Audit Serve, Inc.

 


Auditing External Data Interfaces
By: Mitchell H. Levine


                                                             


An external data interface is the exchange of data between two separate systems.  The two systems could be maintained by a single organization, or the exchange could be between two separate organizations.  The exchange of data could be a file which is processed at a later time (i.e., batch load) or it can be a real-time update.  The data source could be an entire file or one record at a time.  All of these characteristics of the external data interface factor into the control design needed to ensure the proper exchange of data.

The audit controls that are critical for external data interfaces are:

-  Controls to ensure a complete data exchange

-  Controls to ensure proper data exchanged 

-  Backup/Recovery controls

The remaining portion of this article will discuss in detail the audit approach for each of these control components.

Controls to ensure a complete data exchange

Completeness of the data received starts at the sending system, in terms of the controls that are in place to ensure all data is present.  If data is being sent at a record level, then the process used by the sending system to trigger the event is an area of audit focus with regard to the circumstances in which the record updates would not be triggered.  The audit needs to evaluate the controls to queue the transactions in the event that the receiving system is down.

If the data exchange is a batch process, then controls must be evaluated to ensure that all records within the file were received.  Disruption can occur during transmission, which causes an incomplete file to be created on the receiving system.  The best control in this case is the use of end-of-file markers, which are checked by the receiving system to ensure a complete file was received.

As an alternative, record counts ensure the proper number of records are received by comparing the record counts stored on the header record

The “trigger” is the primary control necessary to ensure that a proper exchange occurred.  The trigger is evaluated at both the sending and receiving systems.  The sending system may have a time trigger to send the file at a particular time of day.  The receiving system has a trigger to determine when the file will be loaded.  A time trigger could be used to send the file or to load the file on the receiving system.  The receiving system could have a trigger that operates in the background and waits for a file to be created.  The sending system could have a trigger that sends the file upon manual initiation on its system.  The most important control to verify during the audit is whether a review process is in place to ensure that the processes which initiate the sending and receiving of data occurred within the timeframes required.

Controls to ensure proper data exchanged

The integrity of a data interface also requires controls to ensure that the proper data is exchanged.  The sending system needs to provide controls to ensure the data represents the period of activity that is understood by the receiving system.  This is achieved by placing a date/time marker on the header record for a batch transmission and placing date/time markers on the records, which are checked by the receiving system.

To ensure that duplicate processing does not occur, controls need to be in place on the sending system to remove the records upon verification that they have been successfully processed by the receiving system.  The alternative is creating a separate file for each data exchange, with a distinguishable naming convention, to ensure that the receiving system does not process the same data.  Another alternative is to have the receiving system check whether a record has been previously processed.
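
The receiving-side checks described in the two sections above (end-of-file marker, header record count, header date marker, previously-processed check) can be sketched as a single load gate. This is an added example, not part of the original article; the pipe-delimited file layout, the function name validate_batch and the sample files are assumptions made for illustration.

```python
# Added example. The pipe-delimited layout below is an assumption, not from the article:
#   HDR|<batch_id>|<period YYYY-MM-DD>|<record_count>
#   REC|<record_id>|<payload>
#   EOF
def validate_batch(text, expected_period, seen_batches, seen_records):
    """Return the list of control failures; an empty list means the file may load."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("HDR|"):
        return ["missing header record"]
    header = lines[0].split("|")
    if len(header) != 4 or not header[3].isdigit():
        return ["malformed header record"]
    _, batch_id, period, declared = header
    failures = []
    # Completeness: the end-of-file marker must be the last line received.
    if lines[-1] == "EOF":
        body = lines[1:-1]
    else:
        body = lines[1:]
        failures.append("end-of-file marker missing")
    # Completeness: records received must match the count on the header record.
    ids = [ln.split("|", 2)[1] for ln in body if ln.startswith("REC|")]
    if len(ids) != int(declared):
        failures.append(f"record count mismatch: header={declared} received={len(ids)}")
    # Proper data: the header date marker must be the period the receiver expects.
    if period != expected_period:
        failures.append(f"period mismatch: header={period} expected={expected_period}")
    # Duplicate processing: reject a batch or record that was already loaded.
    if batch_id in seen_batches:
        failures.append(f"batch {batch_id} already processed")
    dupes = sorted({i for i in ids if i in seen_records or ids.count(i) > 1})
    if dupes:
        failures.append("records already processed: " + ", ".join(dupes))
    if not failures:  # record the load only when every control passed
        seen_batches.add(batch_id)
        seen_records.update(ids)
    return failures

# Constructed sample files: one complete, one cut off during transmission.
GOOD = "HDR|B001|2006-03-01|2\nREC|1001|alpha\nREC|1002|beta\nEOF\n"
TRUNCATED = "HDR|B002|2006-03-02|3\nREC|1003|gamma\n"

if __name__ == "__main__":
    batches, records = set(), set()
    print(validate_batch(GOOD, "2006-03-01", batches, records))       # first load
    print(validate_batch(GOOD, "2006-03-01", batches, records))       # replayed file
    print(validate_batch(TRUNCATED, "2006-03-02", batches, records))  # incomplete file
```

An auditor can use the same failure list as a test script: feed the interface a truncated file, a replayed file and a file for the wrong period, and confirm that the receiving system rejects each one and logs the reason.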

Backup/Recovery controls

Backup/Recovery ensures that a process can be rerun in the event that the data interchange was not successful.  As part of the audit, the file retention of data being loaded by the receiving system needs to be verified.  In addition, the sending system needs to save the data in the event the receiving system does not successfully process the files.  

The audit of external data interfaces has become a critical component of an application and integrated audit since standalone systems are not common in the typical IT environment.



Copyright  2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.

 

Copyright © 2000  All rights reserved.  27 Pine Street, Suite 700, New Canaan, CT 06840 USA.