XV INTERNATIONAL CONGRESS OF SUPREME AUDIT INSTITUTIONS
Cairo, Egypt: September-October 1995
| Theme II | Improving Government Financial Management Through INTOSAI's Standing Committees |
| Sub-theme IIE | EDP Audit |
| Theme Chair: | Uruguay |
| Vice-Chair: | Russian Federation |
| Rapporteur: | India |
| Group Rapporteurs: | Barbados and Kuwait |
| Group Moderators: | Zimbabwe and Sweden |
| Group Technical Liaison Officers | Egypt |
The overall objective of this subtheme is to provide the INTOSAI Standing Committee on EDP
Audit with an opportunity to consult with Supreme Audit Institutions (SAIs). The
consultation will help the Committee to adopt a work plan till the next INCOSAI and
develop products that SAIs will find useful in harnessing Information Technology (IT) for
their varied needs and in fulfilling their mandates.
Discussions during this subtheme will deal with (i) documents already finalised by the Committee for the guidance of SAIs, and (ii) the Committee's work plan till the XVI INCOSAI.
BACKGROUND
The increasing awareness of SAIs regarding the importance of developing knowledge and skills for effective EDP audit and using EDP in SAIs found expression during the XIII INCOSAI in 1989 in the decision to form a Standing Committee on EDP Audit, comprising members with and without EDP knowledge. The Committee was accordingly constituted under the Chairmanship of SAI-India with Austria, Barbados, Canada, Cuba, Ecuador, France, Kiribati, Japan, Kuwait, Russian Federation, Sweden, United Kingdom and Zimbabwe as members.
The Committee has been formed to support SAIs in developing their knowledge and skills in the use and audit of Information Technology (IT). The Committee is expected to (i) provide information and facilities for exchange of experiences, and (ii) encourage bilateral and regional co-operation.
AREAS OF OPERATION:
The Committee's main areas of operation are covered through three Working Groups:
| Group I: | "Auditing of EDP-based accounting systems and EDP support in auditing" |
| Group II: | "Performance audit of the use of EDP systems" |
| Group III: | "The use of EDP in the SAI's own administration" |
Group I's focus is on audits that involve expression of opinion on financial statements, and the use of technology to make audits more cost-effective. Group II's focus is on the use, management and effects of IT. These two Groups' interventions are expected to be in developing and disseminating guidelines for EDP audit, sponsoring symposia and conferences, reviewing and compiling all relevant written documentation built up from SAIs and other public databases, providing training and other support services like deployment of experts, evaluating available software packages, and sponsoring research and development of new packages.
Group III's focus is on the use of IT in the SAI's administration. Broadly, the areas covered are:
a. Personal Computing (word processing, spreadsheet & graphics).
b. Office Management (accounting, payroll, inventory).
c. Data Management (filing, text retrieval).
d. Business Management (audit planning, monitoring, project management).
e. Office Communications (networks, e-mail, fax).
The Group's interventions are expected to be in providing training, providing guidance involving publication of articles/case studies regarding strategies for computerisation, and providing support services by developing guidelines for funding of projects and deployment of experts to set up the EDP function.
PROJECTS TAKEN UP
After prioritising the projects identified, the Committee has completed the development of five products.
I. Continuing Products
a. Information Technology Journal: In order to keep SAIs abreast of current developments in the use of IT in audit bodies, the Committee decided to produce an Information Technology Journal (called "intoIT") in English twice each year. The Journal is intended to be an important vehicle of communication regarding the Committee's work and products. The first two issues have been completed and mailed in 1995. The first issue featured articles on one SAI's IT strategy and the IT audit practices of some other SAIs. The second issue featured articles on another SAI's approach to computerisation, the products finalised by the Committee and other IT news from SAIs around the world.
b. The INTOSAI EDP Directory: In order to create an information base for its work, the Committee surveyed SAIs regarding their EDP needs, facilities, strengths, etc. and compiled an EDP Directory that is expected to serve as a useful reference for SAIs for bilateral and multi-lateral co-operation efforts relating to Information Technology. It provides general information to all SAIs about IT audit practices and tools, specific information that will enable SAIs to work out bilateral or multilateral arrangements relating to setting up the IT or IT audit function, designing, developing or organising IT training, etc. as well as a basis for exchange of software and IT literature among SAIs. The Committee expects to update this Directory every three years, to coincide with every INCOSAI.
