
February 1999

The Intosai IT Journal

Issue 9

Also in this issue:

Country Focus: Oman

SAI India report on the future workplan

Financial Audit Support Software

INTOSAI EDP Committee Website


Contents

Editorial

Country Focus - Oman

The second IT Audit Symposium

The work of the INTOSAI EDP Committee

Financial Audit Support Software

News from around the World

The INTOSAI EDP Committee on the Web

Internet Addresses

Back issues

This is the ninth edition of intoIT to be published. intoIT is the IT journal of the INTOSAI EDP Committee. The journal is published twice a year, and aims to provide an interesting mix of news, views and comment on the use of IT in SAIs around the world.

Material in the journal is not copyrighted for members of INTOSAI. Articles from intoIT can be copied freely for distribution within SAIs, or reproduced in internal magazines, or for use on training courses.

The Editor welcomes unsolicited articles on relevant topics, preferably accompanied by a photograph and short biography of the author, and short news items, for inclusion in future issues.

Contributions should be sent to The Editor of intoIT, National Audit Office, 157-197 Buckingham Palace Road, London SW1W 9SP, United Kingdom. [email protected].


Editorial

Since the publication of the 8th issue of intoIT several important developments, relating to the INTOSAI Standing Committee on EDP Audit, have taken place. In November 1998 the committee presented to the XVI INCOSAI, at Montevideo, a report of its work and its workplan for the next three years. The Committee's work drew wide appreciation and its workplan obtained general approval. An article, in this issue, provides more detail. The Committee also established its website. This site among other items will feature the intoIT publication. We look forward to comments and suggestions of readers on the Website. The committee also produced a CD-ROM containing "The Electronic Compilations of SAI Mandates", "the EDP Directory" and "The IT Audit Courseware". The CD-ROM was distributed to SAIs during XVI INCOSAI. The product highlights the tremendous possibilities for storing and distributing large volumes of information using a CD. The Swedish National Audit Office has, on behalf of the committee, published and distributed proceedings of the Performance Audit Seminar, held in Stockholm in May 1998.

In this issue we have a country focus article on Oman, a report by SAI Sweden on the Performance Audit Seminar and from SAI India on the future workplan of the Committee. Other features are an article by SAI UK on "Financial Audit Support Software" and an article on the INTOSAI EDP Committee Website.

During the XVI INCOSAI we received several enquiries about the "intoIT". This is evidence of the significant interest the journal has evoked among SAIs and their staff. We are certain that the availability of "intoIT" on the Committee's website would give this journal wider reach and aid our efforts towards information interchange.

The Chairman of the INTOSAI EDP Committee, Mr VK Shunglu reports on the work of the Committee and introduces this issue.


Introduction

Background information about the SAI of Oman

The Secretariat General for State Audit (SGSA) came into being, in its present form, in 1991 through Royal Decree no.129/91, promulgating the State Audit Law, replacing Royal Decree no.36/85 which hitherto dealt with the State Audit Function. However, the State Audit Function in Oman dates back to pre-1970. From a Department under the Ministry of Finance, this office became an independent Department under the Ministry of Diwan Affairs in 1974 and was elevated to a Directorate General in 1981, followed by the Regulation in 1985 organising the State Audit Function. In 1989, the first Secretary General was appointed by a Royal Decree and in 1991, the State Audit Law was promulgated.

The State Audit Law enjoins the SAI to audit State Public Funds in order to (a) protect them, (b) ensure their proper and effective employment, (c) expose cases of financial irregularities, and (d) recommend means of redressing deficiencies in financial laws, rules and regulations.

Besides Government Ministries and Departments, SGSA's audit jurisdiction extends to Public Authorities and other bodies in which Government has a share and/or receives grants from the Government.

In addition to auditing accounts, stores and the financial dimensions of personnel-related decisions, the State Audit Law specifically requires the SGSA:

- to monitor the implementation and progress of projects falling within the Development Plan to ensure that financial allocations are properly employed, and

- to evaluate such projects to ensure that resources are used efficiently and economically.

In practice, our work has a predominantly compliance and VFM rather than attest audit focus.

Our reports are issued, usually after every audit, to the Ministry concerned. The results of our work throughout the year are summarised in an Annual Report that is mandated by law. This report, which is submitted to His Majesty the Sultan, includes a summary of our audit findings and the action taken by auditees, observations on the State Annual Accounts, an evaluation of development projects and observations on adequacy of financial laws & regulations, records, systems.

SGSA has at present 144 employees; a small managerial cadre is backed by a few technical specialists, and two main categories of personnel: auditors and administrative support staff. About 40 employees are expatriates. Our annual budget is about US $4 million; nearly 80% of it is spent on salaries. About 1.3% is spent on Information Technology (IT).

The main office is in the capital, Muscat. A branch office is located in the southern city of Salalah, which is about 1000 kilometers away and is the other significant centre of Government activity. We have a few resident audit offices in important/large Ministries and field audit groups for auditing other agencies.


Country Focus - Oman

The Secretariat General for State Audit discuss their use of Information Technology in Oman


Information Technology in SGSA

IT in Oman

The use of IT in Oman is widespread, with Government probably being the biggest spender as most Ministries and Public Bodies use a lot of IT for their public services and internal operations. State-of-the-art information technologies are also rapidly being assimilated and deployed.

A significant aspect of the use of IT in Government is a centralised accounting system for the entire Government, which is run on an IBM mainframe computer in the Ministry of Finance. A large amount of information about all Government projects and the entire civil service of the Government of Oman is available through this system. All Ministries have terminals through which data can be entered and reports obtained.

IT in the Secretariat General for State Audit

IT in SGSA can be discussed under the following broad headings:

- The Beginning (1989-96)

- The Big Push (Late 1996 - 1998)

- Future Direction

The Beginning (1989-96)

IT is not new to SGSA. A Wang computer with 9 terminals was installed in 1989 primarily to meet our word processing requirements. The year 1992 saw a modest improvement, albeit an important one:

- 4 terminals were installed to provide on-line access to the Government's IBM mainframe computer and to the government-wide financial and personnel information in that system,

- a Local Area Network (LAN) was set up in our main office with a file-server running Novell Netware 3.11 and 8 PCs with 386 processors with Microsoft Windows 3.1, and

- an IT department was formed with 4 programmers and an IT specialist.

Microsoft Word and Excel gained popularity; applications like payroll, budget and correspondence tracking were automated with in-house programmes using Dbase for DOS. As IT skills developed, 6 more Pentium-based PCs were added in early 1996 to meet the demand for word processing and database applications.

The Big Push (Late 1996 - 98)

The IT Strategy

In October 1996, recognising that IT can play a significant role in achieving our mission, we changed our approach to IT. Drawing upon the INTOSAI EDP Audit Committee's "Guide to Developing IT Strategies for SAIs", we drew up a new IT Strategy with the following purposes in mind:

- Provide a statement of direction from the top management.

- Ensure that scarce resources are committed in line with the overall objectives of the organisation and not on pure technical considerations.

