Output Controls

Output controls ensure that system output is

not lost, misdirected, or corrupted and that
privacy is not violated. Exposures of this sort
can cause serious disruptions to operations and
may result in financial losses to a firm. For
example, if the checks produced by a firms
cash
disbursements
system
are
lost,
misdirected, or destroyed, trade accounts and
other bills may go unpaid. This could damage
the firms credit rating and result in lost
discounts, interest, or penalty charges. If the
privacy of certain types of output is violated, a
firm could have its business objectives
compromised, or it could even become legally
exposed. Examples of privacy exposures include
the disclosure of trade secrets, patents pending,
marketing research results, and patient medical
records.
The type of processing method in use influences
the choice of controls employed to protect
system output. Generally, batch systems are
more susceptible to exposure and require a
greater degree of control than real-time
systems. In this section, we examine output
exposures and controls for both methods.
Controlling Batch Systems Output
Batch systems usually produce output in the
form of hard copy, which typically requires the
involvement of intermediaries in its production
and distribution. Figure 7.12 shows the stages in
the output process and serves as the basis for
the rest of this section. The output is removed
from the printer by the computer operator,
separated into sheets and separated from other
reports, reviewed for correctness by the data
control clerk, and then sent through interoffice
mail to the end user. Each stage in this process
is a point of potential exposure where the output
could
be
reviewed,
stolen,
copied,
or
misdirected. An additional exposure exists when
processing or printing goes wrong and produces
output that is unacceptable to the end user.
These corrupted or partially damaged reports
are often discarded in waste cans. Computer
criminals have successfully used such waste to
achieve their illicit objectives.
Following, we examine techniques for controlling
each phase in the output process. Keep in mind
that not all of these techniques will necessarily
apply to every item of output produced by the
system. As always, controls are employed on a
costbenefit basis that is determined by the
sensitivity of the data in the reports.
Output
Spooling.
In
large-scale
dataprocessing operations, output devices such as
line printers can become backlogged with many

programs simultaneously demanding these

limited resources. This backlog can cause a
bottleneck,
which
adversely
affects
the
throughput of the system. Applications waiting
to print output occupy computer memory and
block other applications from entering the
processing stream. To ease this burden,
applications are often designed to direct their
output to a magnetic disk file rather than to the
printer directly. This is called output spooling.
Later, when printer resources become available,
the output files are printed.
The creation of an output file as an intermediate
step in the printing process presents an added
exposure. A computer criminal may use this
opportunity to perform any of the following
unauthorized acts:
Access the output file and change critical data
values (such as dollar amounts on checks). The
printer program will then print the corrupted
output as if it were produced by the output run.
Using this technique, a criminal may effectively
circumvent the processing controls designed
into the application.
Access the file and change the number of
copies of output to be printed. The extra copies
may then be removed without notice during the
printing stage.
Make a copy of the output file to produce
illegal output reports.
Destroy the output file before output printing
takes place.
The auditor should be aware of these potential
exposures and ensure that proper access and
backup procedures are in place to protect
output files.
Print Programs. When the printer becomes
available, the print run program produces hard
copy output from the output file. Print programs
are often complex systems that require operator
intervention. Four common types of operator
actions follow:
1. Pausing the print program to load the correct
type of output documents (check stocks,
invoices, or other special forms).
2. Entering parameters needed by the print run,
such as the number of copies to be printed.
3. Restarting the print run at a prescribed
checkpoint after a printer malfunction.
4. Removing printed output from the printer for
review and distribution.
Print program controls are designed to deal with
two types of exposures presented by this
environment: (1) the production of unauthorized
copies of output and (2) employee browsing of
sensitive data. Some print programs allow the

