DOCUMENT RESUME

03680 - [B2794022]

Computer Auditing in the Executive Departments: Not Enough Is Being Done. FGMSD-77-82; B-115369. September 28, 1977. 22 pp. + 3 appendices (52 pp.).

Report by Elmer B. Staats, Comptroller General.

Issue Area: Automatic Data Processing: Quality of ADP Products (108); Internal Auditing Systems: Sufficiency of Federal Auditors and Coverage (201).
Contact: Financial and General Management Studies Div.
Budget Function: Miscellaneous: Automatic Data Processing (1001).

Four major areas are of audit interest in automatic data processing, in addition to the usual task of verifying data. These are: systems design and development, equipment acquisition, specific applications, and installation management. Benefits to be accrued from better controlled computer-based information systems include: savings, improved efficiency, and cost avoidance.

Recommendations: The head of each Federal agency should require internal audit organizations to: (1) study the effect of automatic data processing on agency operations, expenditures, and program accomplishments; (2) determine the extent to which computer activities need to be audited (both ongoing systems reviews and audits of specific aspects); (3) determine whether enough audit resources are available and, if not, get needed resources by training existing audit staff or hiring people with the necessary skills; (4) develop and carry out audits that will provide enough coverage to determine that resources are used efficiently, economically, and effectively; and (5) periodically review the internal audit coverage of computer-based information systems and adjust resource allocations accordingly. The Office of Management and Budget should monitor the progress of the agencies in these matters. (Author/SC)

REPORT TO THE CONGRESS BY THE COMPTROLLER GENERAL
OF THE UNITED STATES

Computer Auditing In The Executive Departments: Not Enough Is Being Done

Federal agencies spend billions each year on computer systems. Internal audit groups should be active to help assure management that the computer systems are working and under adequate control. However, some audit organizations have avoided computer-related work. While some excellent auditing has been done, much more work is needed.

This report recommends actions management in each Federal agency should take to monitor computer-related activities adequately.

FGMSD-77-82 SEPTEMBER 28, 1977

COMPTROLLER GENERAL OF THE UNITED STATES
WASHINGTON, D.C. 20548

B-115369

To the President of the Senate and the Speaker of the House of Representatives

Many Federal agencies use computers extensively in the accomplishment of their mission. Internal audit organizations should be reviewing computer systems to help provide assurance that the systems are properly designed, are operated efficiently, economically, and effectively, and are producing reliable results. This report discusses Federal internal audit organization coverage of computers and makes suggestions for Government-wide improvements.

We made our study pursuant to the Budget and Accounting Act, 1921 (31 U.S.C. 53), and the Accounting and Auditing Act of 1950 (31 U.S.C. 67).

We are sending copies of this report to the Director, Office of Management and Budget, and to the heads of Federal departments and independent agencies.

Comptroller General of the United States

COMPTROLLER GENERAL'S REPORT TO THE CONGRESS

COMPUTER AUDITING IN THE EXECUTIVE DEPARTMENTS: NOT ENOUGH IS BEING DONE

DIGEST

"Computer error." "Computer fraud." "Computer systems failure." These and similar terms are frequently heard in connection with Government systems, and millions of dollars of losses or waste have been ascribed to them.
However, since the computer merely follows its instructions, blaming the computer is inappropriate; the faults lie with people. Proper controls are either not in place or not working effectively when fraud, error, or failure takes place. Controls are a basic responsibility of management; computer failures represent failures by management. With the assistance of good internal auditing, management can find out whether proper controls exist and whether the systems are functioning well.

At some selected Federal agencies we reviewed, internal auditing of automatic data processing systems and controls has been inadequate. Improvement is needed. Some internal audit organizations are doing good work in the computer field, but the record is spotty at best. In some agencies, little audit attention has been paid to automatic data processing despite its importance to agency programs.

Responses by auditors to the challenge of computer auditing have been uneven. Some organizations in and out of the Government have done excellent work; others have avoided contact with computers wherever possible. Such audit work does not meet recognized audit standards. (See p. 9.)

Four major areas are of audit interest in automatic data processing, in addition to the usual task of verifying data. These are (1) systems design and development, (2) equipment acquisition, (3) specific applications, and (4) installation management.

Examples of good internal audit work in those four major areas follow:

-- The Air Force avoided $31.5 million in costs by making changes as a result of an audit of a proposed system. (See p. 13.)

-- A Naval Audit Service review of acquisition of equipment showed that too much of one type of equipment and too little of another type were being ordered. (See p. 14.)
-- The Department of Health, Education, and Welfare established improved controls in input and output in a medicare system as a result of an internal audit. (See p. 15.)

-- A servicewide review of the Army's management and use of computer equipment resulted in identifying and correcting 20 problem areas. (See p. 16.)

More work is needed by both Federal managers and internal auditors to make sure that audits adequately cover the four areas and that computer-based information systems are better controlled. Benefits could include savings, improved efficiency, and cost avoidance.

RECOMMENDATIONS

The head of each Federal agency should require internal audit organizations to:

1. Study the effect of automatic data processing on agency operations, expenditures, and program accomplishments.

2. Determine the extent to which computer activities need to be audited (both ongoing systems reviews and audits of specific aspects, such as installation of a new computer-based inventory system).

3. Determine whether enough audit resources are available, and if not, get needed resources by training existing audit staff or hiring people with the necessary skills.

4. Develop and carry out audits that will provide enough coverage to determine that resources are used efficiently, economically, and effectively.

5. Periodically review the internal audit coverage of computer-based information systems and adjust resource allocations accordingly.

The Office of Management and Budget should monitor the progress of the agencies in these matters.

AGENCY ACTIONS

The agencies that GAO asked to comment on the matters in this report agreed that actions are required to provide adequate audit coverage. The Office of Management and Budget suggested that, since carrying out GAO's recommendations would require agency assistance, this report be distributed throughout the executive branch. (See p. 22.) This is being done.
Contents

DIGEST

CHAPTER

1 INTRODUCTION
    What is computer auditing?
    The role of the computer and its impact on auditors
    Scope

2 MANY AUDIT ORGANIZATIONS HAVE AVOIDED WORK IN COMPUTER SYSTEMS AND APPLICATIONS
    Private sector
    Government sector
    Auditing standards and ADP
    Research study on computer audit work
    Summary

3 HOW FEDERAL INTERNAL AUDITORS ARE CONTRIBUTING TO IMPROVED ADP MANAGEMENT
    Audits of system design and development
    Audits of equipment acquisition
    Audits of computer applications
    Audits of ADP installation management
    Need for greater coverage

4 CONCLUSIONS AND RECOMMENDATIONS
    Internal audit involvement is needed
    Recommendations
    Agency actions

APPENDIX

I Audit groups contacted during review
II Selected sources for developing ADP audit capability
III Agency responses
    Office of Management and Budget
    General Services Administration
    Department of Defense
    Department of Housing and Urban Development
    Veterans Administration
    Department of Health, Education, and Welfare
    Department of Transportation
    National Aeronautics and Space Administration
    United States Postal Service
    Department of Commerce
    Department of Labor
    Department of Agriculture
    Department of the Interior

ABBREVIATIONS

ADP automatic data processing
EDP electronic data processing
GAO General Accounting Office
HEW Department of Health, Education, and Welfare
OMB Office of Management and Budget

CHAPTER 1

INTRODUCTION

Have internal auditors in the Federal Government provided adequate coverage of their agencies' computer-based systems? This question arises when one considers the magnitude of the Government's annual expenditure in the automatic data processing (ADP) area, together with persistent and disquieting reports of costly "computer mistakes," many of which had escaped the auditor's attention.

ADP has become an essential and integral part of the operation of nearly every segment of Government activity. Over 10,000 computers are at work in the Federal Government, and a conservative estimate is that in excess of $10 billion is spent annually for ADP. Internal audit groups should be helping top management assure that these immense resources are used efficiently and managed effectively.

We made this study to ascertain what can be and is being done in the area of computer auditing by internal audit groups within the Government. We learned during the review that there are widely divergent approaches and concepts in computer auditing.

WHAT IS COMPUTER AUDITING?

In this report, we use the terms "computer auditing" and "ADP auditing" interchangeably. Computer auditing can be generalized into two broad categories. The first is auditing of what is done by a computer (that is, an audit of a computer application). For example, if an auditor is assigned to review a computerized payroll system, his work will encompass such matters as the adequacy of various controls: controls over material entered into or "input to" the computer, over the integrity of the computer's processing, and over computer outputs. The second type of ADP auditing is much broader and goes far beyond just the computer system itself. This type of work may involve questions such as:

-- Is the system properly designed?

-- Is there a valid requirement for the system or application?

-- Is the computer being operated efficiently?

-- Are the system procedures documented properly, and are they up to date?

-- Are the functional users satisfied with the output product?

-- Is the computer configuration appropriate for the work to be performed?

