|
Booklet:
Operations Section: Risk Mitigation and Control Implementation Subsection: Imaging |
|||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||
An
imaging system is a computer system that converts paper documents to electronic
files. Through imaging, financial institutions can electronically store
and manage records. Imaging systems provide the means to quickly find,
retrieve, and share documents in a networked environment.
Item processing imaging systems (IPIS) are generally high speed systems
(up to 1,850 documents per minute, or dpm) designed to capture checks
and other items in the data processing environment. Common uses for IPIS
in financial institutions include proof of deposit, sales draft processing
(credit card or point of sale [POS]), remittance processing, cash letter
settlement, account reconciliation, and statement rendering. The Check
Clearing for the 21st Century Act (“Check 21 Act”) is an example
of an IPIS, in which the processing bank captures negotiable items in
an image format. Instead of forwarding physical items to the Federal Reserve
or other clearing house, the processing bank electronically sends image
replacement documents. This system saves the financial institution significant
costs by streamlining the proof and capture processes and reducing the
cost of shipping physical items.
Document management imaging systems (DMIS) are generally low-speed systems
(approximately 10–200 dpm) designed to capture a range of documents,
such as loan and mortgage file information, IRA and Keogh files, trust
documents, and signature cards. DMIS are often used in a network environment
to facilitate processes, such as a teller electronically viewing a signature
card for verification purposes or a loan officer reviewing a credit file
from a remote branch location.
Computer output to laser disk (COLD) is the computer process that outputs
electronic records and printed reports to laser disk instead of a printer.
This system is used to archive data to one or more optical disks in a
compressed but easily retrievable format. COLD systems are often used
with an imaging system for storage of archived reports, loan documents,
and other customer records.
Quality control is important for all types of imaging and imaging processes
including storage, the scanning and indexing process, and equipment-scanning
rates. Management should ensure there are adequate controls to protect
imaging processes, as many of the traditional audit and controls for paper-based
systems may be reduced. Failure to maintain adequate controls can result
in unusable or irretrievable images, alteration or counterfeiting of images,
and loss or compromise of confidential customer information. Management
should also consider issues such as converting existing paper storage
files, integration of the imaging system into the organization workflow,
and business continuity planning needs to achieve and maintain business
objectives.
The following items are important imaging system control points. As a
part of management’s efforts to develop controls, audit should be
involved to ensure the establishment of appropriate audit controls and
audit trails.
Capture – Management should ensure adequate controls are
in place at the point where image capturing occurs. Capturing can be accomplished
through scanning documents, converting word processing documents and spreadsheets
into unalterable images, or importing existing images into the institution's
system. Poor controls over capturing can result in poor quality images,
high rejection and exception rates, improper indexing, and capturing incomplete
or forged documents. Procedures should be in place to prevent destruction
of original documents before verifying image quality, especially when
the imaged information is used to process transactions.
Indexing – Management should maintain indexing-system integrity
to ensure users can retrieve accurate files in a timely manner based upon
business needs (e.g., customer service, business continuity planning).
For document imaging, naming processes should be in place in order to
easily identify what particular documents are being captured and how they
should be sorted and presented upon retrieval.
Security – The institution-wide security risk assessment
should include imaging systems. Management should ensure there are adequate
security controls to protect the imaging system and confidential customer
information. Such security should provide for separation of duties, input/output
controls, and prevent unauthorized modifications of imaged data or insertion
of fraudulent images.
Training – Appropriate training is key for proper system
use. Inadequate instruction for imaging procedures could lead to quality
control issues and misplaced or unavailable data.
Audit – Like any other system, imaging needs to be scrutinized
to ensure adequate controls have been enabled.
Back-Up and Recovery – Imaging system back-up and recovery
planning should ensure restoration and retrieval of information within
recovery time objectives as defined within the business continuity plan.
The complexity of back-up and recovery solutions will vary based upon
the use of imaged data (e.g., as a reference copy, to support transaction
processing,). Since imaging allows the storage of large volumes of documents,
the loss of imaged files can significantly affect business operations
if back-up electronic or paper files are not readily available. Further,
the loss or malfunction of indexing software could leave the institution
without a mechanism to pull related imaged documents together into a single
coherent view such as an electronic credit file.
Legal Issues – Institutions installing imaging systems
should carefully evaluate the legal implications of converting the original
documents to image. The institution may be required to demonstrate through
audit trails, access records, and electronic storage practices that the
images presented are unaltered. Management should consult with attorneys
to discuss issues such as record retention and destruction of original
documents.