- Make the best use of resources in developing systems.

An IT Steering Committee was also set up, with a charter to monitor the use of IT and related resources.

SGSA's mission, like most other SAIs, is to strengthen the effective governance of the nation, by fulfilling its mandate with excellence. To achieve this, we need to improve audit quantitatively and qualitatively, and use audit insights to address deficiencies in financial laws and regulations. Shortage of resources, both financial and skilled manpower, makes it essential for us to derive the maximum value from those resources. The IT Strategy was formulated against this backdrop.

Our IT Strategy identified the following goals:

- strengthen the audit function through better management of resources, use of better audit tools and techniques, and improved information support to auditors;

- improve administrative efficiency in order to release scarce resources to audit, and provide superior logistic support to field audit teams; and

- build and sustain an Information Systems Audit function, in view of the large IT investments by auditees and the risks posed by such investments.

Some important guiding principles were also established at this stage:

- in-house IT services will be preferred over "outsourcing", in order to build skills internally to sustain the technological efforts and obviate dependence on external agencies for core operations, ensure confidentiality of information, and economise on IT spending;

- existing skills and investments in hardware and software would be protected as far as is practical; and


- IT skills needed by auditors to use audit support materials should be kept to the minimum possible, in order to promote widespread use of such tools, allow them to concentrate on audit rather than IT, and reduce the cost of re-training a floating population of expatriate auditors.

To implement the strategy, long and short term plans were drawn up. The broad goal is to ensure that, by the middle of 1999, every field audit team has dial-up access to audit support materials and other official data, and the ability to communicate electronically with the main office.

Implementation of the IT Strategy

This can be discussed under the following broad headings:

- Information Systems Auditing

- IT Awareness - Training

- Upgrading Infrastructure

- Applications

- Other Key Developments

Information Systems Auditing

Recognising that building an IS audit function, which was one of the main goals of our IT strategy, is a long gestation project, we focused on it first. We decided that a systematic approach to building the IS Audit function called for a Strategic IS Audit Plan that would be rolled over once every 3 years. In its infancy, this Plan would have a training bias, as building skills would be the first step. The plan, therefore, addressed the following:

- assessing and documenting the IS Audit skills that we will need, based on a quick survey of IT systems in use among auditees;

- drawing up a training curriculum for IS Audit trainees;

- interviewing and selecting two batches (12 each) of relatively young Omani, graduate staff for IS Audit training; and

- drawing up an IS Audit approach based on potentially beneficial audit areas and the skills likely to be available in the near future.

As a formal survey of the use of IT by our auditees would have been time-consuming and taxed our limited resources, we interviewed key personnel in the Ministry of Finance to obtain an overview of the use of IT in Government. Those interviewed were usually involved in different capacities with IT-related matters across the Ministries and other agencies. Our discussions with them covered Government-wide plans for the introduction of new technologies including the establishment of standards, with sufficient information to identify the types of IS audit skills that we would need. We were also able to throw some light on potentially beneficial areas for audit scrutiny. While this was sufficient for us to move forward quickly, we recognised that it was no substitute for a formal survey so we decided that such a survey would be conducted as part of regular audits in future, when our audit staff are better equipped to perform it.

Based on our assessment of the IS audit tasks ahead of us, we decided to build a large cadre of generalist auditors who can undertake simple IT audit tasks, and a small group of specialist IT auditors. This approach was prompted by the following considerations:

- Due to the widespread use of IT among auditees, all auditors would benefit from basic exposure to IT audit; specialist assistance for each audit would not be practical.

- The IS Audit specialists have to be developed mostly from among the generalist auditors who show adequate promise, after their training and field experience. This would necessarily take time.

Though we are empowered by law to hire external consultants to provide expertise not available internally, we prefer to hire experts as staff or advisors, to work with our staff and to train them over time to be eventually self-sufficient. This approach is based on our conviction that an internal pool of IS audit skills is essential to achieve effectiveness.

We selected 24 young Omani graduates with a positive approach to work and trained them vigorously for over 8 months on both part-time and full-time courses depending on the course-content and their availability. The training, adapted from the INTOSAI EDP Audit Committee's course-ware, was arranged in two batches. The training for the first batch was delivered entirely in English to 12 trainees who were proficient in English. By the second course, we had translated all the presentations into Arabic; so, the second course was delivered entirely in Arabic, though some of the handouts continued to be in English.

We also decided that

- trainees showing promise and aptitude would be sponsored for qualifications like the Certified Information Systems Auditor (CISA), and

- on-the-job IS Audit training would be provided to trainees under expert supervision.

To fulfill the latter of these, two important IS audits were taken up where some of the trainees could apply their IS audit skills under expert guidance. Encouraged by the success of these audits, some of the trainees are now applying their newly acquired skills independently on other audits. We are confident that, with growing exposure, these auditors will provide the core group of IS audit specialists that we aim to build.


To aid IS auditing, in April 1997, we adopted ACL for Windows as the standard for audit interrogation software and developed an in-house training course. The use of ACL for computer-assisted audit techniques (CAATs) has gained popularity, especially among the IS Audit trainees.

In early 1998, we evaluated and decided to adopt the "Control Objectives for Information and Related Technologies" (COBIT) as a framework for IS audits as it provides detailed audit guidelines. By May 1998, we also evaluated and purchased "COBIT Advisor", a software based on COBIT that acts like an expert system for IS auditing, guiding IS auditors and providing electronic work-papers.

IT Awareness - Training

We were aware that achieving our goals would depend heavily on building and sustaining appropriate IT skills internally. As a prelude to a "training needs analysis" we established the standards for desktop software. As Microsoft Word and Excel were already popular, we decided to standardise on Microsoft Office Professional (English-Arabic) as the desktop suite and Windows 95 (Arabic-enabled) as the desktop operating system. A subsequent assessment of our training needs indicated a substantial demand for training. We explored various options including:

(a) sponsoring staff for standard courses offered commercially,

(b) providing customised training through established training institutions or IT business houses,

(c) licensing computer-based training course-ware from reputed organisations, and

(d) developing and delivering in-house courses.

The last option was selected as the most convenient and economical as large numbers of staff could be trained quickly through part-time courses, without unduly disturbing their regular work.

Beginner and advanced courses were developed for Windows, Word, Excel and Access. To ensure quality and consistency, course-ware was standardised. Learning objectives were formulated and time-tables developed to ensure their achievement. Each session followed the TELL-SHOW-DO methodology; a PowerPoint presentation introduced the subject in Arabic, followed by a Lotus Screencam demo. The demo was available to the trainees for reviewing at their pace and to use as a reference on the job. Practical exercises were used to build and test their skills. The use of Lotus Screencam ensured consistency in the delivery of each session and enabled instructors to concentrate on delivery. We would greatly commend this approach to other SAIs; examples of these screencams are available on our website (http://www.sgsa.com).

While course-ware was being developed, the training infrastructure was established. 12 Pentium PCs were purchased in late 1996 and distributed among users; their older PCs were acquired for training with a goal of one PC per trainee. A good integrated computer/video projection system was also purchased.

