Standards of Internal Controls - Arizona State University
Standards of Internal Controls - Arizona State University
Standards of Internal Controls - Arizona State University
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
6.1.6 Departments responsible for s<strong>of</strong>tware<br />
development or maintenance are<br />
responsible for preparing and<br />
maintaining detailed data processing<br />
policies and procedures. The policies<br />
and procedures should include:<br />
a. Identification and operation <strong>of</strong><br />
inherent, configurable and manual<br />
data processing controls and selfassessment<br />
processes.<br />
b. Criteria for management approval<br />
<strong>of</strong> inherent, configurable and manual<br />
data processing controls and system<br />
changes to move s<strong>of</strong>tware from a test<br />
to production status:<br />
c. Documentation standards for<br />
system inherent, configurable, and<br />
manual controls, system architecture,<br />
logical design, and physical design;<br />
and<br />
d. S<strong>of</strong>tware coding standards that<br />
define program structure, guidelines<br />
for logic complexity, and data<br />
element naming conventions.<br />
Refer to risk: A-11<br />
A-6 Computer equipment may be<br />
damaged by fire or other natural<br />
causes or intentionally damaged by<br />
unauthorized persons.<br />
A-7 Backup files may not be available for<br />
processing in the event <strong>of</strong> a disaster.<br />
A-8 Our ability to conduct business may<br />
be significantly impaired in the event<br />
<strong>of</strong> a disaster at a computer or network<br />
site.<br />
A-9 Adequate computer resources may<br />
not be available to meet business<br />
requirements and growth.<br />
A-10 We may be liable for misuse or<br />
unauthorized copying <strong>of</strong> proprietary<br />
s<strong>of</strong>tware.<br />
A-11 System inherent and/or configurable<br />
data processing controls may not be<br />
utilized and/or operating efficiently<br />
or effectively. Responsibilities<br />
associated with operating and/or<br />
maintaining system s<strong>of</strong>tware<br />
operations and application<br />
documentation may not be clearly<br />
defined.