oversight

Computer Auditing in the Executive Departments: Not Enough Is Being Done

Published by the Government Accountability Office on 1977-09-28.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                         DOCUMENT RESUME
03680 - [B2794022]

Computer Auditing in the Executive Departments: Not Enough Is
Being Done. FGMSD-77-82; B-115369. September 28, 1977. 22 pp. +
3 appendices (52 pp.).
Report by Elmer B. Staets, Comptroller General.
Issue Area: Automatic Data Processing:   uality of ADP Products
     (108); Internal Auditing Systems: Sufficiency of Federal
    Auditors ad Coverage (201).
Contact: Financial and General Management Studies Div.
Budget Function: Miscellaneous: Automatic Data Processing
     (1001).

          Fcur major areas are of audit interest in automatic
data processing, in addition to the usual task of verifying
data. These are: systems design and development, equipment
acquisition, specific applications, and installation management.
Benefits to be accrued from better controlled computer-based
information systems include: savings, improved efficiency, and
cost avoidance. Recommendations: The head of each Federal
agency should require internal audit organizations to: (1) study
the effect of automatic data processing on agency operations,
expenditures, and program accomplishments; (2) determine the
extent to which computer activities need to be audited (both
ongoing systems reviews and audits of specific aspects); (3)
determine whether enough audit escurces are available and, if
not, get needld resources by training existing audit staff or
hiring people with the necessary skills; (4) develop and carry
out audits that will provide enough coverage to determine that
resources are used efficiently, economically, and effectively:
and (5) peric¢ically review the internal audit coverage of
computer-based information systems and adjust resource
allocations accordingly. The Office of Management and Budget
should monitor the progress of the agencies in these matters.
(Author/SC)
                REP(')R T 7'0 7tH'1 ('ON( R1FSS
   o00
,,,,O    s
                BY ''HE CMTR IJ,.. (,II-ENEIRAl,
                                             ..

                OF THE UNI''1 ?ES7'A 7'ES
                (I




               Computer Auditing In The Executive
               Departments: Not Enough Is
               Being Done

               Federal agencies spend billions each
                                                    year on
              computer systems. Internal audit
                                                     grouos
              should be active to help assure management
              that the computer systems are working
                                                        and
              under adequate control.

               However, some audit organizations
                                                      have
              avoided computer-related work. While
              excellent auditing has been done,      some
                                                much more
              work is needed. This report recommends
              actions management in each Federal
                                                   agency
              should take to monitor computer-related
              tivities adequately.                     ac-




             FGMSD-77.82
                                                       SEPTEMBER 28, 1977
               COMPTROLLER GENEIIAL OF THE UNITED STATES
                          WASHINGTON. D.C.   2054




B-115369




To the President of the Senate and the
Speaker of the House of Representatives

     Many Federal agencies use computers extensively in the
accomplishment of their mission.  Internal audit organizations
should be reviewing computer systems to help provide assur-
ance that the systems are properly designed, are operated
efficiently, economically, and effectively, and are producing
reliable results. This report discusses Federal internal au-
dit organization coverage of computers and makes suggestions
for Government-wide improvements.

     We made our study pursuant to the Budget and Accounting
Act, 1921 (31 U.S.C. 53), and the Accounting and Auditing Act
of 1950 (31 U.S.C. 67).

     We are sending copies of this report to the Director,
Office ,)f Management and Budget, and to the heads of Federal
departments and independent agencies.




                                Comptroller General
                                of the United States
  COMPTROLLER GENERAL'S               COMPUTER AUDITING IN THE
  REPORT TO THE CONGRESS              EXECUTIVE DEPARTMENTS:   NOT
                                      ENOUGH IS BEING DONE

             DIGEST
             "Computer error."
             "Computer fraud."
             "Computer systems failure."

             These and similar terms are frequently
             heard in connection with Government sys-
             tems, and millions of dollars of losses
             or waste have been ascribed to them.
             However, since the computer merely follows
             its instructions, blaming the computer is
             inappropriate; the faults lie with people.
             Proper controls are either not in place or
             not working effectively when fraud, error,
             or failure takes place.

             Controls are a basic responsibility of
             management; computer failures represent
             failures by management. With the assistance
             of good internal auditing, management can
             find out whether proper controls exist and
             whether the systems are functl.iing well.

            At some selected Federal agencies we
            reviewed, internal auditing of automatic
            data processing systems and controls has
            been inadequate.  Improvement is needed.
            Some internal audit 'organizations are
            doing good work in the computer field, but
            the record is sotty at best. In some
            agencies, little audit attention has been
            paid to automatic data processing despite
            its importance to agency programs.

            Responses by auditors tc the challenge of
            computer auditing have been uneven. Some
            organizations in and out of the Government
            have done excellent work; others have
            avoided contact with computers wherever
            possible. Such audit   ork does not meet
            recognized audit sta_    'a  (See p. 9.)

                                                     FGMSD-77-82
    fhot.
  Taw            ravotvl, the
hoer'Bre Riould b nte ht. rport   1
Foul major areas are of audit interest in
automatic data processing, in addition to
the usual task of verifying data. These
are (1) systems design and development,
(2) equipment acquisition, (3) specific
applications, and (4) installation manage-
ment. Examples of good internal audit
work in those four major areas follow:

-- The Air Force avoided $31.5 million in
   costs by making changes as a result of
   an audit of a proposed system. (See
   p. 13.)
-- A Naval Audit Service review of
   acquisition of equipment showed that
   too much of one type of equipment and
   too little of another type were Leing
   ordered.  (See p. 14.)
-- The Department of Health, Education, and
   Welfare established improved controls in
   input and output in a medicare system as a
   result of an internal audit. (See p. 15.)

-- A servicewide review of the Army's
   management and use of computer equipment
   resulted in identifying and correcting
   20 problem areas. (See p. 16.)
More work is needed by both Federal
manageLs and internal auditors to make sure
that audits adequately cover the four areas
and that computer-based information systems
are better controlled. Benefits could in-
clude savings, improved efficiency, and
cost avoidance.

RECOMMENDATIONS
The head of each Federal agency should
require internal audit organizations to:

1.   Study the effect of automatic data
     processing on agency operations, expend-
     itures, and program accomplishments.



                      ii
             2.   Determine the extent to which computer
                  activities need to be audited (both
                  ongoing systems reviews and audits of
                  specific aspects, such as nstallttion
                  of a new computer-based inventory
                  system).
             3.   Determine whether enough audit resources
                  are availble, and if not, get needed re-
                  sources by training existing audit staff or
                  hiring people with the necessary skills.
             4.   Develop and carry out audits that will
                  provide enough coverage to determine
                  that resources are used efficiently,
                  economically, and effectively.
             5.   Periodically review the internal audit
                  coverage of computer-based information
                  systems and adjust resource allocations
                  accordingly.
             The Office of Management and Budget should
             monitor the progress of the agencies in
             these matters.

             AGENCY ACTIONS

             The agencies that GAO asked to comment on
             the matters in this report agreed that
             actions are required to provide adequate
             audit coverage. The Office of Management
             and Budget suggested that, since carrying
             out GAO's recommendations would require
             agency assistance, this report be distri-
             buted throughout the executive branch.
             (See p. 22.) This is being done.




Tear Sheet


                                  iii
                         Contents

                                                       Page
 DIGEST
 CHAPTER

       I    INTRODUCTION                                    1
                What is computer auditing?
                The role of the computer and its
                  impact on auditors
                Scope
                                                            3
       2    MANY AUDIT ORGANIZATIONS HAVE AVOIDED
              WORK IN COMPUTER SYSTEMS AND
              APPLICATIONS                                  5
                Private sector
                Government sector                           5
                Auditing standards and ADP                  6
                Research study on computer audit            9
                  work                                  10
                Summary
                                                        11
      3    HOW FEDERAL INTERNAL AUDITORS ARE
             CONTRIBUTING TO IMPROVED ADP MANAGEMENT
                                                       12
               Audits of system design and
                 development                           12
               Audits of equipment acquisition
               Audits of computer applications         14
               Audits of ADP installation management   15
               Need for greater coverage               16
                                                       17
   4       CONCLUSIONS AND RECOMMENDATIONS
               Internal audit involvement is needed    19
               Recommendations                         19
               Agency actions                          20
                                                       21
APPENDIX
   I       Audit groups contacted during review
                                                       23
 II        Selected sources for developing
                                           ADP
             audit capability
                                                       24
III        Agency responses
               Office of Management and Budget
                                                       26
               General Services Administration
               Department of Defense                   28
                                                       29
                                                  Page
APPENDIX

 III (cont.)   Department of Housing and Urban
                 Development                       31
               Veterans Administration             32
               Department of Health, Education,
                 and Welfare                       33
               Department of Transportation        35
               National Aeronautics and Space
                 Administration                   38
               United States Postal Service       41
               Department of Commerce             43
               Department of Labor                45
               Department of Agriculture          47
               Department of the Interior         52

                        ABBREVIATIONS

ADP        automatic data processing
EDP        electronic data processing
GAO        General Accounting Office
HEW        Department of Health, Education, and
             Welfare
OMB        Office of Management and Budget
                         CHAPTER 1
                        INTRODUCTION
     Have internal auditors in the Federal Government
provided adequate coverage of their agencies' computer-based
systems? This question arises when one considers the magni-
tude of the Government's annual expenditure in the automatic
data processing (ADP) area, together with persistent and
disquieting reports of costly "computer mistakes," many of
which had escaped the auditor's attention.

     ADP has become an essential and integral part of the
operation of nearly every segment of Government activity.
Over 10,000 computers are at work in the Federal Government,
and a conservative estimate is that in excess of $10 billion
is spent annually for ADP. Internal audit groups should be
helping top management assure that these immense resources
are used efficiently and managed effettively.

     We made this study to ascertain what can be and is
being done in the area of computer auditing by internal audit
groups within the Government. We learned during the review
that there are widely divergent approaches and concepts in
computer auditing.
WHAT IS COMPUTER AUDITING?