-- Are all personnel (ADP as well as functional staff) adequately trained for operation and use of the system?

-- Should the computer have been purchased rather than leased, or should a different type of acquisition have been made (for example, lease with option to purchase)?

-- Are the data processing and associated resources used effectively and efficiently?

Generally, independent public accountants auditing private corporations and businesses are concerned primarily with the first type of computer auditing because their work is often aimed toward verifying financial statements, and controls over the computer system may have a significant bearing on reliability of financial statements produced by that system. Both types of computer auditing are within the province of the internal auditor, who is responsible to management for helping assure that operations are being carried out economically, efficiently, and effectively in accordance with the directives of management. Our review pointed out, however, that too many internal audit groups shun ADP auditing, particularly the second aspect.

THE ROLE OF THE COMPUTER AND ITS IMPACT ON AUDITORS

The environment of auditing has changed materially in the last decade, and this change has been compounded by technological advances in ADP. The complexity of modern computer operations has brought new challenges to auditing and has made it necessary for internal audit groups to develop additional capabilities to function effectively in an ADP environment.

This report was prepared to (1) inform the Congress on the level of involvement of internal audit in the management of Federal agencies' ADP resources and (2) stimulate greater activity in the ADP area by the internal audit groups in those agencies where further effort is needed.

This report is addressed to three groups for the purposes described:

Addressee: Purpose

The Congress: To alert the Congress to the problem of internal auditors' inadequacies in evaluating the ADP resources of an agency.

Heads of agencies: To alert them to the role that internal auditors should play in improving management of ADP resources.

Federal internal auditors: To show what internal audit groups have done in the ADP systems area--the positive results achievable and the approaches taken in auditing specific facets of ADP, to point out sources of training, and to spur into action and involvement those audit groups that have not developed an adequate ADP audit capability.

SCOPE

We reviewed the activities of internal audit groups in 12 Federal agencies to identify examples of audit involvement in ADP. The internal audit groups included in this review are listed in appendix I.

Senior managers and staff auditors in these groups were interviewed to identify approaches used in planning, staffing, and conducting ADP audits. We also examined selected ADP-related audit reports which the audit groups believed best represented their ADP auditing efforts. Examples of those audits are highlighted in chapter 3. The phenomenon of auditors' noninvolvement or avoidance of computer work is discussed in chapter 2.

CHAPTER 2

MANY AUDIT ORGANIZATIONS HAVE AVOIDED WORK IN COMPUTER SYSTEMS AND APPLICATIONS

There is a long history of audit organizations' aversion to work involving computers and computer-based applications.

PRIVATE SECTOR

This situation has been reflected in many articles in auditing publications. For example, in a recent issue of The Internal Auditor three articles appeared on auditing of electronic data processing (EDP), and all of them made reference to this aversion:

"It is commonly accepted that the function of auditing and controlling data processing systems in many organizations is lagging behind * * *." 1/

"The internal computer audit capability in many major companies is underdeveloped. Management is becoming increasingly aware of a computer audit gap because of audit shortcomings and publicity about recent cases of control failures and computer frauds.

"Management is realizing that a company may be vulnerable to embarrassing and costly computer-related losses and that the internal auditors may not be able to satisfactorily assure the adequacy of computer system controls.

"Auditors have been reluctant to establish strong computer auditing. * * *"

* * * * *

1/F. F. George and F. B. Palmer, "Systems Auditability and Control," The Internal Auditor, Apr. 1977, p. 14.

"In many companies, computer auditing has languished, while the computer system has become more and more sophisticated. Today's prospective EDP auditors must often develop their expertise with little guidance and within a system already too complex for their limited EDP training." 1/

"With some slight variations, there are four basic approaches to auditing systems development: none at all, periodic, responsive, and participative.

"A none-at-all approach is still taken by far too many organizations, either by design or for one or more of the following reasons: insufficient manpower, lack of EDP knowledge on the part of the staff, resistance from either senior or data-processing management, and so forth." 2/

1/D. R. Byrne, Jr., and G. M. Scott, "Closing the Computer Audit Gap," The Internal Auditor, Apr. 1977, p. 27.

2/R. C. Culbertson, "Responsive Auditing of Systems Development," The Internal Auditor, Apr. 1977, p. 33.

GOVERNMENT SECTOR

That this situation is not limited to auditors outside Government is demonstrated by the following excerpts from previous GAO reports:

"Our survey at DPC Hines [Veterans Administration] raised questions concerning the effectiveness of controls programed in the computer runs of the C&P [compensation and pension] system in assuring the completeness and accuracy of processing transactions. * * *

"DPC Hines should take more stringent measures to assure the reliability of the network of controls because (1) benefit payments processed by the system are substantial--about $7.4 billion in fiscal year 1975.
* * *"

* * * * *

"* * * internal auditors should continually monitor the computer operation and perform necessary appraisals to determine whether an effective and reliable system is functioning. In the absence of such independent evaluations, computer operations are vulnerable to undetected error, misuse, and possible fraud.

"We were informed by the Internal Audit Service resident staff at DPC Hines that, because of insufficient manpower, they have not reviewed and evaluated the adequacy of controls over computer processing in the C&P system. We were told, however, that future audit effort by this staff will include increased emphasis on controls within the C&P system at DPC Hines." 1/

"The Office of Inspector General [Department of Housing and Urban Development] has made limited audits of the automated portions of the payroll system. Its internal auditors have made audits which have concentrated on evaluating the controls over preparing and entering information for computer processing and over computer outputs. It has not, however, thoroughly tested controls in programs used to compute pay amounts. The Inspector General's staff has not actively monitored the design and development of HUD's new payroll system." 2/

1/Letter report to the Veterans Administration on Compensation and Benefit Payment System, MWD-76-90, Feb. 6, 1976.

2/"Need for Improvements in the Automated Payroll System of the Department of Housing and Urban Development," FGMSD-75-31, June 18, 1975.

"The Office of Audits [Department of Commerce] has made only limited reviews of the automated parts of the payroll system. We noted that the Office of Audits did not participate in designing and developing automated systems and did not review the systems on a continuing basis after they become operational."
1/

"We did not make a review of the audit programs used by the Office of Audit [Postal Service] in its payroll audits; we did, however, observe two areas that could be strengthened, (1) the Office has limited capabilities in the area of computerized systems because it has only one specialist knowledgeable in the design of computerized systems and (2) the Office has not been an active participant in the design and modification of computer programs, thus assuring itself of adequate internal controls and auditable trails in these programs." 2/

Large sums are involved in the systems discussed in the above examples, and the need for auditors to assess the adequacy and effectiveness of control is obvious.

All the departments cited above have taken action to correct the specific control deficiencies cited in the reports. For example, the Veterans Administration increased the number of resident auditors at its data processing centers and also conducted a control analysis team study to identify control deficiencies in systems. The Veterans Administration is continuing its efforts to assure that effective controls exist in its ADP systems.

Conversely, during our review, several audit staffs indicated to us that they simply do not have the technical competence to perform auditing in the computer environment. Since they do not in fact have this technical knowledge, they simply try to avoid all contact with ADP.

1/"Need for More Effective Controls Over Computerized Payroll-Processing Operations," FGMSD-76-3, Nov. 10, 1975.

2/"Review of Postal Service Payroll System," GGD-77-37, Mar. 15, 1977.

AUDITING STANDARDS AND ADP

Over the years, standards have been developed for measuring the quality of audit work.
The American Institute of Certified Public Accountants, the Institute of Internal Auditors, and the Comptroller General of the United States have promulgated standards which apply, respectively, to independent public accountants' auditing, internal auditing, and audits of governmental organizations, programs, activities, and functions.

Basic to each of these standards is the concept of technical proficiency of the audit staff. A recent article dealing with meeting these standards in the external auditor's evaluation of controls in computer-based systems stated:

"* * * In order to perform properly the required tasks of reviewing and evaluating internal control and performing subsequent substantive tests of the financial data, the minimum EDP knowledge requirements of the general staff auditor should include

1. A basic understanding of computer systems, including equipment components and their general capabilities.

2. A basic understanding of widely installed computer operating systems and software.

3. A general familiarity with the file processing techniques and data structures.

4. Sufficient working knowledge of computer audit software to use existing standardized audit packages.

5. The ability to review and interpret system documentation including flowcharts and record definitions.

6. Sufficient working knowledge of basic EDP controls to

   a. Identify and evaluate the controls in effect in the client's installation.

   b. Determine the extent to which such controls should be tested and to evaluate the results of such tests (although not necessarily to execute such tests).

7. Sufficient knowledge of EDP systems to develop the audit plan and supervise its execution.

8. A general familiarity with the dynamics involved in developing and modifying programs and processing systems.

"Many audit situations will call for a level of EDP knowledge above that of the general audit staff member; for these situations an auditor at the level of a computer audit specialist will be required. * * *" 1/

1/E. G. Jancura and F. L. Lilly, "SAS No. 3 and the Evaluation of Internal Control," Journal of Accountancy, Mar. 1977, p. 69.