II. Products issued as exposure drafts
The following three products approved by the INTOSAI Governing Board have been circulated among INTOSAI members as exposure drafts and amended based on their comments.
a. Guide for developing IT Strategies in SAIs: The objective of the guide is to provide SAIs with guidance on the key elements of drawing up business and IT strategies. The Guide is aimed at Senior Management in SAIs concerned with directing the development, monitoring and review of an IT strategy. It lists out the various stages in developing an IT Strategy and describes each of these stages in detail. While best practice guidance is given wherever necessary, the guide is general enough to be applicable to a wide range of SAIs with differing levels of IT skills. A separate section in the guide is devoted to development of IT Strategies in small SAIs, where emphasis is laid on identification of priorities given the limited resources available. Another chapter deals with the strategy for migrating from existing computer systems or making major changes in the existing IT strategy. The guide also gives some tips for avoiding common pitfalls and managing IT projects successfully.
b. IT Audit Curriculum for INTOSAI: Recognizing that the increasing use of Information Technology (IT) by auditees creates new audit risks which must be recognised and dealt with by developing IT audit skills, the Committee has developed an IT audit curriculum which focusses on the main tasks required to meet this new challenge. By remaining general in nature, the curriculum seeks to cater to all members of INTOSAI. It also identifies three categories of auditors, viz. generalists, IT auditors and expert IT auditors and lists out differing skill requirements for each of these categories. The curriculum has a separate section on how less IT skilled SAIs can get started. The key tasks that could be taken up in the first instance by such SAIs have also been identified. This curriculum will help all SAIs to identify the appropriate training requirements for their staff.
c. Information System Security Review Methodology: To enable SAIs to undertake reviews of the security of EDP/IT Systems, the Committee has developed a methodology. This methodology advocates a two-tier approach to Information Systems Security Review. The first method is simple and involves conducting a top-down review of information systems security from a senior management perspective. It can be attempted easily by less IT skilled SAIs without use of computers. The second approach involves a detailed and quantitative analysis of information system assets and attempts to measure the net monetary impact of security exposures and of the countermeasures put in place. This method generally requires the use of sophisticated software tools.
III. Other projects
a. Seminar on "Future Risks and Opportunities in the field of IT Performance Auditing": The Committee organized a seminar on "Future Risks and Opportunities in the field of IT Performance Auditing" in March 1995. 15 SAIs and the NATO Board of Auditors participated in this seminar where 16 papers were presented and discussed on four sub-themes. Both past audit experiences and future trends were discussed. The seminar was intended to provide an opportunity for SAIs to share their experiences, but even theoretical analyses were accepted to afford an opportunity to those with little or no practical experience to interact and gain from such interaction. Representation for all Regional Working Groups of INTOSAI was sought to be ensured but OLACEFS went unrepresented as one of its member-SAIs could not attend the seminar due to some intervening developments.
To extend the benefits of the seminar to a larger audience, the Committee has published the papers presented at the seminar, including conclusions from, and summaries of, the discussions, and circulated them to INTOSAI members.
b. Research Paper on "Strengthening Legislative Auditing Institutions in Developing Countries - A Catalyst to Enhance Good Governance": The Committee recognized that the greatest need for implementation of IT in the less IT-experienced SAIs was funding for hardware, software and training. While this was not explicitly within its mandate, the Committee felt it was important enough to prepare a paper aimed at Donor Agencies, explaining the importance of the SAI to good governance, and the importance of the ability of the SAI to use and audit IT. This project has been completed but the paper has been turned over to IDI for carrying it forward, including for distribution to SAIs.
