Audit & Best Practice Guides
Updated: Thursday October 02, 2008
Index
Alberta - Auditor General
Austria - Auditor General
Australia - Australian National Audit Office
Delaware - Office of Auditor of Accounts
Denmark - Rigsrevisionen
Germany - Bundesrechnungshof
India - Office of the Comptroller and Auditor General
Kentucky - The Auditor of Public Accounts
Minnesota - Office of the Legislative Auditor
New South Wales - Audit Office of New South Wales
Northern Territory - Northern Territory Auditor General's Office
Puerto Rico - Oficina del Contralor
Queensland - Queensland Audit Office
United Kingdom - Audit Commission
United Kingdom - UK National Audit Office
United States of America - Government Accountability Office
Virginia - Auditor of Public Accounts
Alberta
Auditor General of Alberta
|
Title |
Use |
|
Auditing for the Public (.pdf, 2MB) |
The authority and value of the legislative audit derive entirely from the fact that the auditor in expressing an opinion does so independently: "Since the time of Aristotle it has been accepted principle that state auditors should be free from direction, influence and intimidation by, and income or reward from, the authorities and persons whose affairs they are called upon to audit. No state auditor, or at any rate no chief state auditor, can afford to be without independence; he needs it as a judge needs it, in order to be impartial and fearless in criticism. He also needs it in order to be able to publicise his criticism in an open report." The title of this short volume says it all. |
|
Surviving the Annual Audit (.pdf, 23KB) |
Practical advice for a successful and stress-free financial statement and performance measures audit. |
|
Improving Communication Between You and the Auditors (.pdf, 21KB) |
Tips for ministries on audits of performance measures and on Section 7500* reviews of annual reports |
|
Best Practices in Preparing an Integrated Results Analysis (.pdf, 26KB) |
Good annual reports communicate reliable and relevant information about an organization’s performance. They allow readers to relate and compare financial and non-financial performance over time and assess whether an organization has met its goals. Guidelines for Government Organizations |
|
Client Satisfaction Surveys (.pdf, 2MB) |
If client satisfaction surveys are to provide accurate and useful information they must be properly conducted. Surveys must meet several key criteria if government organizations are to realize the maximum benefit from the investment in gathering survey information. |
Austria
Austrian Court of Audit
|
Title |
Use |
|
Success in Information Technology Projects (.pdf, 388KB) |
This paper outlines the Austrian Court of Audit's experience in IT audit, resulting in brief guidance on running better IT projects. |
Australia
Australian National Audit Office
|
Title |
Use |
|
Internet Delivery Decisions (.pdf, 630 KB)
|
This Better Practice Guide contains various components to help managers make decisions about how best to use the Internet. |
|
Business Continuity Management - Keeping the wheels in motion (.pdf, 2MB) |
This Guide presents a structured approach to business continuity management. The approach involves identifying preventative treatments for continuity risks that can be routinely managed, and developing an organisation-wide business continuity plan to deal with the consequences should the preventative treatments fail. |
Denmark
Rigsrevisionen
|
Title |
Use |
|
This paper briefly outlines how the National Audit Office of Denmark has integrated the use of IT tools in the audit products. The following subjects are considered in the paper: the IT products and their use (IDEA, NT auditor etc.), statistical sampling, analysis of accounting information, audit of general IT controls, IT tools for benchmarking, access to data, process audit and lessons learned. |
|
|
This article deals with the problems associated with that part of the planning phase in which the audit approach and audit methodology are decided. This part of the planning is crucial in relation to the selected subjects. The identification of an area or a subject as material and/or risky is insufficient in itself if the subsequent planning phase does not result in the choice of a relevant audit approach that generates the information that is of importance to the decision-maker. To get this information created it is crucial to choose correct methods and techniques. |
|
|
The NAO has documented the results of its performance audit examinations during the past 4 years. This paper describes the methodology used and discusses the problems in relation to this documentation. |
|
|
This article sets out the lessons the NAO has learned in applying good governance as part of the performance audit. Furthermore, the article presents perspectives for this kind of examination in future years. |
Delaware
