Sub-theme IIE - EDP Audit

XVI INTERNATIONAL CONGRESS OF SUPREME AUDIT INSTITUTIONS

Montevideo, Uruguay: November 1998

Theme II - Improving Government Financial Management Through INTOSAI's Standing Committees

Sub-theme IIE - EDP Audit

Theme Chair: Netherlands

Vice-Chair Gambia

Sub theme Chair: India

Group Rapporteur: Barbados

Group Moderator: Kuwait

Group Technical Liaison Officers : Uruguay

The main aim of this subtheme is to provide an opportunity to the INTOSAI Standing Committee on EDP Audit to consult with Supreme Audit Institutions (SAIs). The consultation will assist the Committee in formulating and adopting work plan for a three year period till the 2001 i.e till the next INCOSAI . SAIs will also be exposed to various activities, products and projects - designed to enable SAIs to effectively deploy IT for meeting their varied needs and their mandates.

BACKGROUND

The INTOSAI Standing Committee on EDP Audit was constituted pursuant to a decision of the XIII Congress of INTOSAI at Berlin in June 1989. The central objective of the Committee is to support SAIs in developing their knowledge and skills in the use and audit of Information Technology (IT). Towards this end the Committee is mandated to (i) provide information and facilities for exchange of experiences, and (ii) encourage bilateral and regional co-operation.

A major milestone for the Committee was the adoption of a Work Plan for 1995-98 during the XV Congress of INTOSAI in September-October 1995 at Cairo. This has formed the basis of the committee's activities in the past 3 years. The steady increase in the committees membership is a measure of the growing relevance of the committee - the membership now stands at 18 up from the original 12.The present composition of the Committee is given below :-

India (Chairman)	Austria	Barbados	Brazil
Canada	Colombia	Costa Rica	Cuba
Ecuador	France	Kiribati	Kuwait
Japan	Russian Federation	Slovenia	Sweden
UK	Zimbabwe

AREAS OF OPERATION:

The Committee has three main areas of operation, each of which was originally assigned to a separate Working Group within the Committee :-

* Audit of EDP-based accounting systems and EDP support in auditing

* Performance auditing of use of EDP systems

* Use of EDP in SAI’s own administration

The original convenors of these working groups were Canada, Sweden and UK. The working groups were reconstituted into two at the April Meeting of the Committee in 1997 as follows: -

Working Group I Areas of work: Performance Auditing of the use of EDP Systems : Sweden (Convenor)

This group would cover Performance auditing of the use of EDP systems including the research project on EDI.

Working Group II Areas of Work : Audit of EDP-based accounting systems, EDP audit training and EDP support in auditing : UK (Convenor)

This group would cover the audit of EDP based accounting systems , EDP audit training and EDP support in auditing and include the research project on auditing in a client server environment.

Both the groups activities would include the following:

-developing and disseminating guidelines for EDP audit.
-sponsoring symposia and conferences.
-reviewing and compiling of relevant documentation.
-providing training and other support services.
-evaluating available software packages and development of new packages.

STATUS OF PROJECTS

I.INFORMATION INTERCHANGE:

1. Information Technology Journal: 
   The Committee brings out an Information Technology Journal (called "intoIT") in English twice each year to keep SAIs informed of latest developments in the use of IT in audit bodies. Since the XVth INCOSAI 6 issues of the journal have been completed .
2. The INTOSAI EDP Directory: 
   In 1995 an EDP Directory was compiled to serve as a useful reference for SAIs for bilateral and multilateral co-operation efforts relating to Information Technology. In accordance with the Work Plan the directory has been updated through a survey of all SAIs. The directory contains information with respect to more than 90 SAIs and is available both in printed as well as Electronic Form as a CD.
3. Seminar on IT Performance Audit:
   The second working seminar on IT Performance Audit was held in Sweden on May 12^th and 13^th1998.Thirty participants from twenty SAIs attended the Seminar. The seminar covered the following themes:
   1.New techniques in auditing System Development.
   2.Strategic Planning for IT Performance Audit.
   3.Information Security and Code of Practice.
   4.Specialised Information System Audit Tools.
   5.EDI
   6.IT Development and Operations contracted out to the Private Sector.
   In addition, an impromptu session on the Year 2000 problem was scheduled in view of the topicality of the issue.
   The output of the seminar is proposed for circulation by December 1998.
4. Electronic Compilation of SAI Mandates:
   An electronic compilation of the mandates and statutes governing INTOSAI member SAIs has been prepared on a CD-ROM for use as an electronic reference tool. The compilation has been distributed to all SAIs. This can be accessed in two ways: -
   -using a country-wise listing of mandates of different SAIs.
   –using a listing of 22 selected attributes, covering the SAI’s independence ,its jurisdiction and its auditorial and administrative powers. In its current version the compilation contains mandates of over 125 SAIs.
5. INTOSAI EDP Committee Webpage:
   The committee, recognising the potential of dissemination of information through the Internet, agreed on a proposal for hosting a website by the committee. The Webpage design has been finalised and has been circulated for comments and suggestions. The site would contain background information as well as Committee products. A phased approach has been planned in building the Webpage.

