major working units within each data processing function should be adequately described with their responsibilities delineated and documented. Adequate separation of duties within each function should be provided, or, where not feasible, compensating controls should be practiced.

Suggested interviewees for ICQ:

A. Director of Data Processing

A. Control Objective #1 - Separation of Duties Between Data Processing and the User Departments

  1. Review the location of the data processing department within the University's hierarchy, and assess its suitability in terms of independence from user departments.
  2. Review the data control activities performed by data processing and users. Determine whether data processing controls only the processing of data and whether users exercise proper control over original submission, verification, validation, and error correction.

B. Control Objective #2 - Separation of Duties Within Data Processing

  1. Review documentation to determine that responsibilities assigned to each major organizational unit are adequately described.
  2. Interview data processing personnel and observe data processing activities to confirm that the separation of duties is being followed.

C. Control Objective #3 - Planning for Data Processing Resources

  1. Determine if the steering committee is at a high enough level to be independent from Data Processing and is able to allocate resources to best achieve the goals of the whole organization.
  2. Review the policy that establishes the steering committee and defines its goals and responsibilities. Review documentation to provide evidence that the steering committee is operating as it was designed. Determine if the method for allocating resources is fair and reasonable.