|
Title |
Use |
|
(.pdf, 223KB) March 2000 |
More than ever, taxpayers are demanding that government resources be used efficiently, economically and effectively. Government employees entrusted with public resources are responsible for safeguarding assets, complying with laws and regulations, and meeting goals and objectives. An adequate system of internal controls can assist government employees to carry out these responsibilities. Traditionally, internal control applied only to accounting activities. Today, internal control affects virtually every aspect of an organization's operations. |
|
(.pdf, 172KB) March 2000 |
Examples of control objectives, potential errors and control activities for related agency cycles. |
Germany
The Bundesrechnungshof
|
Title |
Use |
|
Guidelines for Outsourcing Information & Communications Technology |
These guidelines for auditing the outsourcing of ICT functions are published by Germany’s 16 state courts of audit in response to recent developments in government operations. The critical importance of ICT in the delivery of quality government services prompts a uniform approach by external audit bodies to the complex field of outsourcing. Outsourcing ICT is not without risk, and is still to some extent a new field of government activity. These guidelines aim to provide practical suggestions for adopting a new approach to designing and implementing ICT audits. |
India
Office of the Comptroller and Auditor General
|
Title |
Use |
|
Information Technology Audit: General Principles. (IT Audit Monograph Series # 1)
|
Controls in a computer information system reflect the policies, procedures, practices and organisational structures designed to provide reasonable assurance that objectives will be achieved. The controls in a computer system ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations... |
|
Planning questionnaire to be completed prior to an IT Application audit. |
Kentucky
The Auditor of Public Accounts
|
Title |
Use |
|
(See also IT Resource page) |
This checklist provides an authorized information technology auditor information and tools helpful in performing a basic study of a host computer in order to identify enticements (conditions that would entice a potential intruder to probe further) and vulnerabilities (anything which could provide an unauthorized intruder access.) This information is also intended for network administrators who want to better secure the hosts and networks for which they are responsible. |
Minnesota
Office of The Legislative Auditor
|
Title |
Use |
Local E-Government - April, 2002: Summary (.pdf, 186KB), Full Report (.pdf, 3.5MB) |
E-government is information or services provided on-line by local governments to individuals using the Internet and Web sites. It ranges from simple Web sites conveying only basic information to very complex sites that transform the customary ways of delivering local services. Because successful e-government requires ongoing resources, local governments need to weigh the potential costs against likely benefits before implementing it. This report identifies best practices for local governments, including cities, counties, and school districts, that deliver e-government services to citizens via the Internet. |
Managing Local Government Computer Systems - April, 2002: Summary (.pdf, 350 KB), Full Report (.pdf, 2.4 MB) |
Local governments may manage their computer systems in-house, by outside vendors, by an intergovernmental computer collaboration, or by a combination of these three approaches. This report recommends that counties, cities, and school districts adopt certain best practices as they consider how they want to manage their computer systems. It discusses best practices for managing computer systems for local governments, including reliance on vendors, intergovernmental collaborations, and/or in-house staff. |
New South Wales
Audit Office of New South Wales
|
Title |
Use |
|
Intellectual Property - Better Practice Guide (Oct 2001, .pdf, 1600KB)
|
The guide contains checklists for better practice. It aims to assist agencies developing policies and procedures to manage Intellectual Property more efficiently and effectively. |
|
E-government readiness assessment guide (Sept 2001) |
This guide draws from the research assembled in the performance audit, "e-government - Use of the Internet and related technologies to improve public sector performance" (above). It addresses issues at the agency level, in a self-help guide format. |
Puerto Rico
Oficina del Contralor
|
Report |
Summary |
|
Las Mejores Prácticas para la Adquisición y Utilización de la Tecnología de la Información (Best Practices for the Acquisition and Utilisation of Information Technology) |
(Acquisition Process) (Pre-Implementation Process) (Implementation Process) (Post-Implementation Process) (Usage and Security Process)
|