WORK PLAN TILL XVI INCOSAI
The work plan of the Committee is outlined below under three broad headings:
- Information Interchange
- Knowledge and Skill Development
- Knowledge Development and Transfer.
Information Interchange
The Committee is expected to provide information and facilities for exchange of experiences and encourage bilateral and regional co-operation. The INTOSAI EDP Directory has been compiled to provide such an information base for SAIs to identify suitable partners and areas of co-operation. The Committee has also started the IT Journal - "intoIT" - to provide a mechanism, on a regular basis, for disseminating information quickly to SAIs and to enable SAIs to exchange experiences and ideas. For more complex issues that need personal interaction, the Committee has chosen periodic seminars on specific themes as the appropriate medium for the present.
In connection with information interchange, the Committee plans to undertake the following activities for the period till the XVI INCOSAI:
- The INTOSAI EDP Directory will be updated in 1998, through a survey of all SAIs in 1997.
- The IT Journal "intoIT" will be published twice every year.
- A seminar on "Performance Audit of the Use of EDP" will be organized in 1998 in Sweden and the preparatory work therefor would be undertaken from 1996. Following the seminar, the papers presented and a summary of the discussions and conclusions emerging therefrom, would be published.
Knowledge and Skill Development:
An important goal of the Committee is to support SAIs in developing their knowledge and skills in the use and audit of IT. To support SAIs in the use of IT in their own organizations, the Committee has prepared the "Guide to Developing IT Strategies in SAIs". To facilitate the process of building the appropriate IT audit skills, the "IT Audit Curriculum for INTOSAI" has been prepared to help SAIs identify their skill and training requirements. As a logical follow-up of the IT Audit Curriculum, the Committee recognizes the importance of developing high-quality, standard training course-ware for imparting the skills identified in the Curriculum. The EDP Survey conducted by the Committee has shown that this activity is important, urgent and of relevance to the majority of SAIs. The Committee's work plan for the next 3 years, therefore, reflects this need.
In connection with knowledge and skill development, the Committee plans to undertake the following activities for the period till the XVI INCOSAI:
- Training courses, including material for training the trainers, would be developed by 1996 for the Level 1 skills (IT audit skills needed by generalist auditors) identified in the IT Audit Curriculum separately for Financial Attest Audit and Performance Audit. This course-ware would be tested for quality assurance by 1997 and be made available to all the Regional Working Groups of INTOSAI for the use of their members.
- Training courses, including material for training the trainers, would be developed by 1997 for the Level 2 skills (IT audit skills needed by IT audit specialists) identified in the IT Audit Curriculum. These courses would also be separate for Financial Attest Audit and Performance Audit and the course-ware would be tested for quality assurance by 1998 before making them available to the INTOSAI Regional Working Groups.
- As part of the effort to test the quality of the training course-ware, the Committee also proposes to run some of the training courses in the SPASAI Region in 1997 and 1998.
- In view of the complexity of performance audit of the use of IT, the Committee will be producing a Reference List of Materials on IT Performance Auditing by October 1996 in English. This list will be in two parts. The first part will be based on information retrieved electronically from various public databases, while the second part will be based on responses received from a survey of SAIs. This list is expected to provide an introduction to, and guidance in, this new and challenging field.
- Due to the large and growing levels of investments in IT by auditees, the significant impact that such investments have on the way the auditees do their business and the new risks that they pose, the auditor has to be concerned about auditing systems under development and security-related issues. The Committee has already developed an "Information Systems Security Review Methodology" for the guidance of SAIs. The Committee proposes to develop a Guide on "Audit of IT Systems under Development" by the XVI INCOSAI. The Research work therefor will be undertaken during 1996 and 1997 and an exposure draft prepared by early 1998.
