To define required separation and rotation of duties to minimize the risk of fraud.
University of Houston data processing employees and users of sensitive data.
- Programming and operations functions must be performed by different individuals.
- There should be cross training of operations staff to provide depth and backup, and to reduce individual dependence.
- Any exception to the separation-of-duties guidelines below, which are listed by group of employees, should be documented and reviewed on a periodic basis for justification and risk analysis purposes:
- Programmers should not execute jobs in a production mode.
- Programmers should not control any transfers between programmer development libraries and production libraries.
- Programmers should/may not have update capability within any production application.
- Operators should not have the ability to make changes to production application or system software libraries.
- Operators should not perform balancing activities, except those necessary for run-to-run controls.
- Operators should not have the ability to make changes to job control language (JCL) of scheduled jobs without proper notification and authorization.
- Operators should execute only those jobs/programs scheduled through the established procedures.
- Operators should not execute (outside of standard production processing) data or software-modifying system utilities without proper authorization and dual control.
- Operators should not override internal tape labels without supervisory approval.
- Data entry personnel should not prepare source documents for input.
- Someone other than the input operator should verify all data input, unless it is programmatically verified.
- The same person should not perform input and output duties.
- The same person should not post and balance general ledger and other sensitive entries.
- The person who prepared the original transaction should not review rejects or non-reads for reentry.
- Master file and other sensitive transaction changes should be under dual control.