The concept of the auditor calling on a specialist to assist in auditing computers is reflected in the Comptroller General's "Standards for Audit of Governmental Organizations, Programs, Activities & Functions," which states:

"If the work requires extensive review of computerized systems, the audit staff must include persons having the appropriate computer skills. These skills may be possessed by staff members or by consultants to the staff."

RESEARCH STUDY ON COMPUTER AUDIT WORK

The need for auditors to develop their technical competence and perform work in the computer area is further supported by the report of the Institute of Internal Auditors' Systems Auditability & Control Study, whose principal conclusions include:

"Internal auditors must participate in the system development process to ensure that appropriate audit and control features are designed into new computer-based information systems.

"Verification of controls must occur both before and after installation of computer-based information systems.

"As a result of the growth in complexity and use of computer-based information systems, needs exist for greater internal audit involvement relative to auditing in the data processing environment.

"An important need exists for EDP audit staff development because few internal audit staffs have enough data processing knowledge and experience to audit effectively in the data processing environment."

* * * * *

"Many organizations are not adequately evaluating their audit and control functions in the data processing environment. Top management should initiate a periodic assessment of its audit and control programs."

SUMMARY

There is no doubt that capable audits of computers and applications require technical competence beyond that required of auditors in the past, but the time is long gone that auditors can both ignore the existence of the computer and successfully discharge their responsibilities.

A structured long-range approach to the problem is needed in many agencies to bring auditors to the point that they can deal effectively with computer systems and applications. In our opinion, top management will need to provide strong direction to the auditors to develop a program for appropriate involvement, and periodic reporting of progress made, before the situation is satisfactorily resolved in many agencies.

In those agencies where capability has been developed, excellent--even spectacular--audit results have ensued, as exemplified by the internal audits discussed in chapter 3.

CHAPTER 3

HOW FEDERAL INTERNAL AUDITORS ARE CONTRIBUTING TO IMPROVED ADP MANAGEMENT

Some internal audit groups in the Federal Government are conducting critical and searching analyses of ADP resources, determining the effectiveness of automated systems and assessing the adequacy of the ADP functions to meet users' needs. A number of Federal internal audit groups have made significant contributions to their agencies' ADP management. Millions of dollars have been saved, and the effectiveness of programs has been significantly enhanced.

ADP auditing covers a wide spectrum. In this chapter we cite examples of auditing work in four major ADP areas:

-- Audits of system design and development.

-- Audits of equipment acquisition.

-- Audits of specific applications.

-- Audits of ADP installation management.

AUDITS OF SYSTEM DESIGN AND DEVELOPMENT

ADP systems require considerable time, money, and effort to develop. Interactions among managers, users, designers, programers, and the computer are all vital to success in this effort.
Auditors have contributed to development of better-controlled systems by reviewing work done during this phase. These approaches allow system review and audit involvement early in the development before a large investment has been made. The following examples illustrate the benefits of early involvement in a system development effort.

Department of Agriculture Audit

The Department of Agriculture's internal auditors reviewed during the testing phase--approximately 3 months before planned implementation--a proposed subsystem to process payments for purchases. They used an automated flow chart procedure to test program logic and a test deck containing error conditions to test whether the program would detect the errors and reject the information. The auditors also interviewed personnel concerning operating procedures and controls, and examined system and program documentation.

Because system controls were too weak to prevent the processing of test data containing error conditions, the auditors recommended that additional edits be included in the data validation routines. The automatic "flowcharter" showed that certain steps of the programs were not being performed. The auditors recommended that the programers determine whether these steps were necessary for proper program performance and remove any unnecessary steps. In addition, the auditors determined that the program documentation did not contain enough information to describe adequately the controls or functions performed.

This audit resulted in (1) correcting the error conditions prior to system implementation, (2) eliminating unnecessary program instructions, and (3) preparing the documentation necessary to implement and operate the system.

Air Force Audit Agency

The Air Force Audit Agency reviewed proposed system concepts, supporting rationale, and documentation for an automated management information system covering contract award data.
Matters considered included the adequacy of objectives in relation to user needs, cost reliability, and whether technical requirements were valid. Reviews and discussions were conducted at 15 sites, several headquarters groups, and the system development group.

The auditors determined that user needs, system capabilities, and resources had not been substantiated in the original requirements document. Technical and equipment specifications were not substantiated by adequate studies, and users indicated there was little need for the proposed online data base. The original economic analysis--which identified the estimated costs and benefits--was inaccurate and unsubstantiated, according to the auditors. Further audit examinations disclosed that the projected manpower reduction, comprising most of the projected savings, was not realistic.

The audit resulted in a major change in the scope, equipment, and personnel requirements for the system. The revised requirements, approved at $4.7 million, represented a $31.5 million cost avoidance directly attributable to the audit.

AUDITS OF EQUIPMENT ACQUISITION

Several internal audit groups we contacted had conducted ADP acquisition reviews. This type of audit work may be performed during one or more of three phases in the acquisition cycle:

-- Before the final acquisition decision is made.

-- Before the acquired equipment, system, or service is operational.

-- After the acquired items are operational.

The following example illustrates a review made after a system has been acquired and installed.

Postoperational review

Navy directives require the Naval Audit Service to review computer systems about 12 to 24 months after the installation of major ADP hardware to determine whether the new system meets the original design objectives. These reviews may involve a number of issues, including management's definition of objectives, the adequacy of internal controls, and the utilization of individual system components.

In one such review, the Naval Audit Service made a postinstallation evaluation of a major computer system installed at a Marine Corps facility. The system was one of seven located at various activities to provide standardized ADP support to all levels of command. The Audit Service reviewed the system's equipment specifications, capability to process the required workload under normal and adverse conditions, and use of selected equipment. The auditors concluded that:

-- Adequate standby equipment was not available in the event of protracted power failure or troop deployment.

-- Capability was not available to process current program requirements.

-- Certain equipment required under the original contract was underutilized and not really needed.

In response to the audit report, the Command acted to obtain the funds to acquire standby equipment and additional memory units, while unneeded items were released.

AUDITS OF COMPUTER APPLICATIONS

The advantages of computer processing have encouraged Federal agencies to automate many program activities. The resulting Government-wide computer investment and its impact on agency functions necessitate effective control over computer applications. The reliability of the information generated and the resultant management decisions depend on effective automated systems.

Internal audits of agency functions frequently encountered automated systems. To provide an adequate evaluation of a particular function, the internal auditor must ascertain the system's reliability. Internal auditors should review computer application systems to assess whether:

-- Accurate and timely data are entered into the computer and data files are kept updated.

-- Adequate manual and automated controls exist over the input and processing of data.

-- The user receives timely, accurate, and useful output.

-- There is adequate documentation of all aspects of the application.
In a previous report, 1/ we cited several instances of significant improvements and corrections resulting from internal audit of automated applications. The case below is basically similar to those examples of good audit coverage of specific applications.

1/"Improvements Needed in Managing Automated Decisionmaking by Computers Throughout the Federal Government," FGMSD-76-5, Apr. 23, 1976.

The Department of Health, Education, and Welfare (HEW) audit

The HEW Audit Agency reviewed the procedures of the Social Security Administration for automated processing of information on organizations providing health services under the medicare program. The auditors assessed the coordination between headquarters and the regional offices, and they evaluated procedures used to collect, enter, and disseminate data as well as the accuracy, timeliness, and suitability of system products. They interviewed personnel in eight regional offices concerning the system's usefulness and examined over 400 case files and related computer output. They compared the results so developed with the data produced by the computer and noted that in 30 percent of the cases reviewed the two methods yielded different results. The auditors traced these differences to (1) misunderstanding between regional and headquarters personnel which arose from inadequate communication concerning the role of the computer and (2) inaccurate and untimely data.

The Social Security Administration took several actions in response to the auditors' recommendations. Central office personnel met with regional staff to train them in the system's operation and obtain suggestions on possible improvements. The computer program was changed to identify processing delays at each step in the overall operation. Control procedures to monitor the status of each case were instituted at the central office, and the need for accurate information was explained to the regional offices.
AUDITS OF ADP INSTALLATION MANAGEMENT

The sheer size of the Federal Government's investment in ADP facilities should compel internal audit groups to review the management of these facilities. However, Federal expenditures on ADP portray only a portion of the computer's impact on Government operations. As additional administrative and mission-related functions are automated, agencies become more dependent on the successful operation of computer centers. As automated systems are developed and accepted, manual systems are phased out. As requirements for computer processing grow, the volume of agency information stored in the computer center's facilities increases. The loss of these automated systems and information--through long-term disruption of power, natural disasters, or other emergencies--can seriously impair an agency's ability to fulfill its mission.

