Project
Put in practice the “WGITA – IDI Handbook on IT Audit for Supreme Audit Institutions”
“IT Audit is an examination of implementation of IT systems to ensure that they meet the organization’s business needs without compromising security, privacy, cost, and other critical business elements.”
(WGITA – IDI HANDBOOK ON IT AUDIT FOR SUPREME AUDIT INSTITUTIONS)
“Audit of Information Systems may be defined as the examination of controls related to IT-driven information systems, in order to identify instances of deviation from criteria, which have in turn been identified based on the type of audit engagement - i.e. Financial Audit, Compliance Audit or Performance Audit.”
(GUID 5100 PARAGRAPH 3.2)
Objectives
Consider the tool developed by the project not as a finished product but as a prototype. It closely follows the approach defined in the WGITA – IDI Handbook on IT Audit for Supreme Audit Institutions.
The main objective is to provide users with the practical guidance, essential technical information and key audit questions needed to plan and conduct an effective IT audit.
Active
The idea was to turn the existing WGITA-IDI IT Audit Handbook into an electronic Active IT Audit Manual. “Active” here means:
- presenting practical guidance, essential technical information and key audit questions in an interactive way, which turns a handbook into a tool
- easy to update
- gradually customized to the specific needs of the user, i.e. taking into account lessons learnt from real-life audits
- supporting the mandatory obligations related to the audit procedures of particular SAIs
International
Work on the concept and the first versions was carried out during the twinning project of the Polish and Albanian SAIs (2016-2018) and was then continued by the eGovernment Subgroup of the EUROSAI IT Working Group and INTOSAI experts.
From the very beginning, the Polish SAI, which led the project, invited experts from other SAIs to collaborate, and the Active Manual owes its present shape to this international group. These were:
- Najwyższa Izba Kontroli of Poland (concept and tech solutions)
- Tribunal de Contas of Portugal (concept and tech solutions)
- National Audit Office of Estonia (testing)
- US Government Accountability Office (plug-ins concept)
- Icelandic National Audit Office (pre-audit assessment concept)
- Albanian SAI (first users and partners in conceptual discussions)
Free and Open
Our aim was not to build audit support software but to make SAIs ready to do so effectively in the future, should they so decide. To make it easy to use and adapt, the desktop version of the Manual can be used with two well-known and broadly available productivity software packages, supported by the major desktop ecosystems: MS Office and LibreOffice. Data are stored in XML format, which keeps the tool open to other solutions, present and future.
For coding we use Visual Basic for Applications (VBA) and the LibreOffice BASIC scripting language, both available to all experts who would like to develop the tool further or tailor it to their needs.
ISSAI 100 Logic
To ensure that the audit process is preserved so as to enable subsequent verification, monitoring and sharing of the audit analysis procedures (ISSAI 100 PARAGRAPH 42), the tool produces:
- A template activity plan, which includes the subject, criteria and scope
- Audit matrices to help perform the audit work and record the findings
- A central point to help the auditor interpret and judge against the audit questions raised at the planning stage.
Step-By-Step
One of the aims of the WGITA-IDI IT Audit Handbook was to open IT audit to a broader group of auditors. Breaking the ‘black box’ down into clearly defined IT audit domains and walking step by step through all of them shows that many risks and auditee problems are similar to those in other domains of the organisation: governance, operations, outsourcing, security, acquisition and development. Of course, some of the problems need a high level of IT expertise, but the Manual helps to identify them and to recognise their difficulty level, which is the first step towards finding the experts and communicating with them efficiently.
This ‘problem mapping’ approach is the one we wanted to apply effectively in the Active version too. The user receives a table of risk domains, subareas and frequently spotted issues. The list turns out to be quite extensive, so a risk-based audit approach must be applied as well.
Open For Other Tools
The map of risks can be supported with data received from the auditee in the pre-assessment phase (a mechanism already implemented) and from previous audits in related areas. A second mechanism is planned to be developed in cooperation with another project of the same EUROSAI ITWG subgroup: "Control space of e-Government" (CUBE: egov.nik.gov.pl).
The architecture of both tools is currently based on XML, which reduces problems on the technology side. Both tools, however, handle a lot of meaningful audit-related ideas and notions. What is more, both are under continuous development, so what we perceive as the critical problem is a coherent semantic model. This is why we look with hope to the INTOSAI Subcommittee on Internal Control (ics-intosai.nik.gov.pl). Internal control relates to virtually every management task, and thus it is under the scrutiny of all types of audit.
Support Of Audit Process
From the very beginning the tool has supported customization, allowing SAIs to tailor the templates provided to their own needs and corporate image. Customization is done through the scripting languages of the supported office packages. For the time being, we have prepared example templates for:
- the audit programme (based on the selection of risks to be verified during the audit)
- key findings (a form used to register the key findings for knowledge management purposes)
- the executive summary, starting version (based on the key findings of the audit)
The charts below present the key findings register and the executive summary generated from the findings content:
Audit Matrices
The Active version implements the core idea of the IT Audit Handbook: audit matrices. They let auditors deal with one issue at a time, identifying the audit objective in this regard and suggesting information sources as well as possible tests.
The chart depicts one of the 80 standard audit matrices:
Plug-Ins
The plug-ins for the Active IT Audit Manual were developed and implemented to answer the need for frequent updates (so common and intense in the IT world). They can also help enrich the Manual with experience coming from various SAIs, promoting the sharing and reuse of knowledge among auditors. Plug-ins can be created from the results of an interesting audit as well as from the analysis of an interesting problem, making it possible to address new and emerging areas of interest for IT auditors.
A plug-in consists of a description and a set of additional audit matrices. The Active Manual integrates one or more of them, ready to be used by the auditor if so decided.
Below you can see the risk analysis table with two plug-ins added ("E-Government" and "Open Data").
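As an added illustration, not the project's own code or XML format, of how the audit matrices of the previous section and the plug-in mechanism described above fit together: the element names, matrix identifiers and contents below are constructed assumptions, and the script merges a plug-in's matrices into a base set, rejecting incomplete matrices and refusing to let a plug-in received from another SAI overwrite a standard matrix with the same identifier.

```python
# Added example, not the project's code: the XML layout below is an assumed,
# constructed illustration of a base manual and a plug-in holding audit matrices.
import xml.etree.ElementTree as ET

BASE_MANUAL = """<manual>
  <matrix id="SEC-01" domain="security">
    <objective>Access to production systems is limited to authorised staff</objective>
    <sources>access control policy; user account list</sources>
    <tests>compare the account list with HR records</tests>
  </matrix>
</manual>"""

PLUGIN_EGOV = """<plugin name="E-Government">
  <description>Additional matrices for e-government service audits</description>
  <matrix id="EGOV-01" domain="security">
    <objective>Citizen identity is verified before a service is delivered</objective>
    <sources>authentication design; application logs</sources>
    <tests>walk through the login flow with a test account</tests>
  </matrix>
  <matrix id="SEC-01" domain="security">
    <objective>Same id as a standard matrix: must not overwrite it</objective>
    <sources>n/a</sources><tests>n/a</tests>
  </matrix>
</plugin>"""

REQUIRED = ("objective", "sources", "tests")

def load_matrices(xml_text):
    """Return {id: matrix} for every <matrix>; reject any lacking an id or a required field."""
    matrices = {}
    for m in ET.fromstring(xml_text).iter("matrix"):
        fields = {f: (m.findtext(f) or "").strip() for f in REQUIRED}
        if not m.get("id") or not all(fields.values()):
            raise ValueError(f"incomplete matrix {m.get('id')!r}")
        matrices[m.get("id")] = {"domain": m.get("domain"), **fields}
    return matrices

def integrate(base_xml, plugin_xml):
    """Add plug-in matrices to the base set; ids already present are kept and reported."""
    merged = load_matrices(base_xml)
    rejected = []
    for mid, matrix in load_matrices(plugin_xml).items():
        if mid in merged:
            rejected.append(mid)  # a plug-in never replaces a standard matrix
        else:
            merged[mid] = matrix
    return merged, rejected
```

The `rejected` list is what an auditor would review before trusting a plug-in, since a silently overwritten standard matrix would change the audit programme without anyone noticing.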
Languages
A support tool to help translate the content from English into other languages was added to the desktop version of the Active Manual. It can also be used for future updates or new versions of AITAM published by the EUROSAI ITWG.
Development
The core of the Active IT Audit Manual development team are members of the EUROSAI ITWG e-Government Subcommittee. The Subcommittee deals with both the CUBE and the Active Manual, looking for synergies from cooperation between the tools. Directions for further development were discussed at the last meeting in Opole, Poland, in October 2018. It seems that, in a realistic plan, the CUBE can provide the SAI community with:
- graph analysis, which can support auditors in looking for gaps among related findings
- a mechanism for analysing the auditee’s documentation.
In the case of the Active Manual we foresee:
- broadening the scope to other (non-IT) topics
- covering the full audit process, i.e. adding further support for planning, audit documentation and reporting.