DS11 Data Management

DS11: Data Management

1. Description

Application and general controls over the IT operations to ensure that data remains complete, accurate and valid during its input, update and storage.

2. Control Objectives

Data Preparation Procedures - establish data preparation procedures to be followed. In this context, input form design should help to assure that errors and omissions are minimized. Error handling procedures during data origination should reasonably ensure that errors and irregularities are detected, reported and corrected
Source Document Authorization Procedures - ensure that source documents are properly prepared by authorized personnel who are acting within their authority and that an adequate segregation of duties is in place regarding the origination and approval of source documents
Source Document Data Collection - ensure that all authorized source documents are complete and accurate, properly accounted for and transmitted in a timely manner for entry
Source Document Error Handling - ensure that errors and irregularities are detected, reported and corrected
Source Document Retention - ensure original source documents are retained or are reproducible by the organization for an adequate amount of time to facilitate retrieval or reconstruction of data as well as to satisfy legal requirements
Data Input Authorization Procedures - ensure that data input is performed only by authorized staff
Accuracy, Completeness And Authorization Checks - Transaction data entered for processing (people-generated, system-generated or interfaced inputs) should be subject to a variety of controls to check for accuracy, completeness and validity. Procedures should also be established to assure that input data is validated and edited as close to the point of origination as possible
Data Input Error Handling - correction and resubmission of data which was erroneously input
Data Processing Integrity - processing of data that ensure separation of duties is maintained and that work performed is routinely verified. The procedures should ensure adequate update controls such as run-to-run control totals and master file update controls are in place
Data Processing Validation, Editing - that data processing validation, authentication and editing is performed as close to the point of origination as possible
Data Processing Error Handling - ensure that erroneous transactions are identified without being processed and without undue disruption of the processing of other valid transaction
Output Handling And Retention - Prevention of misuse
Output Distribution - written procedures for distribution
Output Balancing And Reconciliation - routine balancing to relevant control totals (audit trails should be provided to facilitate the tracing of transaction processing and the reconciliation of disrupted data). Assuring that the accuracy of output reports is reviewed by the provider and the relevant users (procedures should also be in place for controlling errors contained in the output)
Output Review And Error Handling - Procedures to assure accuracy of output
Security Provision For Output Reports - assuring that the security of output reports is maintained for those awaiting distribution, as well as those already distributed to users,
Protection Of Sensitive Information And Message - ensure that adequate protection of sensitive information is provided during transmission, transport and disposal against unauthorized access and modification,
Protection Of Disposed Sensitive Information - Data marking, data cannot be retrieved
Storage Management - establish and maintain procedures (including retention periods) for data storage which consider retrieval, integrity and cost effectiveness requirements and ensure that the data is checked periodically.,
Retention Periods And Storage Terms - All documents, applications and keys
Media Library Management System - assuring that contents of its media library containing data are inventoried systematically, that any discrepancies disclosed by a physical inventory are remedied in a timely fashion and that measures are taken to maintain the integrity of magnetic media stored in the library.
Media Library Management Responsibilities - Housekeeping procedures designed to protect media library contents should be established by information services function management. Standards should be defined for the external identification of magnetic media and the control of their physical movement and storage to support accountability,
Back-up And Restoration - implement a strategy for backup and restoration to ensure that it includes a review of business requirements, and the development, implementation, testing and documentation of the recovery plan. Procedures should be in place to ensure back-ups are taken in accordance with the defined back-up strategy, and usability of back-ups is regularly verified. Back-up procedures for information technology-related media should include the proper storage of the data files and software. Backups should be stored securely, and the storage sites periodically reviewed regarding physical access security and security of data files and other items,
Backup Jobs - Usability of backups verified
Backup Storage - Onsite and offsite storage
Archiving - ensuring that archiving meets legal and business requirements, and is properly safeguarded and accounted for,
Protection Of Sensitive Messages - Data transmission
Authentication and Integrity - the authentication and integrity of information originated outside the organisation, whether received by telephone, voicemail, paper document, fax or e-mail, should be appropriately checked before potentially critical action is taken,
Electronic Transaction Integrity - define and implement appropriate procedures and practices for sensitive and critical electronic transactions ensuring integrity and authenticity of:
- atomicity (indivisible unit of work, all of its actions succeed or they all fail);
- consistency (if the transaction cannot achieve a stable end state, it must return the system to its initial state);
- isolation (a transaction’s behavior is not affected by other transactions that execute concurrently); and
- durability (transaction’s effects are permanent after it commits, its changes should survive system failures).
Continued Integrity Of Stored Data - Media checks, correctness of data

