Minutes of the 22nd meeting of the INTOSAI Working Group on IT Audit held in Vilnius, Lithuania from 25-26 April 2013
The 22nd meeting of the INTOSAI Working Group on IT Audit was held in Vilnius, Lithuania from 25th to 26th April 2013 in conjunction with the 7th Performance Audit Seminar held from 22nd to 23rd April 2013. The meeting was presided over by Mr. Vinod Rai, the Comptroller & Auditor General of India and the Chairman of the Working Group on IT Audit (WGITA). The list of delegates who attended the meeting is attached as Annexure. The proceedings of the 22nd WGITA meeting are as follows:
Agenda item No. 1: Welcome Address
Ms. Giedrė Švedienė, Auditor General, Republic of Lithuania welcomed Mr. Vinod Rai, Comptroller & Auditor General of India and the Chair of the INTOSAI Working Group on IT Audit, and all other delegates to Lithuania. She thanked the members for giving National Audit Office, Lithuania an opportunity to host the meeting in Vilnius, Lithuania. She also wished the participants success in their deliberations and also an enjoyable stay in Vilnius.
Agenda item No. 2: Opening Remarks
The Chair, Mr. Vinod Rai thanked Ms. Giedrė Švedienė, Auditor General of Lithuania and her staff, for the excellent arrangements made by them in hosting the meeting in Vilnius, Lithuania. He welcomed the SAIs of Korea and Brunei Darussalam as the new member and observer respectively of the Working Group. Mr. Rai also appreciated the valuable contributions made by SAI-Canada, which had opted to withdraw from the Working Group due to other INTOSAI commitments, in furthering the objectives of the WGITA. He also stated that the growth in the membership of the Working Group spoke about the tremendous faith reposed by the INTOSAI community in its achievements. He reminded the delegates that this being the last meeting before the XXI INCOSAI, the focus of the meeting would be to take stock of the developments and achievements of the Working Group for reporting to the INCOSAI in October 2013. He stated that apart from reviewing the achievements for the current period, the members would also take up for discussion and approval, the survey results on identified future projects for initiating the new Work Plan for the period 2014-2016.
Mr. Rai also appreciated the work on research and best audit practices in the new and emerging areas of IT Audit undertaken by the Project Leads with the assistance of members.
The final agenda of the meeting was slightly amended and the Chair placed the Agenda of the meeting which was accepted without comments.
Agenda item No. 3: Inputs from the 7th Performance Auditing Seminar
The Working Group holds working seminars triennially on different themes with the objective of bringing together colleagues from different SAIs who work within the field of IT-performance audit and to further learning in the IT-audit community through the exchange of information and experience. The 7th Performance Auditing Seminar was held from 22nd to 23rd April 2013 and was coordinated by Mr. Madhav Panwar from SAI-USA. During the seminar, the following themes were discussed:
- Role of SAIs in Promoting Policy for IT Improvement & Value for Money;
- SAI’s role in Strengthening Value for Money Policy; and
- SAI and Government Oversight Promotion of IT.
Mr. Madhav Panwar of SAI-USA provided inputs from the Performance Auditing Seminar wherein 12 papers were presented covering the broad themes of the Seminar. The Seminar was a great success as reflected by the participation of 84 delegates from 42 countries.
Agenda item No. 4: Updates on ‘intoIT’ and website of the Working Group
The Chair, WGITA thanked the National Audit Office of Malaysia for taking on the responsibilities of being the editor of the journal and also maintaining the WGITA website. SAI-Malaysia presented an update on ‘intoIT’ and the website of the Working Group on IT Audit. SAI-Malaysia also requested contributions of articles for inclusion in future issues of ‘intoIT’.
Agenda item No. 5: Work Plan (2011-2013)
(i) Final report on Project-1, “Key Performance Indicators Methodology for auditing IT Programmes”
Ms. Li YANG of SAI-China presented the final report on the project ‘Key Performance Indicator Methodology for Auditing IT Programmes’ in their capacity as the Project leader. The project had two principal outcomes: a set of specific and measurable IT-related indicators, and a guidance document or manuals describing ways to apply them in the practice of IT auditing. The project leader delivered final guidelines V1.2 in the meeting and the same would be available for use by the entire INTOSAI community shortly.
(ii) Final report on Project-2, “IT Audit planning and detailed audit procedures to review IT controls”
Mrs. Jabulile Nkosi of SAI-South Africa presented the final report of the project. The Project Leader stated that the project group had mapped the ISACA guidelines with ISSAIs and prepared the guidance document on IT Audit Planning. This guidance was being used by IDI in designing their courseware for capacity building programme in IT Audit in AFROSAI-E region. The Working Group had since been finalizing comprehensive IT audit guidance in the form of a handbook.