Over 9 months we endeavoured to keep the training room and PCs continuously occupied training staff! In April 1997, 12 new Pentium PCs were added to the training complement, diverting the older PCs to selected novice-users to enable them to familiarise themselves with Windows.

As the formal training diminished with focus shifting to on-the-job training we passed most of the training PCs back to the users. Trainees are now grouped by need and focused short presentations provided, followed up by practice sessions on their own PCs.

As a result of the increased IT awareness, many employees purchased PCs for their homes. We assisted by guaranteeing the repayments of their loans through deductions from their monthly salary.

Infrastructure upgrading

Having set in motion a long process for building general IT skills and specialist IT audit skills, we focused our attention on building IT systems that would accomplish our goals and creating an IT infrastructure that would enable us to run those systems. With the IT strategy and plans lending clarity to our mission, we created a capital budget for 1997 that would provide us with a high-speed, reliable local area network as the foundation for our IT systems.

In order to achieve the goals of our IT strategy, we realised we would need inter-office electronic mail, workflow applications, a reliable relational database management system and an intranet for delivering content with a user-friendly interface. Our evaluation of different products suggested that Microsoft Back Office might be a very cost-effective solution. It would provide:

- Windows NT Server as a network operating system with a friendly interface,

- Exchange Server for e-mail, workflow and other messaging applications,

- Internet Information Server for web-based services,

- SQL server for database applications, and


- SNA server for replacing the existing IBM terminals with standard PCs connected to the IBM mainframe at the Ministry of Finance through our LAN.

To ensure that the migration to Back Office would be feasible and worthwhile, we signed up with a Microsoft Solution Provider for a free pilot run of Microsoft Back Office in April 1997. Using a standard Pentium 133MHz PC as a server, we ran NT server, Exchange Server and Internet Information Server, with 8 PCs connected to the LAN via the existing token-ring cabling. Satisfied about its friendliness and utility, we decided to buy Microsoft Back Office version 2.5. We floated a limited tender for a mid-range server, structured cabling and Back Office. By June 1997, we placed the order. By September 1997, our new LAN was operational with a Compaq Proliant 2500 server running Back Office on the server and a 100 Mbps Fast Ethernet network. Voice lines were transferred smoothly to the new cabling system over a weekend. A fast Ethernet replaced the token-ring network. Users were generally unaware of the change except for the perceptibly higher response speeds and the new cable running from their PC to the wall outlet.

To take advantage of the new infrastructure we added 18 new Pentium PCs and 6 of the diverted training PCs that were hitherto off-line to the LAN. With this, a PC had reached virtually every desk in the main office by the end of 1997.

As the usage of our LAN and its criticality grew, we added new hardware: a UPS in January 1998, a stand-by server (a Pentium 166MMX PC with additional memory and disks) in March 98, and a third server (also a Pentium 166MMX PC) in June 1998. In September 1998, we ordered another 24-port Hub to support new users in the main office. In order to improve performance and improve recovery in the event of a disaster, we distributed different services amongst the servers.

In 1998, we started the next phase of our infrastructure implementation. The first phase provided PCs with fax/modem capabilities to our resident audit teams outside the main building, to enable connectivity to our LAN through telephone lines. Three key units (Ministries of Finance and Defence, and the Taxation Department) are now connected. The next phase will involve supplying notebook computers for all field audit teams with connectivity to the main office; we expect to complete this phase by the middle of 1999.

Applications

Having initiated action for IS audit and general IT training, and set in motion the processes for the creation of a substantial infrastructure to support IT operations by April 1997, we turned our attention to building the systems that would drive our organisation. Budget, payroll and correspondence tracking were already operating satisfactorily, so we decided to delay their migration to a new environment. Of the applications we had identified as potential candidates for automation, the human resources management system and the audit management system were given top priority for prototyping. Microsoft Access databases were quickly created, with a completely Arabic interface using Forms. These prototypes were used to familiarise the users with the new system and make a powerful case for pre-computerisation reforms. They also enabled us to capture historic data.

An asset management database was created to maintain an inventory of office assets. Databases for hardware and software inventories and manuals were also created. An electronic technical library also began to take shape with executive summaries of all internal orders from 1989 to date, with on-line retrieval of images of the originals.

With Exchange Server and Microsoft Outlook, we were able to offer e-mail and group scheduling, both of which were instant hits with staff - young and old. Simple electronic bulletin boards were also deployed but the concept did not catch on.

Another significant development was the intranet. We created a broad framework for departmental webs and started by building the web pages for the IT department. Distribution of work within the IT department, software standards, procedures for installing hardware and software, technical manuals, maintenance contacts were included. An Administration Department web page provides access to information about the building plans, visual phone & personnel directories, etc. The Audit Department web page provides access to texts of important legislation.

Creating web content in Arabic and indexing them for searching proved troublesome. In May 1998, we finally adopted "Nashernet" as the Arabic-English web authoring software. We expect our web services to gain popularity as more Arabic content becomes available.


Key Developments

The Internet

Not to miss out on the Internet Revolution, we acquired an internet account in November 1996, when these became available in Oman. With the experience gained in creating and managing webs internally, we set up an external Web site in December 1997 (www.sgsa.com). In February 1998, we extended Internet access to selected users on our LAN through a dial-up connection; we used Microsoft Proxy Server, which is part of Microsoft BackOffice. In August 1998, we decided to use the Internet as a vehicle for gathering data from auditees, field audit teams and the public. Our web site is being refurbished to meet this requirement.

Remote Access to LAN

In March 1998, the first resident audit team outside our campus was connected to the LAN through a telephone link. Two more teams have since been connected. The Secretary General, a few managers and select IT department staff also have remote access to the network. This facility with appropriate controls will be extended to other users.

Web-based Querying

Consistent with our goal of demanding minimum IT skills from users, we are progressively delivering more information through a browser interface. Personnel and technical library information is already being supplied from Microsoft Access databases dynamically and users can query the databases from their browser. Data-entry is not handled through browser interfaces.

Workflow applications

After the initial lack of response to bulletin boards and shared public folders in Exchange, the concept of electronic workflow is catching on. Shared tasks, contacts, knowledge bases, etc. are now being used. Also issue and tracking of software media and paper files from the central archive are being done electronically through Exchange folders, using bilingual (English/Arabic) forms.

Systems Management

To simplify and streamline systems management tasks and improve the management of IT assets, we recently deployed Microsoft's Systems Management Server, which is again part of Microsoft BackOffice. With this, monthly upgrades of anti-virus software, systems audits for illegal or unauthorised software, inventory of hardware and software, etc. have become simple and manageable.

We have recently evaluated Microsoft Windows NT Workstation 4.0 (Arabic-enabled) for the desktop operating system and are considering this as a replacement for Windows 95 to provide greater reliability and centralised management of desktops.

IT Security

Our growing dependence on IT has made security and business continuity planning important issues. To manage our IT better and to set an example for our auditees, we formalised an IT Security Policy in July 1998. We also set out detailed security procedures and drew up a detailed Business Continuity Plan that enables us to ensure continued availability of IT services in the event of disasters.

