The following contains a list of some of the internal controls that are appropriate for an EDI operation. The absence of these controls, or appropriate compensating controls, may indicate threats that will prevent the effective and efficient operation of EDI activities. This checklist is adapted from material published by the AICPA and AuditNet.

1. General Controls
   1. EDI transmissions occur at scheduled times.
   2. EDI file retention requirements have been established.
   3. EDI back-up, recovery, and contingency plans exist. These plans undergo periodic testing.
   4. Physical controls are in place to restrict access to data centers that process EDI transactions.
   5. Access control software retricts access to EDI software and data. This software includes ID and password rules, and violation monitoring and reporting.
   6. EDI transactions are encrypted.
   7. EDI document format standards are used and kept up-to-date.
   8. Procudures exist to define and maintain trading partner relationships.
   9. Written agreements exist with the VAN describing all services to be provided.
   10. All changes to the EDI system are documented and tested prior to implementation.

2. Input Controls
   1. An interface has been established to translate transactions from the application system to the EDI system.
   2. Input data are edited for EDI standards, verification to trading partners files, etc.
   3. Sequence numbers and batch totals are assigned to EDI transactions.
   4. Rejected inputs are sent to a suspense file.

3. Processing Controls
   1. Transmission protocols use redundancy and parity checks.

4. Output Controls
   1. Edit checks are applied to EDI transactions before they are routed to the appropriate application.
   2. An interface has been established to translate transactions received from the EDI system to the application system.
   3. Balancing and control procedures ensure that all transaction sets received from trading partners are completely input to an application system.