Army auditors' review

The Army Audit Agency reviewed the management and use of ADP equipment at a sample of the Army's computer installations in the continental United States, Europe, and the Pacific. The review's objective was to provide an overview of management policies and procedures at headquarters, commands, staff agencies, and individual data processing centers. Special audit attention was focused on the Army's use of performance evaluation techniques, multiprograming, and other technical ADP advances.

The audit agency issued reports to individual commands and installations identifying various problems which could be corrected locally. A final audit report was issued to Department of the Army headquarters describing 20 problem areas where weaknesses were general in nature, deep-rooted, or could be corrected only at the departmental level. The problem areas included inaccurate equipment inventory records, inadequate scheduling and followup of management inspections, and inefficient use of performance evaluation techniques.
One of the 20 areas is this: Individual activities had researched and applied various computer performance evaluation techniques independently. The auditors concluded that activities had unnecessarily duplicated each other's efforts by testing similar monitoring tools. They also concluded that activities were either not using available software monitors or had not adequately planned to make full use of monitoring efforts.

The auditors concluded that the decentralized management of data processing centers throughout the Army and the complex structure of controls over ADP center operations helped create many of the problems discussed in the report. They recommended that the Department begin a study of current organization structures and data processing requirements to centralize the Army's control over ADP facilities.

Management agreed with the 20 recommendations presented in the audit report, and corrective actions were taken. For example, the Army began efforts to improve the exchange of information between activities responsible for computer performance evaluation and other activities that might be using monitoring tools. Headquarters began comparing the results of performance studies at three activities to summarize the data obtained and to learn better ways of using evaluation techniques.

NEED FOR GREATER COVERAGE

Although this chapter has included examples of good internal audit, none of the agencies, in our opinion, has achieved an adequate level of overall capability and coverage in ADP auditing. Within the Department of Defense, for example, with over 4,420 computers at June 30, 1976, and many wide-ranging automated data systems applications, the limited expertise and need for more training in the ADP area are pronounced.
In a statement to the Senate Committee on Government Operations, the Deputy Assistant Secretary of Defense for Management Systems reported that, out of a total Defense-wide professional audit staff of 2,264, only 234 auditors (about 10 percent) were considered to have extensive ADP training and experience. 1/ When the magnitude of automated systems and their far-reaching impact on agency operations, programs, and resources are considered, the adequacy of coverage by internal audit staffs is questionable and, in our view, a much greater ADP audit capability is needed in many of the agencies.

1/Staff Study of Computer Security in Federal Programs, Committee on Government Operations, United States Senate, Feb. 1977, p. 177.

CHAPTER 4

CONCLUSIONS AND RECOMMENDATIONS

The Federal Government continues to rely more heavily on ADP technology to achieve many program objectives. Federal agencies annually spend billions of dollars for the design, development, and operation of ADP systems.

INTERNAL AUDIT INVOLVEMENT IS NEEDED

Internal audit groups are responsible for reviewing and evaluating all aspects of agency operations. By providing timely and objective evaluations of agency policies and procedures, internal audit groups assist management in achieving desired objectives. The magnitude of Federal ADP expenditures, and ADP's impact on agency operations, should compel internal audit groups to schedule periodic reviews of their agency's ADP activities. 1/ Some audit groups have responded to the challenge; others have not.

Some internal audit groups have made a valuable contribution to the effective management of programs by reviewing various aspects of ADP in their agency. They have prevented the development of ADP systems which were not needed or economically justified, identified instances of unnecessary equipment procurement, and improved the protection of valuable computer equipment.
Other internal audit groups have improved the reliability of computer-generated information used by agency managers and have identified weaknesses in internal controls which allowed inaccurate data to become a part of agency records. Recommendations to correct these problems served to improve the effectiveness of computer systems and the general quality of management decisions.

Conversely, the lack of technical ADP knowledge by auditors was cited by other internal audit groups as a barrier to their performing effective ADP auditing. The many facets involved in auditing ADP activities require the internal audit staff to possess, collectively, the technical knowledge and capability to perform penetrating reviews and develop meaningful recommendations. Without such capability, attempts at auditing computers may be counterproductive. Adequate training also aids the individual auditor in establishing credibility and rapport with data processing personnel in the agency.

1/Two of our recent reports ("Improvements Needed in Managing Automated Decisionmaking by Computers Throughout the Federal Government," FGMSD-76-5, Apr. 23, 1976, p. 53, and "Computer-Related Crimes in Federal Programs," FGMSD-76-27, Apr. 27, 1976, p. 18) also pointed out the increasing need for auditor involvement in computer applications.

Internal audit reviews show that teams of auditors with a general ADP background, assisted where necessary by ADP audit specialists, can successfully review both technical and nontechnical ADP issues. With accurate assessments of ADP auditing requirements and identification of sources of technical capability, internal audit groups can make significant contributions to increased efficiency and improved performance. Some groups have demonstrated such capability on occasion, and we are hopeful that the examples cited earlier will serve to provide encouragement to those audit groups that have been reluctant to perform computer auditing assignments.
By the same token, it should be recognized that computer audit proficiency is not a static matter. The advancement of computer technology must be matched by continuing and broadening auditor knowledge and capability if the challenge to perform to standards is to be met. Even for those most capable audit groups, the task to maintain technical proficiency is unending. Greater management attention is essential to help insure that all internal audit groups throughout the Federal Government develop and maintain needed ADP auditing capabilities.

RECOMMENDATIONS

We recommend that, for proper and effective response to the challenge of computer auditing, the head of each agency require internal audit groups to:

1. Study the effect of ADP on agency operations, expenditures, and program accomplishments.
2. Determine the extent to which computer activities need to be audited (both ongoing system reviews and audits of specific aspects, such as installation of a new computer-based inventory system).
3. Determine whether enough audit resources are available, and if not, get needed resources by training existing audit staff or hiring people with the necessary skills.
4. Develop and carry out audits that will provide enough coverage to determine that ADP resources are used efficiently, economically, and effectively.
5. Periodically review the internal audit coverage of computer-based information systems and adjust resource allocations accordingly.

We further recommend that the Office of Management and Budget (OMB) monitor the progress of the agencies in these matters.

AGENCY ACTIONS

The comments of OMB, 11 other Federal agencies, and the Postal Service on the material presented in this report are included in appendix III. All were in agreement with our position that the importance of computer auditing is growing and that further actions are required to assure adequate audit coverage.
The General Services Administration indicated further resources would be necessary to bring its coverage up to the level suggested in our report; the Department of the Interior and HEW mentioned problems in developing in-house audit capabilities. Several departments, including the Department of the Interior, outlined actions taken or planned to strengthen and improve ADP audit capability. The replies provide additional information that could be helpful for departments and agencies seeking to further ADP audit capability.

With respect to our recommendation that OMB monitor the agencies in improving their ADP audit capabilities, the Deputy Director stated that this report, together with other recently issued GAO reports and work being done by the Joint Financial Management Improvement Program, provided OMB with a basis for improving its guidance to the agencies and for working individually with the departments and agencies on improvements. OMB told us it shared our concern that internal audit groups develop, maintain, and effectively use capabilities for computer auditing and added that it would encourage agencies to establish adequate management controls, including audits, over their ADP operations. OMB stated:

"Since implementation of the recommendations in this report would rely heavily on agency participation, we would encourage wide dissemination of the report throughout the executive branch."

We are sending copies of the report to the heads of all executive departments and agencies for their information and guidance.
APPENDIX I

AUDIT GROUPS CONTACTED DURING REVIEW

Department of Agriculture--Office of Audit
Department of Defense--Army Audit Agency, Naval Audit Service, Air Force Audit Agency
Department of the Interior--Office of Audit and Investigation
Department of Health, Education, and Welfare--HEW Audit Agency
Department of Housing and Urban Development--Office of Inspector General
Department of Labor--Directorate of Audit and Investigation
Department of Transportation--Office of Audits
General Services Administration--Office of Audits
National Aeronautics and Space Administration--Management Audit Office
Veterans Administration--Internal Audit Service

APPENDIX II

SELECTED SOURCES FOR DEVELOPING ADP AUDIT CAPABILITY

There are many sources of help available to Federal internal audit activities in preparing a plan for developing ADP audit capability. Among them are the following:

LITERATURE AND TRAINING MATERIAL

Institute of Internal Auditors, Altamonte Springs, Florida:
-- "Establishing the Internal Audit Function in EDP: Job Descriptions."
-- "Auditing Computer Centers."
-- "Auditing Fast Response Systems."
-- "Computer Control and Audit," Mair, Wood, and Davis.
-- "Systems Auditability and Control Study" (three volumes).

American Institute of Certified Public Accountants, New York, New York:
-- "Auditing and EDP," Davis.
-- "Statement on Auditing Standards Number 3."
-- "The Auditor's Study and Evaluation of Internal Control in EDP Systems"--an Audit and Accounting Guide.

EDP Auditors Association, Hanover Park, Illinois:
-- "Control Objectives" (second edition).