|
Diez Principios Para Lograr Una Administración Pública De Excelencia (Ten Principles To Achieve Excellence In Public Administration) |
Responsabilidad de la gerencia (Management responsibility) |
United Kingdom
Audit Commission
|
Title |
Use |
|
(.pdf, 84KB) |
We sought views on why some projects are sustained and others close. These projects can be grouped under four headings: operating environment, partnerships, communities and project management. In this article we draw on these views to develop a "project survival tool kit" aimed at helping those projects that require public money if they are to continue to meet local needs. |
United Kingdom
|
Title |
Use |
|
Audit Briefing - Electronic Records Management (.doc, 376KB) |
A short paper designed to raise auditors' awareness of the "authenticity" issues surrounding the use of electronic audit evidence. |
|
Audit Briefing - Firewalls (.doc, 265KB) |
A short paper designed to raise auditors' awareness of the purpose and operation of firewalls. |
|
Audit Briefing - WLANs (.pdf, 295KB) |
A short paper designed to raise auditors' awareness of WLAN technology. |
|
Review of Information Systems - Workbook (.pdf, 300KB) |
Explanation to accompany the following checklist. |
|
Review of Information Systems - Checklist (.pdf, 98KB) |
Checklist covering system operation activities in the following areas: change & configuration management; operation and maintenance; information security management. |
|
Summary of control objectives - Change & Configuration Management (.pdf, 114KB) |
Analysis of common risks, control strategies, and suggested topics for discussion with the audit client. |
|
Summary of control objectives - Computer Operations (.pdf, 122KB) |
Analysis of common risks, control strategies, and suggested topics for discussion with the audit client. |
|
Summary of control objectives - Information Security Management (.pdf, 128KB) |
Analysis of common risks, control strategies, and suggested topics for discussion with the audit client. |
|
Review of System Development - Overview (.pdf, 150KB) |
A brief overview for external auditors of the system development process |
|
Review of System Development - Checklist (.pdf, 170KB) |
A checklist for external auditors on system development. |
|
IT audit training course material AP4 course notes (.zip, 2.7MB) Misc. course notes (.zip, 1.9MB) |
Training notes and support material on various IT-related topics, including programme and project management, e-business, quality management and business continuity management. Although no longer in use, this material may provide a useful basis for further development. |
|
Software available for 'value for money' examinations (.pdf, 1.8MB) |
This leaflet provides summary information on the software that we currently hold together with key points on its value to vfm work. The software is divided into six main groups: Planning, Surveys, Data Analysis and Modelling, Text Analysis, Charting, and Presentation. |
|
Collecting, analysing, and presenting data: how software can help (.pdf, 340KB) |
A key feature of good quality value for money reports is a comprehensive analysis of data. Software can assist in a number of ways. |
United States of America
Government Accountability Office
|
Title |
Use |
|
Assessing The Reliability of Computer Processed Data (.pdf 181KB, Oct 2002)
|
This guidance is intended to demystify the assessment of computer processed data. It supplements GAO’s "Yellow Book" (Government Auditing Standards, 1994 Revision), which defines the generally accepted government auditing standards (GAGAS), and replaces the earlier GAO guidance, Assessing the Reliability of Computer-Processed Data (GAO/OP-8.1.3, Sept. 1990). |
|
Federal Information System Controls Audit Manual: Volume I Financial Statement Audits. AIMD-12.19.6, (.pdf, 2.3MB) June 2001. Download appendices 1-4, 10 that allow users to enter data to support the gathering and analysis of audit evidence. (.zip, 75KB)
|
Federal agencies, the Congress, and the public rely on computer-based information systems to carry out agency programs, manage federal resources, and report program costs and benefits. The methodology outlined in this manual provides guidance to auditors in evaluating internal controls over the integrity, confidentiality, and availability of data maintained in these systems. The manual is primarily designed for evaluations of general and application controls over financial information systems that support agency business operations. However, it could also be used when evaluating the general and application controls over computer-processed data from agency program information systems, as called for in Government Auditing Standards. |
|
Electronic Law Enforcement: Introduction to Investigations in an Electronic Environment GAO-01-121G. .html, February 2001. |
