IT Audit training - INTOSAI Working Group on IT Audit

into IT: the INTOSAI IT Journal
Issue 11, March 2000

IT Audit training: INTOSAI training reviewed

In this issue:
• Country Focus: Kuwait
• Review of IT projects in Sweden
• Client server auditing in the UK

into IT editorial

intoIT has now completed 5 years of successful publication. It would be appropriate to look back at what went into 10 issues of intoIT. We have published country focus articles from 9 countries. These have allowed SAIs to get a sound appreciation of the status of computerisation and also of the progress achieved in the area of IT audit.

Several other articles have dwelt on experiences of various countries in the field of IT Audit. Articles on complex areas such as data retrieval and analysis, reviewing IT Security, auditing EDI, auditing IT outsourcing, IT Performance auditing, financial audit support software and use of IT Techniques in Forensic Audit have sought to provide technical insights in these areas. The Year 2000 problem was the focus of the 6th and the 8th Issues and the special 10th issue. The 7th issue was a special issue carrying the results of a research study conducted by SAI Sweden on Performance Audit of IT Systems. Issues of intoIT have also served as a means to keep SAIs informed of the activities and plans of the Committee. In its five year existence, intoIT has, with the support of not only its members but also of many other SAIs, become an important medium for information sharing.

The INTOSAI Standing Committee on EDP Audit, as part of its activities directed towards knowledge and skill development, produced the INTOSAI IT Audit Courseware in November 1997. This issue contains articles from SAIs who have used and delivered the courseware. This issue also looks at the Committee's plans for developing training for more expert IT Auditors. In its feature on "IT Development in Central Government", SAI Sweden focuses on IT projects in the government sector. SAI UK presents the results of its study on "Auditing in a Client Server Environment". We also have Country Focus articles from Kuwait and Hungary.

The INTOSAI Standing Committee on EDP Audit met at Harare on the 7th and 8th of October 1999. Thirty-nine delegates from 16 member countries attended. The most significant outcome of the meeting was a decision to change over from a "working group" system of functioning to an organisation of activities into projects. The Committee identified all its activities and named project coordinators and team members. The Committee also reviewed the status of its various activities and worked out its plans for the next year. An important planned activity is the Third IT Performance Audit Seminar, to be held in 200, in Slovenia. Through this forum I wish to request interested SAIs to participate in the seminar and share their experiences.

A key decision taken in the 8th Meeting relates to future issues of intoIT. The committee decided to take a thematic approach for the next three issues of intoIT. The present issue focuses on IT Audit training. The 12th Issue will focus on "Government on the Internet" and the 13th on "IT Security". However, other articles and country focus articles will continue to be included. It is with this background that I would like to reiterate my request, to all SAIs, for contributions to this journal so that the journal can continue to provide the widest possible platform for exchange and sharing of information.

contents

Country Focus - Kuwait 4

Country Focus - Hungary 10

INTOSAI IT Audit Courseware: views and opinions from SAIs 14

Oman: Computers in the Audit Process 16

India: Providing IT Audit training 18

Zimbabwe: 1999 IT Audit course review 20

UK: Using INTOSAI Audit training materials 22

Sweden: IT Audit Training 26

Review of major IT projects by RVV Sweden 28

Auditing in a client server environment 30

News from around the world 33

IntoIT is the IT journal of the INTOSAI EDP Committee. The journal is normally published twice a year, and aims to provide an interesting mix of news, views and comments on the use of IT in SAIs around the world.

Material in the journal is not copyrighted for members of INTOSAI. Articles from intoIT can be copied freely for distribution within SAIs, or reproduced in internal magazines, or for use on training courses.

The Editor welcomes unsolicited articles on relevant topics, preferably accompanied by a photograph and short biography of the author, and short news items, for inclusion in future issues.

Editorial address: Contributions should be sent to The Editor of intoIT, National Audit Office, 157-197 Buckingham Palace Road, London SW1W 9SP, United Kingdom. E-mail [email protected].


Country focus: Kuwait

According to article number 151 of the State of Kuwait constitution, the law number 30 for the year 1964 was issued concerning the establishment of the State Audit Bureau. Article 1 of that law states that "there shall be established an independent commission for Financial control which shall be called the State Audit Bureau, and shall be attached to the National Assembly".

4 • into IT

The main objective of the State Audit Bureau is to maintain an effective control over the public funds based on the specified functions stated in the establishing law, which include its control upon:

1. The Ministries, Departments and Public Agencies which constitute the administrative system of the state.

2. The Municipalities and all other local bodies that have a public legal entity.

3. Public commissions, establishments and organizations attached to the State, or the municipalities or the local bodies that have a public legal entity.

4. Companies and establishments in which the State or any other legal entity holds a share of not less than 50% of their capital or guarantees them a minimum profit.

5. Companies licensed to utilize or manage one of the State public utilities or granted a concession to utilize any of the natural resources in the State.

The State Audit Bureau follows two procedures of financial control. They are the Prior control and the Subsequent control. The Prior control is performed upon contracts and tenders with values of One hundred thousand Kuwaiti Dinars and above. The Subsequent control is performed upon all the financial transactions carried out by the entities subject to the State Audit Bureau Control.

The State Audit Bureau (SAB) has a total of 450 employees and is expected to reach 550 employees or more by the year 2000 due to the increase in duties of SAB. Figure (1) shows the top management at SAB.

Establishment of the IT Department

The wide scope of financial control, the increasing responsibilities of inspections that the State Audit Bureau (SAB) is assigned to, the need to cope with the current responsibilities of the prior control procedures, and the issuance of Law No. (1) for the year 1993 regarding safe-guarding of the public funds have made it necessary to develop the State Audit Bureau's works and procedures in its different departments. Because of this, and for the desire of benefiting from the information available at the different governmental institutions, an Information Technology Department was established in September 1994 for the purpose of assisting the State Audit Bureau's staff in achieving effective control.

Figure 1: SAB Top Management (organisation chart: SAB President; SAB Undersecretary; Assistant Under-secretary for Supplementary Bodies and Companies Audit; Assistant Under-secretary for Independent Bodies Audit; Assistant Under-secretary for Ministries & Government Departments Audit; Assistant Under-secretary for SAB Affairs & Pre-Audit)

It has three sections:

(1) Technical Support Section, which supervises the network support unit and the systems support unit.

(2) Information Systems Auditing & Planning Section, which supervises the information systems audit unit, the users support unit and the computer planning unit.

(3) Application Development Section, which supervises the project development unit and the project planning & follow up unit. Figure (3) shows the department organization chart.

The Goals and Objectives of the IT Department

Goals

• Full support of SAB's staff to achieve maximum benefit from IT department services and resources, by ensuring the availability of up-to-date and timely information.

• Building complete and integrated information systems, and providing user support and training services on the latest Information Technology.

• Performing the IT Audit of governmental projects.

• Cooperation with other governmental IT departments through sharing experience, resources and new ideas.