Canadian Institute of Chartered Accountants, Toronto, Canada:
-- "Computer Control Guidelines."
-- "Computer Audit Guidelines."

General Accounting Office:
-- "Auditing Computers With a Test Deck (With Emphasis on Payroll Applications)."
-- "Guide for Evaluating Automated Systems (Exposure Draft)."
-- "Guide for Reliability Assessment of Controls in Computerized Systems (Financial Statement Audits) (Exposure Draft)."

TRAINING COURSES

Interagency Auditor Training Center, Washington, D.C.
Civil Service Commission, ADP Management Training Center, Washington, D.C.
Department of Defense Computer Institute, Washington, D.C.
Canadian Institute of Chartered Accountants, Toronto, Canada
Institute of Internal Auditors, Altamonte Springs, Florida
American Institute of Certified Public Accountants, New York, New York

Each of these organizations has ADP training courses suitable for improving the knowledge and capability of auditors. In addition, many colleges and universities are enlarging their computer curricula, and a number of firms have developed specialized courses to help auditors develop technical proficiency in computer-related work.

APPENDIX III

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

JUL 21 1977

Honorable Elmer B. Staats
Comptroller General of the United States
General Accounting Office
Washington, D.C. 20548

Dear Mr. Staats:

This is in response to your letter of June 17, 1977 and your draft report entitled "Computer Auditing in the Executive Departments: Is Enough Being Done?" We read the report with great interest and share your concern that internal audit groups throughout the Federal Government develop, maintain and effectively use capabilities for computer auditing.

The increasing use of computer and communications technology within the Federal Government has introduced a variety of new management problems. Among these is the need for assuring adequate management control over the automatic data processing (ADP) function. Auditing is an important tool used by agency management to monitor and control internal operations.
We believe the ADP function should command more attention from agency managers for a number of reasons: (1) ADP impacts significantly upon virtually every aspect of an agency's operations, (2) by its nature ADP permits huge sums of money and large amounts of information to be handled by relatively few individuals, (3) computer users rarely have the ability or knowledge to verify the accuracy of computer systems, and (4) the large and rapidly growing cost of ADP itself.

The Office of Management and Budget will continue to encourage agencies to establish adequate management controls, including audits, over their ADP operations. At the same time, we believe it is the prerogative of the agency head to make the basic assignments of audit responsibility within his agency and to make the priority decisions on the application of these resources. To assist agency management in carrying out the above, Federal Management Circular (FMC) 73-2 "Audit of Federal Operations and Programs by Executive Branch Agencies" was issued in September 1973.

As you know in recent months, in addition to this report, the General Accounting Office has issued two draft reports dealing with Federal Agency Audit operations: "An Overview of Federal Internal Audit" and "Need for More Effective Cross Service Auditing Arrangements." Both of these reports recommend OMB provide additional audit guidance to agencies and direct certain actions to be taken. GAO has also initiated a comprehensive review of internal operations in all the major departments and agencies with work currently underway in five agencies. Also, the recent General Accounting Office draft report "New Methods Needed for Checking Payments Made by Computers" contains recommendations affecting the audit process.
In addition, the Joint Financial Management Improvement Program, which is a joint effort of the Treasury, OMB, the Civil Service Commission and GAO, is conducting a comprehensive study of Federal, State and local audit systems applicable to the Federal Assistance Programs.

Since your report and these other detailed analyses seek to affect audit priorities and allocation of resources, we believe it is important that any additional guidance issued by OMB be in the context of a comprehensive picture of the Government's total needs and priorities. We believe these detailed analyses may provide us a basis for improving the guidance in FMC 73-2 and for working individually with the departments and agencies on improvements.

Since implementation of the recommendations in this report would rely heavily on agency participation, we would encourage wide dissemination of the final report throughout the executive branch. We understand from discussions with your staff that the four agencies cited in Chapter 2 of the report have undertaken action to correct the inadequacies reported.

Thank you for the opportunity to comment on the draft report.

Sincerely,
James T. McIntyre, Jr.
Deputy Director

UNITED STATES OF AMERICA
GENERAL SERVICES ADMINISTRATION
WASHINGTON, DC 2405

July 25, 1977

Honorable Elmer B. Staats
Comptroller General of the United States
General Accounting Office
Washington, DC 20548

Dear Mr. Staats:

Thank you for providing the opportunity to comment on your draft report: "Computer Auditing in the Executive Departments: Is Enough Being Done?"

We agree with your conclusions and recommendations. Your report provides for the possibility of improving agency ADP auditing capability through both the expansion and upgrading of existing auditing staff and the contracting-out for certain auditing specialists.
It would be helpful to the GSA and other agencies if you could provide some guidelines for determining when the improvements can be best satisfied by internal upgrading and when it would be better to go outside for ADP auditing expertise.

As recommended in the report, the Office of Audits in the GSA will be directed to study the impact of automatic data processing on the GSA's operations, expenditures, and programs; to ascertain audit requirements and associated need for resources; to develop and implement an adequate audit program to encompass all aspects of ADP functions; to review periodically audit priorities and evaluate the effectiveness of the audit program.

Although the Office of Audits has been making respectable progress in its endeavors to ascertain the need for audit coverage for both internal computer operations and Government-wide ADP responsibilities deriving from the Brooks Bill, its level of effort falls short of the coverage you recommend. To meet General Accounting Office standards, however, it will be necessary to secure additional resources.

Sincerely,
Administrator

ASSISTANT SECRETARY OF DEFENSE
WASHINGTON, D.C. 2001
COMPTROLLER

a4 AUG' Sa

Mr. Dones. Scantlebury
Director, Financial and General Management Studies Division
U.S. General Accounting Office
Washington, D.C. 20548

Dear Mr. Scantlebury:

This letter responds to the GAO draft report dated June 17, 1977, "Computer Auditing in the Executive Departments: Is Enough Being Done?"

We agree with the basic conclusions and recommendations to assure that the adequacy of audit coverage of ADP operations is periodically evaluated. We fully appreciate the growing dependence on computers and the need for audits within the computer environment in view of the potential for (a) savings, (b) improved efficiency and (c) cost avoidance, and the need for better control of computer-based information systems.
Since ADP is critical to many DoD operations, the mission of internal audit has been logically expanded over the past few years to cover computer auditing as discussed in the GAO draft report. The benefits from this expanded effort have been illustrated in the GAO draft report by inclusion of examples of audit results achieved by the Military Department audit organizations.

We also recognize the need for increased oversight over ADP programs and we are taking steps to further improve audit services within DoD. Under direction of my DASD (Audit), we have initiated a study within DoD (a) to review the nature and extent of internal audit coverage of ADP resources, (b) to define current performance, resources, skills and training problems associated with audit within the ADP environment and (c) to develop suitable overall DoD internal audit guidance for approaching audits of ADP systems and operations. We believe this study is in consonance with the intent of the GAO recommendations.

We noted one point of information in the GAO draft report which requires correction. On page 22, a reference to the Army Audit Agency review of the management and utilization of ADP equipment states that the audit was accomplished at 450 installations. Actually, the Army had 450 installations which had computers when the cited audit was performed. Of these 450 data processing locations 16 were included in the selective audit.

We appreciate the opportunity to comment on this draft report and the observations furnished by your staff concerning computer auditing in the Executive Departments.

Sincerely,
Fred P. Wacker
Assistant Secretary of Defense

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 70410

July 21, 1977

IN REPLY REFER TO:

Mr. Henry Eschwege
Director, Community and Economic Development Division
U.S. General Accounting Office
Washington, D.C.
20542

Dear Mr. Eschwege:

The Secretary has asked me to comment on the proposed draft report "Computer Auditing in the Executive Departments: Is Enough Being Done?"

The Department of Housing and Urban Development (HUD) has already recognized the need for increased emphasis in the area of computer auditing and the Office of Inspector General has taken aggressive action to meet this need. Since GAO contacted HUD on this review, we have recruited three experienced ADP auditors and developed an ADP training program for our audit staff. We have developed an approach to computer auditing that is tailored to the needs of HUD and the capabilities of our audit staff, with consideration of recommendations in prior General Accounting Office (GAO) reports.

Our approach to computer auditing recognizes that the impact of ADP on the Department's operations, expenditures and program accomplishments is more significant than direct expenditures for ADP resources. Consequently, we are emphasizing reviews of automated systems, both existing and under development. In addition, we anticipate significant reductions in manual audit work and increased audit coverage from the use of existing automated systems to support audits of program areas.

We evaluate our computer audit coverage annually when we develop our annual audit plan. We plan to increase our computer auditing as our training program helps us to develop the expertise necessary for this work. In the future, we plan to audit more automated systems and conduct more reviews to assure that ADP resources are used efficiently, economically and effectively.

