
Establish, implement, and maintain data accuracy controls.


CONTROL ID
00921
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • sufficient audit trails (including system records and footage from closed-circuit television (CCTV)) of customers' transactions conducted through the terminals should be retained. Proper procedures and dual controls should also be implemented to reconcile the banknotes in the terminals against the r… (§ 7.3.2(iv), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Data must be updated correctly to assure the data is accurate and complete or the data integrity is maintained. This is a control item that constitutes a greater risk to financial information. This is an IT general control and IT application control. (App 2-1 Item Number IV.4(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Robust information is at the heart of risk management processes in a bank. Inadequate data quality is likely to induce errors in decision making. Data quality requires building processes, procedures and disciplines for managing information and ensuring its integrity, accuracy, completeness and timel… (Introduction ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Authenticity: In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are. (Basic Principles of Information Security ¶ 1 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • There should be controls on updating key 'static' business information like customer master files, parameter changes, etc. (Critical components of information security 11) c.11., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Consistency of data— the field/record called for from the new application should be consistent with that of the original application. This should enable consistency in repeatability of the testing exercise (Critical components of information security 12) (ii) d., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (Art. 5.1.(c), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The processing and sharing of information in business and service processes is supported by data-processing IT systems and related IT processes. The scope and quality thereof shall be based, in particular, on the institution's internal operating needs, business activities and risk situation (see AT … (II.3.8, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • be able to provide representation from the original sources of the reported information attesting to the accuracy of the information within acceptable margins of error; (Verifiability Guidance ¶ 2 Bullet 5, GRI 1: Foundation 2021)
  • Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible. (AC3 Accuracy, Completeness and Authenticity Checks, CobiT, Version 4.1)
  • Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient, and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that information provided in the… (AC5 Output Review, Reconciliation and Error Handling, CobiT, Version 4.1)
  • Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport. (AC6 Transaction Authentication and Integrity, CobiT, Version 4.1)
  • Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions. (AC4 Processing Integrity and Validity, CobiT, Version 4.1)
  • The organization should highlight the data fields that it requires customers to fill in to help the organization assess the fraud risk of the transaction. Key risk data fields include telephone numbers, e-mail address, cardholder name and address, shipping name and address, and the Card Verification… (Pg 33, Pg 39, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of special coding routines to check input values (e.g., macros and automated error checking routines). (CF.13.02.04d, The Standard of Good Practice for Information Security)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of default values (e.g., pre-agreed values that will automatically be entered when a new record is added). (CF.13.03.04a, The Standard of Good Practice for Information Security)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of drop-down lists consisting of predefined values (e.g., to help users of databases select the correct information). (CF.13.03.04b, The Standard of Good Practice for Information Security)
  • The integrity of information in a critical database should be protected by employing data concurrency methods, to ensure that information is not corrupted when modified by more than one user. (CF.13.03.05, The Standard of Good Practice for Information Security)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of special coding routines to check input values (e.g., macros and automated error checking routines). (CF.13.02.04d, The Standard of Good Practice for Information Security, 2013)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of default values (e.g., pre-agreed values that will automatically be entered when a new record is added). (CF.13.03.04a, The Standard of Good Practice for Information Security, 2013)
  • The risk of inaccurate entry of information into Critical spreadsheets should be reduced by the use of drop-down lists consisting of predefined values (e.g., to help users of databases select the correct information). (CF.13.03.04b, The Standard of Good Practice for Information Security, 2013)
  • The integrity of information in a critical database should be protected by employing data concurrency methods, to ensure that information is not corrupted when modified by more than one user. (CF.13.03.05, The Standard of Good Practice for Information Security, 2013)
  • systems and processes are in place to ensure the accuracy and completeness of information; (§ 9.1.7 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. (§ 6.4.3.1 ¶ 1 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; (§ 6.8.3.2.1 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • systems and processes are implemented to ensure the accuracy and completeness of information; (§ 9.1.4 ¶ 1 d), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • systems and processes are implemented to ensure the accuracy and completeness of information; (§ 9.1.4 ¶ 1 d), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Disclosures should provide high-quality reliable information. They should be accurate and neutral—i.e., free from bias. (§ F. Principle 6 Bullet 1, Implementing the Recommendations of the Task Force on Climate-related Financial Disclosures, October 2021)
  • The organization should periodically check the accuracy of records containing personal information, and correct the information if necessary. (Table Ref 9.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The service auditor identifies the information produced by the service organization while performing procedures to assess the design, implementation, and operating effectiveness of controls within the system. When assessing the information produced, the service auditor should consider the reliabilit… (¶ 3.125, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When using analytics, the service auditor would need to perform procedures to validate the completeness and accuracy of the information received from the entity, as discussed beginning in paragraph 3.138. (¶ 3.130 ¶ 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Depending on the means by which the service auditor obtains the information, the service auditor develops a plan to assess the completeness and accuracy of such information. The following factors may be relevant when assessing the information used in the execution of controls: (¶ 3.142, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • System inputs are measured and recorded completely, accurately, and timely to meet the entity’s processing integrity commitments and system requirements. (PI1.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • When a web site is supported that has access to scoped systems and data, is the data input into applications validated for accuracy? (§ I.4.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is hosted that has access to scoped systems and data, is the data input into applications validated for accuracy? (§ I.4.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is maintained that has access to scoped systems and data, is the data input into applications validated for accuracy? (§ I.4.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • CSR 8.2.2: The organization must use computer matching to match the transaction data with data in master or suspense files in order to identify duplicate or missing transactions. CSR 8.2.3: For high-value, low-volume items, the organization must compare individual transactions or source documents wi… (CSR 8.2.2, CSR 8.2.3, CSR 8.3.1, CSR 8.4.1, CSR 8.4.5, CSR 8.5.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Records Management Application shall have the capability to confirm the accuracy of all user editable metadata items before filing. (§ C4.1.11, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall ensure the "declassified on", "upgraded on", or "downgraded on" field is populated with the appropriate date field when the entry in the "current classification" field is changed. (§ C4.1.14, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Identify valid document-templates and process the data elements required in the corresponding section-templates and entry-templates from the standards adopted in §170.205(a)(3), (4), and (5). (§ 170.315 (b) (1) (ii) (A) (3), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Patient age. (§ 170.315 (c) (4) (iii) (F), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Record. For each and every CQM for which the technology is presented for certification, the technology must be able to record all of the data that would be necessary to calculate each CQM. Data required for CQM exclusions or exceptions must be codified entries, which may include specific terms as de… (§ 170.315 (c) (1) (i), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Identify valid document-templates and process the data elements required in the corresponding section-templates and entry-templates from the standards adopted in §170.205(a)(3), (4), and (5). (§ 170.315 (b) (1) (ii) (A) (3), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Patient age. (§ 170.315 (c) (4) (iii) (F), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Record. For each and every CQM for which the technology is presented for certification, the technology must be able to record all of the data that would be necessary to calculate each CQM. Data required for CQM exclusions or exceptions must be codified entries, which may include specific terms as de… (§ 170.315 (c) (1) (i), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • § 552a(e)(6): Before disseminating records about individuals to persons other than agencies, agencies that maintain a system of records shall make reasonable efforts to ensure the records are complete, accurate, relevant, and timely, unless the dissemination is done in accordance with § 552a(b)(2)… (§ 552a(e)(6), § 552a(o)(1)(J), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • Processes to verify that incoming data transmissions and processing are complete and accurate. (App A Objective 16:2a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The Management Information System (MIS) should ensure all information is accurate and complete. (Pg 14, FFIEC IT Examination Handbook - Management)
  • Image quality. (App A Tier 2 Objectives and Procedures N.1 Bullet 4 Sub-Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess effectiveness of the dual control procedures for blank card stock in each of the encoding, embossing, and mailing steps. (App A Tier 2 Objectives and Procedures D.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization shall have procedures and controls in place for validating the system to ensure it is accurate, reliable, has consistent intended performance, and has the ability to discern altered or invalid records. (§ 11.10(a), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information syst… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Data elements can be accessed for alteration. (CT.DM-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Maintaining the integrity and security of system data and software is a key component in contingency planning. Data integrity involves keeping data safe and accurate on the system's primary storage devices. There are several methods available to maintain the integrity of stored data. These methods u… (§ 5.1.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Application controls should be implemented to ensure that all data entered in the system is complete and valid. (Pg 33, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
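Several of the citations above describe the same two mechanisms from different angles: validate input as close to the point of origination as possible and send bad records back for correction (CobiT AC3, OMB A-123 guidance, the SIG I.4.4 questions), and computer-match a transaction feed against a master file to surface duplicate, missing and altered records without halting valid ones (CMS CSR 8.2.2, CobiT AC4). The following Python example is added here to show what such a control looks like in code; it is not taken from any of the cited documents. The record layout, field rules (8-digit account, two-decimal amount with an upper limit, a fixed currency list) and the sample master file and feed are constructed assumptions for illustration.

```python
"""Added example: input validation at point of entry plus computer matching
(reconciliation) of a transaction feed against a master file.  Field rules,
record layout and sample data are constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import re

# Hypothetical field rules for an incoming transaction record.
ACCOUNT_RE = re.compile(r"^[0-9]{8}$")
MAX_AMOUNT = Decimal("1000000.00")
REQUIRED = ("txn_id", "account", "amount", "currency")
CURRENCIES = {"USD", "EUR", "HKD"}


def validate_transaction(txn: dict) -> list:
    """Return the list of validation errors for one record (empty = accepted).

    This is the 'validate at the point of origination' control: a bad record
    is rejected with a reason so the originator can correct it, instead of
    being loaded and only discovered later at reconciliation.
    """
    errors = []
    for name in REQUIRED:
        if txn.get(name) in (None, ""):
            errors.append(f"missing field: {name}")
    if errors:
        return errors
    if not ACCOUNT_RE.fullmatch(str(txn["account"])):
        errors.append("account must be 8 digits")
    try:
        amount = Decimal(str(txn["amount"]))
        if amount <= 0 or amount > MAX_AMOUNT:
            errors.append("amount out of range")
        elif amount != amount.quantize(Decimal("0.01")):
            errors.append("amount has more than two decimal places")
    except InvalidOperation:
        errors.append("amount is not a number")
    if txn["currency"] not in CURRENCIES:
        errors.append("unknown currency")
    return errors


@dataclass
class ReconciliationResult:
    duplicates: list = field(default_factory=list)  # txn_id seen more than once in the feed
    missing: list = field(default_factory=list)     # in master file, absent from feed
    unmatched: list = field(default_factory=list)   # in feed, absent from master file
    mismatched: list = field(default_factory=list)  # in both, but amounts differ
    rejected: list = field(default_factory=list)    # (txn_id, errors) that failed validation

    @property
    def clean(self) -> bool:
        return not (self.duplicates or self.missing or self.unmatched
                    or self.mismatched or self.rejected)


def reconcile(feed: list, master: dict) -> ReconciliationResult:
    """Computer-match a transaction feed against a master file.

    `master` maps txn_id -> expected amount (as a decimal string).  Erroneous
    records are reported but do not stop the valid ones from being matched.
    """
    result = ReconciliationResult()
    counts = Counter(t.get("txn_id") for t in feed)
    result.duplicates = sorted(k for k, n in counts.items() if n > 1 and k)
    seen = {}
    for txn in feed:
        errors = validate_transaction(txn)
        if errors:
            result.rejected.append((txn.get("txn_id"), errors))
            continue
        seen[txn["txn_id"]] = Decimal(str(txn["amount"]))
    for tid, amount in sorted(seen.items()):
        if tid not in master:
            result.unmatched.append(tid)
        elif Decimal(master[tid]) != amount:
            result.mismatched.append(tid)
    rejected_ids = {tid for tid, _ in result.rejected}
    result.missing = sorted(t for t in master if t not in seen and t not in rejected_ids)
    return result


# Constructed sample data (not from any cited document).
MASTER = {"T001": "100.00", "T002": "250.50", "T003": "75.25", "T004": "10.00"}
FEED = [
    {"txn_id": "T001", "account": "12345678", "amount": "100.00", "currency": "USD"},
    {"txn_id": "T002", "account": "12345678", "amount": "250.50", "currency": "USD"},
    {"txn_id": "T002", "account": "12345678", "amount": "250.50", "currency": "USD"},  # duplicate
    {"txn_id": "T003", "account": "12345678", "amount": "75.52", "currency": "USD"},   # digits transposed
    {"txn_id": "T005", "account": "1234567A", "amount": "-5", "currency": "XXX"},      # fails validation
    {"txn_id": "T006", "account": "87654321", "amount": "42.00", "currency": "EUR"},   # not in master
]

if __name__ == "__main__":
    r = reconcile(FEED, MASTER)
    for label in ("duplicates", "missing", "unmatched", "mismatched", "rejected"):
        print(f"{label}: {getattr(r, label)}")
    print("clean:", r.clean)
```

Each exception category maps to a different corrective action (re-send, re-key, investigate a changed amount), which is why the routine returns them separately rather than as one pass/fail flag; a control that only reports "reconciliation failed" gives the reviewer nothing to act on.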