Future Directions

To ensure that all key decisions within SGSA properly take account of the IT-related aspects, our road map is broadly defined. Needless to say, this will be continually reviewed to take advantage of new technologies and user innovations.

Framework for Applications

Our focus will be on increased web-based support for

- managers - including personnel, budgets and audit management

- mobile audit teams - for on-line access to knowledge databases, audit guidelines, laws and regulations issued through Royal Decrees and Ministerial Notifications, internal circulars, audit schedules, government-wide financial data, etc.

The long term objective is to provide an "electronic briefcase/toolkit" for auditors and a relatively paper-free decision support system for managers.

Technological Architecture

Our aim is to provide the non-technical user with one or at most two interfaces: a web-browser and a personal desktop manager like Microsoft Outlook. Web-based querying of databases will be achieved through "ODBC connectivity" as at present; however, we expect to migrate from Microsoft Access databases to Microsoft SQL Server 7.0 which is expected to provide us proper support for Arabic data and greater security as well.

We foresee centralised management of IT assets using Systems Management Server and progressive use of workflow applications with interchange of data between Exchange (messaging database) and SQL Server or Access. SNA Server may be deployed to bring IBM Mainframe data to the user's desktop.

Conclusion

We have come a long way in 2 years of sustained efforts. But we realise that we still have a long way ahead. Sustaining management commitment and increasing user acceptance remain our biggest challenges.


IT in SGSA - Important Milestones

Period: 1989; 1992; October 1996; November 1996; December 1996; April 1997; July - September 1997; October 1997; December 1997; February 1998; April 1998; May 1998; July 1998; September 1998

Networked PCs (Cumulative): 8; 8; 8; 8; 8; 18; 36; 42; 44; 44; 44; 46; 46

Infrastructure:

- Wang Computer with 9 terminals; mainly word-processing

- Novell Netware-based Token-ring LAN. Windows 3.1 clients. Terminals to Ministry of Finance's IBM mainframe

- Standardisation of Operating System (Windows 95), Desktop Software (MS-Office Professional)

- IT Training Lab set up

- Pilot project for migration to Microsoft BackOffice

- New Compaq Proliant 2500 server; Structured Cabling in main office buildings; Fast Ethernet LAN - 100 Mbps Hubs with fibre-backbone between buildings; full-scale migration to MS BackOffice 2.5; Wang phased out; Novell Netware phased out.

- Separate server for remote dial up access and Internet proxy services

- Third server set up as Backup Domain Controller for LAN

- Additional Hub to provide more network connections

Strategic Framework and Skill Upgradation:

- New IT Strategy

- Capital Budget for IT Infrastructure

- In-house IT training started

- Training for e-mail, browsing, etc. started for all LAN users

- Internet Web site registered (www.sgsa.com)

- Advanced training in desktop applications

- IT Security Policy; Business Continuity Plan

- Training in workflow application development

IS Audit:

- IS Audit Strategic Plan

- Membership of ISACA; ACL chosen as audit interrogation software

- Core modules of IT Audit Training commenced

- Choice of COBIT as IS audit methodology; Decision to sponsor candidates for CISA

- IS Audits commenced

- Purchase of "COBIT Advisor"


Introduction

In March 1995 a working seminar on the theme of Performance Auditing of the Use of EDP was arranged by the Swedish National Audit Office (RRV) as part of its work as the convenor of Working Group II (Performance Auditing of the Use of EDP systems) in the INTOSAI Standing Committee on EDP Audit. The seminar proved to be a success and the Committee decided that a second seminar should be arranged in Stockholm in 1998. The proceedings from the first seminar can be obtained from the RRV.

For the second seminar the arrangements were somewhat different. The objective was, as before, to bring together auditors from different SAIs who work in the field of performance auditing of the use of IT/EDP and to discuss topical issues. These issues could be new forms of IT, new types of information systems and new methods for auditing. The main objective was to exchange experience on practical issues.

The seminar was organised around six themes that were presented by:

- SAI Canada: Systems under development audit
- SAI India: Strategic Planning for IT Performance Audit.
- SAI Netherlands: Information Security.
- SAI South Africa: Specialised Information Systems Audit Tools
- SAI Sweden: EDI and auditing
- SAI United Kingdom: IT Development and Operations Contracted out to the Private Sector.

Several country papers were produced. These, together with the lead papers and a summary of the discussions, were published as "Performance Auditing of the use of EDP, 2" by the RRV. The proceedings were distributed to all INTOSAI members.

This was the second INTOSAI seminar to focus on the burning question of performance audit of the use of EDP. The seminar brought together thirty participants from twenty SAIs. The NATO Board of Audit was once again invited as an observer. The seminar was a success. There were many intriguing inputs and useful discussions. A follow-up committee meeting decided that a third seminar should be planned for 2001 in Slovenia.

Six themes

Since the last seminar three years ago there have been vast developments in the area of new technology and IT applications. Many new audit issues have arisen and most of the old ones remain. There is a great deal to discuss and even more to do when back in the office again.

IT-security

IT security is one of the basic areas in which auditors will always have an interest. One problem is that the point of departure of the audit, which may be best practice, is questioned in many respects by the auditees. Today there is an interesting trend towards standardisation and regulation. The British standard BS7799 and ISACA's CobIT are two standards which auditors and others refer to. BS7799 is also under consideration as a national standard outside Britain.

Standards and regulations provide support for the audit. It is also easier to convince management of the need for a certain level of security. However, regulation or compliance audit against a standard is not without problems. An agency's problem in meeting requirements can well be due to shortcomings or other problems with the standard itself.

It was pointed out that it is important to distinguish between risk analysis and vulnerability analysis. Risk analysis makes an assessment of those systems that, if problems occur, can have considerable, undesirable consequences. Vulnerability analysis is an analysis of the "risky" systems identified in the risk analysis to examine if weaknesses exist.

It has been believed for a long time that most threats originate from within the organisation. The RRV has performed a study on computer crime that indicates that external threats are becoming more common. Figures and the way in which they have been calculated can always be discussed but there is a clear trend. Other SAIs have also seen this trend. The reason is naturally the increasing use of data communication in which the Internet is an important factor.

Another trend is that the auditees' work on IT security is being done to an increasing extent by consultants hired for the purpose. One problem is then how to audit these projects. A new risk could be that a private company engaged in IT security work on a contract basis could have unauthorised access to all competitive information. The auditor's starting point should always be the requirements of the organisation. Management's standards shall apply regardless of who has done the work.


The second IT Audit Symposium

Peter Nilsson reports on the second IT Audit symposium held in Stockholm in May 1998.


IT development and operations contracted out to the private sector

It is becoming increasingly common that agencies (and companies) farm out parts of their IT operations to IT companies (outsourcing or contracting out). If done in a correct way this procedure can provide many advantages. The costs are visible and it is also necessary to define processes. This results in a more structured and analytical IT operation. However, there are risks. Being dependent on one supplier means that the agency's hands are tied. It is easy for an agency to lose control of its IT operations.