II.KNOWLEDGE AND SKILL DEVELOPMENT:

1. IT Audit Courseware:
   An important product programmed for the 1995-98 period was the development of a comprehensive IT Audit Courseware aimed at Level 1 and Level 2 skills. This was taken up as a natural corollary of the IT Audit Curriculum developed in 1995 and was also in consonance with the the committee’s primary objective of supporting SAIs in the development of skills in the audit of IT. The courseware was finalised in July 1997.The courseware has been made available in print as well as electronic format to the Regional Working Groups of the INTOSAI, the INTOSAI Secretariat and the IDI. Copies of the Course Overview have been circulated to all members of the INTOSAI. SAI UK has used the courseware for a training course for SAI-China and proposed its use for a course for SAI-Pakistan. SAI Netherlands proposes its use for English speaking African SAIs. SAI-Brazil and SAI-Oman have translated the courseware into Portuguese and Arabic respectively.
2. Reference List of Material on IT Performance Audit:
   This was another product envisaged in the 95-98 Work Plan as part of the committees’ efforts towards knowledge and skill development especially in the complex area of Performance Auditing. The List was prepared and circulated in Feburary 1997 to all INTOSAI members. The list was found to be very valuable and it has been decided to keep the list updated through intoIT and the Internet.
3. Guide on Audit of IT Systems under development:
   This guide was envisaged in view of the large and growing levels of investments in IT by the auditees. Detailed guidance about Audit of Systems under Development can be obtained from the courseware on the subject.

III Knowledge Development and Transfer:

1. EDI and Paperless Audit:
   A draft paper was prepared on this subject by SAI Sweden and articles have appeared in the Third Issue of intoIT. EDI The Second Seminar on IT Performance Auditing also addressed the topic.
2. Auditing in a Client Server Environment:
   This area was chosen for possible research in view of its increasing popularity. A short paper on the subject has been prepared and circulated in the committee for suggestions and comments. This will be followed up by an article in intoIT.
3. Performance Audit Methods for Analysing Effectiveness of Use of New Technologies:
   A research paper has been produced by SAI Sweden and has been published as a special one item issue of intoIT(7^th issue).The paper focuses on the problem of setting objective measures of IT value and sets out a method of examining specific IT investment.

1. Year 2000 Problem:
   Though not part of the Workplan the issue, on account of its topicality and its potential impacts, was taken up as a project. The reconstituted Working Group 2 would work on the subject. Articles on the subject would feature in the 8^th Issue of intoIT. The topic was also discussed during the 2^nd Performance Auditing Seminar.

WORKPLAN TILL XVII INCOSAI:

The workplan for the next 3 years have been structured in the same manner under three broad headings as was done for the last Work Plan.

I.INFORMATION INTERCHANGE:

Provision of information and facilities for exchange of experiences forms an important function of the committee and the following products have been envisaged as the principal mechanisms towards this end.