• Develop and maintain the IT Library, according to the newest and best developments in the field of information technology. Also to acquire the specialized information sources needed, and provide access to in-house materials and information resources elsewhere.

Objectives

• Supervising the analysis of SAB needs for information technology, and related databases. Designing and developing IT systems to meet these needs.

• Assuring the quality and integrity of the process of collecting and classifying information related to IT and its applications, and working to increase the effectiveness of the primary users.

• Supervising placing specifications and technical standards according to authorized procedures for contracting.

• Installation, operation and maintenance of the primary and secondary information systems.

• Establishing, managing and protecting database systems.

• Supervising all information technology related functions in the Bureau and providing training in this field.

• Identifying and describing information systems auditing methods and curriculum and the required measurement techniques for auditing and evaluating how far auditors are complying with these procedures, through coordination with the State Audit Bureau's different departments.

• Providing technical support to all auditing units in the bureau for 'information technology auditing' in all bodies that are subject to the bureau's control.


Figure 2 : a view of the IT Department

Information Technology Audit

One of the objectives of the IT Department is to enhance its overall auditing role in order to meet the challenges of the different work environments in the country. The IT department also assists in the continuous addition of new technologies depending on the nature of work for every department and its capacities and objectives. It is obvious that there are many risks raised within the automated work environment, like changing, or manipulating, or disclosing data and even deleting or destroying it. Therefore, it is important to protect the system and to deal with emergency cases by making plans to face any kind of disaster.

It is known that most of the state bodies, subject to the SAB control, have changed their financial systems to automated systems to facilitate searching and extracting data by the auditor. On the other hand it puts the auditor in an uneasy situation, that is whether or not the data can be trusted or has gone through all the procedures that ensure its soundness and safety, to arrive at the correct results concerning the financial status.

From this point, the IT department realized the importance of the role of the technical auditor qualified in information technology, and also the importance of the department's role in supplementary and independent bodies. The IT department has conducted many meetings with the departments of the supplementary bodies to outline the activities that it could provide. The department has also trained one of its staff members to a high standard, to perform the job "auditing on information technology", to guarantee that it follows the international standards in performing its duties. However, the department at present wishes to train more of its staff in this field.

The IT Department plays a major role in conjunction with the Pre-Auditing department through studying the different contracts that come to SAB for approval. Most of the IT staff contribute to the Pre-Auditing activities, each in his or her field, whether in networks, databases, developments or operating systems. The IT Department has shown a great deal in the past 4 years by safeguarding public funds and efficiently utilizing them for the aspects they have been allocated for.

SAB New Building's Network Design

SAB was proud to announce that the new 11-story building network is the first ATM project in Kuwait. The building was commissioned in August 1996. The IT Department has chosen the best products available in the market for both the cabling system and the network devices (Figure 4).

Cabling System

For the cabling system, the IT Department has chosen the AMP Open Wiring System. AMP is considered the largest manufacturer of connectors and connecting equipment including fiber. The cabling system was designed to meet the present and future requirements of SAB, and it follows the international cabling standards of EIA/TIA 568A & ISO 11801. The IT Department used fiber cables for the vertical backbone and UTP CAT5 cables for the horizontal floors.


Figure 3 : IT Department Organization Chart

Network Design

For the network devices, the IT Department has chosen FORE Systems, a worldwide leader in ATM LAN and WAN products. The network design is a new architecture of intelligent multi-protocol Ethernet switches to the desktop, and ATM backbone switches for connecting users to the network resources. This design provides the following:

• Modularity

• Flexibility

• Redundancy

• Fault Tolerance

• High speed backbone

• VLAN routing between all logical virtual LANs

• No single point of failure

Hardware

The initiation of the IT department in 1994 was followed by a rapid growth of computerization in terms of number of PC's employed and types of applications covered. There are 230 PC's available within the different departments in SAB and 4 Servers in the computer room. Also, there are 16 Notebook computers available at the IT Department for any auditor to borrow. The next step for the IT Department will be buying 4 departmental servers. These servers will act as:

1. Development Server

2. Production Server

3. Database Server

4. Web Server

Software

Standard Software: There are a number of standardized Windows-based software packages that are used in the IT department and other departments in SAB, to name a few: Windows 95 Arabic enabled, MS Word, MS Excel, MS PowerPoint, MS Access and MS Project.

In-House Developed Software: Application software is mostly developed in-house using PowerBuilder as the front-end development tool and Oracle as the back-end database engine. Persons showing aptitude have been trained in systems analysis and design and programming and formed into software development teams.


Internet and Intranet

It is esteemed by SAB that it is considered as one of the foremost governmental organizations to have initiated active utilization of the Internet. During the establishment of the IT Dept. (October 1994), the Technical Support team analyzed and reported that extensive and proficient use of the Internet would enhance the latest technical knowledge and result in many improvements. Hence, SAB began their own training on Internet and their own cyber research. The machine which hosts the Internet Web Server is a Compaq Proliant 1000 server running the SCO UNIX operating system. The IT Dept. staff members have launched a successful Website running on the Internet. The new address of the site is www.sabq8.org (previously audit.kuwait.net). This site includes the following information:

1. Information about Kuwait State Audit Bureau

2. Collection of related sites that may help the SAB employees in getting information related to their work.

3. A small directory of web pages in Kuwait.

4. A list of search engines to conveniently search the web.

5. A list of newspapers and TV stations.

6. A Guest Book for comments and remarks.

The IT Dept, in co-ordination with the SAB training center, has organized many training sessions to train the SAB employees on using the Internet properly. A proper procedure has been written to encourage the staff to build their own home pages, offering a variety of information.

The SAB employees have also been given email accounts and are trained on using the electronic messaging system efficiently.

Along with the latest advancements in technology, SAB is also progressing towards prospective changes. SAB has now established an Intranet for the internal use of SAB's employees. The Intranet site contains the following:

1. Information and reports

2. Automated services

3. Bulletin Board

4. Access for remote users

5. Address book of telephone numbers and addresses of SAB and SAB Staff.

Training

To carry out the State Audit Bureau training strategy in the field of human resources training, the IT Department coordinated with training, research and international organizations to train the SAB staff and to enrich their knowledge and skills in the IT field. They also established a training path for each staff member to create and build strong skills in each section/unit, such as analysis, planning, technical support, system support, users support, information auditing and application development projects.

This training plan has resulted in numerous employees receiving certification in a variety of different specialties. At the moment the IT department has skilled and certified professionals structured as two SCO ACE (Advanced Certified Engineer), three CNEs (Certified Novell Engineer) and one CISA (Certified Information Systems Auditor). Meanwhile the other IT staff members are advancing towards various distinct skilled professional certifications, in accordance with the training plan.

The IT department had also started its in-house training program for SAB employees in 1995 on the different standard software packages. The department has set up 2 computer labs equipped with 18 PC's, projectors and data shows. Figure (5) shows one of the classes that are being conducted periodically in SAB.

