Journal of Government Audit and Accounts

Standard Setting in INTOSAI WGITA: The Indian Experience

By Mr. Saurabh Narain, Accountant General (Eco. & Revenue Sector Audit), Uttar Pradesh, Lucknow


The Working Group of Information Technology Audit (WGITA) is an INTOSAI working group of SAIs, set up at the XIII INCOSAI in Berlin in 1989 to address Supreme Audit Institutions’ (SAIs) interests in the area of IT Audit. It comprises 47 member countries and four observers. It provides a collaborative platform for the development and dissemination of guidance, the development of skill sets, the sharing of best practices, and regional and international collaboration among SAIs in the use and audit of Information Technology and Information Systems. The Comptroller and Auditor General of India has headed the WGITA since its inception.

The WGITA fulfils its mission and mandate by implementing a triennial work plan consisting of various goals and projects. Projects are selected after reviewing the needs of SAIs, and the deliverables range from best practice guides to website-related information and other audit material. Since 2013, WGITA has also taken up projects to identify and develop INTOSAI Guidance at level 4 of the ISSAIs (now GUIDs under the IFPP). These projects have been driven by India.

Evolution of Standard Setting in INTOSAI and its impact upon WGITA

Until 2016, the 5300 series in the level 4 ISSAIs (now Subject Matter Guidance or GUIDs under the IFPP) was reserved for IT Audit related guidance. Until 2013, ISSAI 5310 on Information System Security Audit, developed and adopted in 1995, was the sole guidance available in this series. In 2016, INCOSAI also approved ISSAI 5300, a first-principles guidance on IT Audit.

There were two related developments at the 2016 INCOSAI in Abu Dhabi. It was decided to revise the IFPP, the INTOSAI Framework for Professional Pronouncements. The new framework distinguished between ISSAIs, which were high-level mandatory principles, and GUIDs or guidance, which were clear and consistent enabling principles that supported implementation of the ISSAIs. The due process for drafting INTOSAI guidance was also made more rigorous. The FIPP, or Forum for INTOSAI Professional Pronouncements, had been set up in 2015 to guide the transition to the revised IFPP. The FIPP came up with a Strategic Development Plan (SDP) which assessed all existing standards and guidance, including ISSAI 5300. It recommended substantial revision of existing material by 2019 for migration into the new IFPP. For this, the FIPP also revised the INTOSAI Due Process for developing or revising the GUIDs. The FIPP, through the Liaison Officers that it appoints for each Project, also reviews the development of the guidance material at each stage, to ensure that the final deliverables are consistent with the IFPP.

Of particular importance to WGITA was the SDP’s Project 2.8, which laid down that all IT Audit related guidance pronouncements (GUIDs, 5100-5109 series) in the revised framework should be revised in accordance with the Fundamental Principles of Public Sector Auditing outlined in ISSAI 100. Further, the existing ISSAI 5300, approved in 2016 and now recognised as a GUID, also had to provide a clear linkage with the three types of audit: Financial Audit, Performance Audit and Compliance Audit. The Project also envisaged a revision of ISSAI 5310.

The present Work Plan 2017-19 of WGITA was therefore amended to provide for the development of guidance on Audit of Information Systems and on Audit of Security of Information Systems, in line with ISSAI 100. As the chair of WGITA, the above changes meant significantly higher responsibilities for SAI India in the run-up to INCOSAI 2019. The following sections bring out how SAI India has guided the whole process since 2013.

Standard Setting Projects of WGITA

Since 2013, SAI India has led the WGITA initiative to develop INTOSAI guidance and standard setting in the field of IT Audit within the ISSAI framework of professional audit pronouncements (now IFPP post INCOSAI 2016).

The Genesis of ISSAI 5300

As of 2013, the former ISSAI 5310 on Information System Security Audit was the only ISSAI in the 5300 series in force in the IT Audit field. It was adopted in October 1995. It outlined the Information System Security review methodology and was due for updating in 2013. SAI India, as the Chair of INTOSAI WGITA, therefore decided to take the lead in proposing the updating of the ISSAI to the WGITA Assembly that met in Vilnius, Lithuania in April 2013.

An internal exercise by SAI India determined that the ISSAIs lacked an overarching, general-principles, generic standard on IT Audit of which IS Security Audit was a subset. Further, the existing ISSAI 5310 was an old guidance which, though informative, went beyond the audit of Information Systems’ security. It also gave detailed information to SAIs on how Information System Security could be implemented. However, it had become outdated and needed to be reworked in light of rapid changes in information and network technology, which had multiplied the vulnerabilities facing Information Systems around the world. The development of many internationally accepted IS Security frameworks such as ISO 27000 and IEC 17799 had also overtaken the Guidance. Further, over time, many SAIs had developed expertise in the audit of Information Systems’ Security, and were no longer expected to continue to audit “around” the systems, treating them as black boxes. SAI India also recognised a need to develop a ‘first principles’ standard covering the general principles, approach and methodology of IT Audit, which would then provide a natural succession to more specialised standards such as ISSAI 5310 on Audit of Security of Information Systems and other areas of IT Audit.