3. Key Goal Indicators

A measured reduction in the data preparation process and tasks
A measured improvement in the quality, timeline and availability of data
A measured increase in customer satisfaction and reliance upon the data
A measured decrease in corrective activities and exposure to data corruption
Reduced number of data defects, such as redundancy, duplication and inconsistency
No legal or regulatory data compliance conflicts

4. Key Performance Indicators

Percent of data input errors
Percent of updates reprocessed
Percent of automated data integrity checks incorporated into the applications
Percent of errors prevented at the point of entry
Number of automated data integrity checks run independently of the applications
Time interval between error occurrence, detection and correction
Reduced data output problems
Reduced time for recovery of archived data

5. Critical Success Factors

Data entry requirements are clearly stated, enforced and supported by automated techniques at all levels, including database and file interfaces
The responsibilities for data ownership and integrity requirements are clearly stated and accepted throughout the organisation
Data accuracy and standards are clearly communicated and incorporated into the training and personnel development processes
Data entry standards and correction are enforced at the point of entry
Data input, processing and output integrity standards are formalised and enforced
Data is held in suspense until corrected
Effective detection methods are used to enforce data accuracy and integrity standards
Effective translation of data across platforms is implemented without loss of integrity or reliability to meet changing business demands
There is a decreased reliance on manual data input and rekeying processes
Efficient and flexible solutions promote effective use of data
Data is archived and protected and is readily available when needed for recovery

6. Service Maturity Variations

0 Non-existent	Data is not recognised as a corporate resource and asset. There is no assigned data ownership or individual accountability for data integrity and reliability. Data quality and security is poor or nonexistent.
1 (Initial/Ad Hoc)	The organisation recognises a need for accurate data. Some methods are developed at the individual level to prevent and detect data input, processing and output errors. The process of error identification and correction is dependent upon manual activities of individuals, and rules and requirements are not passed on as staff movement and turnover occur. Management assumes that data is accurate because a computer is involved in the process. Data integrity and security are not management requirements and, if security exists, it is administered by the information services function.
2 (Repeatable but Intuitive)	The awareness of the need for data accuracy and maintaining integrity is prevalent throughout the organisation. Data ownership begins to occur, but at a department or group level. The rules and requirements are documented by key individuals and are not consistent across the organisation and platforms. Data is in the custody of the information services function and the rules and definitions are driven by the IT requirements. Data security and integrity are primarily the information services function’s responsibilities, with minor departmental involvement.
3 (Defined Process)	The need for data integrity within and across the organisation is understood and accepted. Data input, processing and output standards have been formalised and are enforced. The process of error identification and correction is automated. Data ownership is assigned, and integrity and security are controlled by the responsible party. Automated techniques are utilised to prevent and detect errors and inconsistencies. Data definitions, rules and requirements are clearly documented and maintained by a database administration function. Data becomes consistent across platforms and throughout the organisation. The information services function takes on a custodian role, while data integrity control shifts to the data owner. Management relies on reports and analyses for decisions and future planning.
4 (Managed and Measurable)	Data is defined as a corporate resource and asset, as management demands more decision support and profitability reporting. The responsibility for data quality is clearly defined, assigned and communicated within the organisation. Standardised methods are documented, maintained and used to control data quality, rules are enforced and data is consistent across platforms and business units. Data quality is measured and customer satisfaction with information is monitored. Management reporting takes on a strategic value in assessing customers, trends and product evaluations. Integrity of data becomes a significant factor, with data security recognised as a control requirement. A formal, organisation-wide data administration function has been established, with the resources and authority to enforce data standardisation.
5 Optimized	Data management is a mature, integrated and cross-functional process that has a clearly defined and well-understood goal of delivering quality information to the user, with clearly defined integrity, availability and reliability criteria. The organisation actively manages data, information and knowledge as corporate resources and assets, with the objective of maximising business value. The corporate culture stresses the importance of high quality data that needs to be protected and treated as a key component of intellectual capital. The ownership of data is a strategic responsibility with all requirements, rules, regulations and considerations clearly documented, maintained and communicated.