Sincerely,
James B. Thomas, Jr.
Inspector General

VETERANS ADMINISTRATION
OFFICE OF THE ADMINISTRATOR OF VETERANS AFFAIRS
WASHINGTON, D.C. 20420

AUGUST 18 1977

Mr. Gregory J. Ahart
Director, Human Resources Division
U. S. General Accounting Office
441 G Street, N.W.
Washington, DC 20548

Dear Mr.
Ahart:

Your draft report to the Congress, "Computer Auditing in the Executive Departments: Is Enough Being Done?" was transmitted on June 20, 1977, and I am pleased to offer our comments.

This report summarizes what selected Federal agency internal audit groups are accomplishing in auditing automatic data processing (ADP) systems and controls, and reports on the inadequacy of present coverage and the need for further improvement. Veterans Administration (VA) departments and staff offices reviewed the report and basically agree with your conclusions and recommendations.

Since 1975, substantial improvements have been made in the VA's computer auditing function. In addition to the audit function of the ADP Evaluation Division of our Internal Audit Service, the Department of Data Management ADP Systems Audit Staff has, since 1962, performed technical audits of computer programs.

During July 13 and 19 meetings with staff members of the General Accounting Office Financial and General Management Studies Division, which prepared this report, the VA's progress in improving computer auditing was reviewed. Consequently, certain corrections and changes to the report, suggested by the Internal Audit Service, were accepted and will appear in the final report.

The Veterans Administration will continue efforts to provide the necessary review and evaluation of automatic data processing systems and programs.

Sincerely,
Administrator

DEPARTMENT OF HEALTH, EDUCATION, AND WELFARE
OFFICE OF THE SECRETARY
WASHINGTON, D.C. 2020

AUG 19 1977

Mr. Gregory J. Ahart
Director, Human Resources Division
U.S. General Accounting Office
Washington, D.C. 20548

Dear Mr. Ahart:

The Secretary asked that I respond to your request of June 20 for our comments on your draft report, "Computer Auditing in the Executive Departments: Is Enough Being Done?"
The enclosed comments represent the tentative position of the Department and are subject to reevaluation when the final version of this report is received.

We appreciate the opportunity to comment on this draft report before its publication.

Sincerely yours,
Thomas D. Morris
Inspector General

Enclosure

COMMENTS OF THE DEPARTMENT OF HEALTH, EDUCATION, AND WELFARE ON THE GAO DRAFT REPORT, "COMPUTER AUDITING IN THE EXECUTIVE DEPARTMENTS: IS ENOUGH BEING DONE?"

OVERVIEW

We concur with the recommended five-step approach to determine and maintain an effective response to the computer auditing challenge. Within the HEW Audit Agency we will initiate an office-by-office analysis of the impact of ADP in assigned areas of audit responsibility and estimate as precisely as possible the type and number of resources needed to provide reasonable audit coverage of HEW's computer operations. Once these data are known, a master plan to auditing the computer area can be designed for implementation. The analysis of needed audit resources will be started during the current fiscal year.

The Department endorses GAO's recommendation of a much greater internal audit involvement in the ADP area. We must, however, view this as a much-desired, but long-range goal--due to the very sizeable numbers of resources needed to adequately plan, staff, and perform these audits--and because of problems caused by competing priorities. The above described master plan will be the vehicle by which we will formalize our planning in this area.

The HEW Audit Agency has long performed the first type of computer auditing described in the draft report -- audits of specific computer applications. However, for the second type of auditing -- systems reviews and specific A aspects -- limited work has been performed due to the lack of qualified staff to perform these specialized audits.
Although initial steps have been made toward acquiring needed talent through continuing ADP training for selected staff auditors and the recent employment of two computer systems analysts, upgrading HEW's total ADP audit capability can be a slow process which is dependent on budgetary constraints that traditionally have been tight.

We are pleased that an HEW Audit Agency audit is characterized in the GAO report as an example of good audit coverage of specific computer applications. The example is fairly typical of the in-depth internal audit coverage being directed to automated processes that have a significant impact in relation to the specific objectives of internal audit assignments. Beginning in 1973 with the development of the HEW Computer Audit System (HEWCAS), a computer program which can be used by auditors to extract information needed for audit from a computer file, audits of automated processes have become increasingly sophisticated. It is standard practice now to include use of computer programs, test decks or other advanced techniques in HEW internal audit programs encompassing specific computer applications.

OFFICE OF THE SECRETARY OF TRANSPORTATION
WASHINGTON, D.C. 20590
ASSISTANT SECRETARY FOR ADMINISTRATION

July 15, 1977

Mr. Henry Eschwege
Director
Community and Economic Development Division
U.S. General Accounting Office
Washington, D.C. 20548

Dear Mr. Eschwege:

We have enclosed two copies of our reply to the General Accounting Office draft report "Computer Auditing in the Executive Departments: Is Enough Being Done?"

Please let us know if we can assist you further.

Sincerely,
Edward W. Scot Jr.

Enclosures (2)

DEPARTMENT OF TRANSPORTATION REPLY TO GAO DRAFT REPORT DATED JUNE 17, 1977 ON COMPUTER AUDITING IN THE EXECUTIVE DEPARTMENTS: IS ENOUGH BEING DONE?
SUMMARY OF GAO FINDINGS AND RECOMMENDATIONS

GAO believes -- in view of the potential for: (1) savings, (2) improved efficiency, and (3) cost avoidance, and the need for better control of computer-based information systems -- additional efforts are needed now by both Federal managers and internal auditors to assure that adequate audit coverage is accorded certain areas. These areas are identified as: (1) systems design and development, (2) equipment acquisition, (3) specific applications, and (4) Automatic Data Processing (ADP) installation management.

GAO recommends that, for a proper and effective response to the challenge of computer auditing, the head of each agency require internal audit organizations to:

a. Study ADP's impact on agency operations, expenditures, and program accomplishments.
b. Determine the extent to which computer activities are in need of audit coverage (both ongoing systems reviews and audits of specific aspects such as installation of a new computer-based inventory system).
c. Determine whether available audit resources are adequate to perform the work and, if not, take action to obtain needed resources by: (1) training existing audit staff, (2) hiring needed talent, (3) contracting for such capability, or (4) a combination of these three.
d. Develop and implement an approach to auditing of the computer area that will assure adequate coverage to determine that ADP resources are used efficiently, economically, and effectively.
e. Periodically review the adequacy of internal audit coverage of computer-based information systems and adjust resource allocations accordingly.

GAO is also recommending that the Office of Management and Budget monitor the progress of the agencies in these matters.

POSITION STATEMENT

The Department of Transportation concurs with the GAO conclusions and has or will initiate actions on the recommendations made.

National Aeronautics and Space Administration
Washington, D.C.
20546 Reply to Atr OiW JUL 1 5 1977 Mr. R. W. Gutmann Director Procurement and Systems Acquisition Division U.S. General Accounting Office Washington, DC 20548 Dear Mr. Gutnann: Thank you for the opportunity to comment on the draft report entitled, "Computer Auditing In The Executive Departments: Is Enough Being Done?", which was prepared by GAO's Financial and General Management Studies Division and transtted with your letter, dated June 17, 1977. NASA recognizes that it is essential for adequate controls of computer operations and systems to exist and that internal audits help to assure what these controls are effective. We are currently reviewing our audit coverage of computer activities and the need for increased effort; GAO's draft report will be useful in this connection. The enclosure contains NASA comments on the specific actions by internal audit organizations that are mentioned in the proposed reconmmendation to the head of each agency. We will be pleased to discuss these comments, if you have any questions. Sincerely, ~ '"KennethR. Capman .~ ." .Assistant Administrator for DOD and Interagency Affairs Enclosure 38 APPENDIX III APPENDIX III NASA COMMENTS ON GAO DRAFT .REPORT "COMPUTER AUDITING IN THE EXECUTIVE DEPARTMENTS: IS ENOUGH BEING DONE?" The GAO recommends that, for a proper and effective response to the challenge of computer auditing, the head of each agency require internal audit organizations to take five specific actions. NASA comments on the five actions are presented below. 1. Study ADP's impact on agency operation, expenditures and program accomplishments. ADP has a highly significant impact on NASA opera- tions, expenditures, and program accomplishments both on technical programs and business management processes. NASA management recognizes its responsibility for establishing effective controls over ADP systems. We also recognize the importance of internal audits as a means of assuring such controls exist. 
In analyzing NASA needs for internal audit coverage, we will be studying the relative significance and impact of ADP activities compared to the other NASA operations.

2. Determine the extent to which computer activities are in need of audit coverage (both ongoing systems reviews and audits of specific aspects such as installation of a new computer-based inventory system).

The NASA Management Audit Office annually assesses internal audit needs and establishes priorities in preparing the annual audit plan. Computer activities are included in this annual assessment. We are currently updating a universe of NASA audit needs on a long-range basis. This will include emphasis on the assessment of the need for improved ADP controls and the involvement of the internal auditors both in systems development and in verification of controls.

