Department of Internal Audit and Compliance

Information Technology - Technology Management

Effectiveness and efficiency of operations 

A. Formal operating procedures are used for IT processing.

  1. Are detailed, written operating instructions in place for setup, file disposition, error response, restart, and recovery? These instructions are control-oriented, are kept current, and are followed for each application and system.
  2. Are required user actions to process reports through system and program structures minimized? (For example, are dates, critical processing parameters, and similar user data entry automated to the greatest extent possible?)
  3. Do reports have adequate run labels? Are the labels standardized and do they include information such as the data set name and number, creation date, expiration date, report owner, and department owner?

B. IT operations are supervised and reviewed.

  1. Are reports processed by the IT group for functional users supervised and reviewed to ensure that scheduling standards are met, appropriate run labels are used, and the underlying databases calculate and aggregate data accurately?
  2. Is an error log used to track incidents of reporting errors or unusual occurrences (such as abnormal job ends, system failures, or incorrect data or calculations), and is the resolution of each event documented?
  3. Is an exception report used to log temporary or "quick fix" solutions to errors or unusual occurrences, and are the rationale for each "quick fix" and the resolution of a long-term solution documented?

C. Access to IT operations is restricted.

  1. Have clearly defined and approved policies been implemented to restrict access to specific electronic files and electronic information to authorized individuals? Policies cover files distributed on CDs and floppy disks, through networks, over the Internet or intranets, and by e-mail.

D. All approved input is accepted by the IT system and only approved input is accepted.

  1. Have logical safeguards been built into databases to ensure that data being entered is reasonable, or appropriate to the format? (For example, a spreadsheet requiring numbers would alert the user attempting to enter text that the data was not acceptable.)
  2. Is the system programmed to protect against unauthorized access by controlling user actions by menus, linking authorized users and resources, and using tables to define specific user and resource authorizations?

E. Data is accurately converted.

  1. Does the technology used to transmit data during uploads and downloads over networks, the Internet, extranets, or intranets have built-in controls for checking the accuracy and completeness of data transmission?

F. Access to online systems is controlled.

  1. Has a security system been implemented that effectively separates duties, authorizing users or user groups to access only those systems and files necessary to perform their job functions?
  2. Do policies for passwords and identification numbers require changing passwords periodically, voiding identification numbers and passwords when employees transfer or leave the University, and changing identification numbers and passwords when employees feel theirs have been compromised?
  3. Has a 24-hour, toll-free communications link been implemented that allows callers to report anonymously on a variety of situations such as computer crime and employee theft?

Last Updated: 1/3/23