The Office of Special Investigations (OSI) is a specialized unit within GAO created to meet the Congress' need for quick, focused responses to questions and issues of criminal activity, fraud, and abuse. Staffed with senior criminal investigators, its primary mission is to identify and investigate potential fraud, criminal misconduct, and serious wrongdoing involving federal funds, programs, and activities. OSI has two special publications created as a service to the investigative and law enforcement communities: Investigators' Guide to Sources of Information (GAO/OSI-97-2) and Electronic Law Enforcement: Introduction to Investigations in an Electronic Environment (GAO-01-121G) |
|
Executive Guide: Maximizing the Success of Chief Information Officers: Learning from Leading Organizations GAO-01-376G, February 2001 |
This guide is intended to assist federal agencies in maximizing the success of chief information officers (CIO). Principles and practices gleaned from the case studies presented in this guide offer concrete suggestions on what agency executives can do to ensure the effectiveness of their CIO organizations. |
| Executive Guide: Creating Value Through World-Class Financial Management. GAO/AIMD-00-134. April 2000. |
This executive guide is intended to assist federal agencies in achieving the objectives of the Chief Financial Officers (CFO) Act of 1990 and subsequent related legislation by providing case studies of 11 practices critical for establishing and maintaining sound financial operations. |
| Core Financial System Checklist: Checklist for Reviewing Systems Under the Federal Financial Management Improvement Act |
This checklist assists agencies in implementing and monitoring their core systems, and management and auditors in reviewing agency core systems to determine if they substantially comply with the Federal Financial Management Improvement Act. AIMD-00-21.2.2, February 2000. |
| Information Security Risk Assessment: Practices of Leading Organizations. GAO/AIMD-00-33 November, 1999 |
This guide is intended to help federal managers implement an ongoing information security risk assessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessment practices. |
| Executive Guide: Leading Practices in Capital Decision-Making. GAO/AIMD-99-32. December 1998. |
This executive guide summarizes 12 fundamental practices that have been successfully implemented by organizations recognized for their outstanding capital decision-making practices. It also provides examples of leading practices from which the federal government may be able to draw lessons and ideas. |
| Executive Guide: Measuring Performance and Demonstrating Results of Information Technology Investments. GAO/AIMD-98-89. March 1998. |
By using comprehensive performance information, more informed decisions can be made about IT investments at a time when resources are limited and public demands for better government service are high. |
|
Executive Guide: Information Security Management: Learning From Leading Organizations GAO/AIMD-98-68. (.pdf, 239KB) May, 1998. |
Increased computer interconnectivity and the popularity of the Internet are offering organizations of all types unprecedented opportunities to improve operations by reducing paper processing, cutting costs, and sharing information. However, the success of many of these efforts depends, in part, on an organization's ability to protect the integrity, confidentiality, and availability of the data and systems it relies on. |
|
Business Process Re-engineering Guide. AIMD-10.1.15 April 1997. |
This guide is designed to help auditors review business process re-engineering projects in a federal setting, determine the soundness of these efforts, and identify actions needed to improve the prospects for their success. |
| Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (Exposure Draft). AIMD-10.1.23 |
Guidance that provides a method for evaluating and assessing how well a federal agency is selecting and managing its IT resources and identifies specific areas where improvements can be made. |
| Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology. AIMD-94-115. May 1, 1994. 48 pp. |
Federal agencies have not kept pace with evolving management practices and skills necessary to define critical information needs, and select, apply and control changing information technologies. This report focuses on what agencies can do now to improve performance by using new approaches to managing information and related technologies. It summarizes 11 fundamental practices that led to performance improvements, both short- and long-term, in leading private and public organizations. |
Virginia
Auditor of Public Accounts
|
Title |
Use |
|
This section of the Auditor of Public Accounts website provides guidance on what constitutes strong information security policy development, implementation, and maintenance: |