     In this report, we use the terms "computer auditing"
and "ADP auditing" interchangeably. Computer auditing can
be generalized into two broad categories. The first is
auditing of what is done by a computer (that is, an audit
of a computer application).  For example, if an auditor
is assigned to review a computerized payroll system, his
work will encompass such matters as the adequacy of various
controls: controls over material entered into or "input to"
the computer, over the integrity of the computer's process-
ing, and over computer outputs. The second type of ADP
auditing is much broader and goes far beyond just the com-
puter system itself. This type of work may involve ques-
tions such as:

    -- Is the system properly designed?
    -- Is there a valid requirement for the system
       or application?
     -- Is the computer being operated efficiently?
     -- Are the sstem procedures documented properly,
        and are tey up tc date?
     --Are the functional users satisfied with the
       output product?

     -- Is the computer configuration appropriate for
        the work to be performed?
     -- Are all personnel (ADP as well as functional staff)
        adequately trained for operation and use of the
        system?
     --Should the computer have been purchased rather than
       leased, or should a different type of acquisition
       have been made (for example, lease with option to
       purchase)?
     --Are the data processing and associated resources
       used effectively and efficiently?
     Generally, independent public accountants auditing
private corporations and businesses are concerned primarily
with the first type of computer auditing because their work
is often aimed toward verifying financial statements, and
controls over the computer system may have a significant
bearing on reliability of financial statements produced by
that system. Both types of computer auditing are within
the province of the internal auditor, who is responsible to
management for helping assure that operations are being car-
ried out economically, efficiently, and effectively in ac-
cordance with the directives of management. Our review
pointed out, however, that too many internal audit groups
shun ADP auditing, particularly the second aspect.
THE ROLE OF THE COMPUTER AND
ITS IMPACT ON AUDITORS

     The environment of auditing has changed materially in
the last decade, and this change has been compounded by
technological advances in ADP. The complexity of modern
computer operations has brought new challenges to auditing
and has made it necessary for internal audit groups to
develop additional capabilities to function effectively in
an ADP environment.




                               2
      This report was prepared to (1) inform the
 the level of involvement of internal            Congress on
                                      audit in the management
 of Federal agencies' ADP resources and (2)
 activity in the ADP area by the internal   stimulate greater
                                          audit groups in
 those agencies where further effort is needed.

      This report is addressed to three groups
 purposes described:                           for the

 Addressee                       Purpose
 The Congress                    To alert the Congress to the
                                 problem of internal auditors'
                                 inadequacies in evaluating the
                                 ADP resources of an agency.

 Heads of agencies               To alert them to the role that
                                 internal auditors should play
                                 in improving management of ADP
                                 resources.
Federal internal auditors    To show what internal audit
                             groups have done in the ADP
                             systems area--the positive
                             results achievable and the
                             approaches taken in auditing
                             specific facets of ADP, to
                             point out sources of training,
                             and to spur into action and
                             involvement those audit groups
                             that have not developed an
                             adequate ADP audit capability.
SCOPE

     We reviewed the activities of internal audit
12 Federal agencies to identify examples           groups in
ment in ADP. The internal audit groups     f audit involve-
                                         included in this
review are listed in appendix I.
     Senior managers and staff auditors in
interviewed to identify approaches used in these groups were
                                            planning, staff-
ing, and conducting ADP audits. We also
ADP-related audit reports which the audit examined selected
                                           groups believed




                             3
best represented their ADP auditing efforts. Examples of
those audits are highlighted in chapter 3. The phenomenon
of auditors' noninvolvement or avoidance of computer work
is discussed in chapter 2.




                            4
                         CHAPTER 2

        MANY AUDIT ORGANIZATIONS HAVE AVOIDED WORK
            IN COMPUTER SYSTEMS AND APPLICATIONS

     There i a long history of audit organizations'
aversion to work involving computers and computer-based
applications.
PRIVATE SECTOR

     This situation has been reflected in many articles in
auditing publications. For example, in a recent issue of
The Internal Auditor three articles appeared on auditing of
electronic data processing (EDP), and all of them made
reference to th s aversion:
          "It is commonly accepted that the function
     of auditing and controlling data processing systems
     in many organizations is lagging behind * * *." 1/



          "The internal computer audit capability in
     many major companies is underdeveloped. Management
     is becoming increasingly aware of a computer audit
     gap because of audit shortcomings and publicity about
     recent cases of control failures and computer frauds.
          "Management is realizing that a company may be
     vulnerable to embarrassing and costly conputer-
     related losses and that the internal auditors may
     not be able to satisfactorily assure the adequacy
     of computer system controls.
          "Auditors have been reluctant to establish
     strong computer auditing. * * *"
                   *    *    *       *   *




1/F. F, George and F. B. Palmer, "Systems Audicability and
  Control," The Internal Auditor, Apr. 1977, p. 14.




                              5
          "In many companies, computer auditing has
     languished, while the computer system has become
     more and more sophisticated. Today's prospec-
     tive EDP auditors must often develop their
     expertise with little guidance and within a
     system already too complex for their limited EDP
     training." 1/


          "With some slight variations, there are
     four basic approaches to auditing systems devel-
     opment:  none at all, periodic, responsive, and
     participative.
          "A none-at-all approach is still taken by
     far too many organizations, either by design or
     for one or more of the following reasons: insuf-
     ficient manpower, lack of EDP knowledge on the
     part of the staff, resistance from either senior
     or data-processing management, and so forth." 2/
GOVERNMENT SECTOR

     That this situation is not limited to auditors outside
Government is demonstrated by the following excerpts from
previous GAO reports:

          "Our survey at DPC Hines [Veterans Administration]
     raised questions concerning the effectiveness of
     controls programed in the computer runs of the C&P
     [compensation and pension] system in assuring
     the completeness and accuracy of processing
     transactions.   * * *

          "DPC Hines should take more stringent
     measures to assure the reliability of the net-
     work of controls because (1) benefit payments




1/D. R. Byrne, Jr., and G. M. Scott, 'Closing the Computer
  Audit Gap," The Internal Auditor, Apr. 1977, p. 27.

2/R. C. Culbertson, "Responsive Auditing of Systems Develop-
  ment," The Internal Auditor, Apr. 1977, p. 33.




                             6
     processed by the system are substantial--about
      $7.4 billion in fiscal year 1975. * * *"

                 *     *     *     *     *


           "* * * internal auditors should   ontinually
     monitor the computer operation and perform neces-
     sary appraisals to determine whether an effec-
     tive and reliable system is functioning. In the
     absence of such independent evaluations, computer
     operations are vulnerable to undetected error,
     misuse, and possible fraud.
           "We were informed by the Internal Audit
     Service resident staff at DPC Hines that, because
     of insufficient manpower, they have not reviewed
     and evaluated the adequacy of controls over com-
     puter processing in the C&P system. We were tol',
     however, that future audit effort by this staff
     will include increased emphasis on controls within
     the C&P system at DPC Hines." 1/



           "The Office of Inspector General
      'Department of Housing and Urban Development]
     has made limited audits of the automated por-
      tions of the payroll system. Its internal
     auditors have made audits which have concen-
     trated on evaluating the controls over prepar-
     ing and entering information for computer
     processing and over computer outputs.   It has
     not, however, thoroughly tested controls in
     programs used to compute pay amounts. The
     Inspector General's staff has not actively
     monitored the design and development of HUD's
     new payroll system." 2/



          "The Office of Audits [Department of
     Commerce] has made only limited reviews of the

I/Letter report to the Veterans Administration on Compensation
  and Benefit Payment System, MWD-76-90, Feb. 6, 1976.
2/Need for Improvements in the Automated Payroll System of the
  Department of Housing and Urban Development," FGMSD-75-31,
  June 18, 1975.


                             7
     automated parts of the payroll system. We noted
     that the Office of Audits did not participate
     in designing and developing automated systems
     and did not review the systems on a continuing
     basis afteL they become operational." 1/


           "We did not make a review of the audit
     programs used by the Office of Audit [Postal
     Service] in its payroll audits; we did, how-
     ever, observe two areas that could be strength-
     ened, (1) the Office has limited capabilities
     in the area of computerized systems because
     it has only one specialist knowledgeable in
     the design of computerized systems and (2) the
     Office nas not been an active participant in
     the design and modification of computer pro-
     grams, thus assuring itself of adequate inter-
     nal controls and auditable trails in thesa
     programs." 2/

     Large sums are involved in the systems discussed in
the above examples, and the need for auditors to assess the
adequacy and effectiveness of control is obvious. All the
departments cited above have taken action to correct the
specific control deficiencies cited in the reports. For
example, the Veterans Administration increased the number
of resident auditors at its data processing centers and also
conducted a control analysis team study to identify control
deficiencies in systems. The Veterans Administration is
continuing its efforts to assure that effective controls
exist in its ADP systems.
     Conversely, during our review, several audit staffs
indicated to us that they simply do not have the technical
competence to perform auditing in the computer environment.
Since they do not in fact have this technical knowledge,
they simply try to avoid all contact with ADP.



l/Need for More Effective Controls Over Computerized Payroll-
  Processing Operations," FGMSD-76-3, Nov. 10, 1975.

2/"Review of Postal Service Payroll System", GGD-77-37,
  Mar. 15, 1977.




                             8
AUDITING STANDARDS AND ADP
     Over the years, standards have been developed for
measuring the quality of audit work. The American Institute
of Certified Public Accountants, the nstitute   of Internal
Auditors, and the Comptroller General of the United St    :s
have promulgated standards which apply, respectively,  to
independent public accountants' auditingy, internal auditing,
and audits of governmental organizations, programs,
activities, and functions.
     Basic to each of these standards is the concept of
technical proficiency of the audit staff. A recent article
dealing with meeting these standards in the external auditor's
evaluation of controls in computer-based systems stated:
     "* * * I   order Lo perform properly the required tasks
     of reviewing and evaluating internal control and per-
     forming subsequent substantive tests of the financial
     data, the minimum EDP knowledge requirements of the
     general staff auditor should include

          1.    A basic understanding of computer systems,
                including equipment components and their
                general capabilities.

          2.    A basic understanding of widely installed
                computer operating systems and software.

          3.    A general familiarity with the file proc-
                essing techniques and data structures.

          4.    Sufficient working knowledge of computer
                audit sofAware to use existing standard-
                ized audit packages.

           5.   The ability to review and interpret system
                documentation including flowcharts and
                record definitions.

           6.   Sufficient working knowledge of basic EDP
                controls to

                a.   Identify and evaluate the controls in
                     effect in the client's installation.




