Report of Mr.C.G.Somiah, Comptroller and Auditor General of India and Chairman of the INTOSAI Standing Committee on EDP Audit to the XV INCOSAI

Mr. Chairman and distinguished colleagues

1. I have the honour to present this report on the INTOSAI Standing Committee on EDP Audit.
2. The Committee was constituted pursuant to a decision at the XIII INCOSAI in Berlin in June 1989. The Comptroller and Auditor General of India was appointed the Chairman of the Committee, which initially consisted of 11 other SAIs representing different levels of EDP expertise. Subsequently, three more SAIs (Cuba Russian Federation and Colombia) were added to the Committee. The present composition of the Committee is enclosed in Annexure `A’ to this report.
3. The terms of reference for the Committee approved in October 1992, envisage that the Committee would support SAIs in developing their knowledge and skills in the use and audit of information technology by providing information and facilities for exchange of experiences, and encouraging bilateral and regional cooperation.
4. At the inaugural meeting of the Committee in October 1992 at Washington, the work plan for the Standing Committee was discussed and three working groups were formed, for each of the three areas of operation of the Committee, namely
  1. Auditing of EDP based accounting systems and EDP support in auditing,
  2. Performance auditing of the use of EDP systems,
  3. The use of EDP in the SAI’s own administration.

Canada, Sweden and the United Kingdom were nominated as the convenors of these working groups.

5. The Committee has met four times so far at Washington, Ottawa, New Delhi and Stockholm to consider the action plans prepared by the working groups, identify projects , establish priorities and develop work plans for each project. Five products have so far been completed. An INTOSAI EDP Directory has been compiled and circulated to enable SAIs to identify suitable partners and areas of cooperation. The first two issues of an IT Journal have also been circulated to all members of INTOSAI and have received good response. The other three products, namely Information Systems Security Review Methodology, Guide to Developing IT Strategies in Supreme Audit Institutions and the IT Audit Curriculum for INTOSAI have been circulated as exposure drafts in all the INTOSAI working languages, amended based on members’ comments and are presented in final form to the XV INCOSAI.
6. There are other projects that are in progress. In order to provide an opportunity for SAIs to share their experiences, the Committee organized a seminar on "Future Risks and Opportunities in the field of IT Performance Auditing" in March 1995. The Committee has also compiled and circulated the seminar output to all INTOSAI members.
7. The committee had also prepared a "Funding Guide" which was intended to assist SAIs in presenting their case to aid agencies for funding their IT effort. The Committee has now turned over the paper to the IDI, who had suggested that they would like to publish and circulate it to SAIs and donor agencies.
8. I now come to the Work Plan of the Committee till the XVI INCOSAI which was formulated at its 4th meeting at Stockholm in March 1995. The work plan of the Committee addresses three broad areas namely (i) information interchange, (ii) knowledge and skill development and (iii) development and transfer of knowledge.
9. In the area of information interchange, the INTOSAI EDP Directory which has already been compiled and distributed to provide information for SAIs to identify suitable partners and ares of co-operation, will be updated in 1998. The IT Journal published by the Committee to provide a medium for disseminating information to SAIs and to enable SAIs to exchange experiences and ideas will be published twice every year. For more complex issues that need personal interaction, the Committee has chosen periodic seminars on specific themes as the appropriate medium for the present. A seminar on "Performance Audit of the Use of EDP" will be organized in 1988 in Sweden.
10. Let me now address the area of knowledge and skill development. To support SAIs in the use of IT in their own organizations, the Committee has prepared the "Guide to Developing IT Strategies in SAIs". To facilitate the process of building the appropriate IT audit skills, the "IT Audit Curriculum for INTOSAI" has been prepared to help SAIs identify their skill and training requirements. As a logical follow-up of the IT Audit Curriculum, the Committee recognizes the importance of developing standard training course-ware for imparting the skills identified in the Curriculum. Therefore the Committee’s work plan till the XVI INCOSAI covers the following activities :
  • Training courses would be developed for the Level 1 and Level 2 IT audit Skills identified in the IT Audit Curriculum separately for Financial Attest Audit and Performance Audit.
  • The Committee will be producing a Reference List of Materials on IT Performance Auditing by October 1996 in English which will provide an introduction to and guidance in this new field.
  • Due to the large and growing levels of investments in IT by auditees, and the new risks that they pose, the auditor has to be concerned about auditing systems under development and security-related issues. The Committee proposes to develop a Guide on "Audit of IT Systems under Development" by the XVI INCOSAI.
11. The third major objective of the Committee is to support and promote development and transfer of knowledge relating to IT Audit. In this connection, the Committee plans to undertake the following activities until the XVI INCOSAI :
  • Electronic Data Interchange (EDI) may affect many SAIs sooner than anticipated due to the rapid developments in electronic connectivity. The Committee has, therefore, developed a research paper on "EDI and the Paperless Audit". The Committee is also researching the legal aspects of EDI in various countries. Depending on the outcome of its research and based on the experiences of SAIs in dealing with auditing in an EDI environment, the Committee may eventually attempt to formulate a guide on Audit of EDI.
  • The Committee, proposes to undertake an exploratory project relating to auditing in a client server environment which is a new model of computing that may change the way businesses organize themselves.
  • The Committee proposes to undertake research in the area on "Performance Audit Methods for analysing effectiveness of use of new technologies by auditees". The first draft of a research paper is proposed to be circulated to the Committee members by March 1997 for comments.
12. My colleagues in the Committee and I thank the Chairman and all distinguished colleagues for their guidance, encouragement and support to the Committee.


ANNEXURE `A’

List of members of the INTOSAI Standing Committee on EDP Audit


ANNEXURE `B’

List of Members of Working Groups of INTOSAI Standing Committe on EDP Audit

 

Back to Reports Index