One risk is that the supplier or the agency wishes to change its strategy when the contract expires. This could cause considerable costs and it could also put the other party in an extremely awkward situation.

It can be more difficult to achieve operational objectives since one relies more or less fully on the contractor when changes are considered necessary in the system. It can also become more difficult to discuss strategic business development. Here there can also be a political risk: the agency may need to ask the company before changes can be made, for example in the tax system. Furthermore it can be difficult or even impossible to check that sensitive information is not accessible to unauthorised persons. There are examples in which, on account of these arguments, decisions have been reached not to farm out entire, or parts of, IT operations.

One factor to observe is that the company which is given the first contract in a country is given a strong market position and can become too dominant. Therefore it can be a good thing from the public sector perspective not to give too many contracts to one company.

An important lesson is that management cannot abdicate its responsibility for IT operations even when they are outsourced. The agency must still possess certain skills. The case studies show that there are bigger risks for smaller agencies since they lack the necessary expertise in-house to formulate and exercise controls over outsourcing.

It is instructive and illustrative to compare the building of IT systems with other types of constructions, for example a bridge, a boat or an aeroplane. This makes it much more obvious to decision-makers that controls of IT projects must be exercised in the same way, as well as expectations in respect of deliveries. It is also a good comparison as it visualises that what is being ordered is functionality, not a specific design. The question of design can be left to the different contenders for the contract and may lead to different solutions to the same requirements. But, on the risk side, it might be more complex to evaluate the different solutions. Best value when deciding whether to develop in-house or outsource should be the key concept for local government.

Specialised Information Systems Auditing Tools

Today developments are taking place in the field of general IT-supported tools which can be used in audit work. At the same time there is a trend in the value for money analyses of certain SAIs towards more extensive quantitative results based on data from the agency audited and, for example, cross-system analyses which combine data from several systems as well as simulations of the consequences of different alternatives. However, developments in this field are still in their infancy, but more examples of applications are emerging.

CAATs (Computer Aided Audit Tools), which are traditionally a tool for the financial audit, can have many new application areas. For example absence in an audited organisation can be more easily analysed with the aid of this type of instrument. Another area of application which has been mentioned is Forensic Audit.

However, computerised aids are not entirely without problems. Expert systems contain different rules or information. The issue is then what information or values the system represents and if they are relevant for the situation in question. It can also be difficult for the auditors to have sufficient skills and knowledge in respect of an agency's IT systems.

Strategic planning for IT performance audit

Many agencies still regard IT as a technical problem and not as a management issue. A lack of expertise leads to shortcomings in the agencies' administration of IT issues. Topical areas are IT procurement and IT strategy and change management. Today IT procurement is a major issue in North America and the agencies need more expertise in the area.

Several SAIs are now extending and developing IT audit. IT audits are being performed in more areas and several SAIs have indicated that more is needed.

To meet this development the audit must have the right expertise. The question is what form of expertise and how should it be developed and maintained. Continuous training of IT auditors after they have undergone basic training is a challenge and the training budget is often considered inadequate.

Furthermore discussions are taking place on whether an IT audit strategy is needed and, if it is, how it should be organised. The audit must know what it wants and must be able to motivate its projects. An important issue is how the regular audit can best be supported.


Professional reinforcement in the form of consultants is common but does not exist everywhere. One problem with consultants is that they can seek other jobs at the agency they are auditing. One also needs to be able to control the quality of their work.

SAI Japan does not, for example, hire external consultants but has 15-20 IT auditors of its own. Under the internal rotation rules they are transferred after 3-4 years to other units. SAI Oman sends its auditors to private firms for general audit training. For IT Audit the training was adapted to their requirements from the INTOSAI IT Audit Training Courseware. About 24 young graduates were given this training in 2 batches. Some of the trainees were then deployed on IT audits under expert supervision. Now, some of them are trying out IT audits on their own. The NAO in England has 15-20 IT auditors based in line audit units supported by a specialist team of 3 at the centre. There is an active programme of training and development. Other expertise required is bought in on contract which also contributes new expertise and new insights. In the Netherlands, regional sections of the professional organisation for IT auditors NOREA (the Netherlands' Order for EDP auditors) organise sessions for permanent professional education after office hours. Germany has a two-week training programme each year for its IT auditors; Canada accepts rotation of audit staff to do IT audits for a minimum period of two years. One important aspect is that this type of rotation requires collaboration between managers and the support of top management.

Every IT audit must be regarded as a learning situation. Timing is important. Training which cannot be used directly is often of no use. It is also difficult to train auditors in advance due to differences in systems, and change is taking place all the time. "Just in time" training appears to be a suitable model: take the opportunity when the need arises in a project. If a certain product becomes predominant among the auditees, specialist training can be recommended.

There is a need for training material, for example on CD, and reference works. Training material which the committee has produced has been received positively and has been used successfully in several connections. Courses can be held from four to eight weeks depending on the level of ambition. One particular problem is the need to translate material into the language in question.

Another problem is keeping pace with development. Different forums and contact networks are needed for the further development of IT audit.

In brief it can be said that IT audits need legitimacy in the form of steering committees and well-motivated management. Strategies, plans and budgets as well as audit programmes are also needed. Approaches in respect of human resource management and development of IT staff, the use of consultants, in-house training, exchange programmes etc. must be developed.

EDI and auditing

It is important to point out that this is an issue of paperless systems of which EDI is one example. Questions that are being discussed under the heading of EDI also arise in many other connections.

Many countries have started EDI programmes, primarily electronic trade. However developments are slow in the public sector. If electronic trade is to be meaningful, a large volume of transactions is required. Electronic trade is therefore not necessarily an important application; development potential in the public sector is to be found elsewhere. The issue is thus what types of information exchange can be improved with the aid of EDI.

In most countries there is a need to go through the legislation which is affected by electronic trade. Many countries have discovered that there are difficulties in exploiting the potential of EDI to the full under existing legislation.

Other issues needing solutions are, for example, how standards between the private and public sector shall be handled, and how agencies shall manage, organise and secure development projects for EDI. An important issue that is easily forgotten is, for example, that receipts for EDI traffic are necessary.

Systems under development audit

Today operations are changing rapidly. Projects which extend over several years have the consequence that a system is probably not needed or is not adapted to operations when finalised. Experts have estimated that some 50% of the agencies' budgets are spent on correcting errors and mistakes made in earlier and ongoing work. It is a question of a large sum of money that could be used more effectively.

Methods are now being produced to administer projects and consultants. "Earned value" is one method that was mentioned. There are other methodologies.

One of the most common shortcomings in development projects is that project leaders and consultants lack experience of major projects. They are themselves undergoing a learning process. There are also shortcomings in the knowledge of users and management, specifications are often of poor quality, and there are deficiencies in the estimates of costs and benefits. Furthermore sub-deliveries are often checked but not the process which leads to the final result. There are thus shortcomings in quality assurance.


