Quarterly President's Message IT and Audit Standards- Winter 2009
| IT and Audit Standards- Winter 2009 | | Print | |
| Written by Amanda Noble |
|
While idly flipping through old versions of the yellow book, I saw reference to a document I never knew existed - Additional GAO Audit Standards, Auditing Computer-Based Systems, issued in March 1979. My first thought was dismay that my collection of yellow books is incomplete. My second thought was wow; government auditing standards related to IT systems are 30 years old. Think about that. 1979 marked the beginning of Morning Edition on National Public Radio, the debut of ESPN, the release of the first Star Trek movie, and the overthrow of the Shah of Iran. Jimmy Carter and Leonid Brezhnev signed the SALT II agreement. Personal computers were just coming into use and the first PC spreadsheet, VisiCalc, was released. The Pittsburgh Pirates won the World Series. In short, this was a long time ago, yet local government auditors still find standards regarding information system controls daunting. ALGA has long provided guidance that we don't need to be IT auditors to comply with standards on information system controls. Interestingly, the first standard did seem to require IT audits as part of "government economy and efficiency audits." The standard required auditors to: Review general controls in data processing systems to determine whether the controls were designed in accordance with management direction and known legal requirements, and whether controls were operating effectively to provide for security and reliability of data being processed. Review application controls to assess the reliability of data on which the auditors were relying to ensure data were timely, accurate and complete. The standard noted that auditors should play a role in designing and developing new systems or significant modifications to existing systems when feasible, but acknowledged that audit organizations may not have the resources or staff skills to review system design and development. Most of us would find this a difficult standard to meet. The 1988 revision introduced the more familiar language of testing the reliability of evidence from computer-based systems and clarified that the extent of testing depended on audit objectives and how the data would be used. Auditors weren't required to test general and application controls unless system reliability was a primary audit objective. The 2007 revision requires auditors to obtain an understanding of information system controls sufficient to assess audit risk and plan the audit consistent with audit objectives. Auditors should evaluate the design and operating effectiveness of controls when they are significant to audit objectives. And, of course, designing or developing an information system is now explicitly recognized as a non-audit service that would impair an audit organization's independence. Advances in technology have changed how local governments and local government auditors operate. Audit standards have evolved along with the technology. We don't need to be IT auditors to meet the standard, but we do need to understand systems of control. Luckily, that's what we auditors do. Once we strip away the technical jargon, systems controls are like controls in manual processes. Both are intended to ensure that: transactions are accurate and authorized, incompatible duties are segregated, records are maintained and protected from change, and results are monitored and measured. Articles in this issue of the Local Government Auditor's Quarterly explore different approaches to auditing IT systems in performance audits.
Amanda Noble |
