THE NATIONAL BUREAU OF STANDARDS, WITH THE SUPPORT OF THE U.S. ACCOUNTING OFFICE, SPONSORED AN INVITATIONAL WORKSHOP ENTITLED 'AUDIT AND EVALUATION OF COMPUTER SECURITY,' HELD IN MIAMI BEACH, FLA., ON MARCH 22-24, 1977. LEADING EXPERTS IN THE AUDIT AND COMPUTER COMMUNITIES WERE INVITED TO DISCUSS THE SUBJECT IN ONE OF TEN SESSIONS, EACH OF WHICH CONSIDERED A DIFFERENT ASPECT OF THE THEME. THE SESSION ON INTERNAL AUDIT STANDARDS DEFINED THE LARGER SUBJECT OF INTERNAL AUDIT OF A COMPUTER SYSTEM, AND THEN DEFINED COMPUTER SECURITY AUDIT. THE QUALIFICATIONS AND TRAINING SESSION DREW UP AN OUTLINE OF THE BROAD BODY OF KNOWLEDGE NEEDED TO PERFORM A COMPUTER SECURITY AUDIT. THE GROUP CONSIDERING SECURITY ADMINISTRATION DISCUSSED THE LEGAL BASIS FOR ESTABLISHING A SECURITY ADMINISTRATION FUNCTION IN A FEDERAL ORGANIZATION AND DEFINED THE SECURITY ADMINISTRATION FUNCTION. FOUR CONCEPTUAL MODULES FOR THE DEVELOPMENT OF AN OPEN-ENDED STRUCTURED MODEL OF COMPUTER SECURITY AUDIT WERE IDENTIFIED IN THE SESSION ENTITLED 'AUDIT CONSIDERATIONS IN VARIOUS SYSTEM ENVIRONMENTS.' THE SESSION ON ADMINISTRATIVE AND PHYSICAL CONTROLS ESTABLISHED THE THESIS THAT THE CONCERNS OF DATA SECURITY AND THE RESPONSIBILITIES OF THE AUDITOR ARE COMPLEMENTARY, SINCE BOTH DEAL WITH THE PROTECTION OF RESOURCES WITHIN THE DATA PROCESSING MISSION. SUGGESTIONS FOR THE AUDITOR ARE ALSO INCLUDED. THE 'PROGRAM INTEGRITY' SESSION EMPHASIZES THAT PROGRAM INTEGRITY MUST BE CONSIDERED OVER THE ENTIRE LIFE CYCLE OF THE PROGRAM. SAFEGUARDS HAVING A DIRECT BEARING ON DATA INTEGRITY AUDIT WERE DISCUSSED IN THE 'DATA INTEGRITY' GROUP. REPORTS ARE ALSO INCLUDED FOR SESSIONS DEALING WITH COMMUNICATIONS, POSTPROCESSING AUDIT TOOLS AND TECHNIQUES, AND INTERACTIVE AUDIT TOOLS AND TECHNIQUES. (RCB)