operator to specify more copies of output than

the output file calls for, which allows for the
possibility of producing unauthorized copies of
output. One way to control this is to employ
output document controls similar to the source
document controls discussed earlier. This is
feasible when dealing with prenumbered
invoices for billing customers or prenumbered
check stock. At the end of the run, the number
of copies specified by the output file can be
reconciled with the actual number of output
documents used. In cases where output
documents are not prenumbered, supervision
may be the most effective control technique. A
security officer can be present during the
printing of sensitive output. To prevent
operators from viewing sensitive output, special
multipart paper can be used, with the top copy
colored black to prevent the print from being
read. This type of product, which is illustrated in
Figure 7.13, is often used for payroll check
printing. The receiver of the check separates the
top copy from the body of the check, which
contains readable details. An alternative privacy
control is to direct the output to a special
remote printer that can be closely supervised.
Bursting. When output reports are removed
from the printer, they go to the bursting stage
to have their pages separated and collated. The
concern here is that the bursting clerk may
make an unauthorized copy of the report,
remove a page from the report, or read
sensitive information. The primary control
against these exposures is supervision. For very
sensitive reports, bursting may be performed by
the end user.
Waste. Computer output waste represents a
potential exposure. It is important to dispose of
aborted reports and the carbon copies from
multipart paper removed during bursting
properly. Computer criminals have been known
to sift through trash cans searching for
carelessly discarded output that is presumed by
others to be of no value. From such trash,
computer criminals may obtain a key piece of
information about the firms market research,
the credit ratings of its customers, or even trade
secrets that they can sell to a competitor.
Computer waste is also a source of technical
data, such as passwords and authority tables,
which a perpetrator may use to access the
firms data files. Passing it through a paper
shredder can easily destroy sensitive computer
output.
Data Control. In some organizations, the data
control group is responsible for verifying the
accuracy of computer output before it is
distributed to the user. Normally, the data

control clerk will review the batch control figures

for balance; examine the report
body for garbled, illegible, and missing data;
and record the receipt of the report in data
controls batch control log. For reports
containing highly sensitive data, the end user
may perform these tasks. In this case, the report
will bypass the data control group and go
directly to the user.
Report Distribution. The primary risks
associated with report distribution include
reports being lost, stolen, or misdirected in
transit to the user. A number of control
measures can minimize these exposures. For
example, when reports are generated, the name
and address of the user should be printed on the
report. For multicopy reports, an address file of
authorized users should be consulted to identify
each recipient of the report. Maintaining
adequate access control over this file becomes
highly important. If an unauthorized individual
were able to add his or her name to the
authorized user list, he or she would receive a
copy of the report. For highly sensitive reports,
the following distribution techniques can be
used:
The reports may be placed in a secure mailbox
to which only the user has the key.
The user may be required to appear in person
at the distribution center and sign for
the report.
A security officer or special courier may
deliver the report to the user.
End User Controls. Once in the hands of the
user, output reports should be reexamined for
any errors that may have evaded the data
control clerks review. Users are in a far better
position to identify subtle errors in reports that
are not disclosed by an imbalance in control
totals. Errors detected by the user should be
reported to the appropriate computer services
management. Such errors may be symptoms of
an
improper
systems
design,
incorrect
procedures, errors inserted by accident during
systems maintenance, or unauthorized access
to data files or programs. Once a report has
served its purpose, it should be stored in a
secure location until its retention period has
expired. Factors influencing the length of time a
hard copy report is retained include:

Statutory
requirements
specified
by
government agencies, such as the IRS.
The number of copies of the report in
existence. When there are multiple copies,
certain of these may be marked for permanent
retention, while the remainder can be destroyed
after use.
The existence of magnetic or optical images of
reports that can act as permanent backup.

When the retention date has passed, reports

should be destroyed in a manner consistent with
the sensitivity of their contents. Highly sensitive
reports should be shredded.
Controlling Real-Time Systems Output
Real-time systems direct their output to the
users computer screen, terminal, or printer.
This method of distribution eliminates the
various intermediaries in the journey from the
computer center to the user and thus reduces
many of the exposures previously discussed.

The primary threat to real-time output is the

interception,
disruption,
destruction,
or
corruption of the output message as it passes
along the communications link. This threat
comes from two types of exposures: (1)
exposures from equipment failure; and (2)
exposures from subversive acts, whereby a
computer criminal intercepts the output
message transmitted between the sender and
the
receiver.
Techniques
for
controlling
communications exposures were discussed
previously in Chapter 3.