1. IntoIT.
   This journal has been an important vehicle for regularly and quickly disseminating information to SAIs. The committee plans to continue publication of two issues of the journal annually. The 9^th issue would contain a country focus article on SAI Slovenia and articles on Performance Audit seminar. Other features would be on the Work Plan, the millennium issue, Financial audit software support, IT audit training and the Committee webpage. Beginning from the 9^th issue intoIT will also feature on the Committee's webpage.
2. EDP Directory.
   The directory has been appreciated for its contribution in furthering bilateral and regional co-operation by providing an information base for SAIs .In tune with the decision to updated the directory every three years the 3^rd update would be available in 2001 for which a survey will be conducted in 2000.
3. Third Performance Audit Seminar.
   As part of the established practise of dealing with complex issues through periodic seminars it is planned to organise another seminar on this subject in 2001 in Slovenia. Preparatory work for the seminar will commence in 1999.
4. Committee Webpage.
   By the time of the current INCOSAI the basic design for the proposed webpage would have been developed. The webpage would be further developed taking into account views of members.
5. SAI mandates.
   The current compilation would be updated to include mandates of remaining SAIs as also to reflect any changes in the mandates. This version could be planned for production in 2001.

II.KNOWLEDGE AND SKILL DEVELOPMENT:

Support to SAIs in developing their knowledge and skills in the use and audit of IT has been a focus area for the committee. In pursuance of which the committee has planned the following activities.

1. IT audit courseware:
   Feedback would be obtained from different regions on their experiences in using the courseware and the committee would take stock in 1999 on the need for updating the courseware. The possibility of producing a CD-ROM version of the courseware would also be explored.
2. Advanced Training Modules:
   Building up on the basic IT Audit Courseware the committee will prepare advanced training modules in areas such as risk management, quality management etc. Possible topics will be identified in 1999 and training modules would be developed in 2000.
3. Reference List of Materials on IT performance Auditing:
   The Reference List of Materials on IT Performance auditing will be kept updated throughout the 3 years, through articles in intoIT and the Committee webpage.

III.KNOWLEDGE DEVELOPMENT AND TRANSFER:

The committee plans to continue with its activities in pursuance of its declared objective of supporting and promoting development and transfer of knowledge relating to IT audit. The methodology of work in this area would follow the sequence enunciated during the last INCOSAI in view of the rapid changes in the field of IT.The work will commence with an article in intoIT and will be followed up by a lead paper to be circulated amongst SAIs for reactions and opinions. In the 3^rd stage research study will commence which will form the basis for a guide which will be the final product . Among the activities envisaged in the area of knowledge development and transfer some are projects continuing from the previous workplan and some are new.

1. EDI and the Paperless Audit:
   EDI and its audit implications will be the focus of a future issue of intoIT.
2. Auditing in a Client Server Environment:
   A short paper on the subject was circulated .Based on the comments and suggestions on this received from members of the committee a revised paper will be printed as an article in the intoIT.
3. Year 2000 problem:
   The issue will be kept in focus through articles and news items in intoIT, as also on the Internet webpage of the Committee.

New Studies. :

1. IT Infrastructure management and its audit implications:
   Organisations are getting increasingly dependent on IT to satisfy organisational aims and business needs . Hence the management of IT Infrastructure assumes great significance. The management of IT Infrastructure will cover areas such as organisation, hardware, software, and computer related communications upon which application systems and IT services are built and run. The study will commence with a short paper in the latter half of 1999 and will be followed by an article in intoIT in 2000 and thereafter a full research paper.
2. Detection and Prevention of IT related Fraud.
   IT systems have certain inherent features that make them vulnerable to risks and susceptible to fraud. Some of the risks are reduced accountability due to anonymity of users; possibility of unauthorised and unrecorded amendments to data; absence of visible audit trail; possibility of duplication of data and distributed data storage and processing. It is essential that measures to counter these risks are built into systems and are reviewed by auditors.The study would consist of an approach paper in 2000 followed by articles in intoIT and a final research paper/guide in 2001.
3. Computer related Communications Security:
   There has been a phenomenal increase in the use of Communications in IT Systems deployed by auditees.These include use of Internet,E-Mail,EDI,LANs and WANs.The use of these give rise to several risks especially with regard to security.It is proposed to study security issues related to these systems.The study will follow our accepted approach of short papers, articles in intoIT and will culminate in a final research paper.

 

---

 

ANNEXURE:

Work Plan for EDP Audit Committee

Workplan for INTOSAI EDP Committee.

 

 

 

Work Plan for EDP Audit Committee