Figure (5): An IT class being conducted in SAB premises

So far, the IT department has given 78 in-house training courses and about 550 employees have benefited from these courses. Among these courses are WIN95, MS Word, MS Excel, MS PowerPoint, Internet, Office Automation and Trouble Shooting.


Country focus: Hungary

Hungary is a small country in the eastern part of Europe; its population is scarcely more than 10 million on a territory of less than one hundred thousand square kilometres. The country is divided into 20 counties, including the capital, Budapest, which is an independent county-level unit with a population of approximately 2 million.

The State Audit Office is Hungary's SAI, with a total of about four hundred staff. The main offices are located in the capital in two buildings not far from each other, accommodating 80% of the staff. The SAO also has local offices in every county capital throughout the country, employing about one fifth of the staff. The local office responsible for the capital (as a county) is also located in Budapest, but in a different building. Beside this there are several other buildings at the SAO's disposal for special purposes (e.g. garage, etc.). Beyond that the SAO has a methodological and training centre in a holiday village not far from Budapest, with hotel accommodation at hand, conference rooms and a computerised training room.

IT - infrastructure and activity at the SAO

As a result of a continuous expansion during the last ten years, the SAO has a relatively well-developed IT-infrastructure, providing auditors and other employees with extensive software services.

The hardware consists of nearly 300 PC's set up as clients and linked to 10 other more powerful server machines. More than 10 per cent of the client machines are notebooks, mainly the latest type, which are provided for individual use. Machines, including the portable PC's, are connected to a LAN in each of the main buildings. The two LANs are also connected, so from a users' point of view (and the messaging system) there appears to be only one LAN. Printers of various types and capabilities are either connected to the LANs or directly to client machines, depending on the users' needs and local conditions (e.g. distance of the office from the printer on a given floor, number of PC's in an office, etc.). Local offices are also equipped with one or two machines with printers connected to them.

Networking services

Networking services are based on fairly up-to-date tools; structured communication cabling systems in both buildings, BICC Brand Rex Cat5 UTP with Cisco Catalyst 5000 and 5500 switching hubs, and a wide variety of network management tools including HP Openview, Ciscoworks, Novell Managewise. The main network operating system is Novell Netware 5, but all of the workstations use Sun SparcStation and Sun Ultra-2 with two Sun Ultra Enterprise-250 machines as application servers. One of the servers is used as a dedicated web server. Protecting the internal network from external attacks is a CheckPoint Firewall-1 machine running on a Sun Ultra-1. The SAO document management system and internal messaging is based on Lotus Notes, integrated with the internet services.

By Mrs. Edit BAKONYI, Director of SAO responsible for central budget analysis, quality control and information technology


The SAO is part of the intergovernmental electronic communication system, which also operates as an internet service provider for the institutions belonging to it. The systems connecting the ministries and other governmental institutions together use the standard X.400 protocol for intergovernmental messaging. The network provides additional protection for the member institutions' internal networks (e.g. by additional firewalls to the internet).

The SAO also has direct access to some databases of the Hungarian Treasury, containing central budget status data set against the proposals.

Software

Workstations are equipped with a unified software environment, based on the WIN-98 platform and the Lotus Notes document management system. The software available falls within three categories; supporting audit, central functions and other activities. The most important of these is the software for supporting the audit.

Audit support software tools

• ready-to-use systems for data evaluation and analysis:

  • IDEA: Interactive Data Evaluation and Analysis software (from CICA, Canada),

  • SAS: Statistical Analysis System (from SAS Institute Inc., USA and Germany);

These systems are used for analysing standard statistical databases on the state budget and local governments balance sheets (databases are bought annually from the governmental institutions officially gathering the data);

• analytical programs created on a case-by-case basis by SAO staff for analysing data received from the audited institutions in case of an audit;

• work planning and monitoring systems of audit activity, developed by the SAO or adapted;

• standard software for auxiliary support of the audit activity, e.g. law registers, company register, national telephone directory (all are rented or licenced);

• office automation software tools: word processors, spreadsheets, electronic mailbox etc., mainly MS Word, Excel, PowerPoint (all licensed).

Central functions and services

The second group of software provides support for the central functions and services of the SAO. There are a number of different application packages, which have been licensed or rented, for use in different fields, e.g. payroll, inventory, human resources, general ledger, accounts payable and receivable, invoicing, contracting, financial services and transactions, fixed assets, car services, library services, training activities, etc.

Other activities

Software tools supporting other activities include; language courses, electronic dictionaries, spelling dictionary, multilingual spell checkers, typing guide, internal telephone directory, directory of the reports made by the SAO, internal news publication, E-mail and Internet possibilities, anti-virus tools, etc. The SAO also has its own website at 'www.asz.gov.hu'.

Getting started in IT-development

In the first years the task of getting started with EDP had some easy aspects and some that were hard. Information technology was regarded by top management as an important tool, with responsibility having been assigned to one of the directors and supported from the very beginning by a number of experts. The number of EDP staff at the end of the first year (May 1990) was 4 people, but this had doubled within one year.

Figure: LAN of the State Audit Office of Hungary in the main building #1 (network diagram: user PCs on hubs and a switch; Novell file servers for the institutional financial programs, for the users and for the statistical databases; Lotus Notes server; SUN network-management server, SUN server for SAS databases, SUN X.400 mail server and SUN web server; firewall and routers linking to the LAN in the main building #2, to the County Offices via modems, to the Inter-governmental Network and to the Hungarian State Treasury)

Commitment of the management was apparent from a board meeting resolution containing a decision on the main strategic guidelines of the IT-development proposals and allocation of the necessary financial resources. As a result of this policy the SAO had about 50 machines within 15 months. The machines were mainly AT-26/386s, connected to a LAN (Ethernet), under the supervision of two AT-486s working as servers running a Novell network operating system.

To convince the staff of the advantages of using PCs, instead of conventional typewriters, and to train them was a hard and lengthy task, which has not come to an end even today. At that time the main uses of EDP were in the production of audit reports using a character based text editor. A publisher package provided the final printing format before reports were sent to members of Parliament. But this activity only supported the work of assistants of auditors and secretaries.

A very significant result achieved in the first year was gaining on-line access to the standard databases of central budget data (allocated funds, transactions and balance sheet data), processed on mainframes, at the Ministry of Finance. This enabled auditors to formulate queries and analyse the accessed data when preparing and conducting an audit. This went a long way towards making the audits more efficient.

Formulating the IT-strategy

The use of EDP at the SAO has been growing continuously year by year. As more machines have been connected to the LAN and more users given access, more functions have needed support, and more software tools and application packages have had to be provided. With these growing needs and limited resources it had become obvious that a comprehensive and systematic approach was needed to obtain the best value from what was available.

