
INTOSAI STANDING COMMITTEE ON IT AUDIT

BACKGROUND:

The XIII INCOSAI held in Berlin in June, 1989 decided that a Standing Committee be constituted to lend a focus to the efforts of the INTOSAI in responding to the challenge posed by the proliferating IT applications in the audit environment. Subsequently, the INTOSAI Governing Board in its 35th meeting held in October 1991 in Washington appointed the Comptroller & Auditor General of India to assume the functions of the Chair of the Committee.

The Governing Board in its 36th meeting held in Washington approved the terms of reference of the Committee which envisaged that the Committee will support Supreme Audit Institutions in developing their knowledge and skills in the use and audit of Information Technology by providing information and facilities for exchange of experiences and encouraging bilateral and regional cooperation in all relevant areas including training. The terms of reference were presented to the XIV INCOSAI held in October 1992 in Washington.

The INTOSAI Governing Board in its 50th meeting held at Vienna in October 2002 approved the change in the name of the Committee to the ‘INTOSAI Standing Committee on IT Audit’.

MEMBERSHIP:

Initially, the Committee was constituted with twelve members namely, Austria, Barbados, Canada, Ecuador, France, India, Japan, Kiribati, Kuwait, Sweden, United Kingdom, and Zimbabwe.

The growing interest of SAIs in IT, as well as the high benefits derived from the activities of the Committee, is evident in the fact that the Committee now has 32 members.

COMMITTEE PRODUCTS & VEHICLES

1. Committee Website

The committee website www.intosaiitaudit.org is being administered by NAO of UK. All the products of the committee are available on the website.

2. Committee Journal ‘intoIT’

The ISCITA Journal “IntoIT” is a vehicle for information interchange amongst SAIs. The journal is published in English twice a year. Twenty-two issues of the Journal have been brought out so far. The Journal has focused on several key areas such as Developments in Information Systems Auditing, Editorials, Electronic Data Interchange (EDI), E-Government, Information Security, IT Audit training, Millennium Matters, Performance Audit of IT, Use of Computers in Audit and Use of Computers for Audit Support. In addition there have been country focus articles. NAO of UK has been publishing the Journal on behalf of the Committee.

3. INTOSAI EDP directories

The first INTOSAI EDP Directory was published in 1994. The Directory is intended to serve as a useful reference for bilateral and multilateral co-operation efforts relating to Information Technology. Towards this broad purpose, the information has been presented under the following sections:

  1. Profile of the SAIs: This section provides an idea of the IT status of each SAI and contains the complete questionnaires, collected SAI-wise.

  2. Topic-wise analysis: This section enables SAIs looking for particular types of information, assistance or association to seek out suitable partners or identify appropriate sources of information.

  3. General analysis: This section contains a descriptive analysis of some important IT aspects of SAIs. Illustratively, this section highlights the IT strategies followed by SAIs who use IT relatively extensively, the typical use of common software packages for audit purposes, the type of assistance that would be available to SAIs seeking to build up their IT functions, etc.

  4. Miscellaneous section: This section contains the addresses of SAIs and the Glossary of Terms.

4. SAI Mandates

This is an electronic compilation of the mandates and statutes of member SAIs of the INTOSAI. This compilation has been prepared on the basis of statutes made available by SAIs.

This compilation can be accessed in the following ways:

  1. Brief Write-ups: This is a Compendium of Write-ups on SAI Mandates. A model questionnaire was sent out to member SAIs and, from the responses received, brief write-ups have been prepared.

  2. Country-wise: There is a country-wise listing of the mandates of different SAIs, where the user can select a country to study its mandates.

  3. Attribute-wise: A set of 22 attributes has been identified, covering various facets of the SAIs' statutes. The mandates, listed attribute-wise for the different SAIs, facilitate comparative analysis across SAIs.

5. IT Audit Curriculum for INTOSAI

The IT audit curriculum aims to describe the main competencies and skills which auditors will need if they are to be able to provide a proper audit response to their clients’ computerization. The curriculum recognizes that it is neither feasible nor desirable to require all auditors to have a deep knowledge of IT and of IT audit. The Curriculum is therefore based on three levels of IT audit skills, viz. the generalist, the IT auditor and the expert IT auditor. The curriculum aims to specify the main tasks of IT audit in different areas.

6. IT Audit Courseware

One of the important functions performed by the Committee is to build standardised courses for training auditors in IT Audit. An IT Audit Courseware has been developed. The modules in the courseware include IT Awareness, Business Continuity Planning, IT Method Awareness, IT Controls, Computer Assisted Audit Techniques, Data Downloading and Conversion, Audit of Developing IT Systems, IT Security, Value for Money Audit and IT Audit Organisation & Management. These modules are currently being further revised and updated. Based on this IT Courseware, IDI has taken up the development of a 20-hour e-learning course module on “Auditing IT Controls”.

