EDP Audit to the 40th Governing Board of INTOSAI

Report of Mr. C.G. Somiah, Comptroller and Auditor General of India and Chairman of the INTOSAI Standing Committee on EDP Audit to the 40th Governing Board of INTOSAI

Mr. Chairman and Distinguished Members

1.	I have the honour to present this report on the INTOSAI Standing Committee on EDP Audit.
2.	At the 39th Governing Board of INTOSAI at Cairo in October 1994, five products of the Committee were presented for approval. These were the INTOSAI EDP Directory Information Systems Security Review Methodology Guide to Developing IT Strategies in Supreme Audit Institutions IT Audit Curriculum for INTOSAI The first issue of an Information Technology Journal called "intoIT" I had also reported that five other projects were in progress. These were the Guide on Audit of Electronic Data Interchange (EDI) and Electronic Authorisation and Access(EAA) Guide on Funding Utility of CD-ROM for dissemination of information Reference list of Material on Performance Auditing Seminar on "Future Risks and Opportunities in the field of IT Performance Auditing"
3.	Of the five completed products presented for approval, the INTOSAI EDP Directory and the INTOSAI IT Journal have been circulated to all members of INTOSAI and have received good response. The other three products, namely Information Systems Security Review Methodology, Guide to Developing IT Strategies in Supreme Audit Institutions and the IT Audit Curriculum for INTOSAI have been circulated as exposure drafts in all the INTOSAI working languages, amended based on members’ comments and are being presented in final form to the XV INCOSAI.
4.	The progress of other projects was reviewed by the Committee at its 4th Meeting in March 1995 at Stockholm.
5.	The Committee decided to defer the preparation of an IT-specific CD-ROM as it is not economically viable at present. However, Canada have agreed to add IT-related materials to their CD-ROM in English and French while UK have agreed to add IT-related materials to their CD-ROM in English. The Committee has also decided to publicise the availability of such literature through the "into IT" Journal.
6.	In my last report, I had also referred to a "Funding Guide" which was intended to assist SAIs in presenting their case to aid agencies for funding their IT effort. After reviewing an approach paper in August 1994, the Committee decided to reorient the paper to stress the importance of funding an SAI in general rather than its IT effort. In view of this broader focus, the Committee has turned over the paper to the IDI, who had suggested that they would like to publish and circulate it to SAIs and donor agencies.
7.	In order to provide an opportunity for SAIs to share their experiences, the Committee organized a seminar on "Future Risks and Opportunities in the field of IT Performance Auditing" in March 1995. 15 SAIs and the NATO Board of Auditors participated in this seminar where 16 papers were presented and discussed on four sub-themes. The Committee has compiled the papers presented by seminar participants as a booklet, adding the discussions during the seminar suitably and mailed it in July 1995 to all INTOSAI members.
8.	The Committee has also decided that its Journal "into IT" would carry an explicit permission to INTOSAI members to reproduce its contents wholly or partly either as a separate document or in their internal publications. This is to encourage the dissemination of its contents.
9.	Before I turn to the Committee’s work plan for the next three years, I would like to inform the Governing Board that I had approached the SAI of Colombia to join the Committee in order to ensure active participation from the OLACEFS group. They have joined the Committee and so the Committee now comprises 15 members. The present composition of the Committee is indicated in Annexure ‘A’ to this report.
10.	I now come to the Work Plan of the Committee till the XVI INCOSAI which was formulated at its 4th meeting at Stockholm in March 1995. The work plan of the Committee addresses three broad areas namely (i) information interchange, (ii) knowledge and skill development and (iii) development and transfer of knowledge.
11.	The Committee is expected to provide information and facilities for exchange of experiences and encourage bilateral and regional co-operation. The INTOSAI EDP Directory has already been compiled and distributed to provide information for SAIs to identify suitable partners and areas of co-operation. The INTOSAI EDP Directory will be updated in 1998, through a survey of all SAIs in 1997. The Committee is also publishing an IT Journal "intoIT" to provide, on a regular basis, a medium for disseminating information quickly to SAIs and to enable SAIs to exchange experiences and ideas. This IT Journal will be published twice every year. For more complex issues that need personal interaction, the Committee has chosen periodic seminars on specific themes as the appropriate medium for the present. A seminar on "Performance Audit of the Use of EDP" will be organized in 1988 in Sweden and the preparatory work therefor would be undertaken from 1996. Following the seminar, the Committee would publish the papers presented and a summary of the discussions and conclusions emerging therefrom.
