When auditing EDP systems, it will be found that much reliance is placed within the system upon standard forms and documentation in general, as well as upon strict adherence to procedures laid down. This is no surprise, of course, since the ultimate constraining factor in the system is the computer's own capability, and all users are competitors for its time. It is therefore important that an audit control file be built up as part of the working papers, and the auditor should ensure that he is on the distribution list for notifications of all new procedures, documents and systems changes in general. The following should be included in the audit control file.
- Copies of all the forms which source documents might take, and details of the checks that have been carried out to ensure their accuracy.
- Details of physical control over source documents, as well as of the nature of any control totals of numbers, quantities or values, including the names of the persons keeping these controls.
- Full description of how the source documents are to be converted into input media, and the checking and control procedures.
- A detailed account of the clerical, procedural and systems development controls contained in the system (e.g. separation of programmers from operators; separation of control of assets from records relating thereto).
- The arrangements for retaining source documents and input media for suitable periods. This is of great importance, as they may be required for reconstructing stored files in the event of error or mishap.
- A detailed flow diagram of what takes place during each routine processing run.
- Details of all tapes and discs in use, including their layout, labelling, storage and retention arrangements.
- Copies of all the forms which output documents might take, and details of their subsequent sorting and checking.
- The auditor's own comments on the effectiveness of the controls.