                                9
               b.   Determine the extent to which such
                    controls should be tested and to
                    evaluate the results of such tests
                    (although not necessarily to
                    execute such tests).
          7.   Sufficient knowledge of EDP systems to
               develop the audit plan and supervise
               its execution.

          8.   A general familiarity with the dynamics
               involved in developing and modifying
               programs and processing systems.
     "Many audit situations will call for a level
     of EDP knowledge above thac of the general audit
     staff member; for these situations an auditor at
     the level of a computer audit specialist will be
     required. * * " 1/

     The concept of the auditor calling on a specialist to
assist in auditing computers is reflected in the Comptroller
General's "Standards for Audit of Governmental Organizations,
Programs, Activities & Functions," which states:
     "If the work requires extensive review of
     computerized systems, the audit staff must include
     persoas having the appropriate computer skills.
     These skills may be possessed by staff members or
     by consultants to the staff."
RESEARCH STUDY ON COMPUTER AUDIT WORK
     The need for auditors to develop their technical
competence and perform work in the computer area is further
supported by the report of the Institute of Internal Audi-
tors' Systems Auditability & Control Study, hose principal
conclusions include:
     "Internal auditors must participate in the system
     development process to ensure that appropriate



1/E. G. Jancura and F. L. Lilly, "SAS No. 3 and the Evalua-
  tion of Internal Control," Journal of Accountancy,
  Mar. 1977, p. 69.


                              10
     audit and control features are designed into new
     computer-based information systems.
     "Verification of controls must occur both before
     and after installation of computer-based infornia-
     tion systems.
     "As a result of the growth in complexity and use
     of computer-based information systems, needs exist
     for greater internal audit involvement relative to
     auditing in the data processing environment.

     "An important need exists for EDP audit staff
     development because fw internal audit staffs
     have enough data processing knowledge and expe-
     rience to audit effectively in the data process-
     ing environment."
                   *     *        *   *    *


     "Many organizations are not adequately evaluating
     their audit and control functions in the data
     processing environment. Top management should
     initiate a periodic assessment of its audit and
     control programs."
SUMMARY
     There is no doubt that capable audits of computers and
applications require technical competence beyond that
required of auditors in the past, but the time is long gone
that auditors can both ignore the existence of the computer
and successfully discharge their responsibilities.

     A structured long-range approach to the problem is
needed in many agencies to bring auditors to the point that
they can deal effectively with computer systems and applica-
tions. In our opinion, top management will need to provide
strong direction to the auditors to develop a program for
appropriate involvement, and periodic reporting of progress
made, before the situation is satisfactorily resolved in many
agencies. In those agencies where capability has been deve-
loped, excellent--even spectacular--audit results have ensued,
as exemplified by the internal audits discussed in chapter 3.




                             11
                             CHAPTER 3

       HOW FEDERAL INTERNAL AUDITORS ARE CONTRIBUTING

                    TO IMPROVED ADP MANAGEMENT

     Some internal audit groups in the Federal Government
                                                  ADP
are conducting critical and searching analyses of
                       the effectiveness of automated
resources, determining
systems and assessing the adequacy of the ADP functions
to meet users' needs.  A number of Federal internal audit
groups have made significant contributions to their agen-
cies' ADP management.  Millions of dollars have been saved,
and the effectiveness of programs has been significantly
enhanced.

     ADP auditing covers a wide spectrum.  In this chapter
                             work in four major ADP areas:
we cite examples of auditing

     -- Audits of   system design and development.

     -- Audits of equipment acquisition.

     -- Audits of specific applications.

     -- Audits of ADP installation management.

AUDITS OF SYSTEM DESIGN AND DEVELOPMENT
                                                          and
     host ADP systems require considerable time, money,
                    Interactions among managers,  users,
effort to develop.
                                                 vital to
designers, programers, and the computer are all
success in this effort.  Auditors have contributed to devel-
                                                  work done
opment of better-controlled systems by reviewing
during this phase.  These approaches allow system review
and audit involvement early in the development before a
large investment has been made.  The following examples
                                                 a system
illustrate the benefits of early involvement in
development effort.

Department of Agriculture Audit

      The Department of Agricuture's internal auditors
                                                   3 months
 reviewed during the testing phase--approximately
                implementation--a proposed  subsystem to
 before planned
 process payments for purchases.  They used an automated
 flow chart procedure to test program  logic and a test deck
                                      whether the program would
 containing error conditions to test




                                 12
detect the errors and reject the information.  The auditors
also interviewed personnel concerning operating procedures
and controls, and examined system and program documentation.

     Because system controls were too weak to prevent the
processing of test data containing error conditions, the
auditors recommended that additional edits be included in
the data validation routines. The automatic "flowcharter"
showed that certain steps of the programs were not being
performed.  The auditors recommended that the programers
determine whether these steps wre necessary for proper pro-
gram performance and remove any unnecessary steps.  In addi-
tion, the auditors determined that the program documentation
did not contain enough information to describe adequately
the controls or functions performed.

     This audit resulted in (1) correcting the error condi-
tions prior to system implementation, (2) eliminating un-
necessary program instructions, and (3) preparing the.
documentation necessary to implement and operate the
system.

Air Force Audit Agency

     The Air Force Audit Agency reviewed proposed system
concepts, supporting rationale, and documentation for an
automated management information system covering contract
award data.  Matters considered included the adequacy
of objectives in relation to user needs, cost reliability,
and whether technical requirements were valid.  Reviews
and discussions were conducted at 15 sites, several
headquarters groups, and the system development group.

     The auditors determined that user needs, system
capabilities; and resources had not been substantiated in
the original requirements document. Technical and equip-
ment specifications were not substantiated by adequate
studies, and users indicated there was little need for
the proposed online data base.

     The original economic analysis--which identified the
estimated costs and benefits--was inaccurate and
unsubstantiated, according to the auditors.  Further audit
examinations disclosed that the projected manpower reduction,
comprising most of the projected savings, was not realistic.

     The audit resulted in a major change in the scope,
equipment, and personnel requirements for the system.   The
revised requirements, approved at $4.7 million, represented



                             13
a $31.5 million cost avoidance directly attributable to the
audit.

AUDITS OF EQUIPMENT ACQUISITION

     Several internal audit groups we contacted had conducted
ADP acquisition reviews. This type of audit work may be per-
formed during one or more of three phases in the acquisition
cycle:

     -- Before the final acquisition decision is made.

     -- Before the acquired equipment, system, or service
        is operational.

     -- After the acquired items are operational.

The following example illustrates a review made after a
system has been acquired and installed.

Postoperational review

     Navy directives require the Naval Audit Service to
review computer systems about 12 to 24 months after the
installation of major ADP hardware to determine whether the
new system meets the original design objectives.  These
reviews may involve a number of issues, including manage-
ment's definition of objectives, the adequacy cf internal
controls, and the utilization of individual system components.

     In one such review, the Naval Audit Service made a post-
installation evaluation of a major computer system installed
at a Marine Corps facility. The system was one of seven lo-
cated at various activities to provide standardized ADP
support to all levels of command.  The Audit Service reviewed
the system's equipment specifications, capability to process
the required workload under normal and adverse conditions,
and use of selected equipment.  The auditors concluded that:

     -- Adequate standby equipment was not available in the
        event of protracted power failure or troop deployment.

    -- Capability was not available to process current
       program requirements.

    -- Certain equipment required under the original contract
       was underutilized and not really needed.




                             14
      In response to the audit report, the
                                           Command acted to
 obtain the funds to acquire standby equipment
 memory units, while unneeded items were       and additional
                                         released.
 AUDITS OF COMPUTER APPLICATIONS

      The advantages of computer processing
 Federal agencies to automate many program have encouraged
                                            activities. The
 resulting Governm3nt-wide computer investment
 on agency functions necessitate effective      and its impact
                                            control over
 computer applications.
      The reliability of the information generated
                                                     and the
 resultant manageimercn decisions depend on effective automated
 systems. Internal audits of agency functions
 encountered automated systems. To provide       frequently
 tion of a particular function, the internal  an adequate evalua-
 ascertain the system's reliability.           auditor must

     Internal auditors should review computer
systems to assess whether:                    application

     -- Accurate and timely data are entered
                                              into the com-
        puter and data files are kept updated.
     -- Adequate manual and automated controls
                                                exist over
        the input and processing of data.
     -- The user receives timely, accurate,
                                             and useful output.
     --There is adequate documentation of
                                            all aspects of
        the application.
     In a previous report, 1/ we cited
significant improvements anU correctionsseveral instances of
internal audit of automated applications. resulting from
is basically similar to those examples      The case below
                                       of good audit cover-
age of specific applications.
The Departmentof Health, Education,
and Welfare (HEW) audit
     The HEW Audit Agency reviewed the procedures
Social Security Administration for automated       of the
information on organizations providing       processing of
                                       health services under
the medicare program. The auditors assessed
tion between headquarters and the regional   the coordina-
                                           offices, and they

l/"Improvements Needed in Managing Automated
                                             Decisionmaking
  By Computers Throughout the Federal Governmet,"
  Apr. 23, 1976.                                   FGMSD-76-5,

                             15
evaluated procedures used to collect, enter, and disseminate
data as well as the accuracy, timeliness, and suitability
of system products. They interviewed personnel in eight
regional offices concerning the s-tem's usefulness and
examined over 400 case files and related computer output.
They compared the results so developed with the data pro-
duced by the computer and noted that in 30 percent of the
cases reviewed the two methods yielded different results.
The auditors traced these differences to (1) misunderstand-
ing between regional and headquarters personnel which arose
from inadequate communication concerning the role of the
computer and (2) inaccurate and untimely data.