The WGITA, therefore, decided in 2013 to first develop a ‘first principles’ ISSAI 5300 on IT Audit and aimed for its adoption by 2016 INCOSAI. The Project was led by India and also comprised Indonesia, Poland, USA, Japan, and Brazil as members.

The ISSAI 5300 Project Development Path 2013-16

As per the Project Initiation Document of ISSAI 5300, the Guidance was, from the very beginning, conceived as a basic document that provided the basis for framing more specific guidelines in the form of a series of ISSAIs on different facets of IT Audit. The ISSAI was also designed to act as a guide for SAIs to conduct IT Audits, develop IT Audit capacity and utilise limited IT Audit resources to provide assurance to the audited entities, government and the people of a country on the integrity, reliability and value for money of IT implementations.

The ISSAI 5300 Development Life Cycle

ISSAI 5300 took 45 months to acquire its final shape. In this period, the drafting proceeded largely through collaboration over email. Over 55 SAIs responded with their comments and suggestions at the various stages of approval in this period.

The developmental path is depicted in the following diagram:

The ISSAI 5300 Project Development Approach

ISSAI 5300 was developed by conducting a review of existing standards, guidelines, and related material pertaining to IT Audits/Information Systems Audits. The review focused extensively on national and international auditing standards, especially the ISSAIs. One of the important aspects of the developmental approach was to ensure that ISSAI 5300 was fully synchronised with the WGITA IDI IT Audit Handbook approved by the INCOSAI at Beijing. The WGITA IDI Handbook on IT Audit, which is supposed to be updated every two years, carries detailed instructions for field-level practitioners. Thus, this Handbook would take care of real-time changes in the IT environment and how they impact upon IT audit.

The Project Team lead also ensured that all the feedback received at the different stages of the project was duly considered for incorporation in the draft. A strong documentation policy was adopted to ensure the preservation of all exchanges and their outcomes.

Post INCOSAI 2016 developments – Development of GUIDs on IT Audit and Information System Security Audit

Revision of former ISSAI 5300

Project 2.8 (part of WGITA’s current Work Plan) aims at revising the former ISSAI 5300. The FIPP, while reviewing the existing Guidance, noted that the text of ISSAI 5300 was of high quality and provided a better basis for the new GUID on IT audit than any other existing text. However, the existing ISSAI could not be preserved in the IFPP beyond 2019 unless it was revised in line with the purpose and format for GUIDs, and the new distinction between standards and guidance. The FIPP also required that the project provide references to the different aspects of IT Audit for which subject-specific GUIDs are proposed to be developed, e.g. IT Security Audit. The FIPP has also observed that “there is also a general need to reduce the overall volume of text and reduce the technical level of detail.”

A Project Team led by India and comprising Australia, Poland, Russia and the US was constituted in 2017. The Team recognised at the very beginning that the former ISSAI 5300, with its detailed sections on macro- and micro-level planning of IT Audits and distinct ‘Requirements’ portions, gave the impression that IT Audit was a distinct type of audit. This was a critical consideration for the FIPP in recommending that the guidance be reviewed. The Team therefore decided that, while the content of the former ISSAI 5300 would be largely preserved, the proposed update would aim to define, elaborate, and harmonise how Information Technology (IT) Audits relate to and support Financial, Performance, and Compliance Audits, highlighting the linkages with the higher-level ISSAIs for the three types of audit and ensuring that IT Audit is treated as a specific subject matter in such audits.

The Team has since prepared a Project Proposal (November 2017) for the revision exercise, keeping in view the FIPP’s concerns. It also prepared an outline of the Guidance (March 2018), which was subsequently approved by the FIPP. Currently, the Project Team is working on the Exposure Draft.

Revision of the former ISSAI 5310

Project 2.8 of the SDP also required the WGITA to review ISSAI 5310 on the Audit of Security of Information Systems. The existing guidance had to be reviewed, updated, and brought in line with ISSAI 100. The WGITA, recognising that Cyber Security increasingly constituted a major part of Information Security, or in fact had largely replaced Information Security owing to technological advancements, wanted the specific focus of the guidance to be on Cyber Security. Other requirements were that the guidance should be linked to the overarching GUID (former ISSAI 5300) on IT Audit, and should aim at providing a bridge to the detailed practitioner-level guidance contained in the WGITA IDI IT Audit Handbook.

A Project Team led by India and comprising China, Ecuador, Iraq, Kiribati, Poland, the USA, and ISACA (Associate Member) was set up by WGITA to revise and update the former ISSAI 5310. While approving the Project Proposal and the associated detailed outline of the Guidance (March 2017), the FIPP observed that the GUID should not be voluminous, should not be too technical and should focus more on the audit issues of IT Security, and that it should stand the test of time and not require frequent updates. The Project Team is now finalising the Exposure Draft of the new guidance.

