Application Controls

Risks and Controls

Data is inaccurate.

  • Appropriate procedures for changing software applications should exist. Changes should be tested and authorized before they are implemented in production.
  • Software developers should not have access to production.
  • Appropriate edit and validation checks should exist in the application.

Erroneous transactions are not detected.

  • All transactions, including entry, edits, and deletions, should be logged in an audit trail and reviewed on a regular basis.

A disruption in processing occurs with a vendor that processes BC data.

  • Vendor contracts should (1) be actively monitored and re-negotiated as appropriate, and (2) include an audit clause.

Applications are not appropriately supported by the vendor.

  • A service level agreement should be negotiated with the vendor. All processes, including the flow of data between web servers, application servers, and network systems, should be documented.

Sensitive data is exposed to users who do not require access per their job function.

  • Access to data should be assigned to appropriate groups and users.