
* (Principal Director of Commercial Audit and ex-officio Member Audit Board, Bangalore, India)
** (Director (Research & International Relations), Office of the Comptroller and Auditor General of India)
Audience
The Information Technology revolution is expanding in all countries and spheres of activity at a speed and in a manner that few could have predicted though some may have anticipated. Leading institutions have to capitalise from this revolution to stay in the lead. Supreme Audit Institutions are no exception.
Dealing with the challenges posed by Information Technology (IT) and converting those challenges into opportunities can be a daunting task for SAIs. This article may be of some modest help, by setting up signposts for charting a course or pointing to those who can assist. While this article is primarily aimed at the non-IT auditors in SAIs, it should also be useful reference material for IT audit specialists.
Impact of IT on Audit/Auditor
Auditors today cannot ignore the presence and impact of the computer on the audit process. For instance:
The need for the new discipline of IT audit is thus no longer questioned. IT auditors are increasingly in demand but difficult to produce quickly, thus creating a problem for SAIs.
Purpose
The decision to form a Standing Committee on EDP Audit was taken at the XIII INCOSAI held at Berlin in 1989, where SAIs discussed how they should respond to the growing use of computers among auditees. This concern was caused by the significant impact that this technology has on audit methods and techniques. The Congress approved the formation of a Standing Committee to address these issues and desired that the Committee should be representative of INTOSAI and include members with and without EDP audit knowledge. A Committee was accordingly constituted in 1992 under the Chairmanship of the SAI of India. The SAIs of Austria, Barbados, Canada, Colombia, Cuba, Ecuador, France, Kiribati, Japan, Kuwait, Russian Federation, Sweden, United Kingdom and Zimbabwe are the other members of the Committee (recently, the SAIs of Brazil and Costa Rica have also joined the Committee). The terms of reference of the Committee, approved at the XIV Congress in Washington in 1992, envisage that the Committee would support SAIs in developing their knowledge and skills in the use and audit of Information Technology (IT), by providing information and facilities for the exchange of experiences, and by encouraging bilateral and regional co-operation.
Areas of activity
There are three main areas of operation of the Committee, each tackled by a separate working group: "Auditing of EDP-based accounting systems and EDP support in auditing", "Performance audit of the use of EDP systems" and "The use of EDP in the SAI's own administration".
The first two groups' contributions involve developing and disseminating guidelines for EDP audit, sponsoring symposia and conferences, reviewing and compiling technical literature, providing training and other support services like deployment of experts, evaluating available software packages, and sponsoring research and development of new packages. The third group is focusing on how to provide training, guidance regarding strategies for computerisation, and support services.
Information is a resource - a powerful one at that - and, paradoxically, becomes more valuable through sharing. The world over, the IT environment is seeing a paradigm shift - empowering the group or team, as opposed to the individual. Team productivity or group computing is becoming the buzzword. The INTOSAI community is no exception to this influence. The EDP Committee is perhaps a catalyst in this regard; its activities are directed at enhancing knowledge through sharing and building the bases for co-operative ventures between or among SAIs.
The INTOSAI EDP Directory and an IT Journal called "intoIT" are the Committee's immediate answer to the problem of effective information interchange.
The INTOSAI EDP Directory - which is based on a multi-lingual survey of SAIs conducted between the end of 1993 and the first half of 1994 - is one of the products through which the Committee expects to provide members, from time to time, with useful information about the IT-related activities and resources of other SAIs and to pave the way for mutually beneficial bilateral and multilateral partnerships. The 336-page first edition of the Directory, circulated in December 1994, has been compiled from the responses of 108 SAIs, and contains two major sections, one presenting an IT profile of each SAI and another presenting information across SAIs on specific IT-related subjects, besides an analytical section.
The first section contains, for each SAI, information about
The second section provides information on the following topics that could enable SAIs to work out bilateral or multilateral arrangements for transfer of skills and knowledge relating to IT audit :-
The Directory also contains a short section dealing with analysis of some important IT aspects of SAIs, covering areas such as :-
The INTOSAI EDP Directory will be updated every three years, to coincide with the triennial INCOSAIs. The next edition of the Directory is scheduled for 1998.
The EDP Audit Committee is bringing out a half-yearly journal entitled intoIT, which is intended to keep SAIs abreast of current developments in the use of IT in audit bodies and is also an important vehicle of communication regarding the Committee's work and products, including the adaptation of its products by individual SAIs. As IT changes rapidly, intoIT will hopefully bring important news about the audit implications of new technologies to SAIs quickly, based on the experiences of various SAIs in dealing with them. The Committee has so far published three issues of the Journal, which have been circulated to all members of INTOSAI. SAIs are free to reproduce the whole or part of the Journal in their internal publications.
CONTENTS OF THE FIRST THREE ISSUES OF intoIT

| 1st issue (January 1995) | 2nd issue (July 1995) | 3rd issue (Under circulation) |
|---|---|---|
| Country focus - India | Country focus - Zimbabwe | Country focus - Japan |
| The use of IDEA in SAI-Sweden | INTOSAI EDP Directory | IT Audit Seminar in Stockholm |
| Text Retrieval in SAI-UK | Developing IT Strategies | EDI and the Paperless Audit |
| SAI-Canada's Audit Briefcase | Reviewing Information Security | A Practical Approach to Auditing EDI Transactions |
| News from around the World | News from around the World | Effective Resource Management |
| IT Audit Curriculum for INTOSAI | | |
| INTOSAI and the INTERNET | | |
| News from around the World | | |
Why have an IT Strategy?
Like any business, an SAI can also succeed only if the right information is available when key decisions are required. So, information is a valuable asset that has to be managed properly. The purpose of an IT Strategy is to put together a plan that makes the best use of both information and technology needed to support the business and ensure VFM for IT investments. Using a structured method to develop an IT Strategy ensures that business objectives and needs, rather than pure technological considerations, determine and guide IT decisions.
One of the three main concerns of the EDP Audit Committee is how SAIs can use IT in their own administration. Consequently, a Guide to Developing IT Strategies in Supreme Audit Institutions has been developed, drawing upon the experiences of various SAIs.
Structured Approach
The Guide is primarily aimed at senior management of SAIs concerned with directing the development of an IT strategy. It can also help the staff involved in developing and implementing the IT strategy by helping them to understand their role, the importance of planning for information systems and how they support business activity.
The objective of the guide is to provide SAIs with guidance on the key elements of drawing up their corporate and IT strategies. It advocates a logical and systematic approach to developing the IT strategy, and describes in detail the various stages in developing the Strategy.
Issues considered
The guide has three major areas of interest: two for new entrants to IT and one for the experienced. For the new entrants, the Guide deals with the need for an IT strategy and how small bodies with no existing IT can get started. For the more experienced, the Guide deals with how they should tackle changes in their IT Strategy and how to handle the migration to new systems.
The guide focuses on broad principles, which apply to all audit institutions, whatever their size and IT sophistication and is an attempt to define 'best practice'. Recognising the differences among SAIs in their needs, resources, size, etc., the guide contains suggestions for smaller audit institutions wherever appropriate; further, a separate chapter is devoted to development of IT Strategies in small SAIs, where emphasis is laid on identification of priorities given the limited resources available. The guide also gives some useful tips for success.
IT Audit Curriculum for INTOSAI
The increased use of IT by auditees creates new audit risks to control and accountability which have to be dealt with by developing IT audit skills. The EDP Audit Committee decided to address this problem by first developing an IT Audit Curriculum for INTOSAI rather than developing training courses, because SAIs differ vastly in the levels of IT skills and also because they encounter different types of IT systems among their clients.
The IT Audit Curriculum lists the IT audit tasks which auditors can be expected to carry out, without attempting to prescribe in detail the training needed to accomplish such tasks. In effect, it provides a menu of skills from which individual SAIs can prepare their own "basket", compare it with the skills available to them and identify their training requirements.
The Curriculum recognises that it is neither necessary nor feasible for all auditors to have a sound knowledge of IT and IT audit. It is therefore based on three levels of IT audit skills:
The Curriculum however recognises that SAIs may choose to organise their IT audit function differently and also allocate IT audit tasks listed in the Curriculum differently. What is important is that the Curriculum seeks to promote awareness about the full range of skills needed by the IT auditor. These skills are grouped under seven broad categories
SAIs can choose the tasks (and skills) depending on their statutory role, audit approach, IT expertise, etc. For SAIs setting up the IT audit function for the first time, the Curriculum highlights a subset of the Curriculum which they should concentrate on.
SAIs can use the Curriculum to develop, commission or obtain specific training courses and materials from various sources like IDI and other SAIs. IDI has been conducting the following workshops from time to time, in all the INTOSAI Regions:
| Workshop Title | Target Audience |
|---|---|
| Computers in the Audit Process Workshop | Operational deputy heads of SAIs and other senior staff with policy and decision-making responsibilities on audit of computer systems and on the introduction and use of computers in the SAI |
| Computer Auditing Workshop | Experienced audit practitioners who have audit supervisory responsibilities |
ASOSAI has also been conducting workshops on computer auditing from time to time, with the objective of enabling exchange of information and experiences relating to IT audit, and exposing member SAIs to the use of audit software packages. The EDP Directory also abounds in offers from SAIs for various forms of assistance in training:
High-quality, standard training course-ware is essential for imparting the skills identified in the Curriculum. The EDP Audit Committee is therefore developing training courses for the Level 1 and Level 2 skills identified in the Curriculum, separately for Financial Attest Audit and Performance Audit. This will also include material for "training the trainers". This course-ware will be made available to all the Regional Working Groups of INTOSAI for the use of their members. No training courses are planned for Level 3 skills because it is felt that these skills are best addressed through seminars and participative workshops.
Importance
With the growing dependence on information systems, Government organisations and even SAIs which use such systems have to pay attention to information security. The failure or non-availability of critical information systems can have serious effects on an organisation's performance or survival; hence information security becomes an important concern. Those who plan and secure their systems are better insured than those who do not.
Reviewing IT Security - A Methodology
The EDP Audit Committee has produced a guide for reviewing Information System Security in Government Organisations. This guide - Information System Security Review Methodology (ISSRM) - is intended to assist SAIs in reviewing the auditee's information system security programme. Equally, it can assist SAIs in setting up appropriate security programmes in their own offices covering their key information systems.
The Guide advocates a two-tier approach to security reviews that presents SAIs with a choice of methodologies and provides a gradual and manageable migration path from a less sophisticated to a very formalised and resource-intensive methodology, depending on need and capabilities.
The first tier is simple and involves conducting a top-down review of information systems security from a senior management perspective. The information that is carried or processed by the information system is more important than the technology supporting it. So, for each system, some standard threats are rated high, medium or low; their business impacts are also rated high, medium or low. Using a simple matrix, these two results are combined to provide an overall security exposure level for each system, based on which recommendations are made to management regarding countermeasures. This method is simple and does not require extensive resources. Staff with basic knowledge of IT and security principles can use the method effectively. In most cases, this first-tier assessment may be sufficient to obtain timely results and sufficient evidence to support the recommendations to management.
The second tier involves a detailed and quantitative analysis of information system assets and attempts to measure the net monetary impact of security exposures and of the countermeasures. This sophisticated method generally requires the use of software tools that are commercially available but which may need adaptation to suit each country's circumstances.
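As an added illustration of the two tiers described above (example code written for this article, not taken from the ISSRM guide itself): tier one combines a threat rating and a business-impact rating through a matrix into an exposure level per system and ranks the systems for management, and tier two nets the annual cost of a countermeasure against the annual loss it is expected to avoid. The contents of the matrix, the annualised-loss formulation, and the sample systems and figures are assumptions constructed for the example.

```python
"""Two-tier security review in the spirit of the ISSRM description.

Tier 1: qualitative threat x impact matrix giving an exposure level.
Tier 2: quantitative net benefit of a countermeasure (annualised loss).
The matrix and the formulas are assumptions of this example, not text
from the guide; the sample data below is constructed.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Tier 1: assumed combination matrix, indexed [threat rating][impact rating].
EXPOSURE_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


def exposure(threat: str, impact: str) -> str:
    """Exposure level for one threat against one system."""
    if threat not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return EXPOSURE_MATRIX[threat][impact]


def system_exposure(ratings):
    """ratings: list of (threat_name, threat_rating, impact_rating).
    A system's overall exposure is its worst single-threat exposure."""
    if not ratings:
        raise ValueError("a system needs at least one rated threat")
    per_threat = {name: exposure(t, i) for name, t, i in ratings}
    overall = max(per_threat.values(), key=LEVELS.index)
    return overall, per_threat


def rank_systems(systems):
    """systems: {system_name: ratings}. Names ordered worst exposure first,
    ties broken alphabetically, so management sees where to act first."""
    scored = {name: system_exposure(r)[0] for name, r in systems.items()}
    return sorted(scored, key=lambda n: (-LEVELS.index(scored[n]), n))


# Tier 2: assumed quantitative model (annualised loss expectancy).
@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    residual_rate: float  # expected incidents per year after the control


def annual_loss(loss_per_incident: float, incidents_per_year: float) -> float:
    return loss_per_incident * incidents_per_year


def net_benefit(loss_per_incident: float, incidents_per_year: float,
                cm: Countermeasure) -> float:
    """Annual loss avoided by the countermeasure minus its annual cost."""
    before = annual_loss(loss_per_incident, incidents_per_year)
    after = annual_loss(loss_per_incident, cm.residual_rate)
    return before - after - cm.annual_cost


if __name__ == "__main__":
    # Constructed sample: a payroll system and a library catalogue.
    systems = {
        "payroll": [("unauthorised access", "medium", "high"),
                    ("loss of availability", "low", "high")],
        "catalogue": [("unauthorised access", "low", "low"),
                      ("data corruption", "medium", "medium")],
    }
    print(rank_systems(systems))  # ['payroll', 'catalogue']
    backup = Countermeasure("offsite backup", 20_000, 0.25)
    print(net_benefit(250_000, 0.5, backup))  # 42500.0
```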
Training on how to use the ISSRM
The first method may require more practice than training (for any specific queries or assistance in this regard, readers may contact Mr. John Adshead, Principal, Computing and Informatics Section, Office of the Auditor General of Canada). The second method generally needs software support, and the necessary training support comes along with such software packages. To name a few such packages: CCTA Risk Analysis and Management Method (CRAMM), Riskwatch, PW-Risk, Marion, etc. The EDP Directory also contains a list of packages used by SAIs for security evaluations.
The problem
IT systems that fail to deliver results in time and within budget are fairly commonplace. Auditors the world over have learnt that poor project management plagues most IT projects. The auditing of Strategic Planning and Management produces excellent results and is surprisingly not very demanding for the auditor. Similarly, reviewing planned and realised benefits is productive and yet not difficult, except when anticipated benefits are long-term and ambiguously articulated. Nevertheless, performance audit of IT systems or their use is an admittedly difficult task, demanding a high order of skills.
Seminars
Recognising the difficulties in conducting IT performance audits, the EDP Audit Committee organised a seminar on "Future Risks and Opportunities in the Field of IT Performance Auditing" at Stockholm in March 1995. Representatives from 15 SAIs and the NATO Board of Auditors participated in this seminar, where 16 papers were presented and discussed on four sub-themes. Both past audit experiences and future trends were discussed. The seminar was intended to provide an opportunity for SAIs to share their experiences, but even theoretical analyses were accepted to afford an opportunity to those with little or no practical experience to interact and gain from such interaction. To extend the benefits of the seminar to a larger audience, the Committee has published the papers presented at the seminar, including conclusions from, and summaries of, the discussions, in the form of a book, "Performance Auditing of the use of EDP - Future Challenges", and circulated it to all INTOSAI members (for additional copies of this book, readers may contact Mr. Peter Nilsson, Assistant Director in the Swedish National Audit Office). Another seminar on the same theme is scheduled to be held in 1998 in Sweden.
Reference List under preparation
Those who are new to IT performance audits will be gladdened by a "Reference List of Materials on IT Performance Auditing" which is being developed by the EDP Audit Committee. The Reference List will be in two parts. The first part will be based on information retrieved electronically by searching through various public databases. The second part will be based on responses received from a survey of several identified SAIs. The list is expected to provide an introduction to this new field. Besides a list of the literature scanned and relied upon, it will contain a synopsis of the materials scanned and could be used as a text book on the subject. The Reference List is expected to be produced by October 1996.
Guide on Audit of Systems Under Development
Auditors the world over have been finding more and more instances of significant cost overruns, long delays and questionable benefits as Government investments in IT systems grow. The complexity of new solutions in complicated environments and rapidly changing technologies increase the risk of failure substantially. Considering the significant impact that such investments have on the way the auditees do their business and the new risks that they pose, the auditor has to be concerned about auditing systems under development and security-related issues. The EDP Audit Committee proposes to develop a Guide on "Audit of IT Systems under Development" by the XVI INCOSAI. In selecting this Guide as a project, the Committee feels that an SAI can add value by raising issues and problems before costs are incurred or irreversible decisions are taken instead of highlighting failed systems and the costs of such failures. The Guide is likely to address such issues as the point or points of time at which audit should be undertaken, the audit criteria that may have to be developed or used, etc.
Research on "EDI and the paperless audit environment"
Electronic Data Interchange (EDI) is the electronic exchange of data between computer applications in a structured format, using a communication link. EDI helps improve storage and retrieval and allows many users to access the information simultaneously. EDI has facilitated electronic commerce and may affect many SAIs sooner than anticipated due to the rapid developments in electronic connectivity, especially by creating new challenges in auditing in a "paperless" environment. The EDP Audit Committee has, therefore, developed a research paper on "Electronic Data Interchange (EDI) and the Paperless Audit", which will be circulated to SAIs to apprise them of the implications of this new technology and to elicit their reactions and information about their experiences. The Committee is also researching the legal and evidentiary aspects of EDI in various countries. Depending on the outcome of its research and based on the experiences of SAIs in dealing with audit in an EDI environment, the Committee may eventually attempt to formulate a guide on Audit of EDI (for more information on this topic, readers may refer to the 3rd issue of intoIT, which carries two articles on auditing of EDI).
Client-Server
In recent years, a new model of computing called client-server computing has become increasingly popular. Its greatest implication is that it is expected to change the way businesses organise themselves, impacting the traditional concerns of auditors regarding controls, accountability and auditability. The EDP Audit Committee, therefore, proposes to publish an article in the IT Journal this year about the audit implications of this model of computing. This will probably be followed up with research on this topic. Currently, this is seen as an exploratory project, whose further course will be decided over the next couple of years as the Committee progresses with its research.
Effectiveness of use of new technologies
As auditees adapt new technologies to their requirements, auditors would need methods to assess their effects and analyse their effectiveness. Some technologies like EDI and automated (administrative) decision-making are already being used by auditees in some countries and, therefore, the Committee proposes to undertake further research in this area.
The EDP Committee's activities to date show how the INTOSAI community can enrich itself through information exchange among its members. Lessons learnt the hard way can substantially shorten the learning curve for others following suit. Adaptation of solutions to new variants of the problems in other SAIs can throw fresh light on the core issues. The most discernible trend in the IT industry is towards "networking"; who hasn't heard of the INTERNET - the network of networks? SAIs too can benefit more from networking, not only through the INTERNET (the INTOSAI General Secretariat is presently undertaking a project on electronically linking SAIs through the INTERNET), but also intellectually and professionally.