API PUBL 3802:1992

This guide is intended as a reference document in the preparation of more definitive guidelines, programs, and procedures for specific users and business risks. Users of the guide should be alert and responsive to the individual needs of their organization.
The guide was written primarily for audit professionals, but it may also benefit information systems, EDI, Controllers, and legal professionals across the industry. It represents the views and experiences of its authors. An effort has been made to be comprehensive; however, it is not possible to anticipate the control needs of every organization. Certain controls may not be enforceable or even useful in a particular environment.
The basic principles of control, such as segregation of duties, documentation, timeliness, completeness, supervision, and review, are as necessary in EDI as in any other business environment. This guide identifies key exposures and security issues which are unique to the implementation of the technology. It does not replace the traditional application audit program. Rather, it emphasizes the types of controls which apply more specifically to an EDI environment.
This guide focuses on the exchange of data rather than funds. As such, controls specific to Electronic Funds Transfer (EFT) have not been included; however, many of the controls outlined herein could be extended to the EFT environment.