Skansen

Society is becoming more complex. Agencies are growing more dependent on each other and are also becoming linked to private companies. One major precondition for this situation is, of course, IT. We can observe this in the development of data communication and the Internet, paperless applications such as EDI, expert systems, outsourcing etc. The reason for this development is of course an aspiration to create a more efficient public administration and society. Developments can be very swift.

This became apparent to the delegates at the outdoor museum of Skansen, situated on a beautiful island in central Stockholm. Houses and other buildings from historical Sweden are exhibited there, illustrating among other things how early institutions such as banks functioned. In less than one hundred years Sweden has been transformed from a poor rural country into one of the richest countries in the world. The efficient use of new technology is one important factor in this development. The efficient audit of the new technology is a precondition for trust in new technology and an important tool to deal with the new risks that emerge in the development of society.


The INTOSAI Standing Committee on EDP Audit was constituted in June 1989 and has now existed for 9 years. The central objective of the Committee is to support the SAIs in developing their knowledge and skills in the use and audit of Information Technology. To meet this goal the Committee is mandated to provide information and facilities to provide for the exchange of experiences, and to encourage bilateral and regional co-operation.

A major milestone for the Committee was the adoption of a work plan for 1995-98 during the XV Congress of INTOSAI in September-October 1995 in Cairo. This has formed the basis of the committee's activities in the past 3 years. The steady increase in the membership of the committee is a measure of its growing relevance. The membership, originally 12, now stands at 18.

Areas of Operation

The Committee has three main areas of operation, each of which was originally assigned to a separate Working Group within the Committee:

- Audit of EDP-based accounting systems and EDP support in auditing

- Performance auditing of use of EDP systems

- Use of EDP in SAI's own administration

The original convenors of these working groups were Canada, Sweden and UK. The working groups were reconstituted into the following two at the April Meeting of the Committee in 1997:

- Working Group I: Performance Auditing of the use of EDP Systems with Sweden as convenor.

- Working Group II: Audit of EDP-based accounting systems, EDP audit training and EDP support in auditing with UK as Convenor.

The committee has met twice at London and Stockholm since the XV INCOSAI where the status of various projects was reviewed, priorities were established and a plan of action for each project determined.

Status of Work

In the area "Information Interchange" several activities have taken place.

- The INTOSAI EDP directory has been updated and is available both in a printed form and as a CD.

- Eight issues of the journal IntoIT have been published and circulated to all members of INTOSAI and have been well received.

- The Second Seminar on IT Performance Audit was held in May this year and covered 6 theme areas. Participants from 20 SAIs attended this seminar. The seminar output was circulated in November 1998.

- A new product - an Electronic Compilation of SAI Mandates has been produced on a CD for use as a reference tool. This incorporates the mandates of over 130 member SAIs.

- A website for the committee has been set up. An article in this issue gives more detail.

In the area of "Knowledge and Skill Development"

- IT Audit Courseware has been developed and circulated to the Regional Working Groups of INTOSAI. Course Overviews were circulated to all SAIs in February 1997.

In the area of "Knowledge Development and Transfer"

- A draft paper was prepared on EDI and Paperless Audit by SAI Sweden and articles have appeared in the third issue of intoIT.

- A short paper on Auditing in a Client Server Environment has been prepared and circulated for suggestions and comments. This will be followed up with an article in intoIT.

- A research paper on Performance Audit Methods for Analysing Effectiveness of Use of New Technologies has been produced by SAI Sweden and has been published as the special 7th issue of intoIT.


A Report on the Status of Work and the Future Work Plan of the INTOSAI standing Committee on EDP Audit by SAI India


- Though not part of the work plan, the Year 2000 Problem, on account of its topicality and its potential impact, was taken up as a project. Articles on the subject featured in the 8th issue of intoIT. The topic was also discussed during the 2nd Performance Auditing Seminar.

Work Plan of the Committee till the XVII INCOSAI

We will continue to group all planned activities and projects under the three broad areas namely

- Information Interchange

- Knowledge and Skill Development and

- Knowledge Development and Transfer.

In the field of Information Interchange

- The committee plans to continue publication of two issues of intoIT annually.

- Beginning from the 8th issue intoIT will also feature on the Committee's Webpage.

- The EDP Directory has been appreciated for its contribution in furthering bilateral and regional co-operation by providing an information base for SAIs. The 3rd update of the directory should be available in 2001.

- As part of the established practice of dealing with complex issues through periodic seminars, it is planned to organise another Seminar on Performance Audit in 2001 in Slovenia.

- The Committee Webpage will be further developed after taking into account the views of members.

- The current Compilation of SAI Mandates will be updated to include mandates for the remaining SAIs and also to reflect any changes in the mandates. Members are requested to apprise us of their mandates and any changes to enable us to periodically update this compilation.

On the activities relating to Knowledge and Skill Development

- Feedback will be obtained from different regions on their experiences in using the IT Audit Courseware and based on this, the courseware can be updated.

- Building on the basic IT Audit Courseware, the committee will prepare Advanced Training Modules in selected and specialised areas.

- The Reference List of Materials on IT Performance Auditing will be kept updated, throughout the next 3 years, through articles in intoIT and the Committee Webpage.

The committee plans to continue with its activities in pursuance of its declared objective of supporting and promoting development and transfer of knowledge relating to IT audit.

- The work on the project EDI and the Paperless Audit will continue and EDI and its audit implications will be the focus of a future issue of intoIT.

- As regards the study Auditing in a Client Server Environment, a revised paper will be printed as an article in intoIT.

- The Year 2000 problem will be kept in focus through articles and news items in intoIT and on the Internet Webpage of the Committee.

- The committee also plans to initiate three new studies in the areas of Audit implications of IT infrastructure Management, Detection and Prevention of IT related fraud and Computer related Communications Security.


Our goals when developing FASS were mainly to seek improvements in the efficiency of producing audit documentation and providing auditors with quick access to reference information. A sub-goal was to improve and standardise audit documentation as far as possible. Other goals have arisen along the way including flexibility, an issue that auditors and managers place great emphasis on.

Three years ago we revised our Audit Manual and the NAO adopted Windows 95 and Microsoft applications for general use. FASS was rebuilt to incorporate and take advantage of these changes, introducing simpler solutions than had previously been possible.

Overall Design

The core building blocks of FASS are the Microsoft applications Word, Excel and Access.

To reduce problems of installation and maintenance all entities and code are contained in Templates. When these are revised they are placed on a server and automatically downloaded to machines when the user next logs on to the network. No special configuration of machines is required, considerable effort having been made to ensure that the system works on the standard NAO set up.

FASS integrates with other NAO systems rather than replicating their functions. The main links are to our Resource Management System and Merlin, an intranet that provides access to manuals, reference material and much more. File control is provided by user permissions from the servers which run Microsoft NT.

To minimise the amount of training and additional knowledge auditors need we have made FASS work in the same way as the Microsoft applications it uses. The tool to create and roll forward documentation is in the form of a Wizard accessed from a Word document and special functionality is provided by FASS toolbars in documents and spreadsheets.