The solution was to formulate an IT-strategy, covering all the aspects of IT-support including; business areas, priorities, key activities, systems, hardware, software tools, databases and other data resources required by audit activities, IT-staff, training and education of users and IT-experts. The purpose of this IT-strategy had been positively supported by Recommendation #2 of the Inter-departmental Committee for Information Technology published at that time (1993-94) on the Guidelines for Establishing and Realising an IT-strategy, as well as the experience of SAI's in western countries, provided to us on this topic.

The strategy itself is based on a long range vision of the IT-support needed for making the business of the SAO more effective and efficient. The practical realisation of the strategy was achieved by individual projects, each concentrating on the solution of a particular IT-support requirement for a given area of the SAO's business. Projects are prioritised and instigated by the Board of the SAO according to available resources. Projects and their current status of realisation are included in the SAO's IT-strategy document, which is valid for two years, but revised every year.

Projects are of different character by their nature and most are unique, so they are included in the IT-strategy only once, because after their realisation they become operational. Some projects are present in the IT-strategy every year under the same name, but their contents vary year by year. This is the case for projects for the purchase of HW/SW tools, training services, etc. Other projects are divided into parts, so if unfinished for more than a year they reappear under the same name, or they take the name of the actual part to be realised in that year.

Figure: LAN of the State Audit Office of Hungary and its network connections (network diagram: Catalyst 5500 and Catalyst 5000 switches serving the LANs in the main buildings #1 and #2; CISCO 2500, CISCO 4000, CISCO 1600 and CISCO 2600 routers; a firewall with a DMZ holding the www and X.400 mail servers; links to the Intergovernmental Network/Internet and, through the Treasury's firewall and router, to the "asz" Notes server in the State Treasury)

Towards an integrated MIS

It was obvious almost from the beginning that the use of EDP has three basic areas of application:

• providing auditors with data and effective software tools for analysis work,

• providing office data services (or a package) for everyone in the SAO who needs it,

• providing the management with the latest information on what is actually going on (or planned).

For the first two areas, everyone in the SAO believes that a great deal has been done and remarkable results have been achieved. But users often claim that they lag behind the possibilities IT can offer to them in their day to day work.

Managers are less satisfied. While they appreciate the effectiveness and efficiency of using IT, they raise the objection that IT-support for managerial activities has fallen significantly behind what is possible. They claim that within the SAO only a few IT-tools capable of meeting the demands of managerial work (work planning and monitoring, project and job planning, scheduling, time recording, logging and status reporting, resource management, etc.) are operational. They also claim that it is not only the tools that need to be provided but the data for these different activities that needs to be captured, gathered together, classified, stored and reported. To meet the demands of managers the SAO decided to provide an integrated MIS to be built as the next step in the IT-development programme.

It will be based on systems and packages already operational, supplementing them with any missing parts, and linking them and their databases to each other to produce aggregated management data. The main data sources of the MIS could be the monitoring system of the audits planned, possibly coupled with the incoming document registry (the basis of a task management and scheduling system), the HR application package, the financial management system and other related packages.

The ground has been laid and the first steps have been made, so we hope the first results will be coming soon.


Developing IT Auditors: the INTOSAI EDP Committee's plans for developing more expert IT Auditors


Introduction

Other articles in this issue report on experience in use and delivery of the INTOSAI IT Audit Courseware. Whilst this programme addresses the training needs of generalist financial auditors, the EDP Committee also considers that each SAI also needs a small group of staff who are trained as IT audit specialists.

At the 8th meeting of the EDPCommittee held in Harare in October1999, the Committee considered howto take forward the development ofadvanced IT audit training modules,how the modules might be delivered,and how the Committee might lead thedevelopment of an expert IT AuditGroup within the SAI community.

The Committee agreed that aframework for advanced training shouldbe developed around the establishmentof an IT expert audit group, led by theUnited Kingdom National Audit Office.The framework comprises:

n Expanding the EDP Committee'sweb site(www.nao.gov.uk/intosai/edp/home.htm) to host discussion groups andto publish reference material;

n Developing Advanced TrainingModules, flowing from existing workin SAIs and the Committee'sresearch projects;

n Holding expert seminars everythree years or so, possibly startingin 2002;

n Cascading training to other IT auditstaff in SAI's or regions. This wouldflow from those attending theexpert seminars;

n Using the expert group as referencepartners on the EDP Committee'sresearch projects.

This work will be taken forward overthe next few months.

The INTOSAI EDPCommittee's plans fordeveloping more expertIT Auditors

Computers in the Audit Process

ARABOSAI Training Programme - a report by SAI-Oman

Background

During the past three years, the Secretariat General for State Audit (SGSA) - the SAI of Oman - has been actively focussing on making the best possible use of Information Technology (IT) for fulfilling its audit mandate efficiently and effectively by:

• Developing a strategic framework of plans, policies and procedures for effective management of IT in line with the SAI's organisational objectives;

• Setting up a reliable but low-cost IT infrastructure, adequate for the present needs, yet capable of being upgraded easily to meet future requirements;

• Equipping staff with appropriate skills in IT as well as IT audit;

• Developing a suite of applications covering audit, mail and personnel management as well as for providing information support to field auditors, with highly user-friendly web-enabled interfaces;

• Conducting control reviews and performance audits of a few selected high-risk IT systems in client organisations.

Consequently, when an enquiry from the Secretary General of the Arab Organisation of Supreme Audit Institutions (ARABOSAI) was made in late 1998, SAI-Oman offered to organise and conduct a training programme on "Computers in the Audit Process" in 1999. It was felt that a training programme would present an appropriate forum to share SGSA's skills and experiences in the field of IT and IT auditing with staff from fellow Arab SAIs. The ARABOSAI Secretariat accepted the offer and the training programme on the subject "Computers in the Audit Process" was held at Muscat from 1st to 10th November 1999.

Course Profile

The programme was targeted at managerial or experienced supervisory personnel, with experience in planning, supervision and direction of audits, preferably with existing or potential responsibility for decision making on IT related matters. It was indicated that some exposure to, or familiarity with, computers was desirable, though not essential. Keeping in view the desired participant profile, the programme, which would be wholly in Arabic, would essentially be at the appreciation / awareness / conceptual level. SGSA was aware that this course would perhaps not be able to impart any specific skills to the participants. However, given the limited time for the programme, the major objective was to broaden the participants' perspective of IT and show the trainees what it was possible to do with IT in an SAI, rather than how to do it. In SGSA's opinion, specific technical skills would be better conveyed through follow-up programmes, building on this programme.

The course encompassed four broad areas:

• IT awareness, covering basic concepts relating to hardware, software, communications and networking (including the Internet);

• Auditing through the computer and use of Computer Assisted Audit Techniques, covering the main challenges to auditing in a computerised environment and the need for a structured IT controls framework, different types of CAATs, and the practical application of one CAAT for simple data analysis;

• Audit of IT Systems, covering the basic issues involved in audit of IT controls (including security and business continuity planning), performance audit of IT systems and audit of systems under development; and

• Use of IT within an SAI, covering the need for, and components of, a strategic framework for management of IT, as well as the use of IT for audit, personnel and mail management and for providing information support to audit teams.