     The Social Security Administration took several actions
in response to the auditors' recommendations. Central office
personnel met with regional staff to train them in the sys-
tem's operation and obtain suggestions on possible improve-
ments. The computer program was changed to identify proc-
essing delays at each step in the overall operation. Control
procedures to monitor the status of each case were instituted
at the central office, and the need for ccurate information
was explained to the regional offices.
AUDITS OF ADP INSTALLATION MANAGEMENT

     The sheer size of te Federal Government's investment
in ADP facilities should compel internal audit groups to
review the management of these facilities. However, Federal
expenditures on ADP portray only a portion of the computer's
impact on Government operations. As additional administra-
tive and mission-related functions are automated, agencies
become more dependent on the successful operation of com-
puter centers. As automated systems are developed and
accepted, manual systems are phased out. As requirements
for computer processing grow, the volume of agency infor-
mation sto:ed in the computer center's facilities increases.
The loss of theze automated systems and information--through
long-term disruption of power, natural disasters, or other
emergencies--can seriously impair an agency's ability to
fulfill its mission.
Army auditors' review

     The Army Audit Agency reviewed the management and use
of ADP equipment at a sample of the Army's computer installa-
tions in the continental United States, Europe, and the




                             16
Pacific. The review's objective was to provide an overview
of management policies and procedures at headquarters, com-
mands, staff agencies, and individual data processing centers.
Special audit attention was focused on the Army's use of per-
formance evaluation techniques, multiprograming, and other
technical ADP advances.

    The audit agency issued reports to individual commands
and installations identifying various problems which could
be corrected locally. A final audit report was issued
to epartment of the Army headquarters describing 20 problem
areas where weaknesses were general in natire, deep-rooted,
or could be corrected only at the departmental level. The
problem areas included inaccurate equipment inventory records,
inadequate scheduling and followup of management inspections,
and inefficient use of performance evaluation techniques.
One of the 20 areas is this: Individual activities had
researched and applied various computer performance evalua-
tion techniques independently. The auditors concluded that
activities had unnecessarily duplicated each other's efforts
by testing similar monitoring tools. They also concluaed
that activities were either not using available software
monitors or had not adequately planned to make full use of
monitoril. efforts.

     The auditors concluded that the decentralized manage-
ment of data processing centers throughout the Army ana the
complex structure of controls over ADP center operations
helped create many of the problems discussed in the report.
They recommended that the Department begin a study of
current organization structures and data processing require-
ments to centralize the Army's control over ADP facilities.

     Management agreed with the 20 recommendations presented
in the audit report, and corrective actions were taken. For
example, the Army began efforts to improve the exchange of
information between activities responsible for computer per-
formance evaluation and other activities that might be using
monitoring tools.  Headquarters began comparing the results
of performance studies at three activities to summarize the
data obtained and to learn better ways of using evaluation
techniques.
NEED FOR GREATER COVERAGE

     Although this chapter has included examples of good
internal audit, none of the agencies, in our opinion, has
achieved an adequate level of overall capability and cover-
age in ADP auditing. Within the Department of Defense, for


                             17
example, with over 4,420 computers at June 30, 1976, and
many wide-ranging automated data systems applications, the
limited expertise and need for more training in the ADP
area are pronounced. In a statement to the Senate Commit-
tee on Government Operations, the Deputy Assistant Secretary
of Defense for Management Systems reported that, out of a
total Defense-wide professional audit staff of 2,264, only
234 auditors (about 10 percent) were considered to have ex-
tensive ADP training and experience. 1/ When the magnitude
of automated systems and their far-reaching impact on agency
operations, programs, and resources are considered, the ade-
quacy of coverage by internal audit staffs is questionable
and, in our view, a much greater ADP audit capability is
needed in many of the agencies.



1/Staff Study of Computer Security in Federal Procrams,
  Committee on Government Operations, United States Senate,
  Feb. 1977, p. 177.




                            18
                         CHAPTER 4

               CONCLUSIONS AND RECOMMENDATIONS

     The Federal Government continues to rel]- more heavily
on ADP technology to achieve many program objectives.   Federal
agencies annually spend billions of dollars for the design,
development, and operation of ADP systems.

INTERNAL AUDIT INVOLVEMENT IS NEEDED

     Internal audit groups are responsible tor reviewing and
evaluating all aspects of agency operations.  By providing
timely and objective evaluations of agency policies and pro-
cedures, internal audit groups assist management in achieving
desired objectives. The magnitude of Federal ADP expenditures,
and ADP's impact on agency operations, should compel internal
audit groups to schedule periodic reviews of their agency's ADP
activities. 1/

     Some audit groups have responded to the challenge; others
have not.  Some internal audit groups have made a valuable
contribution to the effective management of programs by review-
ing various aspects of ADP in their agency.  They have prevented
the development of ADP systems which were not needed or economi-
cally justified, identified instances of unnecessary equipment
procurement, and improved the protection of valuable computer
equipment.

     Other internal audit groups have improved the reliability
of computer-generated information used by agency managers and
have identified weaknesses in internal controls which allowed
inaccurate data to become a part of agency records.  Recom-
mendations to correct these problems served to improve
the effectiveness of computer systems and the general quality
of management decisions.

     Conversely, the lack of technical ADP knowledge by
auditors was cited by other internal audit groups as a barrier
to their performing effective ADP auditing. The many facets



1/Two of our recent reports ("Improvements Needed in Managing
  Automated Decisionmaking by Computers Throughout the Fed-
  eral Government," FGMSD-76-5, Apr. 23, 1976, p. 53, and
  "Computer-Related Crimes in Federal Programs," FGMSD-76-27,
  Apr. 27, 1976, p. 18) also pointed out the increasing need
  for auditor involvement in computer applications.



                             19
involved in auditing ADP activities require the internal
audit staff to possess, collectively, the technical knowledge
and capability to perform penetratinC reviews and develop
meaningful recommendations. Without such capability, attempts
at auditing computers may be counterproductive. Adequate
training also aids the individual auditor in establishing
credibility and rapport with data processing personnel in
the agency.
      Internal audit reviews show that teams of auditors with
a general ADP background, assisted where necessary by ADP
audit specialists, can successfully review both technical
and nontechnical ADP issues. With accurate assessments
of ADP auditing requirements and identification of scurces
of technical capability, internal audit groups can make sig-
nificant contributions to increased efficiency and improved
performance. Some groups have demonstrated such capability
on occasion, and we are hopeful that the examples cited ear-
lier will serve to provide encouragement to those audit
groups that have been reluctant to perform computer auditing
assignments.
     By the same token, it should be recognized that computer
audit proficiency is not a static matter. The advancement
of computer technology must be matched by continuing and
broadening auditor knowledge and capability if the challenge
to perform to standards is to be met. Even for those most
capable audit groups, the task to maintain technical pro-
ficiency is unending. Greater management attention is essen-
tial to help insure that all internal audit groups throughout
the Federal Government develop and maintain needed ADP
auditing capabilities.
RECOMMENDATIONS
     We recommend that, for   proper and effective response
to the challenge of computer auditing, the head of each
agency require internal audit groups to:

     1.   Study the effect of ADP on agency operations,
          expenditures, and program accomplishments.

     2.   Determine the extent to which computer activities
          need to be audited (both ongoing system reviews
          and audits of specific aspects, such as installation
          of a new computer-based inventory system).
     3.   Determine whether enough audit resources are
          available, and if not, get needed resources by



                              20
          training existing audit staff or hiring people
          with the necessary skills.

     4.   Develop and carry out audits that will provide
          enough coverage to determine that ADP resources
          are used efficiently, economically, and effectively.

     5.   Periodically review the internal audit coverage
          of computer-based information systems and adjust
          resource allocations accordingly.
     We further recommend that the Office of Management and
Budget (OMB) monitor the progress of the agencies in these
matters.

AGENCY ACTIONS

     The comments of OMB, 11 other Federal agencies, and
the Postal Service on the material presented in this report
are included in appendix III. All were in agreement with
our position that the importance of computer auditing is
growing and that further actions are required to assure
adequate audit coverage. The General Services Administration
indicated further resources would be necessary to bring its
coverage up to the level suggested in our report; the Depart-
ment of the Interior and HEW mentioned problems in develop-
ing in-house audit capabilities.

      Several epartmentF, including the Department of
the Interior, outlined actions taken or planned to
strengthen and improve ADP audit capability. The replies
provide additional information that could be helpful for
departments and agencies seeking to further ADP audit capa-
bility.

     With respect to our recommendation that OMB monitor
the agencies in improving their ADP audit capabilities, the
Deputy Director stated that this report, toguther with other
recently issued GAO reports and work being doze by the Joint
Financial Management Improvement Program, proviued OMB with
a basis for improving its guidance to the agencies and for
working individually with the departments and agencies on
improvements.

     O4B told us it shared our concern that internal audit
groups develop, maintain, and effectively use capabilities
for computer auditing and added that it would encourage
agencies to establish adequate management controls, including
audits, over their ADP operations. OMB stated:


                             21
     "Since implementation of the recommendations in
     this report would rely heavily on agency partici-
     pation, we would encourage wide dissemination of
     the report throughout the executive branch."

We are sending copies of the report to the heads of all
executive departments and agencies for their information
and guidance.




                             22
APPENDIX I                                          APPENDIX I

             AUDIT GROUPS CONTACTED DURING REVIEW
 -partment of Agriculture--Office of   udit
Dep rtment of Defense--Army Audit Agency, Naval Audit
  Service, Air Force Audit Agency
Department of the Interior--Office of Audit and
  Investigation
Department of Health, Education, and Welfare--
  HEW Audit Agency
Department of Housing and Urban Development--
  Office of Inspector General
Department of Labor--Directorate of Audit and
  Investigation
Department of Transportation--Office of Audits

General Services Administation--Office of Audits

National Aeronautics and Space Administration--
  Management Audit Office
Veterans Administration--Internal Audit Service




                            23
APPENDIX II                                           APPENDIX II


                SELECTED SOURCES FOR DEVELOPING

                        ADP AUDIT CAPABILITY

     There are , y..sources of help available to Federal
internal audit activities in preparing a plan for developing
ADP audit capability.  Among them are the following:

LITERATURE AND TRAINING MATERIAiL

Institute of Internal Auditors-        Altamonte Springs, Florida:

     -- "Estaolishing the Internal Audit Function in
        EDP:  Job DeEcriptions."

     -- 'Auditing Computer Centers."

     --"Auditing Fast Response Systems."

     -- "Computer Control and Audit,"        air, Wood, and
        Davis.

     -- "Systems Auditability and Control Study"
        (three volumes).

American Institute of Certified Public Accountants,
  New York, New York:

     -- "Auditing and    DP,"   Davi'.

     -- "Statement on Auditing Standards Number       3."

     -- "The Auditor's Study and Evaluation of Internal
        Control in EDP Systems"--an Audit and Accounting
        Guide."

EDP Auditors Association, Hanover Park,        Illinois:

     --"Coltrel Objectives"      isecond edition).

