NCJ Number
73526
Date Published
1977
Length
27 pages
Annotation
This executive report of a systems auditability and control study examines the rationale for audit and control in computer-based information systems and the cost implications of systems auditability and control.
Abstract
Two complementary objectives guided the formulation of the research methodology for this project. The first objective was to identify and document specific audit and control techniques of proven value. The second objective was to identify practices and trends in internal audit in data processing for broad segments of business and government, both domestic and international. Data were gathered through either 45 site visits or a mail survey of 1,500 various industry groups and government agencies in Canada, the United States, Europe, and Japan. These companies were believed to be leaders in either their approach to data processing or internal auditing in the data processing environment. It was found that in many organizations no clear delineations had been made among the responsibilities at top management, data processing, internal audit, and the users of electronic data processing (EDP) systems for the control of such systems. Relying on EDP specialists, the users of a computer-based information system bear the main burden of ensuring the accuracy and completeness of inputs and the eventual reports. Internal auditors must be in a position to verify that the controls are adequate and are properly used yet maintain ther objectivity and independence. However, top management must ensure that clear lines of responsibilities exist for the control of EDP systems. Management should, therefore, evaluate current audit and control practices and the data processing skills within the internal audit staff, identify likely future trends in the development of computer-based information systems and data processing technology, and review existing programs and formulate new programs to improve capabilities in both the audit and control areas. Although the study attempted to identify costs associated with auditing computer-based information systems and with the implementation of necessary internal controls, little quantitative information was available. However, it was determined that the cost of detecting and correcting errors in computer-based information systems increases markedly at each successive stage of development and operation. Tabular data are provided. For related documents, refer to NCJ 73524 and 73525.