The Peer Review Committee has received several inquiries regarding computer-processed data. Should computer processed data be validated? How much testing should the auditor perform? What type of testing should be performed? What are peer reviewers looking for when assessing compliance relating to computer-processed data?

The answer to all of these questions except the last is a very unsatisfying “It Depends”. It depends on the scope of the audit, it depends on the audit objectives, it depends on the auditor’s findings, it depends on how the data is used by the auditor, it depends on the source of the data, it depends on the effectiveness of the controls over the system that produced the data, it depends . . . . .

The answer to “What are peer reviewers looking for when assessing compliance relating to computer processed data?” is easy. Peer review teams look for policies and internal controls addressing GAS requirements, and then they look for documentation that the policies and internal controls were effectively carried out during the review period.

Whether computer-processed data has been adequately validated is ultimately a matter of professional judgment and, obviously, there is a great deal of room for differences in professional judgment on this topic. A peer review is not about questioning professional judgment. A peer review is about assessing processes. That is, verifying that an appropriate internal quality control system is in place and that adherence to established policies and procedures was appropriately documented. (See GAS 3.51) These are the key elements in demonstrating to peer review teams an audit organization’s compliance with GAS requirements relating to computer-processed data.