(iii) Final report on Project-3, “Optimising IT value in Government Organisations”
Mr. Madhav Panwar of SAI USA presented the final report of the above project on behalf of SAI-Canada (the project leader) which had withdrawn from the membership from the Working Group. Mr. Panwar stated that the project objective was to research and share best audit practices in the area of achieving the best value from IT investments. As IT investments bring both value and risk, he defined the various challenges faced by Government departments and IT auditors. Six sub-projects were undertaken for the preparation of the project report. The group has been collecting useful reference material which would be hosted on the website shortly and hyperlinked to the source documents.
(iv) Final report on Project-4, “Green IT”
Mr. Arthur Lio of SAI Norway, the project leader, presented the final report of the project. He stated that the Green IT project would describe Green IT and provide SAIs with a set of audit approaches to keep a focus on environmental aspects in auditing IT in different aspects to motivate governments to ensure an environmental approach, both to reduce negative effects and achieve positive effects from IT investments and use of IT-tools. The outcomes of the project include the production of a list of important questions to ask and areas to cover when auditing IT.
(v) Final report on Project-5, “Cloud Computing and Virtualisation”
Mr. Madhav Panwar of SAI USA presented the project report. Mr. Panwar stated that the project group had defined cloud computing and described its advantages like providing shared services as opposed to local servers or storage resources, enabling access to information from most web-enabled hardware and cost savings on reduced facility, hardware/software investments and support. The project group had also identified major risks and audit questions related to auditing cloud computing and virtualization and had prepared a draft guide and handbook on Cloud Computing, which would be incorporated in the detailed IT Audit guide and handbook being prepared by WGITA in collaboration with IDI.
After discussing the final products, all the above five projects were successfully closed.
Agenda item No. 6: Country Paper Presentations:
Three member SAIs viz. India, Japan and Russian Federation presented country papers on the following topics related to IT Audit.
- ‘ERP Audit: The Indian Experience’ by SAI-India;
- ‘Recent Audit cases concerning IT system’ by SAI-Japan; and
- ‘Development of Key Performance Indicators Methodology for Auditing IT programmers’ by SAI-Russia Federation.
All the country paper presentations were appreciated by the members.
Agenda item No. 7: Project on development of overarching ISSAI 5300
Mr. Saurabh Narain of SAI India made a presentation on development of an overarching ISSAI-5300 to be included in the WGITA Work Plan (2014-2016) covering the general principles, approach and methodology of IT Audit which would then provide a natural succession to more specialised standards such as ISSAI-5310 on Audit of security of Information Systems and other areas of IT Audit.
The ISSAI series 5300-5399 has been allocated to guidelines on Information Technology Audits under the ISSAI framework. ISSAI-5310 is the only ISSAI in the field of IT Audit. Thus, the 5300 series of ISSAIs lacked an overarching, generic standard setting out the general principles of IT Audit, of which Information Systems Security is a subset. Therefore, there was a need to develop a “first principles” standard covering the general principles, approach and methodology of IT Audit which could then provide a natural succession to more specialised standards such as ISSAI-5310 on Audit of security of Information Systems and other areas of IT Audit.
Based on the presentation made and the discussions thereafter, the Working Group decided to include this project in the WGITA Work Plan (2014-2016).
Agenda item No. 8: Review of ISSAI 5310 related to IT Audit
The ISSAI-5310 related to IT Audit was due for updating this year. The concepts delineated in ISSAI-5310 had undergone substantial changes in view of technological advances that had taken place in the field of Information Systems’ security since 1995, when this ISSAI was first developed. In particular, the use of networks such as the internet for electronic transactions and e-governance had increased manifold the vulnerabilities facing Information Systems around the world. Further, the development of many internationally accepted IS Security frameworks such as ISO-27000 and IEC-17999 had also overtaken the ISSAI-5310.
Accordingly, SAI-India, being Chair of WGITA, undertook a review of the ISSAI-5310. A brief presentation on the areas to be updated was presented by Mr. Saurabh Narain.
Based on the presentation made and the discussions thereafter, the Working Group decided to include this project in the WGITA Work Plan (2014-2016). The project has been planned to be completed by the XXI INCOSAI.
Agenda item No. 9: IT survey results and future projects for WGITA Work Plan (2014-2016): Results of the ranking analysis and formation of project teams
The subject was introduced by Mr. Jagbans Singh of SAI India. In order to identify the projects for the purpose of inclusion in the next Work Plan of WGITA for the period 2014-2016, SAI-India had conducted a survey requesting the member SAIs to give feedback on the previous products of the WGITA and intimate details of the probable projects that could be taken up. Based on the information received from the member SAIs, 20 most common projects were shortlisted for ranking analysis. All WGITA members were then requested to rank the above 20 projects along with an expression of their intent to either lead or participate in the projects. SAI India presented the results of the survey. Mr. Jagbans Singh also presented the expected composition of the project teams based on information collected through ranking analysis.