12.	Let me now address the area of knowledge and skill development. An important goal of the Committee is to support SAIs in developing their knowledge and skills in the use and audit of IT. To support SAIs in the use of IT in their own organizations, the Committee has prepared the "Guide to Developing IT Strategies in SAIs". To facilitate the process of building the appropriate IT audit skills, the "IT Audit Curriculum for INTOSAI" has been prepared to help SAIs identify their skill and training requirements. As a logical follow-up of the IT Audit Curriculum, the Committee recognizes the importance of developing high-quality, standard training course-ware for imparting the skills identified in the Curriculum. The EDP Survey conducted by the Committee has shown that this activity is important, urgent and of relevance to the majority of SAIs. The Committee’s work plan till the XVI INCOSAI, therefore, reflects this need, and covers the following activities relating to Knowledge and Skill Development:- Training courses, including material for training the trainers, would be developed for the Level 1 and Level 2 IT audit Skills identified in the IT Audit Curriculum separately for Financial Attest Audit and Performance Audit. These course-ware would be tested for quality assurance and then made available to all the Regional Working Groups of INTOSAI for use by their members. In view of the complexity of performance audit of the use of IT, the Committee will be producing a Reference List of Materials on IT Performance Auditing by October 1996 in English which will provide an introduction to and guidance in this new field. Due to the large and growing levels of investments in IT by auditees, the significant impact that such investments have on the way the auditees do their business and the new risks that they pose, the auditor has to be concerned about auditing systems under development and security-related issues. The Committee has already developed an "Information Systems Security Review Methodology" for the guidance of SAIs. The Committee proposes to develop a Guide on "Audit of IT Systems under Development" by the XVI INCOSAI. The Research work for this will be undertaken during 1996 and 1997 and an exposure draft prepared by early 1998.
13.	The third major objective of the Committee is to support and promote development and transfer of knowledge relating to IT Audit. Advancements in Information Technology tend to be very rapid and the implementation of new technologies by auditees can affect the way audit can be done. The Committee recognizes that the production of "guidance" for SAIs may not always be the most immediate option; in frontier areas of technology, practical experiences of SAIs may be too limited to warrant the preparation of "guides". With this in mind, the Committee has decided that wherever work done or experience to date does not warrant a "guide" immediately, the Committee would opt for the following sequence: Initially, an article in "intoIT" will seek to apprise SAIs about the new developments and their potential implications. A lead paper may then prepared and circulated to SAIs for comments to gather reactions, opinions and experiences. Thirdly , a Research Study would be undertaken to prepare the foundation for a Guide. Finally a Guide would be prepared, if found feasible.
14.	In the light of this approach, the Committee plans to undertake the following activities until the XVI INCOSAI in connection with knowledge development and transfer:- Research on "EDI and the paperless audit environment": Electronic Data Interchange (EDI) may affect many SAIs sooner than anticipated due to the rapid developments in electronic connectivity and create new challenges for SAIs in auditing in a paperless environment. The Committee has, therefore, developed a research paper on "EDI and the Paperless Audit". Besides circulating the research paper to SAIs to apprise them of the implications of this new technology and to elicit their reactions and information about their experiences, the Committee is also researching the legal aspects of EDI in various countries. Depending on the outcome of its research and based on the experiences of SAIs in dealing with auditing in an EDI environment, the Committee may eventually attempt to formulate a guide on Audit of EDI. The increasing popularity of a new model of computing viz. client-server computing, may change the way businesses organize themselves. The Committee, therefore, proposes to have an article in the "intoIT" in early 1996 and probably follow it up with research during the year. This will be an exploratory project whose further course will be decided over the next couple of years. As auditees adapt new technologies like EDI to their requirements, auditors would need methods to assess their effects and analyse their effectiveness. Therefore, the Committee proposes to undertake research in the area on "Performance Audit Methods for analysing effectiveness of use of new technologies by auditees". The first draft of a research paper is proposed to be circulated to the Committee members by March 1997 for comments.
15.	For the convenience of the Governing Board, the Work Plan of the Committee is summarized in a table in Annexure ‘B’ to my Report which is already with you.
16.	My colleagues in the Committee and I thank the Chairman, Secretary General and Members of the Governing Board for their guidance, encouragement and support to the Committee.

ANNEXURE `A’

List of members of the INTOSAI Standing Committee on EDP Audit

ANNEXURE `B’

List of Members of Working Groups of INTOSAI Standing Committe on EDP Audit

Back to Reports Index

INTOSAI Working Group on IT Audit