GAO refreshes guidelines for rating computer data reliability

Revised guidance is consistent with 2007 'yellow book' Government Auditing Standards

Government audits increasingly rely on data from computers, and the Government Accountability Office has issued new guidance for determining the reliability of that data.

“Computer-processed data from outside sources are often central to audit reports,” GAO says in the guidelines. “While these data are simply another type of evidence to rely on, assessing them may require more technical effort than other types.”

The guidelines, titled “Assessing the Reliability of Computer-Processed Data,” outline evaluation methods that are consistent with the 2007 “yellow book” Government Auditing Standards, and replace previous GAO guidelines published in 2002.

The current publication focuses on the completeness and accuracy of data that has been generated by or retrieved from a computer system. As used in audits, completeness refers to the extent that relevant records are present in the data and that the fields in each record are populated appropriately, and accuracy refers to the extent that recorded data reflect the underlying information.

Examples of computer-processed data covered in the guidelines are:

  • Data extracts from databases, data warehouses, or data repositories.
  • Data maintained in Microsoft Excel spreadsheet or Microsoft Access database programs and/or similar commercial products.
  • Data extracts from enterprise software applications supported by information technology departments or contractors.
  • Public use data or other replicated detail or summary-level databases accessible through an application other than the original source system.
  • Data collected from forms and surveys on Web portals.
  • Data summarized in a report or copied from a table in a document.

“Because assessing computer-processed data requires more technical tests, it may seem that such data are subject to a higher standard of testing than other evidence,” GAO says. “This is not the case.”

The reliability of data should be analyzed if it materially supports the findings of the audit. According to Yellow Book standards, auditors should assess the sufficiency and appropriateness of this information whether it is provided to auditors or they extract it independently.

The guide gives a flexible, risk-based framework for doing these assessments that can be geared to the needs of each situation. The framework is built on making use of existing information about the data in question, conducting only the work necessary to determine whether the data are reliable enough for your purposes, maximizing professional judgment, and bringing the appropriate people, including management, to the table at key decision points.

Auditors also can take advantage of work that already has been done in assessing data, and GAO may already have related information in its reports available at on its Web site at The site also provides other information that might be useful. In conducting the annual governmentwide consolidated financial audit, GAO’s Information Technology team has reported on the effectiveness of controls for financial information systems at major agencies and relevant reports might be available there.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.