Canadian Institute of Chartered Accountants,         Toronto, Canadal

     -- "Computer Control Guidelines."

     --"Computer Audit Guidelines."




                                  24
APPENDIX II                                         APPENDIX II

General Accounting Office:

     -- "Auditing Computers With a Test Deck
        (With Emphasis on Payroll Applications)."
     -- "Guide for Evaluating Automated Systems
        (Exposure Draft)."
     -- "Guide for Reliability Assessment of Controls
        in Computerized Systems (Financial Statement
        Audits) (Exposure Draft)."
TRAINING COURSES
Interagency Auditor Training Center, Washington, D.C.
Civil Service Commission, ADP Management Training
  Center, Washington, D.C.
Department of Defense Computer Institute, Washington,
  D.C.
Canadian Institute of Chartered Accountants, Toronto,
  Canada
Institute of Internal Auditors, Altamonte Springs,
  Florida
American Institute of Certified Public Accountants,
  New York, New York
     Each of these organizations has ADP training courses
suitable for improving the knowledge and capability of
auditors. In addition, many colleges and universities are
enlarging their computer curricula,
have developed specialized courses toand a number of firms
                                       help auditors develop
technical proficiency in computer-related work.




                             25
APPENDIX III                                           APPENDIX III



                   EXECUTIVE OFFICE OF THE PRESIDENT
  od;.,ifiOFFICE           OF MANAGEMENT AND BUDGET
                           WASHINGTON, D.C.   20503




                                                       JUL 21 1977
Honorable Elmer B. Staats
Comptroller General of the
  United States
General Accounting Office
Washington, D.C.  20548
Dear Mr. Staats:
This is in response to your letter of June 17, 1977 and your
draft report entitled "Computer Auditing in the Executive
Departments: Is Enough Being Done?" We read the report
with great interest and share your concern that internal
audit groups throughout the Federal Government develop, main-
tain and effectively use capabilities for computer auditing.
The increasing use of computer and communications technology
within the Federal Government has introduced a variety of new
management problems. Among these is the need for assuring
adequate management control over the automatic data processing
(ADP) function. Auditing is an important tool used by agency
management to monitor and control internal operations. We
believe the ADP function should command more attention from
agency managers for a number of reasons: (1) ADP impacts
significantly upon virtually every aspect of an agency's
operations, (2) by its nature ADP permits huge sums of money
and large amounts of information to be handled by relatively
few individuals, (3) computer users rarely have the ability
or knowledge to verify the accuracy of computer systems, and
(4) the large and rapidly growing cost of ADP itself.
The Office of Management and Budget will continue to encourage
agencies to establish adequate management controls, including
audits, over their ADP operations. At the same time, we
believe it is the perogative of the agency head to make the
basic assignments of audit responsibility within his agency
and to make the priority decisions on the application of
these resources. To assist agency management in carrying out
the above, Federal Management Circular (FMC) 73-2 "Audit of
Federal Operations and Programs by Executive Branch Agencies"
was issued in September 1973.



                                    26
APPENDIX III                                      APPENDIX III




As you know in recent months, in addition to this report,
the General Accounting Office has issued two draft reports
dealing with Federal Agency Audit operations: "An Overview
of Federal Internal Audit" and "Need for More Effective Cross
Service Auditing Arrangements." Both of these reports recom-
mend OMB provide additional audit guidance to agencies and
direct certain actions to be taken. GAO has also initiated a
comprehensive review of internal operations in all the major
departments and agencies with work currently underway in five
agencies. Also, the recent General Accounting Office draft
report "New Methods Needed for Checking Payments Made by
Computers" contains recommendations affecting the audit pro-
cess. In addition, the Joint Financial Management Improve-
ment Program, which is a joint effort of the Treasury, OMB,
the Civil Service Commission and GAO, is conducting a com-
prehensive study of Federal, State and local audit systems
applicable to the Federal Assistance Programs. Since your
report and these other detailed analyses seek to affect audit
priorities and allocation of resources, we believe it is
important that any additional guidance issued by OMB be in
the context of a comprehensive picture of the Government's
total needs and priorities. We believe these detailed
analyses may provide us a basis for improving the guidance
in F4C 73-2 and for working individually with the departments
and agencies on improvements.

Since implementation of the recommendations in this report
would rely heavily on agency participation, we would encourage
wide dissemination of the final report throughout the
executive branch. We understand from discussions with your
staff that the four agencies cited in Chapter 2 of the report
have undertaken action to correct the inadequacies reprrted.
Thank you for the opportunity to comment on the draft report.
                                  Sincerely,



                                  James T. McIntyre, Jr.
                                  Deputy Director




                             27
 APPENDIX III                                             APPENDIX III


                            UNITED STATES OF AMERICA
                     GENERAL SERVICES ADMINISTRATION
                               WASHINGTON, DC   2405




July   25,   1977

Honorable Elmer B Staats
Comptroller General of
the United States
General Accounting Office
Washington, DC 20548
Dear Mr. Staats:
Thank you for providing the opportunity to comment on your draft report:
"Computer Auditing in the Executive Departments: Is Enough Being Done?"
We agree with your conclusions and recommendations. Your report provides
for the possibility of improving agency ADP auditing capability through
both the expansion and upgrading of existing auditing staff and the
contracting-out for certain auditing specialists. It would be helpful
to the GSA and other agencies if you could provide some guidelines for
determining when the improvements can be best satisfied by internal up-
grading and when it would be better to go outside for ADP auditing exper-
tise.
As recommended in the report, the Office of Audits in the GSA will be
directed to study the impact of automatic data processing on the GSA's
operations, expenditures, and programs; to ascertain audit requirements
and associated need for resources; to develop and implement an adequate
audit program to encompass all aspects of ADP functions; to review
periodically audit priorities and evaluate the effectiveness of the audit
program.
Although the Office of Audits has been making respectable progress in its
endeavors to ascertain the need for audit coverage for both internal
computer operations and Government-wide ADP responsibilities deriving from
the Brooks Bill, its level of effort falls short of the coverage you recom-
mend. To meet General Accounting Office standards, however, it will be
necessary to secure additional resources.
Sincerely,



        istrator


                                      28
     APPENDIX III                                                  APPENDIX III




                                ASSISTANT SECRETARY OF DEFENSE
                                     WASHIN0TON, D.C. 2001


COMPTROLLER
                                                    a4   AUG' Sa


        Mr. Dones. Scantlebury
        Director, Financial and General Management
              Studies Division
        U.S. General Accounting Office
        Washington, D.C. 20548

        Dear Mr. Scantlebury:

        This letter responds to the GAO draft report dated June 17, 1977,
        "Computer Auditing in the Executive Departments:  Is Enough Being
        Done?" We agree with the basic conclusions and recommendations to
        assure that the adequacy of audit coverage of ADP operations is
        periodically evaluated.

       We fully appreciate the growing dependence on computers and the
       need for audits within the computer environment in view cf the
       potential for (a) savings, (b) improved efficiency and (c) cost
       avoidance, and the need for better control of computer-based infor-
       mation systems. Since ADP is critical to many DoD operations, the
       mission of internal audit has been logically expanded over the past
       few years to cover computer auditing as discussed in the GAO draft
       report. The benefits from this expanded effort have been illustrated
       in the GAO draft report by inclusion of examples of audit results
       acaieved by the Military Department audit organizations.   e also
       recognize the need for increased oversight over ADP programs and we
       are taking steps to further improve audit services within DoD.

       Under direction of my DASD (Audit), we have initiated a study within
       DoD (a) to review the nature and extent of internal audit coverage of
       ADP resources, (b) to define current performance, resources, skills
       and training problems associated with audit within the ADP environment
       and (c) to develop suitable overall DoD internal audit guidance for
       approaching audits of ADP systems and operations. We believe this
       study is in consonance with the intent of the GAO recommendations.

       We noted one point of information in the GAO draft report which
       requires correction. On page 22, a reference to the Army Audit
       Agency review of the management and utilization of ADP equipment
       states that the audit was accomplished at 450 installations.



                                            29
                                                       APPENDIX III
APPENDIX III




                                                               when
  Actually, the Army had 450 installations which had computers
                                                               loca-
  the cited audit was performed. Of these 450 data processing
  tions 16 were included in the selective audit.

                                                                 and
  We appreciate the opportunity to comment on this draft report
                             by your staff concerning computer  audit-
  the observations furnished
  ing in the Executive Departments.

                                    Sincerely,




                                            Fred P. Wacker
                                    Assistant Secretary of Defe:se




                                    30
     APPENDIX III
                                                                                    APPENDIX III
     ofi" on
oj    i'i                     DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
     2*i-aIlii   *, ~OFFICE                     OF INSPECTOR GENERAL
        'J.j.!t                              WASHINGTON, D.C. 70410


                                                July 21, 1977
                                                                                             IN REPLY REFER TO:




          Mr. Henry Eschwege
          Director, Community and Economic
            Development Division
          U.S. General Accountinj Office
          Washington, D.C. 20542
          Dear Mr. Eschwege:
              The Secretary has asked me to conmment on the proposed draft
         "Computer Auditing in the Executive Departments: Is Enough Being report
                                                                              Done?"
              The Department of Housing and Urban Development (HUD) has already
        recognized the need for increased emphasis in the area of computer
        auditing and the Office of Inspector General has taken aggressive
        to meet this need. Since GAO contacted HUD on this review,             action
        recruited three experienced ADP auditors and developed an ADP wve  have
                                                                          training
        program for our audit staff. We have developed an approach
                                                                       to comnuter
        auditing that is tailored to the needs of HUD and the capabilities
        our audit staff, with consideration of recommendations in prior         cf
        Accounting Office (GAO) reports.                                    General

            Our approach to computer auditing recognizes that
      on the Department's operations, expenditures and programtheaccomlishr:,nts
                                                                   impact of ADP
      is more significant than direct expenditures for ADP resources.
                                                                         Conse-
      quently, we are emphasizing reviews of automated systems, both
     and under development. In addition, vie anticipate significant existing
      in manual audit work and increased audit coverage from the use rductions
                                                                       of
     existing automated systems to support audits of program areas.
           We evaluate our computer audit coverage annually when we develop
     our annual audit plan. We plan to increase our computer    auditing as our
     training program helps us to develop the expertise necessary
     work. In the future, we plan to audit more automated systems for this
     more reviews to assure that ADP resources are used efficiently,and conduct
     economically and effectively.

