Progress Report on the activities of the INTOSAI Working Group on IT Audit Chair: SAI India Comptroller and Auditor General of India1
About WGITA Comptroller and Auditor General of India2 WGITA represented by 39 members/observers as on date. Set up to provide support to member SAIs in developing their knowledge and skills in the use and audit of Information Technology. Fulfills its mission and mandate by implementing a triennial work plan. WGITA Work Plan ( ) has already been approved by the Working Group in its 22 nd meeting in April 2013 at Vilnius, Lithuania. Since XX INCOSAI held in November 2010, SAIs of Cambodia, Indonesia, Iraq and Korea have joined this Working Group as members whereas SAI of Brunei Darussalam has joined as an observer. SAIs of Netherlands, Sweden and Canada have opted to withdraw owing to other commitments in INTOSAI.
About WGITA Comptroller and Auditor General of India3 Annual meetings where members present the status of ongoing projects and discuss their progress. A triennial IT Audit seminar held in conjunction with the annual meeting, using a theme that is current and relevant to most members. Works closely with INTOSAI Development Initiative (IDI) in meeting the capacity requirements in IT audit. Held three meetings since the XX INCOSAI 2010.; – 20 th meeting in Sun City in April 2011 – 21 st meeting in Kuala Lumpur in January 2012 – 22 nd meeting in Vilnius in April 2013
Activities of the WGITA Comptroller and Auditor General of India4 Main activities grouped under three main categories; (i) Information interchange, (ii) Knowledge and skill development, and (iii) Development and transfer of knowledge.
Information Interchange Main platforms for information interchange are; – Journal ‘intoIT’, – Working Group website ( andwww.intosaiitaudit.org – The Triennial Performance Auditing Seminars. National Audit Department of Malaysia hosts the website and publication of ‘intoIT’ Journal
Knowledge and Skill Development Cooperating with IDI and AFROSAI-E to support SAIs in that region to strengthen their capacity in the area of IT auditing The output of this cooperation is a programme on IT Audit that covers both technical and auditing areas and focuses on the SAI staff engaged in carrying out such audits.
Development and transfer of knowledge Comptroller and Auditor General of India7 Successfully undertook the following five research projects related to its Work Plan for the period : Project 1: Key Performance Indicators Methodology for auditing IT Programmes (Project Leader: SAI-China; Members: SAIs of Bhutan, Japan, Kuwait, Poland, Russia and USA) The project group prepared guidelines on Key Performance Indicators methodology for auditing IT programmes. The guidelines would be available for use by the entire INTOSAI community on approval in the XXI INCOSAI.
Development and transfer of knowledge Comptroller and Auditor General of India8 Project 2: IT Audit planning and detailed audit procedures to review IT controls (Project Leader: SAI-South Africa; Members: SAIs of Bangladesh, Bhutan, Sri Lanka and Tunisia) The project group has mapped the iSACA guidelines with ISSAIs and is expected to provide the guidance document on IT Audit Planning. This guidance used by IDI in designing their courseware for capacity building programme in IT Audit in AFROSAI-E region. The Working Group and IDI, in a joint effort, has also elaborated on this courseware and has prepared a comprehensive IT audit guidance in the form of a handbook. The IT Audit Handbook would be presented before XXI INCOSAI for approval.
Development and transfer of knowledge Comptroller and Auditor General of India9 Project 3: Optimising IT value in Government Organisations (Project Leader: SAI-Canada; Members: SAIs of Brazil, Norway, Poland, Sweden and United Kingdom) The project objective was to research and share best audit practices in the area of achieving the best value from IT investments. As IT investments bring both value and risk, the various challenges faced by Government departments and IT auditors were looked into. Six sub-projects were undertaken for the preparation of the project report. The group has collected useful reference material which would be hosted on the website and hyperlinked to source documents.
Development and transfer of knowledge Comptroller and Auditor General of India10 Project 4: Green IT (Project Leader: SAI-Norway; Members: SAIs of Austria, Canada, India and Sweden) The project describes Green IT and provides SAIs with a set of audit approaches to keep a focus on environmental aspects in auditing IT systems to motivate governments to ensure an environmental approach to IT investments and use of IT-tools. The outcomes of the project include the production of a list of important questions to ask and areas to cover when auditing IT.
Development and transfer of knowledge Comptroller and Auditor General of India11 Project 5: Cloud Computing and Virtualisation (Project Leader: SAI of the United States of America; Members: SAIs of Australia, Canada, India, Norway, Sweden, Turkey and United Arab Emirates) The project defines cloud computing and describes its advantages like providing shared services as opposed to local servers or storage resources, enabling access to information from most web-enabled hardware and cost savings on reduced facility, hardware/software investments and support. The project team had prepared a draft guide and handbook on Cloud Computing which has been incorporated in the detailed IT Audit handbook prepared by WGITA in collaboration with IDI.
Draft Work Plan ( ) Comptroller and Auditor General of India12 Based on the IT survey and discussions in the 22 nd meeting of the Working Group on IT Audit at Vilnius, Lithuania in April 2013, the following four projects have been identified by the Working Group for the next Work Plan (i.e ): # Name of the projectProject Leader Project Members 1.IT GovernanceBrazilUSA, Kuwait, Kiribati, Lithuania, Malaysia, South Africa, India 2.Data Mining as a Tool in Fraud InvestigationSouth AfricaUSA, Korea, Kuwait, India, China 3.Development of Standards for State Information Systems and Project Audit Russian Federation South Africa, USA, Poland, Slovakia, Japan, India 4.Development of Data Interface Standard for Accounting Software ChinaSouth Africa, Kiribati, USA, Malaysia, Indonesia, India, Poland 5.Development of ISSAI-5300 on ‘Guidelines on IT Audits’ and updating ISSAI 5310 on Information Systems’ Security Audit IndiaIndonesia, Poland, USA, South Africa, Japan, Brazil and Norway
Draft Work Plan ( ) Comptroller and Auditor General of India13 Above projects due for completion before XXII INCOSAI in 2016 in UAE. The ISSAI 5310 on Information Systems’ Security Audit was due for review in Hence, review taken up by the Working Group, for endorsement in the XXI INCOSAI. A project on development of an overarching ISSAI-5300 covering the general principles, approach and methodology of IT Audit also taken up. ISSAI 5300 to provide a natural succession to more specialised standards such as ISSAI-5310 on Audit of security of Information Systems and other areas of IT Audit.
Draft Work Plan ( ) Comptroller and Auditor General of India14 ISSAI-5300 would thus significantly impact the framing of all subsidiary ISSAIs, including ISSAI New drafting conventions for ISSAIs and audit guidelines recently circulated by PSC. The introduction of these conventions necessitate substantial re-drafting of the existing ISSAI In view of these developments, the updated version of ISSAI 5310 to be ready only by the XXII INCOSAI in 2016.
Proposal for approval of KSC Steering Committee WGITA requests approval of the following two documents: 1.WGITA-IDI IT Audit Handbook 2.Key Performance Indicators methodology for auditing IT systems
THANK YOU Comptroller and Auditor General of India16