Creating and Rolling Forward Documentation

FASS enables the creation of financial audit document sets tailored to the requirements of the audit. The degree of tailoring is not excessive as auditors and managers like to retain considerable freedom in how they go about an audit, making fine tuning superfluous.

Documentation can be created and accessed on servers, standalone PCs or laptop computers. Documents are stored in folders (directories) and individual documents can be opened using Explorer or file open dialog boxes within the applications.

Rolling forward document sets to the next year is a simple process but can have significant rewards. Whilst text in documents is not changed by the process, headers are amended to the new year's information but more importantly client financial information is transferred to prior year.

After a roll forward entering current year budgets enables a full set of planning documentation to be produced very quickly. Of course auditors will need to do more than just this. The roll forward process has enabled auditors to gain more time to think about their clients and how to go about the audit than would otherwise have been possible. Knowing that they probably have most of the basic information in last year's documentation including any impending changes to clients' business or systems, gathered during the course of their previous audit, they can spend more effort on refining and optimising the current audit.

The process of creating or rolling forward documentation sets uses a dialog box built in a Word template. The example in Fig. 1 is set for roll forward and both the source and destination of the documentation set have been selected. Header details can be changed as required for the next year's documentation.


Financial Audit Support System

Over the last 5 years the National Audit Office has developed a Financial Audit Support System designed to meet auditors' needs to create audit documentation and maintain information about our clients and audits.

Figure 1: FASS Creation and Roll Forward

Tony Anderson joined the NAO in 1979, and after working on a wide range of financial and performance audits joined the NAO IT section to develop and implement IT projects for audit purposes.


The Documentation Set

The documentation set is divided into a series of folders as shown in the 'Open' dialog box in Figure 2.

In this example only one account area has been created, 'C1 Account Area' but auditors can create as many as they require. They can also add other folders, standard documents or documents they have created to meet their requirements.

Each folder is populated with an appropriate set of documentation including an index document (Figure 3) for the folder. The index is necessary, as we have yet to move to a fully computerised system; documentation is still mainly reviewed on paper. The index does provide some other benefits, as the entries, which are generated automatically, are hypertext links to the other documents in the folder providing a means of quick access. Each entry also shows the date and time of the last update to each document.

A typical document is shown in Figure 4 (overleaf). When first created documents contain a list of headings with references to the appropriate authorities and standards. Documents also have a common toolbar that provides quick access to reference and example (EG) documentation contained on our intranet Merlin and to other information about the client held in Section Files.

Documents can also contain links to other documents and to an Audit Information Database unique to each audit. A number of tables containing AID information are built into the standard documents and others can be added as required. These tables can be refreshed to capture the latest information held in AID. Other functions available from the toolbar enable tables to be flipped to improve presentation and a button to send selected text to another document such as points for management letters. The latter provides most of the functionality of a far more complex cross-referencing system but is quick and simple to use.


Figure 2 FASS Folders

Figure 3 Index Document


Audit Information Database

AID is built in Microsoft Access. It provides ameans of storing collections of information aboutclients and audits with a selection of functions andtools to perform many audit requirements quicklyand accurately. Use of the database, which can addsignificantly to the amount of work involved, is notcompulsory.

Client financial information in the form of budgetsand outturns can be imported from a variety ofsources. The file interrogation package Idea, whichis a core package used by our auditors, is thegeneral source of such data but client informationin a wide variety of formats can also be handled.

Clients Charts of Accounts or Ledger structures canbe used but most auditors use simplified versions toreduce complexity. Account Areas can be definedas required down to any level contained in thefinancial information. Figure 5 opposite shows theAccount Area Definition screen.

Clicking the tabs displays the various accountingand audit definitions each with many to one links tothe succeeding level. The buttons provide forimporting data, access to other screens and returnto the Word document currently being worked on.

At first appearance the rather detailed structurewhich includes Sub Account Areas seemsexcessive but for simpler accounts it is possible toremove layers by using the replicate button.Motivations for the structure stem from a numberof sources, the main ones were to enable auditors toview the impact of errors at any level especially

Financial Statements (Account Balances) and toprovide flexibility for auditors to refine their audits.

The Audit screen provides for calculating materiality, sample size and evaluating errors (see Figure 6 opposite). Other screens (not shown) are the Financial screen, which allows for importing or inputting client financial information at the level of detail required, and a General screen for maintaining information about legislation, risks and other less specific collections of information.

Word documents and Excel spreadsheets can contain links to AID. The links normally display tables that can be refreshed when necessary to show the latest information. Any information in AID can be incorporated into documents in this way. We have created a number of standard links that provide basic information for most parts of the audit. The information selected is often based on document properties so only information relevant to a particular document will appear. For example, documents in an account area folder will only show AID information specific to that account area.

Other elements of FASS

A number of spreadsheet templates are available to handle a variety of matters, including a set of the different account formats used by our clients and one to provide links to our Resource Management System. These and various Word documents have been created by others, not necessarily computer experts, to provide useful functionality whilst fitting in with the FASS system. This was possible because of the simple template structure of FASS, which is now not so much a rigid system but more a collection of basic building blocks and tools the auditor can assemble, both adding to and subtracting from, to best meet their needs.

Figure 4 A typical document

Figure 5: Account Area Definition screen

Figure 6: Audit screen

Mobile Computing

We have now been given the challenge of developing a Mobile Computing strategy for the NAO. FASS or its successor will hopefully be one element in this. FASS currently takes advantage of Microsoft Briefcase to enable auditors to take documentation on audits on notebook computers and synchronise their working papers and AID information when they return. But the demand in this area is very high and use of the Internet and Government Secure Internet will no doubt figure high on the list of audit priorities.


News Item

The INTOSAI Standing Committee on EDP Audit played an important role during the XVI INCOSAI, held at Montevideo, Uruguay from 7th - 14th November 1998. The Deputy CAG of India, Mr P K Lahiri, presented a report on the Committee's activities during the 44th Meeting of the INTOSAI Governing Board on 7th November 1998. This report highlighted the Committee's work since the last GB Meeting in 1997 and also its work plan for the next 3 years. The Congress opened on 8th of November 1998 and the Chairman of the Committee, Mr V.K. Shunglu - CAG of India, presented his report to the First Plenary. This report detailed the Committee's work in the past three years and presented its workplan for the next three years. The Committee also presented a paper, which formed the basis for discussions during the sessions on Sub Theme II E, which related to the EDP Audit Committee. Mr Doussari from SAI Kuwait moderated the discussion. Mr Griffith, Head of SAI of Barbados, acted as rapporteur. The Chairman of the Committee set the tone for the discussions with his opening remarks. During the discussions the CD containing three Committee products was demonstrated. On the 13th of November 1998 the Chairman of the Committee presented the results of the discussions as a report to the Second Plenary.