In addition, SAIs of Russian Federation and the People’s Republic of China also expressed an interest to propose one project each for consideration of the Working Group for inclusion in the Work Plan. SAI of Russian Federation proposed a project on ‘Development of Standards for State Information Systems and Project Audit’. The SAI of People’s Republic of China also proposed to take up a project on ‘Development of Data Interface Standard for Accounting Software’. Based on the discussions, the Working Group decided to include both these projects in the Work Plan as well.
Agenda item No. 10: Finalisation of the Draft WGITA Work Plan (2014-2016)
Based on the proposals to develop an overarching ISSAI-5300 and updating ISSAI-5310, proposals of the SAIs of Russia and China and the ranking analysis and discussions, the following five projects were included in the next Work Plan (2014-2016) of WGITA:
| # | Name of the project | Project leader SAI | Project member SAIs |
|---|---|---|---|
| 1. | IT Governance | Brazil | USA, Kuwait, Kiribati, Lithuania, Malaysia, South Africa, India |
| 2. | Data Mining as a Tool in Fraud Investigation | South Africa | USA, Korea, Kuwait, India, China |
| 3. | Development of Standards for State Information Systems and Project Audit | Russian Federation | South Africa, USA, Poland, Slovakia, Japan, India |
| 4. | Development of Data Interface Standard for Accounting Software | China | South Africa, Kiribati, USA, Malaysia, Indonesia, India, Poland |
| 5. | Development of ISSAI-5300 on ‘Guidelines on IT Audits’ and updating ISSAI 5310 on Information Systems’ Security Audit | India | Indonesia, Poland, USA, South Africa, Japan, Brazil and Norway |
The Chair requested all project teams to initiate their respective projects at the earliest. The projects are expected to be completed before the XXII INCOSAI except project on ‘Updating ISSAI-5310 on Information Systems’ Security Audit’ which is to be completed before XXI INCOSAI. The project teams were also requested to furnish progress report of the project undertaken by them from time to time to the Chair, WGITA.
Agenda item No. 11: IDI’s Report on cooperation with WGITA
Ms. Shefali Andaleeb from INTOSAI Development Initiative (IDI) presented IDI’s report on cooperation with WGITA. IDI gave an outline of the programme design and milestones related to capacity building programme on IT Audit. Ms. Andaleeb further stated that the IDI would cooperate with WGITA and AFROSAI-E in piloting this programme in the AFROSAI E-region.
Agenda item No. 12: Draft Report for XXI INCOSAI to be held at Beijing, China in October 2013
The XXI INCOSAI is scheduled to be held in Beijing, China in October 2013. The draft report for the XXI INCOSAI was presented by Mr. Jagbans Singh of SAI-India before the WGITA members for information. The draft report highlighted the achievements and the future Work Plan of the Working Group. The Working Group adopted the draft report for the XXI INCOSAI with the understanding that developments subsequent to the Working Group meeting would be suitably incorporated in the report to INCOSAI.
Agenda item No. 13: Discussion on preparation for the 23rd meeting of WGITA
SAI-Kuwait gave an update on the preparations for the next meeting proposed to be held in Kuwait from 10-12 February 2014. It was decided that SAI-Kuwait, after consultation with the Chair, would communicate the exact dates for the meeting later this year.
Agenda item No. 14: Discussion on venue for the 24th meeting of WGITA
SAI-Poland indicated its willingness to host the 24th WGITA meeting in 2015. Consequently, it was decided that the 24th WGITA meeting would be hosted by SAI-Poland in 2015. The venue and the date for the meeting would be decided later. The Chair thanked SAI-Poland, on behalf of all WGITA members, for so graciously agreeing to host the 24th meeting of the Working Group in 2015. SAI-Brazil offered to host the WGITA meeting in 2016.
Mr. Madhav Panwar of SAI-USA congratulated Mr. Vinod Rai on successful completion of his tenure as Comptroller and Auditor General of India on 22nd May 2013. He mentioned with appreciation the many contributions made by Mr. Rai as Chair of WGITA and the landmark achievements of the Working Group under Mr. Rai’s leadership. He wished Mr. Rai all success in his future endeavours.
There was no other issue for discussion at the meeting.
Agenda item No. 16: Closing Remarks and summing up
At the end, the Chairman, Mr. Vinod Rai, mentioned that the annual meetings of the INTOSAI Working Group on IT Audit were an important forum for collaboration on projects and exchange of information and ideas. He stated that the decisions taken during this meeting would guide the Working Group in achieving the objectives for which it was constituted. The Chair summarized the discussion held during the meeting. He also stated that the Working Group had finalized its Work Plan for the period 2014-2016. He expressed his satisfaction over the fact that a wide cross section of SAIs present in the Working Group was represented in the projects identified for the Work Plan.
He thanked Ms. Giedrė Švedienė, Auditor General, Republic of Lithuania and her officers for organizing and hosting the meeting, and expressed his gratitude to all the members of the Group for their active participation and support to the proceedings. He also thanked IDI for their cooperation with the Working Group in preparation of the IT Audit Guide and Handbook.
The Chairman of the Working Group declared the meeting closed.
**********************