3. Determine whether available audit resources are adequate to perform the work and, if not, take action to obtain needed resources by (a) training existing audit staff, (b) hiring needed talent, (c) contracting for such capability, or (d) combination of these three.

Our present audit staff will continue to be trained in the audit of ADP. We are currently determining the level of ADP training necessary for our audits as well as exploring the need for the use of more specialized ADP personnel or consultants and advanced computer audit techniques.

4. Develop and implement an approach to auditing of the computer area that will assure adequate coverage to determine that ADP resources are used efficiently, economically, and effectively.

As indicated we will assess the adequacy of our available resources to increase the audit coverage of our ADP operations. Additionally, the internal auditors are working with NASA ADP managers to determine how the auditors can most effectively serve NASA management in the development of systems and in the verification of computer controls.

5. Periodically review the adequacy of internal audit coverage of computer-based information systems and adjust resource allocations accordingly.

The adequacy of audit coverage of NASA's computer-based information systems is considered in the annual audit planning process. Adjustment of resource allocations to accommodate computer audit needs has to be balanced with the priorities of other audit areas.

Duward L. Crow
Associate Deputy Administrator
Date

THE POSTMASTER GENERAL
Washington, DC 20260

July 25, 1977

Mr. Victor L. Lowe
Director, General Government Division
U. S. General Accounting Office
Washington, D. C. 20548

Dear Mr. Lowe:

Thank you for the opportunity to comment on your proposed report to the Congress concerning computer auditing in the Executive Departments.

The report's observations concerning the Service's computer auditing capability are (1) our Office of Audit, Inspection Service, has limited capabilities in the area of computerized systems because it has only one specialist knowledgeable in the design of computerized systems, and (2) the Office of Audit has not been an active participant in the design and modification of computer programs, thus assuring itself of adequate internal controls and auditable trails in these programs.

These observations resulted from a January 1976 review of the Service's payroll system, and though substantially true at that time, have now become outdated as indicated by the following developments:

1. Since July 1976, Inspectors have successfully completed 20 audit software programs. Ten Inspectors are presently able to write computer programs using audit software.

2. In February 1977, procedures were incorporated in our field and management manuals for the use of audit software and the development of computer specialist Inspectors. Our guidelines for specialists govern complement, qualifications, utilization, workload, and training.

3. Since May 1976, the Inspection Service has initiated seven systems development audits, including review of computerized markup, electronic money orders, and the ayoll 1 L'esi .

In order to carry out development auditing policy, a procedure is being formulated so that whenever top-management approves the development of a major new system, the Inspection Service will be notified.

The following comments address each of the report's recommendations--

-- Automatic data processing's impact on Postal Service operations, expenditures, and program accomplishments will be studied next fiscal year through several scheduled audits. During the last fiscal year, management audits were accomplished at the New York and Wilkes Barre Data Centers.

-- The extent to which computer activities are in need of audit coverage is determined through our annual workload planning and a program of audit surveys.

-- The determination of whether available audit resources are adequate to perform the work will be accomplished through the periodic assessments we plan of our new computer audit specialist program.

-- Our audit programs for financial and operational audits include adequate coverage to determine that automatic data processing resources are used efficiently, economically, and effectively.

-- The adequacy of internal audit coverage of computer-based information systems is reviewed periodically through our program of internal management reviews of all levels of Inspection Service management.

We are in agreement with the report's conclusion that additional efforts are needed now by both federal managers and internal auditors to assure adequate auditing coverage of automatic data processing. Postal management has cooperated with the Inspection Service on all audit matters, including automatic data processing, and our new policy of development auditing will require even greater management/audit coordination.

Sincerely,

Benjamin F. Bailar

UNITED STATES DEPARTMENT OF COMMERCE
The Assistant Secretary for Administration
Washington, D.C. 20230

1971

Mr. D. L. Scantlebury
Director, Financial and General Management Studies Division
U.S. General Accounting Office
Washington, D. C. 20548

Dear Mr. Scantlebury:

We have reviewed the GAO draft report on "Computer Auditing In The Executive Departments: Is Enough Being Done?"

We agree with the GAO conclusion that additional efforts are needed by Federal managers and internal auditors to assure adequate audit coverage of ADP applications. In recognition of this need, our Office of Audits, in fiscal year 1977, initiated reviews of the design and development of automated administrative systems and allocated staff time in our audit plans to review automated decisionmaking applications within the Department. Also, the Office has audited controls over computerized payroll processing operations at the National Bureau of Standards and the National Oceanic and Atmospheric Administration.

Further, the Office has provided staff for a Department-wide evaluation of ADP installations. Specific areas being evaluated include (1) the implementation of proposed computer systems as set forth in Departmental approved budgets and requirements studies, (2) utilization of ADP equipment, (3) procedures and controls to assure that only significant applications are computerized, (4) user charges for ADP services, (5) users' satisfaction with timeliness of services and accuracy of output, (6) comparative cost analyses for in-house versus contractual services, and (7) procedures and measures for security and protection.

During the last year the Office provided formal training to selected staff members in computer technology and COBOL and in auditing (1) systems supported by ADP equipment, (2) security in an ADP environment, and (3) the management of ADP centers.
The Office of Audits plans to continue to increase its understanding of the total computer area available for audit, as a basis for further development and implementation of a systematic approach to audits in that area. In this connection, the Office of Audits has hired new talent in the ADP field. However, in order for audits in the computer area to be truly effective, the Office of Audits will train additional auditors who can specialize in the auditing of ADP systems and ADP management. To be proficient requires a specialization of auditors in the ADP field so that an overall understanding can be developed and maintained of the various areas ADP encompasses within the Department.

It was pointed out in a recent GAO audit report that the current audit cycle of the Office of Audits is unduly long and additional audit coverage is needed in all areas. Accordingly, the Office will continue to reassess the resources allocated to ADP auditing in relation to its total requirements, as part of its annual audit planning.

Sincerely,

Elsa A. Porter
Assistant Secretary for Administration

U.S. DEPARTMENT OF LABOR
OFFICE OF THE ASSISTANT SECRETARY FOR ADMINISTRATION
WASHINGTON, D.C. 20210

21 JUL 1977

Mr. Gregory J. Ahart
Director, Human Resources Division
U. S. General Accounting Office
Washington, D.C. 20548

Dear Mr. Ahart:

Thank you for the opportunity to review and respond to the draft report, "Computer Auditing In The Executive Departments: Is Enough Being Done". We are pleased to provide you with the following comments stating the efforts taken by the Directorate of Audit and Investigations (DA&I) in Computer Auditing.

Beginning in FY 1972, the DA&I utilized the Department's ADP Technical Evaluation staff to provide technical assistance to the audit staff in four audits of State Employment Security ADP Operations which were either fully or partially funded by the Department of Labor.
A separate report was issued for each review to the auditee and the regional Employment and Training Administration (ETA) containing their comments. A summary report was then issued to the Assistant Secretary of ETA discussing the results of the reviews which required attention by the Department. The following areas which needed improvement were reported:

-- Reasonable and prudent planning and financial management practices did not exist;

-- Where the States were trying to centralize the ADP operations, Federal regulations were not being followed by the State, regional Federal and national Federal authorities;

-- Procurement practices in the following needed to be improved:
   - personal service contracts
   - equipment acquisitions
   - competitive procurement; and

-- Inefficient use of electronic accounting machines when capacity was available on the computer.

Management responded to the above findings and promised to take corrective action.

In August 1975, the Department's ADP Technical Evaluation Staff was transferred to DA&I and became the Office of ADP Evaluations (OADPE). During the two years of its existence our OADPE has regularly conducted ADP operational audits; system control audits; ADP cost determinations; audit software development and technical assistance; and design, development, and implementation of retrieval and analysis software in support of financial and compliance audits, and operational program audits.

During fiscal year 1978, DA&I will determine the specific methodology of implementing a multi-tiered approach to ADP auditing which will include enhancing the ADP skills of our general staff auditors. It is our judgement that these approaches will provide DA&I with an increased capability to address the complex problems of an automated environment.

Sincerely,

Assistant Secretary for Administration and Management

U.S. DEPARTMENT OF AGRICULTURE
OFFICE OF AUDIT
OFFICE OF THE SECRETARY
WASHINGTON, D.C. 20250

JUL 26 1977

Mr. Henry Eschwege, Director
Community and Economic Development Division
U. S. General Accounting Office
Washington, D. C. 20548

Dear Mr. Eschwege:

We have reviewed the draft of the proposed GAO Report to Congress entitled "Computer Auditing in the Executive Department: Is Enough Being Done?" We appreciate the opportunity to review and comment on behalf of the Department before the final report is issued. Our detailed response is attached.

We in the Office of Audit (OA) see our role as a service agency to the Secretary and to USDA offices and agencies. We maintain a high degree of flexibility to respond to requests for audit service. It is our view that we have taken affirmative actions to keep pace with the need to develop manpower and implement audit programs geared to the computerized environment.

