We put the IT in city®

CitySmart Blog

Thursday, December 8, 2016
Brian Ocfemia, Technical Account Manager

Brian OcfemiaObviously, most cities use a form of software for accounting activities. But imagine if your entire city accounting system is run on a bunch of simple electronic spreadsheets. You open one up and start entering data. What could go wrong?

You probably just thought about many things.

  • Errors left unchecked.
  • A risk of deleting data that others have inputted.
  • A risk of someone changing mathematical formulas that compute results.

Thank goodness you have that accounting software instead of a bunch of spreadsheets. Yet, the Arkansas Division of Legislative Audit reports that “data integrity” is the number one information security issue they found in the audits they performed. They define data integrity as the “ability of employees to change receipt or disbursement information after issuance or to edit or delete records without proper approval.”

So even despite using software in many cases, cities still struggle with data integrity issues like the ones that could happen in a simple spreadsheet. Let’s look at a few ways to assess, fix, and overcome some common data integrity issues.

1. Audit your data input processes and assess the feedback.

Whether your state requires an audit or not, it’s helpful to audit your financial systems to identify data integrity issues. An experienced third party can evaluate overall processes and issues with who may input, change, and delete data. On a technical level, the auditor should also look at the underlying rules, code, and logic that allow for data input.

2. If needed, fix or modernize your application.

Usually, something will come up in the audit that needs fixing. You may also find that the auditor recommends modernizing with a new system (especially if an older system lacks appropriate data integrity measures). Arkansas doesn’t mince words when it says, “We recommend that application users work with the application vendor to modify the software to include the data input edits that would eliminate vulnerabilities.” Whichever route you go, work with experienced IT professionals and application vendors to oversee any fixes, changes, or implementations of new applications.

3. Set up proper controls and processes.

Whether fixing your current application or using a new application, you want to ensure that it has the proper controls and processes in place to prevent the chance of data input errors or fraud. For example, once paychecks go out, an employee shouldn’t be able to change payroll data after the fact or delete the record of that payment.

4. Limit access to critical transactions.

Any critical transaction—such as issuing a payment or deleting a record—must require a higher-level access to accomplish. Too many systems allow any employee at any authorization level to make changes. That increases the chance of major errors and increases the risk for fraud. Exceptions will happen, but those exceptions need to be inputted by authorized people with higher-level access and logged.

5. Put field edit checks in place to reduce errors.

Even normal day-to-day data input risks lower data integrity if fields aren’t set up and restricted in appropriate ways. For example, in a payroll application you may reduce errors if:

  • Important fields are required (and you can’t leave them blank)
  • Fields autocorrect (such as hours worked or a check routing number)
  • Fields autofill (such as employee name, hourly wage, or settings that stay the same every week)

Data integrity is an overlooked area of security. You’re typically on the lookout for hackers and data breaches, but a lack of data integrity—missing information, no controls over data, and making it easy to change or delete data—can sneak up on you and lead to serious problems. Don’t wait until an audit to find these issues. Address them by taking a hard look at your current applications with a trained third party and fix any issues that you find.

In total, this three-part series about application policy and security addresses input, processing, and output. You can use these three articles as a checklist to see if you’re matching up to data security best practices.

Questions about data integrity? Reach out to us today.