Course Design and Delivery

The programme was organised at Muscat, which is the capital city of the Sultanate of Oman, from 1st to 10th November 1999, spanning eight working days. 30 staff members from the Supreme Audit Institutions of Algeria, Egypt, Jordan, Kuwait, Libya, Mauritania, Morocco, Palestine, Qatar, Saudi Arabia, Sudan, Syria, Tunisia, and United Arab Emirates, besides the host country, participated in the programme.

The training courseware was adapted from the IT Audit Training Courseware developed by the INTOSAI Standing Committee on EDP Audit in 1997. SGSA translated much of the courseware into Arabic and tested it during an in-house IT audit training course. On the basis of the feedback received and the analysis thereof, the courseware was customised to suit regional requirements with local case studies and examples. The faculty for the programme consisted wholly of local staff members of SGSA.

The methodologies for course delivery included computer-based presentations, group discussions, practical hands-on sessions and case studies. In addition, participants presented country papers on their SAI's experiences with IT, IT auditing and audit through the computer. The highlight of the programme was a CAATs project using a leading generalised audit software package - ACL for Windows - during which participants conducted analytical testing of sample databases. The course also included presentations on SAI-Oman's strategic framework for IT and live demonstrations, using dial-up remote access connectivity, of SGSA's Intranet and key application systems.

Feedback and Follow Up

The training programme was highly appreciated by the participants, as well as the ARABOSAI Secretariat, both for the quality of the presentations and for its practical nature. For many participants, this represented their first exposure to the field of IT. Participants especially appreciated the opportunity provided to them for using a CAAT hands-on. However, they felt that the course was a little too short, and expressed a desire for follow-up programmes which would provide in-depth coverage of the areas covered in this course.

In view of the feedback from the participants as well as the faculty, SGSA would recommend that the ARABOSAI Secretariat conduct a formal survey of the training needs of member SAIs in the areas of IT and IT auditing. This would enable the Secretariat to assess better the scope and coverage of future IT training programmes, which could focus on specific areas.

Overall, the training programme proved to be mutually beneficial and rewarding, and turned out to be a learning experience both for the participants and SAI-Oman. This was the first international training programme conducted by SGSA since its inception. The programme provided SGSA's staff an opportunity to learn from the experiences of other SAIs regarding the difficulties faced by them in implementing IT systems as well as in reviewing client IT systems and the approaches adopted in tackling such difficulties.

For more information, please contact: State Audit, P.O. Box 727, Postal Code 113, Muscat, Sultanate of Oman; Fax - (968) 740264; E-Mail [email protected].

SAI India's Experience of providing IT audit training

The INTOSAI Standing Committee on EDP Audit was established following the XIII INCOSAI in June 1989.

A key aspect of the Committee's work is to support Supreme Audit Institutions in developing their knowledge and skills in the use and audit of Information Technology by providing information and facilities for exchanges of experiences, and encouraging bilateral and regional cooperation. A critical sphere of activity is knowledge and skill development. Towards this end one of the first products of the Committee was the INTOSAI IT Audit Curriculum. This provided the framework for developing training modules designed to cover the IT Audit Training needs of generalist auditors and level 1&2 IT Auditors. Thereafter, as part of the work plan of the Committee for the three year period from 1995, it was decided to develop a full fledged IT Audit Courseware. Responsibility for developing the courseware was primarily with the National Audit Office of UK as the convenor of Working Group III (later Working Group II) of the EDP Audit Committee. This product was discussed in the group's meeting at Barbados in 1996 and again at the Committee's meeting in London. Based on the feedback of these meetings the Courseware and a Course Overview were finalized in November 1997. The Course Overview was circulated to all SAIs and the Courseware to all Regional Working Groups. During the XVI INCOSAI at Uruguay the courseware in electronic format was circulated on a CD to all SAIs.

Against this background of the Committee's work we now look at SAI India's efforts at training in the area of IT Audit. Large-scale training in IT Audit was conducted with the assistance of the National Audit Office of the UK. This training was funded under the Colombo Plan by the ODA of UK. It was organized by the NAO in collaboration with some other expert agencies like KPMG and CCTA and was conducted for three groups of officers in three different years. As a result SAI India developed a core group of IT Audit Trained persons numbering 45. Each batch of trainees came back with a complete set of training material consisting of Leader's guides, student notes, presentations and case studies. Over these courses the training package was gradually developed and refined and the last batch of trainees were trained with material that closely approximated the final INTOSAI IT Audit Courseware.

The core group of officers of the Indian SAI were trained not only with the idea of preparing them to conduct and supervise IT Audits but also to train other personnel of the SAI in India. For this purpose the training material was suitably modified and tailored to local needs. The main mechanism for delivering the training to a large cross section of audit personnel was the network of Regional Training Institutes. In all 350 audit personnel have been trained in IT Audit through courses organized by these institutes. Further, each year the coverage will increase as more officials get trained in this area.

In addition, courses have also been organized for Middle Level Officers aimed at imparting skills both to conduct and direct IT Audit. About 70 officers have been trained so far. Whereas these have been focussed on officers with a basic knowledge of IT systems, courses on IT Audit Awareness have been held for a larger audience with the aim of sensitizing them about the basic requirements of IT Audit. Of late various functional wings have begun conducting IT Audit Courses, basing such courses on a closer identification of the audit needs of their clients and the training needs of their personnel. In the past year the wing responsible for auditing government companies and corporations has organized three IT Audit Courses on a regional basis.

Most of these courses have been conducted with the help of faculty drawn from officers trained at NAO, UK and other officers trained domestically.

These courses have been sufficiently broad based and have covered areas such as:

• IT Awareness,

• IT Controls,

• System Development Life Cycle,

• Audit of Developing Systems,

• CAATs, Data downloading and Conversion,

• Performance Audit of IT Systems,

• IT Audit Planning.

The SAI of India has also been conducting IT Audit Courses for international participants drawn from various SAIs. These courses have attracted participants from SAIs in the Asian, African and Pacific regions. A basic knowledge in the field of Information Technology was a prerequisite for participation in these courses. Four such courses have been held and a total of 75 persons were trained. These courses were delivered by faculty drawn from the Indian SAI and other organizations in the forefront of Information Technology. The last two courses were broadly patterned on the INTOSAI IT Audit Courseware. Among the areas covered were:

• IT Awareness.

• IT Methods, awareness and issues involved in Audit of IT Systems.

• IT Controls.

• Business Continuity Planning.

• Audit of Systems under development.

• Performance Audit of IT Systems.

• Audit of databases.

• Audit of IT Infrastructure management, change management and Service Level Agreements.

• Data downloading, conversion and analysis and CAATs.

