<
 
 
 
 
ž
>
Vous consultez une page Web conservée, recueillie par Bibliothèque et Archives Canada le 2006-11-30 à 17:33:57. Il se peut que les informations sur cette page Web soient obsolètes, et que les liens hypertextes externes, les formulaires web, les boîtes de recherche et les éléments technologiques dynamiques ne fonctionnent pas. Voir toutes les versions de cette page conservée.
Chargement des informations sur les médias

You are viewing a preserved web page, collected by Library and Archives Canada on 2006-11-30 at 17:33:57. The information on this web page may be out of date and external links, forms, search boxes and dynamic technology elements may not function. See all versions of this preserved page.
Loading media information
X
Treasury Board of Canada Secretariat - Government of Canada
Skip to Side MenuSkip to Content Area
Français Contact Us Help Search Canada Site
What's New About Us Policies Site Map Home

1. Directives and Guidelines
2. Introduction
3. Financial Systems
4. Timing and Recording of Transactions
5. Mechanics of Coding Systems
6. Controls in Financial Systems
7. Enquiries
Appendix A
Appendix B
Appendix C 
Appendix D

Other Related Documents

Alternate Format(s)
Printable Version

Financial Systems and Controls

Previous Table of Contents Next


Appendix C
Techniques for Control in a Computer Systems Environment

1. Introduction

(a) The control techniques that follow give guidance to financial and EDP personnel involved in the development and maintenance of financial systems. Computer Control Guidelines, published by the Canadian Institute of Chartered Accountants, and the volume on control of the Systems Auditability and Control Study of the Institute of Internal Auditors, provide further information.

(b) Techniques for control include project management practices such as phased development, economic justification, and full documentation. These practices are required by Treasury Board directives and guidelines contained in the Project Management Policy (Chapter 2-2) of the Capital Projects and Procurement Volume, Treasury Board Manual, and are not repeated here.

2. Authorization and Data Preparation

(a) The authorization of transactions should not be performed by personnel who have custody of assets or access to records.

(b) Instructions for the preparation of source documents should be documented.

(c) Time frames should be established for the processing of source documents from the point of receipt to the input-preparation stage.

(d) Transmittal documents should be used to control the flow of documents from the originating source to the input-preparation stage.

(e) A quality review of source documents should be provided for.

(f) Retention time periods for original source documents should allow sufficient time for the detection and correction of errors.

(g) The authority to initiate source documents should be limited.

(h) Each source document should be assigned a number for identification purposes, preferably through preprinted sequential numbers.

(i) Special-purpose forms should be used to present data in the format required for data entry.

(j) The authorized use of source documents and input forms should be restricted.

(k) Separation of duties should be maintained in the following areas:

- separation of the data processing department from its functional users,

- segregation of duties within the data processing department, and

- separation in the user department between source data generation and other functions.

(l) Approval signatures on source documents should be used for providing evidence of proper transaction authorization and for audit trail purposes.

(m) A manual review of source documents should be performed by user personnel to ensure completeness and accuracy of input.

(n) Source document logs should be maintained by each user organization to record the flow of transactions and batches in order to identify missing items and maintain accountability.

(o) Record-handling procedures that provide user personnel with instructions for error detection, correction, and re-submission of source documents should be reassessed periodically.

(p) Error logs should be used to follow up unresolved errors and to ensure their correction and timely re-entry into a system. Such error logs should not be maintained in the data processing area.

3. Data Input

3.1 Data validation

(a) Independent verification of data input.

(b) Predefined and stored formats to ensure that data are recorded in the proper fields, formats, and characters.

(c) Data input transactions, edited and validated close to source to minimize processing of erroneous data.

(d) Use of controls to verify input as being received from an authorized source.

3.2 Batch balancing

(a) Use of processing schedules to determine that all transactions have been received and entered on time.

(b) Use of turnaround documents such as payment advices for accounts receivable.

(c) Use of record logs to show the receipt and disposition of data, to account for all batches received, and to establish an audit trail within the system.

(d) Use of a batch header record as a control document for the individual source documents in that batch. Information on the batch header record (such as batch total, transactions count, and batch number) is used in verifying the completeness and accuracy of the batch.

(e) Automated balancing to batch header control totals, with procedures for reconciling differences and authorizing corrections.

3.3 Error Handling

(a) Interactive error correction in the case of input terminal systems, to permit immediate detection, display, and correction of errors.

(b) Issuance of edit error listings prior to processing, in the case of batch-oriented systems, with correction prior to processing of data.

(c) Error messages indicating the suggested corrective action to be taken for each data field that is in error.

(d) Editing of corrected data using the same data validation, batch balancing, and error-handling routines as for the original data.

(e) Production of control totals for rejects as well as for accepted data.

(f) Statistics on all errors, with corrective action on repeated occurrences.