7. Advanced Training Modules

Advanced training information on “IT Methods” and “Cost Estimation and Analysis” is available on the Committee website as PowerPoint presentations.

8. Guidance on IT Infrastructure Management

The Project on ‘IT Infrastructure Management’ was initiated by the Committee at its 8th meeting in October 1999. The Committee felt a need for an audit tool focusing on the overall management of IT infrastructure in public administration. The main objective of the project was to provide an efficient and effective process for auditing IT infrastructure management, with the aim of being useful at several levels of IT infrastructure. The Project resulted in guidelines for ‘Auditing IT Service Management’.

This guide describes the policies, strategies and management frameworks that organizations should consider developing in order to support the delivery of quality IT services to their customers, regardless of whether these are internal or external (e.g. citizens) to the business. It also represents a tool for assisting in the audit of IT service management in public administrations, based on risk assessment and risk management principles.

9. Guides to Developing IT Strategies in Supreme Audit Institutions

This guide is aimed at senior management concerned with directing the development, monitoring and review of an IT strategy. The focus of this guide is on broad principles to define ‘best practice’. It draws on the experience of Supreme Audit Institutions in developing and implementing their IT strategies. The principles involved apply to audit institutions whatever their size and IT sophistication. The logical and systematic approach advocated in the guide is the main feature of an IT strategy.

The topics covered in the Guide are: the stages in developing an IT strategy; planning IT strategy development; developing the business model; identifying business systems; ranking systems and identifying benefits; reviewing current technology, data and resource availability; drawing up the systems development plan; drawing up business impacts; drawing up the implementation and training plan; planning post-implementation activity (monitoring, maintenance and enhancement); strategy for migration; advice for SAIs implementing major systems or strategy changes; advice for small audit institutions on getting started; and tips for success.

10. Communication Security on the Internet

The main aim of the work is to create an audit model for communication security in the public sector. Depending on the audit responsibilities of the various SAIs, this can be essential to determine whether operations have been performed efficiently and in compliance with applicable laws and regulations.

The report incorporates important standards in the field of communication security, a model for auditing communication security, experiences from testing the audit model, etc.

11. Intranets for SAIs: a Research Project

At the 8th meeting of the INTOSAI EDP Audit Committee, held at Harare, Zimbabwe in October 1999, the need for a research study on how SAIs can use intranets to get better value out of IT was discussed. It was felt that a research study would be beneficial to SAIs with or without extensive experience in the use of IT.

The scope of the study has a managerial rather than technical focus. The research covered areas including what an intranet is, the features and benefits of intranets, how to set up an intranet, strategic planning, pilot projects, detailed framework and implementation, management and maintenance, value for money of the intranet, and the experiences of SAIs with intranets.

The project concluded that if properly planned, implemented and managed, intranets can prove to be extremely powerful tools for information distribution, from which the organisation can benefit substantially, with impressive returns on the resources invested. It is important to note that for an Intranet, “content is king” – functionality is much more important than jazzy looks. Relevant, useful and up-to-date content, combined with speed of retrieval and simplicity are the key factors for a successful Intranet.

12. Why IT Projects Fail? – Best Practice Guide

This guidance lists the main causes of failure, which include design and definition failures, decision-making failures, project discipline failures, supplier management failures and people failures, and the impact of each on IT projects. The guide also lists key questions to be asked before a project is approved.

13. Information System Security Review Methodology

The guide was issued in 1995 to assist SAIs that have such a mandate to review the information system security programmes put in place by various government organizations. It can also be used by SAIs to set up comprehensive and cost-effective security programmes covering the key information systems in their own offices.

The guide introduces a two-tier approach to information system security reviews. It suggests that SAIs first use a top-down, manual, management view of information security. SAIs should proceed to the second phase, a very detailed analysis aimed at a monetary valuation of information exposure to risk, only if management needs the monetary precision to support its decision or if specific technical exposures are being examined.

14. Auditing E-Government

The use of Information and Communication Technologies, and particularly the Internet, as a tool for the online exchange of government information with, and the delivery of services to, citizens, businesses and other government agencies is growing day by day. It has posed a challenge to public auditors. To meet this challenge effectively, the Committee has undertaken a research project on ‘Auditing e-Government’. The task force constituted for the project has brought out a document on the life-cycle risks of e-government projects. A database of reference material on the work of SAIs and others in the e-government area has been posted on the Committee website.

15. Reference List for Material on Performance Auditing

In order to provide a worthwhile and up-to-date range of information of interest to the IT audit community, the Committee has compiled a reference list of material on IT performance audit.

16. Performance Auditing Seminars

With the objective of bringing together colleagues from different SAIs who work within the field of IT performance audit, and of furthering learning in the IT audit community through the exchange of information and experience, working seminars are held by ISCITA triennially.