The INTOSAI EDP Committee on the Web

Patrick Callaghan, Information Centre, National Audit Office, UK

Information on the INTOSAI Standing Committee on Electronic Data Processing Audit is now available on the Internet. The website is being hosted by the UK National Audit Office (as is the INTOSAI Working Group on the Audit of Privatisations) and is intended to give a clear picture of the past, present and future work of the group in a format which is easy to use and which can be viewed by any browser.

The home page (reproduced above), which can be found at http://www.open.gov.uk/nao/intosai_edp/home.htm, shows the five main areas of coverage:

- background information includes detailed sections on the aims of the Committee, write-ups of projects, knowledge development and transfer, and the Committee's terms of reference;

- reports from the Committee to the Governing Board of INTOSAI for the past five years, as well as several documents relating to INCOSAI in 1992 and 1995;

- IntoIT editions seven and eight (with this edition [number 9] and all subsequent editions being added in the week of publication);

- the IT strategy guide ("Guide to Developing IT Strategies in Supreme Audit Institutions"), with sixteen chapters from "Why have an IT strategy?" to "Tips for success"; and

- the EDP Committee directory, with contact details of representatives from the 18 member countries.

The EDP Committee website will not be standing still. Plans are already well in place to provide a link to the State Audit Institution of Oman, which will be hosting Arabic versions of the key documents, and a total redesign is envisaged for later in 1999 to ensure that the site is making the most of web technology developments while maintaining the basic principles of ease of use and accessibility.


SAIs E-Mail Addresses and World Wide Web home pages

Country Organisation Email Address WWW Home page

Australia Australian National Audit Office [email protected] http://www.anao.gov.au

Austria INTOSAI General Secretariat, Rechnungshof [email protected] http://www.intosai.magnet.at/intosai/

Brazil Tribunal de Contas da União-TCU [email protected] http://www.tcu.gov.br

Bangladesh Office of the Comptroller and Auditor General [email protected]

Canada Bureau du Vérificateur Général du Canada [email protected] http://www.oag-bvg.gc.ca

China National Audit Office [email protected]

Croatia State Audit Office [email protected] http://www.revizija.hr

Costa Rica Contraloria General de la República [email protected]

Denmark Rigsrevisionen [email protected] http://www.rigsrevisionen.dk

El Salvador Corte de Cuentas de la Republica [email protected]

Estonia Eesti Vabariigi Riigikontroll [email protected] http://www.sao.ee

Germany Bundesrechnungshof [email protected]

India Office of the Comptroller and Auditor General [email protected] http://www.cagindia.org

Japan Kaikeikensain [email protected] http://www.jbaudit.admix.go.jp

Jordan Jordanian Audit Bureau [email protected]

Korea (Republic of) Board of Audit and Inspection (BAI) [email protected]

Luxembourg Chambre des Comptes [email protected]

Malaysia Pejabat Ketua Audit Negara [email protected]

Malta Audit Office [email protected]

Mauritius Audit Office [email protected]

Netherlands Algemene Rekenkamer [email protected] http://www.Rekenkamer.nl

New Zealand Office of the Controller and Auditor General http://www.netlink.co.nz/oag/index.htm

Nicaragua Contraloria General de la Republica [email protected]

Norway Riksrevisjonen [email protected]

Oman Office of the Secretariat General for Audit [email protected]

Pakistan Office of the Auditor General of Pakistan mohsin%[email protected]

Paraguay Contraloría General de la República [email protected]

Peru Contraloria General de la República [email protected]

Portugal Tribunal de Contas [email protected]

Russian Federation Accounts Chamber [email protected]

Singapore Audit Office [email protected] http://www.gov.sg/ago

Slovenia Racunsko Sodisce [email protected] http://www.gov.sg/ago

South Africa Kantoor van die Ouditeur-Generaal / Office of the Auditor-General [email protected]

Spain Tribunal de Cuentas [email protected]

State of Qatar State Audit Bureau [email protected]

Sweden Riksrevisionsverket [email protected] http://www.rrv.se

Switzerland Swiss federal Audit�s [email protected]

United Kingdom National Audit Office [email protected] http://www.open.gov.uk/nao/home.htm

United States of America General Accounting Office [email protected] http://www.gao.gov

Uruguay Tribunal de Cuentas de la Republica [email protected]

Venezuela Contraloría Général [email protected]

Yemen Central Organisation for Control and Auditing [email protected]

Please inform the Editor of intoIT, at the address on the Contents Page, of any additions or amendments to this list. He will then publish the information in a future issue. Please also inform the INTOSAI Secretariat of any changes.


Back Issues

A small number of copies of back issues are available from the Editor at the address on page 1. The main contents of the previous issues are:

Issue 1 - January 1995
Country Focus - India
The use of IDEA in the Swedish National Audit Office
Text Retrieval at the UK National Audit Office
The OAG Audit Briefcase (Canada)
News from around the World (Japan, Kuwait, Sweden, United Kingdom, Zimbabwe)

Issue 2 - July 1995
Country Focus - Zimbabwe
The INTOSAI EDP Directory
Developing Information Technology Strategies (UK)
Reviewing information security (Canada)
IT Audit Curriculum for INTOSAI (UK)
INTOSAI and the Internet
News from around the World (Ecuador, France, Kuwait, Netherlands, Sierra Leone, Sweden, United Kingdom, Zimbabwe)

Issue 3 - January 1996
Country Focus - Japan
The IT Audit Symposium in Stockholm (Sweden)
EDI and the Paperless Audit (Canada)
A Practical Approach to Auditing EDI Transactions (Norway)
Effective Resource Management (UK)
News from around the World (Brazil, India, Netherlands, Peru, United Kingdom)

Issue 4 - July 1996
Country Focus - Kiribati
IDI - Strengthening Legislative Audit Institutions in Developing Countries (Canada)
IT Audit Training in India
Training to support audit (Costa Rica)
Control of Information Security (Netherlands)
The use of computers in auditing (Sierra Leone)
News from around the World (Barbados, Cyprus, Hungary, INTOSAI, United Kingdom)

Issue 5 - Spring 1997
Country Focus - Colombia
Performance Audit of IT Systems (India)
The Argentine National Bank case
Going on-line (UK)
The use of EDP (Belgium)
Audit IT outsourcing (UK)
News from around the World (Colombia, Sweden, United Kingdom)

Issue 6 - Winter 1997-98
Country Focus - Barbados
EDP Performance Audit (Sweden)
Audit Computerisation in New Zealand
Millennium Matters (UK)
The Information Telecommunications System of the Accounts Chamber of the Russian Federation
News from around the World (Estonia, Netherlands)

Issue 7 - May 1998 - Performance Audit of the Use of IT

Issue 8 - Summer 1998
Country Focus - Brazil, Slovenia
Auditing and Computerisation in New Zealand - Part 2
Modernisation and Development at the Court of Auditors of Portugal
Millennium update (UK)
Forensic Audit - India
Tackling Public Sector Fraud (UK)
News from around the World (India)


The tenth issue of INTO-IT will be published in Summer 1999.

The editor welcomes articles and news items for inclusion in the journal. Please send contributions to the address on page 1.