OA has performed work in all areas covered by the GAO recommendations. For example, we have been directly involved in USDA hardware and software procurements to determine their impact on agency operations, expenditures and program accomplishments. Additional emphasis on monitoring major ADP systems development as noted on page 15 of the draft report has resulted in (1) cost avoidances, (2) more effective system controls, and (3) improved auditability of systems.

OA, in coordination with the Office of Automated Data Systems (ADS), established and maintains an inventory of USDA ADP applications. This inventory is used to determine which "computer activities are in need of audit coverage" and which computer-based information systems support related audit work.

We established and aggressively implemented an ADP oriented training program for auditors. OA has hired ADP professionals and secured the service of outside ADP contractors to augment the existing staff as required. We audit Departmental computer centers; minicomputer and ADP terminal installations; and existing application systems to maximize efficient, economical, and effective use of ADP resources. Finally, we annually review the adequacy of internal audit coverage of computer-based information systems and make appropriate resource adjustments.

We substantially agree with the issues and recommendations in the report. There is a strong correlation between these and the actions we have taken to improve our ADP audit management.

If you have comments or questions about our response, we will be pleased to discuss them with you or your staff.

LE !ARD'.GRE
Director

Attachment

Response to Specific GAO Recommendations

GAO Recommendation.

"Study ADP's impact on agency operations, expenditures, and program accomplishments."

OA Comments.

More than two years ago, the Director, Office of Audit, recognized the importance of including this recommendation in internal audit procedures. Since then OA has established the Financial Management and Automated Systems Division (FM&ASD) with assigned responsibilities to initiate and coordinate ADP audit work. FM&ASD provides guidance and technical assistance to the audit staff in assessing ADP's impact on agency operations, expenditures, and program accomplishments.

FM&ASD initiated a program to involve OA in major ADP hardware and software procurements, and USDA system development activities. In addition to auditing the requirements analyses, economic analyses, and workload projections, OA reviews the overall impact of the new ADP activity.

GAO Recommendation.

"Determine the extent to which computer activities are in need of audit coverage (both ongoing systems reviews and audits of specific aspects such as installation of a new computer-based inventory system)."

OA Response.

Over a year ago, OA established an inventory of major USDA operational ADP systems, an inventory of new USDA systems under development, and an inventory of non-USDA systems funded by USDA (e.g. Automated Food Stamp Systems).
In coordination with the Office of Automated Data Systems, the Agency Senior ADP Managers and the Agency Applications Review Boards, OA updates and maintains these inventories. The inventories are reviewed from time to time to determine the extent to which computer activities are in need of audit coverage.

OA maintains a staff at the major USDA computer sites to periodically audit individual applications, utilization of facilities, security, etc. The same staff also monitors new system development activities to insure adequacy of audit trails, testing procedures, internal controls, project management, etc. Specifically, our audit team in St. Louis has assisted the Farmers Home Administration in the development of its Unified Management Information System by identifying inadequate controls and suggesting more effective mechanisms for project management. At New Orleans, our audit team has pointed out weaknesses in the National Finance Center's Central Accounting System testing, certifying and implementation procedures and in overall project management and control.

Audit work is also programmed for ongoing ADP activities, such as utilization of minicomputers & terminals, accuracy of input data, and utilization of facilities.

GAO Recommendation.

"Determine whether available audit resources are adequate to perform the work and, if not, take action to obtain needed resources by (a) training existing audit staff, (b) hiring needed talent, (c) contracting for such capability, or (d) a combination of these three."

OA Comments.

OA has elected to follow option (d) in the recommendation. Two years ago, OA established a comprehensive training model to insure the audit staff receives proper ADP training. Now, 40% of OA's staff has received basic ADP training and 20% advanced ADP training. OA management has also hired 6 senior level computer specialists and currently has vacancies for an additional computer specialist and an EDP auditor. In addition, we have contracted for outside technical services to augment our staff's expertise.

GAO Recommendation.

"Develop and implement an approach to auditing of the computer area that will assure adequate coverage to determine that ADP resources are used efficiently, economically and effectively."

OA Comments.

In 1975, OA contracted with A. D. Little Company to perform an audit of the USDA Washington Computer Center and prepare an audit guide for OA use in auditing the other four Departmental Computer Centers (DCC). We have completed audits at each center, except St. Louis, which was audited, in part, by GAO in 1976. FM&ASD schedules audits of each DCC on a cyclical basis, approximately 18 to 24 months apart. OA staff has also audited or will audit other Departmental ADP facilities. We evaluate lease vs. purchase analyses, utilization data, workload projections, etc., to determine "ADP resources are used efficiently, economically and effectively."

GAO Recommendation.

"Periodically review the adequacy of internal audit coverage of computer-based information systems and adjust resource allocations accordingly."

OA Comments.

Every four months, FM&ASD evaluates accomplishment and adequacy of internal audit coverage of computer-based information systems. As a result of this evaluation, FM&ASD makes adjustments to work priorities and resource allocations. Annually, FM&ASD, in coordination with Regional Managers, other Division Directors, and the Assistant Director for Operations: (1) performs a detailed analysis of previous accomplishments, (2) establishes a prioritized audit program for the coming year, and (3) re-allocates resources for program accomplishment. However, because our program is flexible resources can be diverted or re-allocated as conditions warrant.

United States Department of the Interior
OFFICE OF THE SECRETARY
WASHINGTON, D.C. 20240

JUL 2?1977

Mr. Henry Eschwege
Director, Community and Economic Development Division
General Accounting Office
Washington, D.C. 20548

Dear Mr. Eschwege:

We have reviewed your proposed report to the Congress entitled "Computer Auditing in the Executive Departments: Is Enough Being Done?" We agree with your report's conclusions that additional efforts are needed now by internal auditors to assure that adequate audit coverage is given to computers and automated applications. We also agree with the report's recommendations.

However, we feel that the report is somewhat unbalanced because it does not report on the efforts of individual internal audit groups, such as the Department of the Interior, to develop and/or improve their ADP audit capability. Since April 1975 we have provided introductory training on ADP auditing to more than 50 auditors (40 percent) of our regular audit staff. More intensive ADP audit training has been provided to 18 auditors. We have also performed preinstallation and postinstallation audits of ADP applications plus computer equipment acquisition audits, as follows:

Audit Report                              Type of Audit            Date of Review

Automatic Customer Accounting             System development,      3-15-76
  System - Earth Resource Observation     Equipment acquisition
  System Data Center

Review of the Government of               System development       4-15-76
  American Samoa Financial
  Accounting System

Department of the Interior                Computer application     6-21-76
  Denver Payroll System

Billings Area Office                      System development,      9-21-76
  Indian Information System               Equipment acquisition

Mining Enforcement Safety                 Equipment acquisition    10-15-76
  Administration's ADP System

U.S. Fish and Wildlife Service's          Computer application     10-15-76
  Refuges Program Planning -
  Budgeting Evaluation System

Mining Enforcement Safety                 Computer application     7-12-77
  Administration's Accident/Injury
  and Employment/Production Data
  Information Systems

The report also does not discuss the problems associated with developing in-house ADP audit capability, which appears to be the approach most Federal agencies are taking. Problem areas are:

- Selection and/or recruitment of staff resources
- Meeting the training requirements of the ADP auditor
- Turnover of ADP auditors once trained

The report recommends that audit groups engage in four types of ADP audit: (1) system design and development, (2) equipment acquisition, (3) computer applications, and (4) ADP installation management. One other type of audit, operational audit of ADP functional areas, should also be included. This type of audit would include topics such as:

- Data entry techniques
- ADP standards
- ADP communications
- ADP project management, etc.

Although these topics are reviewed during the audits of ADP installation management, agencies with several ADP centers must provide centralized standards and guidelines because of the absence of industry standards or criteria of performance.

We concur with the report's recommendation that internal audit groups study ADP's impact on their agency's operations, expenditures, and program accomplishment. However, we believe this action, as recommended, would only provide one-time data, part of which could be used to establish the ADP audit requirement (also on a one-time basis). We suggest that an additional recommendation be included to require agencies to maintain an ADP resource and application inventory that provides an up-to-date reference of an agency's ADP operations and program impact.
With regard to the recommendation for more audits in ADP equipment acquisition, we feel it important to point out that most ADP procurements today take place in a goldfish bowl, observed closely by the General Services Administration and the Office of Management and Budget, as well as by Congressional staffs. We wonder if additional audits of these functions would provide the highest marginal payoff for the use of these scarce audit resources.

We appreciate the opportunity to review and comment on your proposed report. Your final report should be of considerable value to us in establishing our annual ADP audit requirements.

Sincerely,

Deputy Assistant Secretary
Policy, Budget and Administration

GAO note: Page references in this appendix refer to the draft report and may not correspond to this final report.

(91310)
Computer Auditing in the Executive Departments: Not Enough Is Being Done
Published by the Government Accountability Office on 1977-09-28.