The 5300-5399 series of ISSAIs is allocated to the Guidelines on Information Technology (IT) Audit under the ISSAI framework. However, to date, only one ISSAI in the series existed: ISSAI 5310, on Information Security Audit. This ISSAI had also become due for revision. While deliberating on the modalities of updating ISSAI 5310 as part of WGITA’s work plan to be presented in Vilnius, Lithuania (2013), the member SAIs recognised that this ISSAI should flow from an umbrella ISSAI, ISSAI 5300, the first in the series, which would address the basic postulates of IT Audit and delineate the areas that IT Audit covers. In such a schema, ISSAI 5310 on Information Security Audit was a natural corollary.
While substantial guidance on Information Technology audit had been developed under the aegis of WGITA, there was also a growing sense among the IT Auditor community of INTOSAI that an overarching, general-principles IT Audit guidance was needed under the ISSAI umbrella, one that could pave the way for more specific guidance on different aspects of IT Audit. Against this background, the Project - Development of ISSAI 5300: Guidelines on Information Technology Audits – was deliberated upon and included in WGITA’s work plan 2014-16 in Vilnius, Lithuania (April 2013). The Project recognised a felt need for a ‘first principles’ ISSAI covering the gamut of issues related to IT Audits conducted by SAIs across the world and outlining a generic IT Audit process/methodology. The Project also recognised that the extent and scope of IT implementation differed across countries, that the scope of IT Audits by SAIs was a function of the extent of IT implementation in the country concerned, and that the capacity of the SAI to undertake IT audits was an important factor in determining the extent and scope of IT audit undertaken by that SAI. As per the Project Initiation Document of ISSAI 5300, which was approved by WGITA in Kuwait in 2014, the proposed ISSAI included the following in its scope:
- Fundamentals of IT Audit;
- Practical issues that SAIs across the world face while conducting IT Audits;
- How IT Audit is related to other types of audit;
- How IT audit can be used as a part of or in conjunction with non-IT audits; and any other practical issues that SAIs may come up against while conducting IT Audits.
Thus, ISSAI 5300 was from the very beginning conceived as a basic document that provided the basis for framing more specific guidelines in the form of a series of ISSAIs on different facets of IT Audit. The ISSAI was also designed to act as a guide for SAIs to conduct IT Audits, develop IT Audit capacity and utilize limited IT Audit resources to provide an assurance to the audited entities, government and the people of a country on integrity, reliability and value for money on IT implementations.
The Development Life Cycle
To carry forward the project, a Project Team led by SAI India and comprising SAIs of Japan, the US, Poland, Indonesia and Mexico was constituted. This team, interacting mainly through emails and a face-to-face meeting in Delhi (2015), finalised the draft right from the exposure draft to the final Endorsement version. The developmental process went through several milestones right up to the approval stage by INCOSAI in 2016, each milestone serving as an important stage for stock taking, reviewing the progress and calibrating the future developmental path. Some of the notable milestones in the developmental process are:
i. The WGITA meeting in Kuwait (April, 2014) which approved the Project Initiation Document that spelt out the details of the project, probable timelines, milestones and expected deliverables.
ii. The KSC (Cairo, Egypt) in October 2014 which approved the associated Project Proposal and timelines.
iii. The 24th WGITA meeting (Warsaw, Poland) in June 2015, which reviewed the timelines of the Project in view of (a) the multiple levels of approvals and endorsements required and (b) the complexity involved in arriving at a universally acceptable draft, and decided that the future approvals of the draft ISSAI 5300 from WGITA and KSC would be sought through email exchanges.
ISSAI 5300 took 45 months to acquire its final shape. In this period, the drafting proceeded largely based on collaboration over emails. Over 55 SAIs responded with their comments and suggestions at various stages of approvals in this period.
The developmental path is depicted in the following diagram:
The Project Development Approach
ISSAI 5300 was developed by conducting a review of existing standards, guidelines, and related material pertaining to IT Audits/Information Systems Audits. The review focused extensively on National and International Auditing Standards, especially the ISSAIs. One of the important aspects of the developmental approach was to ensure that ISSAI 5300 was fully synchronized with the IT Audit Handbook approved by INCOSAI at Beijing.
Development of ISSAI 5300 also factored in the levels of maturity of Information Systems in the government sector and the maturity level of IT Audits in different SAIs across the member countries. The exposure draft and the Endorsement Version of ISSAI 5300 were developed and peer reviewed multiple times among the SAIs participating in the project. The final Exposure Draft and Endorsement Versions of ISSAI 5300 were put through the INTOSAI Due Process prescribed for development of ISSAIs to ensure that the quality parameters prescribed by INTOSAI were followed in the development of the ISSAI. The Project Team lead also ensured that all the feedback at different stages of the project was duly considered for incorporation in the draft. A strong documentation policy was adopted to ensure preservation of all exchanges and their outcomes.
IT Audit Survey
The developmental process featured a very comprehensive IT Audit survey. The Project Team developed and circulated (December 2014) in the INTOSAI an exhaustive questionnaire covering audit practices, standards and manuals in use, etc., in order to determine the maturity and usage profile of SAIs world-wide in this area. The areas covered by the Survey included the IT Governance Setup in the country, Recognition of IT Audit at a conceptual level in the member SAI, Mandate of the SAI, Maturity of IT Systems in the country, the IT Audit Process, and Capability of the SAI in conducting IT Audits. In all, 62 SAIs responded.
The responding SAIs represented a very wide range of IT Audit practices and processes, mandates and capabilities. This data on maturity and usage profile was subsequently employed in determining the granularity of ISSAI 5300 in order to ensure a wide acceptability of the ISSAI amongst the INTOSAI community.
Relationship between ISSAI 5300 and the WGITA IT Audit Handbook
ISSAI 5300 is the overarching ISSAI which delineates the general principles of IT Audit. Subsequent ISSAIs in this series would address key areas such as capacity development in SAIs in the area of IT Audits, reporting an IT Audit, IT Governance, Information Security and other domains which have been mentioned in ISSAI 5300. The future ISSAIs in this series would comprise areas where broad principles are required. Further, detailed guidelines on major IT Audit issues, and on emerging areas in this field, are already contained in the WGITA IDI Handbook on IT Audit, which is supposed to be updated every two years. Thus, this Handbook would take care of real-time changes in the IT environment and how they impact IT audit.
Team leader – Project Team for development of ISSAI 5300