                                                   jSincerely,                  .


                                                    / James B. Thomas, Jr.
                                                  / /nspector         General
                                                  31
APPENDIX III                                                        APPENDIX   TII




                     VETERANS ADMINISTRATION
                  OFFICE OF THE ADMINISTRATOR OF VETERANS AFFAIRS
                         WASHINGTON, D.C.          20420

                               AUGUST 18 1977

Mr. Gregory J. Ahart
Director, Human Resources Dvision
U. S. General Accounting Office
441 G treet, N.W.
Washin.gton, DC 20548

Dear Mr. Ahart:

          Your draft report to the Congress, "Computer Auditing in the
Executive Departments:  Is Enougn Being Done?" was transmitted on June 20,
1977, and I am pleased to offer our comments.

          This report summarizes what selected Federal agency internal
audit groups are accomplishing in auditin, automatic data processing (ADP)
systems and controls, and reports on the inadequacy of present coverage
and the need for further improvement. Veterans Administration (VA) de-
partments and staff offices reviewed the report and basically agree with
your conclusions and recommendations.

          Since 1975, substantial improvements have been made in the VA's
computer auditing function. In addition to the audit function of the ADP
Evaluation Division of our Internal Audit Service, the Department of Data
Management ADP Systems Audit Staff has, since 1962, performed technical
audits of computer programs. During July 13 and 19 meetings with staff
members of the General Accounting Office Financial and General Management
Studie Division, which prepared this report, the VA's progress in improv-
ing computer auditing was reviewed. Consequently, certain corrections
and changes to the report, suggested by the Internal Audit Service, were
accepted and will appear in the final report.

          The Veterans Administration will continue efforts to provide the
necessary ieview and evaluation of automatic data processing systems and
programs.

                                              Sincerely',     ,,



                                                  CLE
                                              Administ3     or




                                         32
  APPENDIX III
                                                           APPENDIX   III




            DEPARTMENT OF HEALTH, EDUCATION. AND WELFARE
                            OFFICE OF THE SECRETARY
                              WASHINGTON. D C. 2020

                               AUG 19 1977




Mr. GregorY J. Ahart
Director, Human Resources
  Division
U.S. General Accounting
  Office
Washington, D.C. 20548
Dear Mr. Ahart:
The Secretary asked that I respond to your request of
comments on your draft report, "Computer Auditing in June 20 for our
                                                      the Executive
Departments: Is Enough Being Done?" The enclosed comments
the tentative position of the Department and are subject     represent
when the final version of this report is received.        to reevaluation

We appreciate the opportunity to comment on this draft
publication.                                            report before its

                                Sincerely yours,


                                Thomas D. Morris
                                Inspector General
Enclosure




                                     33
APPENDIX III                                            APPENDIX III


COMMENTS OF THE DEPARTMENT OF HEALTH, EDUCATION, AND WELFARE ON THE
GAO DAFT REPORT, "COMPUTER AUDITING Il THE EXECUTIVE DEPARTMENTS:
IS ENOUGH BEING DONE?"

OVERVIEW
We concur with the recommended five-step approach to determine and
maintain an effective response to the computer auditing challenge.
Within the HEW Audit Agency we will initiate an office-by-office
analysis of the impact of ADP in assigned areas of audit responsi-
bility and estimate as precisely as possible the type and number of
resources needed to provide reasonable audit coverage of HEW's com-
puter operations. Once these data are known, a master plan to
auditing the computer area can be designed for implementation. The
analysis of needed audit resources will be started during the current
fiscal year.
The Department endorses GAO's recommendation of a much greater internal
audit involvement in the ADP area. We must, however, view this as a
much-desired, but long-range goal--due to the very sizeable numbers
of resources needed to adequately plan, staff, and perform these audits--
and because of proolems caused by competing priorities. The above
described master plan will be the vehicle by which we will formalize
our planning in this area.
The HEW Audit Agency has long performed the first type of computer
auditing described in the draft report -- audits of specific computer
applications. However, for the second type of auditing -- systems
reviews and specific A aspects -- limited work has been performed
due to the lack of qualified staff to perform these specialized audits.
Although initial steps have been made toward acquit;ng needed talent
through continuing ADP training for selected staff auditors and the
recent employment of two computer systems analysts, upgrading HEW's
total ADP audit capability can be a slow process which is dependent
on budgetary constraints that traditionally have been tight.
We are pleased that an HEW Audit Agency audit is characterized in the
GAO report as an example of good audit coverage of specific computer
applications. The example is fairly typical of the in-depth intrnal
audit coverage being directed to automated processe; that have a signifi-
cant impact in relation to the specific objectives of internal audit
assignments. Beginning in 1973 with the development of the HEW Com-:
puter Audit System (HEWCAS), a computer program which can be used by
auditors to extract information needed for audit from a computer file,
audits of automatcd processes have become increasingly sophisticated.
It is standard practice now to include use of computer programs, test
decks or other advanced techniques in HE!W internal audit programs en-
compassing specific computer applications.


                                  34
APPENDIX III                                                           APPENDIX III




                      OFFICE OF THE SECRETARY OF TRANSPORTATION
                                 WASHINGTON, D.C.   20590



ASSISTANT SECRETARY
 fOR ADMINISTRATION

                                                            July 15, 1977




          Mr. Henry Eschwege
          Director
          Community and Economic Development Division
          U.S. General Accounting Office
          Washington, D.C. 20548
          Dear Mr. Eschwege:
         We have enclosed two copies of our reply to the General
         Accounting Office draft report "Computer Auditing in the
         Executive Departments: Is Enough Being Done?"           Please let
         us know if we can assist you further.

                                          Sincerely,


                                          Edward W. Scot         Jr.
         Enclosures (2)




                                       35
APPENDIX III                                              APPENDIX III



                 DEPARTMENT OF TRANSPORTATION REPLY

                                 TO

                GAO DRAFT REPORT DATED JUNE 17, 1977

                                 ON

          COMPUTER AUDITING INTHE EXECUTIVE DEPARTMENTS:
                      ISENOUGH BEING DONE?


            SUMMARY OF GAO FINDINGS AND RECOMMENDATIONS

  GAO believes -- in view of the potential for:   (1)savings,
  (2)improved efficiency, and (3)cost avoidance, and the need
  for better control of cmputer-based information systems --
  additional efforts are needed now by both Federal managers and
  internal auditors to assure that adequate audit coverage is
  accorded certain areas. These areas are identified as:
   1) systems design and 'ovelopment, (2)equipment acquisition,
   3) specific applications, and (4)Automatic Data Processing
   ADP) installation management.
  GAO recommends that, for a proper and effective response to the
  challenge of computer auditing, the head of each agency require
  internal audit organizations to:
  a. Study ADP's impact on agency operations, expenditures, and
  program accomplishments.
  b. Determine the extent to which computer activities are in
  need of audit coverage (both ongoing systems reviews and audits
  of specific aspects such as installation of a new computer-based
  inventory system).
   c. Determine whether available audit resources are adequate to
   perform the work and, if not, take action to obtain needed resources
   by: (1)training existing audit staff, (2)hiring needed talent,
   (3)contracting for such capability, or (4)a combination of these
   three.



                                  36
APPENDIX III                                            APPENDIX III




  d. Develop and implement an approach to auditing of the computer
  area that will assure adequate coverage to determine that ADP
  resources are used efficiently, economically, and effectively.
  e. Periodically review the adequacy of internal audit cverage
  of computer-based information systems and adjust resource
  allocations accordingly.
  GAO isalso recommending that the Office of Management and Budget
  monitor the progress of the agencies n these matters.
  POSITION STATEMENT
  The Department of Transportation concurs with the GAO conclusions
  and has or will initiate actions on the recommendations made.




                                   37
               APPENDIX III                                      APPENDIX III




                   National Aeronautics and
                   Space Administration
                   Washington, D.C.
                   20546


Reply to Atr OiW                                     JUL 1   5   1977

             Mr. R. W. Gutmann
             Director
             Procurement and Systems
               Acquisition Division
             U.S. General Accounting Office
             Washington, DC 20548


             Dear Mr. Gutnann:
             Thank you for the opportunity to comment on the draft report
             entitled, "Computer Auditing In The Executive Departments:
             Is Enough Being Done?", which was prepared by GAO's Financial
             and General Management Studies Division and transtted with
             your letter, dated June 17, 1977.
             NASA recognizes that it is essential for adequate controls
             of computer operations and systems to exist and that
             internal audits help to assure what these controls are
             effective. We are currently reviewing our audit coverage
             of computer activities and the need for increased effort;
             GAO's draft report will be useful in this connection.
             The enclosure contains NASA comments on the specific actions
             by internal audit organizations that are mentioned in the
             proposed reconmmendation to the head of each agency. We
             will be pleased to discuss these comments, if you have
             any questions.

             Sincerely,




        ~ '"KennethR. Capman .~
   ."     .Assistant Administrator for
           DOD and Interagency Affairs

             Enclosure

                                              38
  APPENDIX III                                   APPENDIX III



                NASA COMMENTS ON GAO DRAFT .REPORT
        "COMPUTER AUDITING IN THE EXECUTIVE DEPARTMENTS:
                     IS ENOUGH BEING DONE?"


The GAO recommends that, for a proper and effective response
to the challenge of computer auditing, the head of each
agency require internal audit organizations to take five
specific actions. NASA comments on the five actions are
presented below.


1. Study ADP's impact on agency operation, expenditures
and program accomplishments.

         ADP has a highly significant impact on NASA opera-
tions, expenditures, and program accomplishments both on
technical programs and business management processes. NASA
management recognizes its responsibility for establishing
effective controls over ADP systems. We also recognize
the importance of internal audits as a means of assuring
such controls exist. In analyzing NASA needs for internal
audit coverage, we will be studying the relative significance
and impact of ADP activities compared to the other NASA
operations.


2. Determine the etent to which computer activities are
in need of audit coverage (both ongoing systems reviews and
audits of specific aspects such as installation of a new
computer-based inventory svstem,

         The NASA Management Audit Office annually assesses
internal audit needs and establishes priorities in preparing
the annual audit plan. Computer activities are included
in this annual assessment. We are currently updating a
universe of NASA audit needs on a long-range basis. This
will include emphasis on the assessment of the need for
improved ADP controls and the involvement of the internal
auditors both in systems development and in verification
of controls.