(g) An input control function that is independent from source data preparation, to control error handling and ensure correction of data.

3.4 General

(a) Steps should be taken to ensure that there will be no further processing of source documents following input preparation.

(b) Procedures should provide for returning illegible or incomplete source documents.

(c) Dual custody of accountable forms should be maintained. A member of the data processing organization and a member of the user department should jointly authorize the release of prenumbered forms from storage.

4. Data Transmittal

4.1 Delivery

(a) Couriers should be bonded.

(b) Back-up copies should be kept of all magnetic tapes, cards, or other media used for data transmittal.

(c) Record counts and batch totals should be used to ensure no data have been lost in transmittal.

(d) Access to the data should be limited to authorized personnel.

4.2 Telecommunications

(a) Internal control totals should be used during transmission.

(b) Re-transmission by the transmitting unit of transaction data that are detected by the receiving unit to be in error.

(c) All incoming and outgoing messages should be validated.

(d) Line usage records and statistics for audit trail purposes should be kept.

(e) Message sequence numbers should be assigned to all input and output messages and recorded on an input/output message log to assist in system recovery or to restart and trace messages.

(f) All errors and re-transmission of messages should be logged and statistics of re-transmissions should be maintained.

(g) The user manual should include error-correction procedures of transmissions.

4.3 Processing

(a) Computer-generated transactions should be monitored through programs that print these transactions, thereby enabling users to perform a manual check on the computer-generated transactions. Computer generated transactions may include balance controls between programs in the system, which may take the form of reasonableness checks or run-to-run control totals.

(b) A system of automated control totals for balancing the entire system and for balancing between systems should be developed and should be adequately explained in the technical documentation.

(c) Anticipation controls such as sequence checking may be used within the system to anticipate each transaction and detect missing transactions.

(d) Exception reports should be prepared each time a program control is overridden or bypassed.

(e) Computer files should be balanced by reconciling the number of records on the opening of a file and changes made during processing with the closing balance. Control records should contain totals of amounts and record counts for each critical data field on the file.

(f) Rejects should be logged by the system, to show that all rejects have been corrected and re-submitted.

(g) Automated suspense files should be generated by the system for all rejected transactions. These error suspense files should be maintained by the data processing organization to follow up corrected transactions that are rejected.

(h) Discrepancy reports from the error suspense file should be printed periodically and provided to users of the system to ensure that the handling of errors results in their correction and re-entry in a timely manner.

4.4 Data Access

(a) A formal library system should be developed for the handling of all application system data files.

(b) External and internal labels should be used to prevent the misuse of files.

(c) Access to records and files should be restricted to authorized users by security-classification level.

(d) All system enquiries should be recorded on an independent file, and an enquiry report should be produced for review by data processing management.

(e) Access authorization tables should be updated regularly and only on the basis of authorization by those with designated authority.

(f) Procedures should provide for formal authorization of any program modification. Such modifications should be authorized only by the user.

(g) Steps should be taken to ensure that the master file can be reconstructed by maintaining independent copies of it and the intervening transactions. Access to file copies should also be restricted to authorized users.

(h) Systems should be designed to report on an exception basis those records and fields which exhibit no activity for a significant period of time.

(i) Systems should be designed to report on an exception basis those records and fields which exhibit excessive activity.

(j) Critical files should be scanned periodically by an audit program to report illogical or incorrect file content.

(k) Back-up procedures should exist for all critical files. These procedures should provide for off-site data, program back-up, and hardware back-up.

(l) Recovery and restart procedures should exist for all critical application systems.

(m) A disaster plan should be in place in case of loss of application data or system software, or of equipment or key personnel.

4.5 Output

(a) Output control totals should be reconciled with input totals before reports are released.

(b) Statistical records of output reports should be maintained on the system and printed, summarizing the number of application reports generated, number of pages per report, cost per report, and number of lines per report.

(c) In on-line systems the number of transactions per period should be balanced against output control totals. Variances between input and output quantities should be monitored.

(d) Output reports should be scheduled so that users know when to anticipate them, and follow-up action should be initiated when reports are delayed.

(e) Output reports should be delivered only to authorized recipients.

(f) Report distribution should be limited to the authorized number of report copies.

(g) Users should be furnished with a report that reconciles manually maintained batch totals with totals accumulated by the computer system for the particular application.

(h) Sampling and other quality-control techniques should be used for checking the accuracy and completeness of reports.

(i) Negotiable documents should be moved from the storage area to the computer operations area and back, under the dual custody of members from data processing and the user organization.

(j) An independent history file of errors should be kept independently of processing files to analyze report error trends and statistics by type, source, and frequency.

(k) Provision should be made for feedback from output recipients as to the timeliness, accuracy, and suitability of system reports.

 
Previous Table of Contents Next