Lectures were supplemented by case studies and field visits. Additionally some topical issues such as EDI and the Year 2000 issue were also included.

The training course was evaluated by the participants and some of the broad results of the evaluation of the last course held in 1999 are as follows:

a) Topics which could have been included:

• Practical sessions on data downloading and conversion,

• Manpower management of IT Audit,

• Sessions on SQL.

b) Some of the most useful topics:

• Data downloading and conversion,

• IT Controls, SDLC,

• CAATs and hands-on sessions in IDEA,

• Performance Audit,

• Audit of Databases.

c) Some other comments on the course were:

• Course duration should be longer,

• There should be more practical training,

• A module on assisting SAIs in use of IT in their own office should be included.

The overall rating for the course and the course structure was very good. Encouraged by the positive response to these courses SAI India proposes to organize another course on this subject in 2000-2001.


IT Audit Course held in Mauritius

Course Background

A few years ago a regional training program for the English Speaking African Supreme Audit Institutions was developed within the context of the INTOSAI Development Initiative (IDI). The Regional Training Committee of the Assembly of English Speaking African SAIs set up a Technical Working Group on IT Auditing.

This Technical Working Group, made up of the Audit Office South Africa, the Netherlands Court of Audit, and Audit Office Zimbabwe, met in Harare in March 1999 to discuss the IT Audit Course which was to be held in Mauritius in October 1999. The Technical Working Group agreed to follow the INTOSAI curriculum for IT Audit Courses and to adapt the training material for the two-week course. The following are some of the adjustments which were made to the original course:

• reduction of overlap between modules;

• introduction of more cases and exercises;

• more use of video;

• reduction of lectures and slide shows;

• integration of modules, resulting in 8 modules.

The members of the Group were allocated areas for developing case studies to supplement the INTOSAI case studies. It was also agreed at this meeting that the delegates from English Speaking Supreme Audit Institutions (SAIs) would write a two-hour multiple choice examination at the end of the course. Some of the multiple-choice questions were extracted from the National Audit Office UK's database of questions and answers and the other questions and answers were developed by the members of the Technical Working Group.

Official Opening of the IT Audit Course

Dr. the Honourable Vasant K. Bunwaree, the Minister of Finance, officially opened the course on Monday October 18, 1999 at the Conference Room of the Pearl Beach Hotel, Flic-en-Flac. In his speech he mentioned the important role of IT and stressed the importance of auditing information systems.

List of Trainers and SAIs represented at the Course

The resource people for the course were Walter Kelly from the National Audit Office UK, Tobie Bruyns from South Africa, Hans Benner (course leader) and Peter Paans from the Netherlands and Vongai Shiri from Zimbabwe.

Twenty four delegates came from 14 countries, which are Ethiopia, Gambia, Kenya, Lesotho, Malawi, Mauritius, Mozambique, Namibia, Nigeria, Seychelles, Swaziland, Uganda, Zambia and Zimbabwe.

Course Outline

The course consisted of the following modules:

• IT awareness

• IT methods

• IT audit organisation and management

• IT Controls

• Audit of developing systems

• CAATs and data downloading

• IT Security and continuity planning

• Value for money audit of IT

In addition a presentation was given by the Customs Department of Mauritius.

Impressions and experiences during the course

The support of the Audit Office of Mauritius, which hosted the event, was excellent and included among other things:

• the receiving of course material and transportation to the course location;

• all arrangements regarding the course venue;

• transport;

• arrangements for the opening and closing ceremony;

• a full time assistant at the course location;

• full time availability of a sound technician in the conference room;

• availability of necessary equipment;

• availability of materials;

• recreational arrangements.

Although some requirements were formulated in the course announcement, the background and level of the participants varied significantly. It also appeared that some of them expected that the course would mainly consist of 'hands on training' in the use of computers for (IT) auditing. In the course however there were only a few demonstrations of the use of computer assisted auditing techniques. The presentation of the Customs Department of Mauritius, which is not a standard element of the course, was well received.

Examination and closing

The examination at the end of the course was meant as a test to check if the objectives of the course had been met. For the participants the results of the examination indicated areas in which they may need some more self-study. The results also showed that most of the participants were quite able to reproduce and apply their newly acquired knowledge of IT Audit.

All the participants received a certificate after the completion of the course. The Director of Audit for Mauritius, Mr. Moussa Taujoo, officially closed the course.

Evaluation

After the completion of each module the participants were asked to give feedback using evaluation forms. The appreciation of the various modules differed, but on average the modules and the presentation were considered to be good. All modules were at the least evaluated as satisfactory.

The remarks of the participants indicated that a further reduction of lectures and slide shows would be appreciated. The participants also asked for more practical examples, cases, exercises and discussions. The use of video presentations proved to be a useful method to introduce more variety in the course.

At the end of the course every participant was asked to complete a final evaluation form indicating their overall opinion about the course and their comments for further improvements. In general the participants were satisfied with the course and the course venue. Many participants indicated that they would like the course to last a few days longer to have a more in depth delivery of some modules.

The Future

The Technical Working Group on IT Auditing intends to conduct another course in Zimbabwe during the year 2000. The experiences with the course held in Mauritius will be very useful for further improvements to the course and how material is presented.

Training for English speaking African Audit Institutions - a report by SAI Zimbabwe

Using the INTOSAI IT Audit Training Materials - UK NAO

The components of INTOSAI's IT audit training material

The INTOSAI training materials were prepared by the UK NAO and finalised by the EDP Committee in April 1997. The course consists of a guide to usage and training modules covering:

• organisation and management of an IT audit function;

• awareness of information systems infrastructure;

• information system management and methods;

• controls;

• audit of developing information systems;

• business continuity planning;

• performance audit of clients' IT;

• use of computer assisted audit techniques; and

• downloading data from clients' systems.

Each module is supported by slides, speaker's notes and student notes.

All of the materials have been distributed to INTOSAI regional centres and can be freely copied to all INTOSAI members. The materials will shortly be available on the EDP Committee web site (http://www.nao.gov.uk/intosai/edp/home.htm).

Identifying training needs

An essential part of the development of training programmes is the accurate identification of the training needs. An effective Training Needs Analysis will enable staff to be trained to do a job to a defined standard or level of competency.

An analysis is the end result of a process which initially examines the needs of staff by identifying where improvements in effectiveness are required. From this point it can be determined if training will be an appropriate means of achieving the required improvements, and subsequently, what that training should consist of.

A Training Needs Analysis will:

• provide an analysis of relevant information to confirm whether or not training is a suitable and cost-effective method of meeting organisational needs;

• identify the "Gap" between current and required levels of Knowledge, Skills and Aptitude, and therefore what the training should address;

• help determine what the general content of the training should be (what staff should be able to do as a result of it);

• form a foundation for the subsequent design and delivery of the training to meet these needs;

• provide an indication of "success criteria", and a foundation for the evaluation of the training.