                               39
 APPENDIX III                                  APPENDIX III



3.   Determine whether available audit resources are adequate
to perform the work and, if not, take action t obtain needed
resources by (a) training existing audit staff, (b) hiring
needed talent, (c) contracting for such capability, or
 (d) combination of these three.

          Our present audit staff will continue to be trained
in the audit of ADP. We are currently determining the level
of ADP training necessary for our audits as well as exploring
the need for the use of more specialized ADP personnel or
consultants and advanced computer audit techniques.


4. Develop and implement an approach to aud.itinq of the
computer area that will assure adequate coverage to determine
that ADP resources are used efficiently, economically, and
effectively.

          As indicated we will assess the adequacy of our
available resources to increase the audit coverage of
our ADP operations. Additionally, the internal auditors are
working with NASA ADP managers to determine how the auditors
can most effectively serve NSA management in the development
of systems and in the verification of computer controls.


5. Periodicallv review the adeauacy of internal audit
coveraqe of computer-based information systems and adjust
resource allocations accordingly.

          The adequacy of audit coverage of NASA's computer-
based information systems is considered in the annual audit
planning process. Adjustment of resource allocations to
accommodate computer audit needs has to be balanced with the
priorities of other audit areas.




        Duward L. Crow                          Date
Associate Deputy Administrator




                              40
  APPENDIX III                                           APPENDIX III
                                   Eros rortt


                                     .rvs



                          THE POSTMASTER GENERAL
                               Washington, DC 20260


                                                       July 25, 1977
Mr. Victor L. Lowe
Director, General Government
 Division
U. S. General Accounting Office
Washington, D. C. 20548

Dear Mr. Lowe:

Thank you for the opportunity to comment on your proposed report to
the Congress concerning computer auditing in the Executive Depart-
ments.

The report's observations concerning the Service's computer auditing
capability are (1) our Office of Audit, Inspection Service, has limited
capabilities in the area of computerized systems because it has only
one specialist knowledgeable in the design of computerized systems,
and (2) the Office of Audit has not been an active participant in the
design and modification of computer programs, thus assuring itself of
adequate internal controls and auditable trails in these programs.

These observations resulted from a January 1976 review of the Service's
payroll system, and though substantially true at that time, have now
become outdated as indicated by the following developments:

   1.    Since July 1976, Inspectors have successfully completed 20
         audit software programs. Ten Inspectors ar presently able
         to write computer programs using audit software.

  2.     In February 1977, procedures were incorporated in our field
         and management manuals for the use of audit software and the
         development of computer specialist Inspectors. Our guidelines
         for specialists govern-complement, qualifications, utilization,
         workload, and training.

  3.     Since May 1976, the Inspection Service has initiated seven
         systems development audits, including review of computerized
         markup, electronic money orders, and the ayoll 1 L'esi .

                                     41
 APPENDIX III                                                     APPENDIX III




        In order to carry out development auditing policy, a procedure
       is being formulated so that whenever top-management approves
       the development of a major new system, the Inspection Service
       will be notified.

The following comments address each of the report's recommendations--

-- Automatic data processing's impact on Postal Service operations,
   expenditures, and program accomplishments will be studied next
   fiscal year through several scheduled audits. During the last fiscal
   year, management audits were accomplished at the New York and
   Wilkes Barre Data Centers.

-- The extent to which computer activities are in need of audit coverage
   is determined through our annual workload planning and a program of
   audit surveys.

-- The determination of whether available audit resources are adequate
   to perform the work will be accomplished through the periodic assess-
   ments we plan of our new computer audit specialist program.

-- Our audit programs for financial and operational audits include adequate
   coverage to determine that automatic data processing resources are
   used efficiently, economically, and effectively.

-- The adequacy of internal audit coverage of computer-based information
   systems is reviewed periodically through our program of internal
   management reviews of all levels of Inspection Service management.

We are in agreement with the report's conclusion that additional efforts
are needed now by both federal managers and internal auditors to assure
adequate auditing coverage of automatic data processing.   Postal manage-
ment has cooperated with the Inspection Service on all audit matters,
including automatic data processing, and our new policy of development
auditing will require even greater management/audit coordination.

                                       Sincerely,




                                       Benjam       F.   Bailar



                                  42
APPENDIX III                                                    APPENDIX III


                    0La O C%


                          ,           UNITED STATES DEPARTMENT OF COMMERCE
                                      The Assistant Secretary for Administration
                               es   ) Washington. D.C   20230

      1971



Mr. D. L. Scantlebury
Director, Financial and General
  Management Studies Division
U.S. General Accounting Office
Washington, D. C. 20548
Dear Mr. Scantlebury:
We have reviewed the GAO draft report on "Computer Auditing
In The Executive Departments: Is Enough Being Done?"
We agree with the GAO conclusion that additional efforts
are needed by Federal managers and internal auditors to
assure adequate audit coverage of ADP applications.  In
recognition of this need, our Office of Audits, in fiscal
year 1977, initiated reviews of the design and development
of automated administrative systems and allocated staff
time in our audit plans to review automated decisionmaking
applications within the Department.
Also, the Office has audited controls over computerized
payroll processing operations at the National Bureau of
Standards and the National Oceanic and Atmospheric Admin-
istration. Further, the Office has provided staff for a
Department-wide evaluation of ADP installations. Specific
areas being evaluated include (1) the implementation of
proposed computer systems as set forth in Departmental
approved budgets and requirements studies, (2) utilization
of ADP equipment, (3) procedures and controls to assure
that only significant applications are computerized, (4)
user charges for ADP services, (5) users' satisfaction
with timeliness of services and accuracy of output, (6)
comparative cost analyses for in-house versus contractual
services, and (7) procedures and measures for security
and protection.
During the last year the Office provided formal training
to selected staff members in computer technology and COBOL
and in auditing (1) systems supported by ADP equipment, (2)
security in an ADP environment, and (3) the management of
ADP centers.

                                      43
APPENDIX III                                    APPENDIX III




The Office of Audits plans to continue to increase its under-
standing of the total computer area available for audit, as
a basis for further development and implementation of a
systematic approach to audits in that area. In this con-
nection, the Office of Audits has hired new talent in the
ADP field.
However, in order for audits in the computer area to be
truly effective, the Office of Audits will train additional and
auditors who can specialize in the auditing of ADP systems
ADP mdnagement. To be proficient requires a specialization
of auditors in the ADP field so that an overall understanding
can be developed and maintained of the various areas ADP
encompasses within the DeDartment.
 It was pointed out in a recent GAO audit report that the
current audit cycle of the Office of Audits is unduly long
and additional audit coverage is needed in all areas.
Accordingly, the Office will continue to reassess the resources
allocated to ADP auditing in relation to its total requirements,
as part of its annual audit planning.
Sincerely,



Elsa A. Porter
Assistant Secretary
  for Administration




                               44
 APPENDIX III                                                          APPENDIX III



                      U.S. DEPARTMENT OF LABOR                                        AD,'a

                                                             S
                OFFICE OF THE ASSISTANT SECRETARY FOR ADMINIST1NTION
                              WASHINGTON, D.C.   20210




2 1 JUL 1977
Mr. Gregory J. Ahart
Director, Human Resources Division
U. S. General Accounting Office
Washington, D.C. 20548
Dear Mr. Ah.
Thank you for the opportunity to review and respond to the draft
report, "Computer Auditing In The Executive Departments:
Is Enough Being Done". We are pleased to provide you with
the following comments stating the efforts taken by the
Directorate of Audit and Investigations (DA&I) in Computer
Auditing.
Beginning in FY 1972, the DA&I utilized the Department's
ADP Technical Evaluation staff to provide technical assistance
to the audit staff in four audits of State Employment Security
ADP Operations which were either fully or partially funded
by the Department of Labor. A separate report was issued
for each review to the auditee and the regional Employment and
Training Administration (ETA) containing their comments.
A summary report was then issued to the Assistant Secretary
of ETA discussing the results of the reviews which required
attention bv the Department. The following areas which needed
improvement were reported:
   Reasonable and prudent panning and financial
   management practices did not exist;
   Where the States were trying to centralize the
   ADP operations, Federal regulations were not
   being followed by the State, regional Federal
   and national Federal authorities;
   Procurement practices in the following needed to
   be improved
       personal service contracts
       equipment acquisitions
       competitive procurement; and




                                       45
APPENDIX III                                           APPENDIX III




   Inefficient use of electronic accounting machines
   when capacity was available on the computer.

Management responded to the above findings and promised to
take corrective action.

Pi August 1975, the Department's ADP Technical Evaluation
3taff was transferred to DA&I and became the Office of ADP
Evaluations (OADPE).

During the two years of its existence our OADPE has regularly
conducted ADP operational audits; system control audits; ADP
cost determinations; audit software development and technical
assistance; and design, development, and implementation
of retrieval and analysis software in support of financial and
compliance audits, and operational program audits.

During fiscal year 1978, DA&I will determine the specific
methodology of implementing a multi-tiered approach to ADP
auditing which will include enhancing the ADP skills of our
general staff auditors. It is our judgement that these
approaches will provide DA&I with an increased capability to
address the complex problems of an automated environment.

