Revised audit guidelines released for assessing computer data reliability
Revised guidance is consistent with 2007 'yellow book' Government Auditing Standards
- By William Jackson
- Jul 14, 2009
Government audits increasingly rely on data from computers, and the Government Accountability Office has issued new guidance for determining the reliability of that data.
“Computer-processed data from outside sources are often central to audit reports,” GAO says in the guidelines. “While these data are simply another type of evidence to rely on, assessing them may require more technical effort than other types.”
The guidelines, titled “Assessing the Reliability of Computer-Processed Data,” outline evaluation methods that are consistent with the 2007 “yellow book” Government Auditing Standards, and replace previous GAO guidelines published in 2002.
The current publication focuses on the completeness and accuracy of data that has been generated by or retrieved from a computer system. As used in audits, completeness refers to the extent that relevant records are present in the data and that the fields in each record are populated appropriately, and accuracy refers to the extent that recorded data reflect the underlying information.
Examples of computer-processed data covered in the guidelines are:
- Data extracts from databases, data warehouses, or data repositories.
- Data maintained in Microsoft Excel spreadsheet or Microsoft Access database programs and/or similar commercial products.
- Data extracts from enterprise software applications supported by information technology departments or contractors.
- Public use data or other replicated detail or summary-level databases accessible through an application other than the original source system.
- Data collected from forms and surveys on Web portals.
- Data summarized in a report or copied from a table in a document.
“Because assessing computer-processed data requires more technical tests, it may seem that such data are subject to a higher standard of testing than other evidence,” GAO says. “This is not the case.”
The reliability of data should be analyzed if it materially supports the findings of the audit. According to Yellow Book standards, auditors should assess the sufficiency and appropriateness of this information whether it is provided to auditors or they extract it independently.
The guide gives a flexible, risk-based framework for doing these assessments that can be geared to the needs of each situation. The framework is built on making use of existing information about the data in question, conducting only the work necessary to determine whether the data are reliable enough for your purposes, maximizing professional judgment, and bringing the appropriate people, including management, to the table at key decision points.
Auditors also can take advantage of work that already has been done in assessing data, and GAO may already have related information in its reports available at on its Web site at www.gao.gov. The site also provides other information that might be useful. In conducting the annual governmentwide consolidated financial audit, GAO’s Information Technology team has reported on the effectiveness of controls for financial information systems at major agencies and relevant reports might be available there.
William Jackson is freelance writer and the author of the CyberEye blog.