Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Guide to Auditing for Controls and Security: A System Development Life Cycle Approach



Zella G. Ruthberg, Bonnie T. Fisher, William E. Perry, John W. Lainhart, James G. Cox, Mark Gillen, Douglas B. Hunt


This guide addresses auditing the system development life cycle (SDLC) process for an automated information system (AIS), to ensure that controls and security are designed and built into the system. The guide also presents a process for deciding which system to audit among an organization's universe of systems. It is directed toward mid-level ADP auditors having a minimum of two years experience in ADP auditing, but can also be used by security reviewers, quality assurance personnel, and as a training tool for less experienced ADP auditors. ADP managers and system developers will also find it useful guidance on security and control issues. The guide is designed to provide audit/review programs for each major phase of the SDLC process and assumes a large sensitive system. The reader is expected to make appropriate modifications for small less sensitive systems. The guide represents the results of the past four years of activities by the Electronic Data Processing (EDP) Systems Review and Security Work Group of the Computer Security Project within the President's Council on Integrity and Efficiency (PCIE).
Special Publication (NIST SP) - 500-153
Report Number


audit, computer security, SDLC, system development life cycle


Ruthberg, Z. , Fisher, B. , Perry, W. , Lainhart, J. , Cox, J. , Gillen, M. and Hunt, D. (1988), Guide to Auditing for Controls and Security: A System Development Life Cycle Approach, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed March 3, 2024)
Created April 1, 1988, Updated November 10, 2018