There are many useful sources of information on training needs including:

• staff appraisals

• interviews

• discussions with top management

• questionnaires

• customer comments

• focus groups

• comments from external bodies (such as regulators)

Other methods for gathering information include:

• Workshops. Where experienced job holders/line managers and training staff can get together to work through the process, as described earlier, of establishing the job roles, responsibilities and tasks, and produce the Overall Objectives etc.

• "Brainstorm". A process where a group of jobholders and possibly training staff "brainstorm" what the trainees would need to be able to do or know, and what attitudes they should have at the end of the training programme;

• Work diaries. Where staff keep a record of their daily job activities over a specified period which is then analysed to determine the main tasks etc;

• Observation. Where someone observes the job holder in action and records the tasks, and how each one is completed (the activities).

• Research of written material. Desk instructions or other written instructions or specifications regarding jobs and tasks may be available for examination and analysis. The accuracy and validity of these then only have to be confirmed with current job holders and/or line managers.

In order to be able to assess training effectiveness the expected impact on the performance of attendees should be identified prior to the training and reviewed after the course.

Use of INTOSAI IT audit course materials

The UK National Audit Office have used the course material as part of our support to:

• the SAI India IT audit training programme;

• the SAI China IT awareness programme;

• the scoping study for SAI Pakistan's IT audit training programme;

• the SAI Netherlands satellite IDI project to deliver IT audit training to the English speaking southern African community (the first course is to be delivered in October 1999 in Mauritius - see article); and

• NAO audit courses (see box for the UK NAO motivation).

At their October 1999 meeting the EDP Committee were pleased to note that the course materials had already been used to train staff from nearly 100 countries and hope that availability of the course materials via the EDP Committee web page will help promote even more widespread use.

The principles set out in the courseware seem to have remained current as there have been no proposed amendments to date.

At the October 1999 EDP Committee meeting Zimbabwe agreed to co-ordinate the future maintenance of the existing training materials with support from Brazil, India, the Netherlands, Oman and the UK.

Advanced training

The London EDP Committee meeting in 1997 agreed that the need for advanced IT audit training could be met through sharing briefing papers, setting up an international IT audit group and holding seminars.

The UK is leading on the maintenance of the EDP Committee web page, the dissemination of advanced course materials and the organisation of an IT audit seminar scheduled for 2002. We will promote the EDP Committee Web page as a means to supplement the course materials and intoIT by acting as the cement to glue together an international IT Audit Group. We already have plans to expand the web site to meet this need.

UK IT audit awareness programme

In 1997 the UK NAO embarked on a major information systems awareness programme driven by the Government's proposals to modernise public sector service delivery. The "Modernising Government" White Paper was published in March 1999. The White Paper sets out an agenda for improving the quality of public service delivery by focusing on the needs of the citizen rather than the structure of the organisations involved. Information and communication technology are identified as one of the keys to delivering improved services.

The idea is that the consumer of public services will be able to choose when, where and how to take delivery of the service. Making this a reality means transactions entering the public sector through unconventional channels such as banks, home computers, digital TVs and supermarkets and in unconventional forms such as voice, email and web forms.

We recognised that auditing in the information age would require all of our auditors to understand the principles of information systems controls and for our existing IT auditors to be developed further so that they could fulfil the role of expert consultants to assist in the audit of complex or innovative business systems. The process of developing the INTOSAI training materials has been a useful background to the delivery of internal IT audit courses and the internal courses and briefings have in turn led to additional reference material that we plan to make available to INTOSAI via the EDP Committee Web page.

IT Audit Training in Sweden

The Swedish National Audit Office

Audit Director Mr Bengt E W Andersson

The Financial Audit Division provides IS/IT audit training as a part of its certification training program for financial auditors. The goal for the two IS/IT courses provided, together with other audit training programs, is to give the auditor the IS/IT audit knowledge set out in the standards issued by the INTOSAI Standing Committee on EDP Audit.

The first course is a basic one, giving the auditor, with two years' experience in financial auditing, a more general knowledge about concepts and methods in the area of auditing information systems and the use of IT. The course covers common controls, application controls, the impact of IT on planning and analysing the risks in the field of actions, with sections on security matters in general and their application in some specific IT environments. Current questions concerning IT and its implications for the audit are also covered, including the use of IT as an audit support tool, for example IDEA. The course is presented using a mixture of both theory and practice.

The goal for the second course is to give more experienced financial auditors deeper IS/IT audit knowledge. This means that the auditor will get, for instance, the skills to independently perform evaluation of controls in financial information systems. The auditor should also acquire an understanding of the factors that have an impact on common controls in an IT environment. Part of the course focuses on how to audit an on-going IT development project and the role of an auditor in such a project. The course also includes more examples of the use of IT support in audit activities. Again a mixture of theory and practice is used in presenting the course.

During autumn 1999 the Performance Audit Division discussed a new IT Audit training program. The basis for this program is a specification showing the level of skills and knowledge required by the Performance Audit Division. All together ten areas of skills and knowledge were identified, such as the function of government, methods for gathering data, IT Audit, IT support in audit projects etc. For each of these areas there is a description of content, target group, method for the development of skills, time required, material and literature and costs.

The training program states that the more experienced Performance Auditors should have a deeper knowledge about the Government's use of IS/IT and how to perform different IT audit projects. This means knowledge about IT, both as an important factor and tool, to help improve the effectiveness and efficiency of Government activities. It also means knowledge about the importance of well managed and implemented IS/IT strategies and IS/IT plans, and about how to audit the conditions for, consequences of and the costs of the use of IS/IT. The auditor should have the skills to assess if an agency's choice of IT solution is a good one from a cost-benefit perspective and if its use of IT is secure. The auditor should also be able to assess if the agencies are acting in accordance with the Government's IT policy and should be able to involve IT consultants and expertise to obtain a deeper analysis of IT solutions and have the ability to interpret such analysis.

All Performance Auditors should have a European Computer Driving Licence (ECDL) to ensure that the auditor has the basic skills to be able to use the potential in the office IT tools in the audit programs.

The Financial and Performance Audit Departments co-operate in the field of training, e.g. the auditors can participate in the other department's courses.

Training Program for Auditing Information Systems and the Use of IT (IS/IT Audit Projects) at the Swedish National Audit Office

Monitoring IT developments in central government

Audit question

There has been a lack of an overallpicture for the IT projects ofgovernment agencies for a long time;the scope of the projects, their focus,how common it is that they areaffected by problems etc. And in caseswhere problems do arise; what are therisk factors, what types of projects areparticularly vulnerable, etc? Thesequestions emerged from the RRV'smonitoring activities of special subjectareas.

Selection of methods/ approaches

The RRV chose to send a firstquestionnaire to 70 government agenciesat the end of 1997. A secondquestionnaire was sent at the end of 1998with the aim of following updevelopments in IT projects. The agenciesselected are classified as "agencies of greatimportance for individuals, companies andthe economy ".