Knowledge Development and Transfer:
One of the objectives of the Committee is to support and promote development and transfer of knowledge relating to IT Audit. Advancements in Information Technology tend to be very rapid and the implementation of new technologies by auditees can affect the way audit can be done. The Committee recognizes that the production of "guidance" for SAIs may not always be the most desirable or feasible option; in frontier areas of technology, practical experiences of SAIs may be too limited to warrant the preparation of "guides". With this in mind, the Committee has decided that wherever work done or experience to date does not warrant a "guide", the Committee would opt for the following sequence: Initially, an article in "intoIT" will seek to apprise SAIs about the new developments and their potential implications. A lead paper may then be prepared and circulated to SAIs for comments to gather reactions, opinions and experiences. Thirdly, a Research Study would be undertaken to prepare the foundation for a Guide. Finally, a Guide would be prepared.
In the light of the above objectives and considerations, the Committee plans to undertake the following activities until the XVI INCOSAI in connection with knowledge development and transfer:
- Research on "EDI and the paperless audit environment": Electronic Data Interchange (EDI) may affect many SAIs sooner than anticipated due to the rapid developments in electronic connectivity and create new challenges for SAIs in auditing in a paperless environment. The Committee has, therefore, developed a research paper on "Electronic Data Interchange (EDI) and the Paperless Audit". Besides circulating the research paper to SAIs to apprise them of the implications of this new technology and to elicit their reactions and information about their experiences, the Committee is also researching the legal and evidentiary aspects of EDI in various countries. Depending on the outcome of its research and based on the experiences of SAIs in dealing with audit in an EDI environment, the Committee may eventually attempt to formulate a guide on Audit of EDI.
- Research on "Auditing in a client-server environment": The increasing popularity of a new model of computing viz. client-server computing may change the way businesses organize themselves. The Committee, therefore, proposes to have an article in the "intoIT" in early 1996 and probably follow it up with research during the year. This will be an exploratory project whose further course will be decided over the next couple of years.
- Research on "Performance Audit Methods for analysing effectiveness of use of new technologies by auditees": As auditees adapt new technologies to their requirements, auditors would need methods to assess their effects and analyse their effectiveness. Some technologies like EDI and automated (administrative) decision-making are already being used by auditees in some countries and, therefore, the Committee proposes to undertake research in this area; the first draft of a research paper is proposed to be circulated to the Committee members by March 1997 for comments. The follow-up action will be decided thereafter by the Committee.
SUMMARY:
The Committee's activities till the XVI INCOSAI can be summarised as under:
A. Continuing Products:
The Committee would continue to publish the IT Journal "intoIT" twice every year and update the INTOSAI EDP Directory by the XVI INCOSAI.
B. Research Studies:
The Committee would undertake research regarding the audit implications of new technologies and produce papers on "Electronic Data Interchange and the Paperless Audit", "Auditing in a Client-Server Environment", "Performance Audit Methods for analysing effectiveness of use of new technologies by auditees". While the first two papers would be circulated to the INTOSAI members, the last paper would be considered internally by the Committee in 1997 and a decision regarding follow-up action taken only thereafter.
C. Other projects for development and dissemination of knowledge:
To disseminate knowledge, the Committee would produce a Reference List of Materials on IT Performance Auditing by October 1996. The Committee would also be organizing a seminar in 1998 on the "Performance Audit of the use of EDP".
The Committee would also be developing a Guide on "Audit of IT Systems under Development" by the XVI INCOSAI.
D. Skill Development:
To facilitate skill development for IT Audit, the Committee would be developing the training course-ware, including for training the trainers, for the Level 1 and Level 2 skills identified in the IT Audit Curriculum for INTOSAI. These courses would be tested for quality assurance and made available to all the INTOSAI Regional Working Groups by 1997 and 1998 for Level 1 and Level 2 respectively. As part of the quality assurance, the Committee would also run some of these courses in the SPASAI Region in 1997 and 1998.
Work Plan for EDP Audit Committee
ANNEXURE 'A'
List of members of the INTOSAI Standing Committee on EDP Audit
ANNEXURE 'B'
List of Members of Working Groups of INTOSAI Standing Committee on EDP Audit
