Risk/threat based analysis auditing in advanced management information systems.
Degree Grantor: University of Canterbury
Degree Name: Doctor of Philosophy
This dissertation discusses the growth of auditing and internal control and evaluates the present degree of knowledge and the current and future roles of auditors in a computer-based environment. An analysis of the current state of computer-based auditing is presented, and current research in audit and security methodologies is presented and critiqued. The concept of System Metrics is formulated and defined, and a computer-audit analysis system called the Risk Evaluation Model (REM) is created, described and utilized. The Risk Evaluation Model is an interactive set of programs written in FORTRAN which assesses Information Systems for a variety of attributes to judge the "quality" of a system. Currently the system assesses: 1. Portability of the System; 2. Maintainability of the System; 3. Complexity of the System; 4. Known threats to the System and known Features neutralizing those threats; 5. The General System Security Level; and 6. The Hardware Reliability of the System. The model is currently implemented on the Prime 750 computer.