Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA
The first point about transfers of data is that from an IT auditor’s perspective, all data transfers have a fairly high level of inherent risk. Moving data from one database to another, one system to another or one application to another is simply a dangerous situation. Many things can go wrong with the transfer, and it is possible that errors could occur and not be recognized or identified—short of some effective mitigating control.
This fact leads to the second point: All data transfers need some kind of control to gain an acceptable level of reliance on the target data; that is, the source data are precisely the same as the target data. There are a variety of ways an effective mitigating control can be implemented.
A key consideration in analyzing the effectiveness of a mitigating control for data transfers is how much of it is automated and how much is manual. Those that are fully automated are not susceptible to human failure and, once tested, will perform the same way repeatedly.
For instance, the application or technology that is doing the transfer may be able to do an automated reconciliation of target data to source data. If the medium is custom middleware, this is particularly an achievable goal. Such an automated control could use a batch-control approach. The middleware could read the number of records, total an amount column, total another numeric column, make the transfer, and then check those batch control totals—number of records, total dollars and total number—against the target data. If all three agree, it is highly probable that the source data are the target data.
Automated reconciliations are also possible. For example, if accounting data are transferred from accounting software to a financial reporting system, which could be as simple as an electronic spreadsheet, the middleware transfer system could access the beginning balance, sum the net effect of the class of transactions for that account balance, calculate an ending balance and verify it is the ending balance in the general ledger.
A standard commercial tool that might assist in these kinds of transfers is extract, transform and load (ETL), used in posting data to a data warehouse. ETL processes are designed to detect data anomalies and errors and, thus, can be helpful in making sure data from the source database is the data in the target database and identifying errors that exist in the source data that need to be corrected. This includes missing data, as well.
In conclusion, IT auditors should look for opportunities to automate a reconciliation of source data to target data any time a data transfer occurs.