The questionnaires contained questionson the agencies' IT strategies, the fivelargest IT projects run by each agency,the aims of the projects, their focus,project times, costs, consultant inputs,quality assurance, revision of plans, andproblems. Projects concerning the year-2000 problems were not included.

There were certain limitations inestablishing general conclusions basedon the IT projects concerned; not allagencies were included, thequestionnaire covered only a sample ofIT projects, the Swedish Armed Forceswas not included, not all developmentprojects were included, implementationcosts were probably underestimated,there were uncertain boundariesbetween development projects andoperations, there could be someuncertainty in respect of project startand completion times.

Results/outcome

The results of the questionnaire survey are:

• The RRV has obtained a database of IT projects which it can use as a basis for the selection of individual IT projects for studies;

• The answers to the audit questions have been presented in an audit report;

• The database will be published, in part, on the internet. The aim of this is to make it easier for agencies running IT projects to exchange experience with each other.

The RRV report (1999:16) states that:

• Most agencies have several IT projects in operation at the same time. Some projects are very large. Each year agencies invest some SEK 2 billion in IT projects.

• Most agencies work in accordance with an IT strategy.

• The majority of the projects refer to the specific responsibilities of the agencies. Rationalisation is still the most common objective. The projects run for at least two years.

• More than half of the projects have been affected by serious problems where time schedules and budgets are concerned. There seem to be great difficulties in remedying these delays. If a project has once encountered budget problems the problems often recur. This applies mainly to old projects. The use of consultants is still very extensive.

• Structured quality assurance procedures provide no guarantee by themselves that problems will be avoided. The organisation and implementation of quality assurance is of decisive importance.

• In almost two-thirds of the projects the systems selected are finished products available on the market. The difficulties in keeping to time schedules and budgets are relatively small in these projects.

A review of 231 major IT projects by RRV Sweden


Auditing in a Client Server Environment


Introduction

1. This area was chosen by the INTOSAI EDP Audit Committee for possible research in view of its increasing popularity. A short paper entitled "Auditing in a Client Server Environment" was prepared by the UK National Audit Office (NAO) and circulated to committee members for suggestions and comments.

2. The paper described the features of client server environments that had made them so popular in the last 5 years or so and gave examples of typical applications that auditors have encountered. It attempted to draw out the unique features of a client server environment and offer advice to the auditor on approaches to work in this area.

Unique features of CS environment

3. The paper identified three crucial areas of difference:

• The distribution of the application, programs and data, across different computers. Discrete parts of the application run on separate computing platforms; for example, a combination of a UNIX based server and Windows based PCs is common;

• The centrality of the network. The network does not just allow access to the application but is vital to the application functioning at all;

• The existence of significant computing power and business data in the hands of "ordinary" users, not IT specialists.

Some Audit Issues

4. The paper recognised that the auditor will need additional skills to deal with the complexities of a C-S environment. However, the audit approach is not fundamentally different even if the environment is.

5. It is necessary to take a holistic approach to the systems and the auditor should take time to develop a good knowledge of the environment, all the computers and the network, and the application(s) running on them. It is no longer sufficient to focus solely on the controls within the central server.

6. Given the distribution of processing, physical controls are generally less important (but not unimportant!) than logical controls over access to the environment and application. The auditor should examine the controls over user access to the environment and application as well as the controls which ensure that only authorised transactions flow between parts of the environment.

7. When considering access controls, the auditor should be aware of the dangers of copies of business data being held in relatively insecure parts of the environment (such as PCs).

8. Both management and auditors will be concerned about the controls over the use of powerful processing tools such as spreadsheet packages. These could be used to rework accounting and other data inappropriately.

9. The auditor should consider the adequacy of change control procedures. Inadequate operation of change control may result in unintended and untested operations.

Profile: John Thurley is currently auditing the (several hundred) IT systems underpinning the UK Ministry of Defence's Departmental Resource Account; he also has experience of developing client server systems for the NAO. [All of which have made him a fan of the well established disciplines of computing in a mainframe environment.]

Research for the INTOSAI EDP Audit Committee

News from Around the World

United Kingdom National Audit Office IT strategy projects

The United Kingdom National Audit Office has recently started work on three projects to help determine future IT strategy:

• Mobile Computing - looking at what networked services should be delivered to a remote worker, the advantages and disadvantages of various methods of delivering remote service, and the impact on both task and human resource management of having staff away from the office for extended periods. The aim is to run a pilot scheme in 2000-01 which tests the options and services identified for a small number of audit teams;

• E21 - a project to replace existing software tools developed in house to support financial audit with a package solution. We plan to pilot this software in 2000-01. If successful, full implementation will take place in 2001-02.

• Improved information management - this project has two key components:

• Public records management - developing an electronic records management policy, and addressing the cultural issues so that procedures are followed as a matter of course;

• Improved use of Internet/Intranet technology, through personalising content, better access to external sources of information, defining "knowledge management" and its potential application in the NAO, and wider use of scanning and imaging technology.

These three projects overlap to a degree, and the overall work is being co-ordinated by the NAO IT Committee.

United Kingdom Committee of Public Accounts Report - "Improving the Delivery of IT Projects"

The UK Committee of Public Accounts published its Report "Improving the Delivery of IT Projects" on 5th January 2000. The report draws lessons from more than 25 cases examined by the Committee and the National Audit Office in the 1990s, where implementation of IT systems has resulted in delay, confusion and inconvenience to the citizen, and has, in many cases, resulted in poor value for money to the taxpayer.

The report identifies around 30 key lessons. Many of these are familiar to those involved in IT, but the same problems arise time and time again, and there is clearly scope for improvements to be made. The main issues are:

• decisions about IT are crucial to the development and success of public bodies, and cannot be treated in isolation from other aspects of their work. Key decisions on IT systems are, therefore, business decisions, not technical ones, and so should involve senior management;

• projects are conceived and grow from identified business needs. In addition, the end users must be identified before the project commences so that their needs are taken into account fully during design and development;

• the scale and complexity of projects is a major influence on whether they succeed or fail, and departments should consider carefully whether projects are too ambitious to undertake in one go;

• the management and oversight of IT projects by skilled project managers is essential for ensuring that projects are delivered to time and budget, although successful implementation calls for imagination and well-conceived risk management, as well as sound project management methodologies;

• the increasing use of complex external contracts for the delivery of major public sector IT projects and the supply of strategic IT services has highlighted the need for a high degree of professionalism in the definition, negotiation and management of IT contracts; and it is essential that organisations learn lessons from the projects undertaken, and examine whether the project has met its business objectives, user expectations and technical requirements.

In addition to this work, the UK Government has commissioned a review to improve Government performance in this sector, led by Mr Ian McCartney, Minister of State at the Cabinet Office. The review is looking at ways of improving the way in which the UK Government approaches and manages projects, and will consider issues raised by the handling of major projects for the development of the Government's Corporate IT Strategy.



Recommended