Sincerely,



             /UCK
     stu~t Sy   etary for
Aflministra lon and Management




                                  46
         APPENDIX III
                                                                             APPENDIX III

Ffl     US. DEPA'TMENT OF AGRICULTURE   OFF!CE OF AUDIT   OFFICE OF THE SECRETARY* WASHINGTON, D.C. 20250




                                                                         JUL 2 6 1977
       Mr. Henry Eschwege, Director
       Community and Economic
         Development Division
       U. S. General Accounting Ofice
       Washington, D. C. 20548
      Dear Mr. Eschwege:
      We have reviewed the draft of the proposed GAO Report to
      "Computer Auditing in the Executive Department: Is EnoughCongress entitled
      We appreciate the opportunity to review and comment on     Being Done?"
                                                             behalf
      ment before the final report is issued. Our detailed response ofisthe Depart-
                                                                         attached.
      We in the Office of Audit (OA) see our role as a service
      Secretary and to USDA offices and agencies. We maintain   agency to the
      flexibility to respond to requests for audit service.     a high degree of
                                                             It
      we have taken affirmative actions to keep pace with the is our view that
                                                               need to develop
      manpower and implement audit programs geared to the computerized
                                                                        environment.
      OA has performed work in all areas covered by
      example, we have been directly involved in USDAthehardware
                                                          GAO recommendations. For
                                                                  and software pro-
      curements to determine their impact on agency operations,
      program accomplishments. Additional emphasis on monitoringexpenditures and
      development as noted on page 15 of the draft report has        major ADP systems
      avoidances, (2)more effective system controls, and (3)     resulted in (1)cost
      bility of systems.                                         improved audita-

   OA, in coordination with the Offile of Automdted Data Systems
   and maintains an inventory of USCA ADP applications. This        (ADS), established
   to determine which "computer activities are in need of       inventory   is used
  which computer-based information systems support relatedaudit   coverage"  and
                                                             audit work.
  We established and aggressively implemented an ADP oriented
  for auditors. OA has hired ADP professionals and secured training program
  outside ADP contractors to augment the existing staff       the service of
                                                         as  required.
  Departmental computer centers; minicomputer and ADP terminal            We audit
  and existing application systems to maximize                    installations;
  effective use of ADP resources. Finally, we efficient,    economical, and
                                                annually review the adequacy
  of internal audit coverage of computer-based information
  appropriate resource adjustments.                          systems and make

 We substantially agree with the issues and recommendations
 There is a strong correlation between these and the actions in the report.
 to improve our ADP audit management.                         e have taken


                                              47
 APPENDIX III                                             APPENDIX III



If you have comments or questions about our response, we will be pleased
to discuss them with you or your staff.


LE !ARD'.GRE
Director
Attachment




                                   48
  APPENDIX III                                              APPFNDIX III



                 Response to Specific GAO Recommendations

 GAO Recommendation.
 "Study ADP'. impact on agency operations, expenditures, and program accom-
 plishments."
 OA Comments.
More than two years ago, the Director, Office of Audit, recognized the
importance of including this recommendation in internal audit procedures.
Since then OA has established the Financial Management and Automated Systems
Division (FM&ASD) with assigned responsibilities to initiate and coordinate
ADP audit work. FM&ASD provides guidance and technical assistance to the
audit staff in assessing ADP's impact on agency operations, expenditures,
and program accomplishments. FM&ASD initiated a program to involve OA in
major ADP hardware and suftware procurements, and USDA system development
activities. In addition to auditing the requirements analyses, economic
analyses, and workload projections, OA reviews the overall impact of the
new ADP activity.
GAO Recommendation.
"Determine the extent to which computer activities are in need of audit
coverage (both ongoing systems reviews and audits of specific aspects
such as installation of a new computer-based inventory system)."
OA Response.
Over a year ago, OA established an inventory of major USDA operational ADP
systems, an inventory of new USDA systems under development, and an inventory
of non-USDA systems funded by USDA (e.g. Automated Food Stamp Systems).
In coordination with the Office of Automated Data Systems, the Agency Senior
ADP Managers and the Agency Applications Review Boards, OA updates and
maintains these inventories. The inventories are reviewed from time to
time to determine the extent to which computer activities are in need of
audit coverage.
OA maintains a staff at the major USDA computer sites to periodically audit
 individual applications, utilization of facilities, security, etc. The
 same staff also monitors new system development activities to insure
adequacy of audit trails, testing procedures, internal controls, project
management, etc. Specifically, our audi'. team in St. Louis has assisted
 the Farmers Home Administration in the development of its Unified Manage-
ment Information System by identifying inadequate controls and suggesting
more effective mechanisms for project management. At New Orleans, our
audit team has pointed out weaknesses in the National Finance Center's
Central Accounting System testing, certifying and implementation procedures
and in overall project management and control.


                                   49
  APPENDIX III
                                                              APPENDIX TII



  Audit work is also programmed for ongoing ADP activities,
  utilization of minicomputers & terminal, ccuracy          such as
  utilization of facilities.                         of input data, and

  GAO Recommendation.
 "Determine whether available audit resources are adequate
 work and, if not, take action to obtain needed resources to perform the
 existing audit staff, (b)hiring needed talent, (c)        by (a)training
 capability, or (d)a combination of these three."    contracting for such

 OA Comments.
 OA has elected to follow option (d) in the recommendation.
 OA established a comprehensive training model to insure       Two years ago,
 receives proper ADP training. Now, 40% of OA's staff     the  audit staff
                                                        has
 ADP training and 20% advanced ADP training. OA management  received  basic
 6 senior level computer specialists and currently            has also hired
                                                    has vacancies for an
 additional computer specialist and an EDP auditor.
 contracted for outside technical services to augment In addition. we have
                                                       our staff's expertise.
 GAO Recommendation.
 "Develop and implement an approach to auditing
 will assure adequate coverage to determine that ofADPthe computer area that
 efficiently, economically and effectively."            resources are used

OA Comments.
In 1975, OA contracted with A. D. Little Company to
the USDA Washington Computer Center and prepare an perform an audit of
use in auditing the other four Departmental Computeraudit guide for OA
                                                      Centers (DCC). We
have completed audits at each center, except St. Louis,
in part, by GAO in 1976. FM&ASD schedules audits          which was audited,
                                                  of
cyclical basis, approximately 18 to 24 months apart.  each  DCC on a
                                                       OA
audited or will audit other Departmental ADP facilities.   staff has also
lease vs. purchase analyses, utilization data, workload     We evaluate
to determine "ADP resources are used efficiently,        projections, etc.,
effectively."                                     economically and

GAO Recommendation.
"Periodically review the adequacy of internal audit
                                                    coverage of computer-
based information systems and adjust resource allocations
                                                          accordingly."
OA Comments.
Every four months, FM&ASD evaluates accomplishment
                                                   and adequacy of internal
audit coverage of computer-based information systems.
                                                       As a result of this


                                     50
 APPENDIX III                                            APPENDIX III




evaluation, FM&ASD makes adjustments to work priorities and resource
allocations. Annually, FM&ASD, in coordination with Regional Managers,
other Division Directors, and the Assistant Director for Operations:
(1)performs a detailed analysis of previous accomplishments, (2)
establish!es a prioritized audit program for the coming year, and (3)re-
allocates resources for program accomplishment. However, because our
program is flexible resources can be diverted or re-allocated as
conditions warrant.




                                   51
APPENDIX III                                                  APPENDIX III




         United States Department of the Interior
                     OFFICE OF THE SECRETARY
                       WASHINGTON, D.C.    20240
                                                           JUL 2?1977

Mr. Henry Eschwege
Director, Community and
  Economic Development Division
General Accounting Office
Washington, D.C. 20548

Dear Mr. Eschwege:

We have reviewed your proposed report to the Congress entitled "Computer
Auditing in the Executive Departments:  Is Enough Being Done?"

We agree with your report's conclusions that additional efforts are needed
now by internal auditors to assure that adequate audit coverage is given
to computers and automated applications. We also agree with the report's
recommendations. However, we feel that the report is somewhat unbalanced
because it does not report on the efforts of individual internal audit
groups, such as the Department of the Interior, to develop and/or improve
their ADP audit capability. Since April 1975 we have provided introductory
training on ADP auditing to more than 50 auditors (40 percent) of our
regular audit staff. More intensive ADP audit training has been provided
to 18 auditors. We have also performed preinstallation and postinstallation
audits of ADP applications plus computer equipment acquisition audits, as
follows:
                                                                  Date of
Review                               Type of Audit                Report

Automatic Customer Accounting         System development,
  System - Earth Resource Observa-    Equipment acquisition
  tion System Data Center                                            3-15-76

Review of the Government of           System development
  American Samoa Financial
  Accounting System                                                  4-15-76

Department of the Interior            Computer application
  Denver Payroll System                                              6-21-76

Billings Area Office                  System development,
  Indian Information System           Equipment acquisition         9-21-76

Mining Enforcement Safety             Equipment acquisition          10-15-76
  Administration's ADP System


                                     52
APPENDIX III                                                   APPENDIX III




U.S. Fish and Wildlife Service's        Computer application          10-15-76
  Refuges Program Planning -
  Budgeting Evaluation System

Mining Enforcement Safety               Computer application          7-12-77
  Administration's Accident/
  Injury and Employment/
  Production Data Information
  Systems


The report also does not discuss the problems associated with developing
in-house ADP audit capability, which appears to be the approach most
Federal agencies are taking. Problem areas are:

     - Selection and/or recruitment of staff resources
     - Meeting the training requirements of the ADP auditor
     - Turnover of ADP auditors once trained

The report recommends that audit groups engage in four types of ADP audit:
(1) system design and development, (2) equipment acquisition, (3) computer
applications, and (4) ADP installation management. One other type of audit,
operational audit of ADP functional areas, should also be included. This
type of audit would include topics such as:

     -   Data entry techniyqes
     -   ADP standards
     -   ADP communications
     -   ADP project anagement, etc.

Although these topics are reviewed during the audits of ADP installation
management, agencies with several ADP centers must provide centralized
standards and guidelines because of the absence of industry standards or
criteria of performance.

We concur with the report's recommendation that internal audit groups
study ADP's impact on their agency's operations, expenlitures, and program
accomplishment. However, we believe this action, as :ecommended, would
only provide one-time data, part of which could be used to establish the
ADP audit requirement (also on a one-time basis). We suggest that an
additional recommendation be included to require agencies to maintain an
ADP resource and application inventory that provides an up-to-date
reference of an agency's ADP operations and program impact.

With regard to the recomr dation for more audits in ADP equipmenL acqui-
sition, we feel it important to point out that most ADP procurements today
take place in a goldfish bowl, observed closely by the General Services




                                   53
APPENDIX III
                                                         APPENDIX III




Administration and the Office of Management and Budget,
                                                        as well as by
Congressional staffs. We wonder if additional audits
                                                      of these functions
would provide the highest marginal payoff for the use
                                                      of these scarce
audit resources.

We appreciate the opportunity to review and comment on
                                                       your proposed
report. Your final report should be of considerable
                                                     value to us in
establishing our annual ADP audit requirements.

                                  S   rely,



                          De uty Assistant Secretary
                                 Policy, Budget and Administration




GAO note:   Page references in this appendix refer to the
            draft report and may not correspond to this
            final report.




(91310)


                                 54