Progress Report on the activities of the INTOSAI Working Group on IT Audit

1. Progress Report on the activities of the INTOSAI Working Group on IT Audit Chair: SAI India Comptroller and Auditor General of India

2. About WGITA WGITA represented by 39 members/observers as on date. • Set up to provide support to member SAIs in developing their knowledge and skills in the use and audit of Information Technology. • Fulfills its mission and mandate by implementing a triennial work plan. WGITA Work Plan (2014-2016) has already been approved by the Working Group in its 22nd meeting in April 2013 at Vilnius, Lithuania. • Since XX INCOSAI held in November 2010, SAIs of Cambodia, Indonesia, Iraq and Korea have joined this Working Group as members whereas SAI of Brunei Darussalam has joined as an observer. • SAIs of Netherlands, Sweden and Canada have opted to withdraw owing to other commitments in INTOSAI. Comptroller and Auditor General of India

3. About WGITA • Annual meetings where members present the status of ongoing projects and discuss their progress. • A triennial IT Audit seminar held in conjunction with the annual meeting, using a theme that is current and relevant to most members. • Works closely with INTOSAI Development Initiative (IDI) in meeting the capacity requirements in IT audit. • Held three meetings since the XX INCOSAI 2010.; • 20th meeting in Sun City in April 2011 • 21st meeting in Kuala Lumpur in January 2012 • 22nd meeting in Vilnius in April 2013 Comptroller and Auditor General of India

4. Activities of the WGITA Main activities grouped under three main categories; • Information interchange, • Knowledge and skill development, and • Development and transfer of knowledge. Comptroller and Auditor General of India

5. Information Interchange • Main platforms for information interchange are; • Journal ‘intoIT’, • Working Group website (www.intosaiitaudit.org), and • The Triennial Performance Auditing Seminars. • National Audit Department of Malaysia hosts the website and publication of ‘intoIT’ Journal

6. Knowledge and Skill Development • Cooperating with IDI and AFROSAI-E to support SAIs in that region to strengthen their capacity in the area of IT auditing • The output of this cooperation is a programme on IT Audit that covers both technical and auditing areas and focuses on the SAI staff engaged in carrying out such audits.

7. Development and transfer of knowledge Successfully undertook the following five research projects related to its Work Plan for the period 2011-2013: Project 1: Key Performance Indicators Methodology for auditing IT Programmes (Project Leader: SAI-China; Members: SAIs of Bhutan, Japan, Kuwait, Poland, Russia and USA) The project group prepared guidelines on Key Performance Indicators methodology for auditing IT programmes. The guidelines would be available for use by the entire INTOSAI community on approval in the XXI INCOSAI. Comptroller and Auditor General of India

8. Development and transfer of knowledge Project 2: IT Audit planning and detailed audit procedures to review IT controls (Project Leader: SAI-South Africa; Members: SAIs of Bangladesh, Bhutan, Sri Lanka and Tunisia) • The project group has mapped the iSACA guidelines with ISSAIs and is expected to provide the guidance document on IT Audit Planning. • This guidance used by IDI in designing their courseware for capacity building programme in IT Audit in AFROSAI-E region. • The Working Group and IDI, in a joint effort, has also elaborated on this courseware and has prepared a comprehensive IT audit guidance in the form of a handbook. • The IT Audit Handbook would be presented before XXI INCOSAI for approval. Comptroller and Auditor General of India

9. Development and transfer of knowledge Project 3: OptimisingIT value in Government Organisations (Project Leader: SAI-Canada; Members: SAIs of Brazil, Norway, Poland, Sweden and United Kingdom) • The project objective was to research and share best audit practices in the area of achieving the best value from IT investments. • As IT investments bring both value and risk, the various challenges faced by Government departments and IT auditors were looked into. • Six sub-projects were undertaken for the preparation of the project report. • The group has collected useful reference material which would be hosted on the website and hyperlinked to source documents. Comptroller and Auditor General of India

10. Development and transfer of knowledge Project 4: Green IT (Project Leader: SAI-Norway; Members: SAIs of Austria, Canada, India and Sweden) • The project describes Green IT and provides SAIs with a set of audit approaches to keep a focus on environmental aspects in auditing IT systems to motivate governments to ensure an environmental approach to IT investments and use of IT-tools. • The outcomes of the project include the production of a list of important questions to ask and areas to cover when auditing IT. Comptroller and Auditor General of India

11. Development and transfer of knowledge Project 5: Cloud Computing and Virtualisation (Project Leader: SAI of the United States of America; Members: SAIs of Australia, Canada, India, Norway, Sweden, Turkey and United Arab Emirates) • The project defines cloud computing and describes its advantages like providing shared services as opposed to local servers or storage resources, enabling access to information from most web-enabled hardware and cost savings on reduced facility, hardware/software investments and support. • The project team had prepared a draft guide and handbook on Cloud Computing which has been incorporated in the detailed IT Audit handbook prepared by WGITA in collaboration with IDI. Comptroller and Auditor General of India

12. Draft Work Plan (2014-2016) Based on the IT survey and discussions in the 22nd meeting of the Working Group on IT Audit at Vilnius, Lithuania in April 2013, the following four projects have been identified by the Working Group for the next Work Plan (i.e. 2014-2016): Comptroller and Auditor General of India

13. Draft Work Plan (2014-2016) • Above projects due for completion before XXII INCOSAI in 2016 in UAE. • The ISSAI 5310 on Information Systems’ Security Audit was due for review in 2013. Hence, review taken up by the Working Group, for endorsement in the XXI INCOSAI. • A project on development of an overarching ISSAI-5300 covering the general principles, approach and methodology of IT Audit also taken up. • ISSAI 5300 to provide a natural succession to more specialised standards such as ISSAI-5310 on Audit of security of Information Systems and other areas of IT Audit. Comptroller and Auditor General of India

14. Draft Work Plan(2014-2016) • ISSAI-5300 would thus significantly impact the framing of all subsidiary ISSAIs, including ISSAI-5310. • New drafting conventions for ISSAIs and audit guidelines recently circulated by PSC. • The introduction of these conventions necessitate substantial re-drafting of the existing ISSAI-5310. • In view of these developments, the updated version of ISSAI 5310 to be ready only by the XXII INCOSAI in 2016. Comptroller and Auditor General of India

15. Proposal for approval of KSC Steering Committee WGITA requests approval of the following two documents: • WGITA-IDI IT Audit Handbook • Key Performance Indicators methodology for auditing IT systems

16. THANK You Comptroller and Auditor General of India