Minutes of 26th WGITA meeting

Minutes of the 26th meeting of the INTOSAI Working Group on IT Audit held in Seoul, Republic of Korea from May 22-23, 2017

Download

Draft Minutes

The 26th meeting of the INTOSAI Working Group on IT Audit (WGITA) was held in Seoul, Republic of Korea, during May 22-23, 2017, in conjunction with the Seminar hosted by the Audit Inspection Research Institute (AIRI) of the Board of Audit and Inspection (BAI) of Korea on May 24, 2017. The meeting was presided over by Mr. Shashi Kant Sharma, Comptroller & Auditor General of India and Chairman of the Working Group. The list of delegates who attended the meeting as members and observers is attached as Annexure. The proceedings of the 26th WGITA are as follows:

Agenda item No.1: Welcome Address by Mr. HWANG Chan-hyun, Chairman of the Board of Audit and Inspection (BAI)

Mr. HWANG Chan-hyun, Chairman of the Board of Audit and Inspection (BAI) welcomed Mr. Shashi Kant Sharma, Comptroller & Auditor General (CAG) of India and Chairman of the Working Group and all other delegates to Korea.

He stated that development of IT technology and the expansion of related infrastructure are transforming the audit environment, resulting in broad changes to our social and economic system. Such change serves as a new opportunity for all Supreme Audit Institutions (SAIs) to take a leap forward

Large-scale IT projects and cyber security are emerging as major audit areas due to the ever-increasing public interest in these fields. In terms of the audit operation system, the establishment of the IT-based audit system is enabling more systematic and effective audits.

In order for SAIs to proactively respond to such changes, the Working Group on IT Audit has been focusing on modifying IT audit standards and improving audit techniques.

Mr. Hwang complimented Mr. Sharma, who chaired the group, and wished all participants a fruitful meeting.

Agenda items No.2 and 3: Opening remarks by Mr. Sharma and adoption of Agendas of the 26th WGITA Meeting

Mr. Sharma thanked the Chairman of the BAI and his staff, for the warm and generous hospitality. He also thanked them for the excellent arrangements made for hosting the meeting in Seoul, Korea.

The Chair stated that the membership of the WGITA has grown to 50 (including four observers). He welcomed the SAIs of Fiji, Mexico, Argentina, Rwanda, and Turkey as the new members. The SAI of Norway has opted to withdraw from the group due to other INTOSAI commitments.

Information technology brings not only changes in the processes but also in the dynamics of working across organizations. Along with all their inherent advantages, technologies also bring in new vulnerabilities. This creates a new level of challenges for auditors which have to be addressed. It is necessary for the SAI auditors to keep abreast of the latest developments in the field of IT to be effective auditors. The Working Group on IT Audit is constantly working to support SAIs in developing their capacity and skills in the audit of information technology by facilitating knowledge sharing and encouraging bilateral and regional cooperation.

As the WGITA approved the WGITA Work Plan for the period 2017-2019 in its 25th meeting, a total of five projects on emerging issues of IT audit were identified by the Working Group in this Work Plan for developing further GUIDs/research papers for the next three years. In this meeting, the progress made so far on these five IT Projects, would be reviewed and discussed.

The Chair added that one of the significant decisions taken in the INCOSAI was to grant the Forum for INTOSAI Professional Pronouncements (FIPP) a status of permanent body in INTOSAI and to approve the Strategic Development Plan (SDP) 2017-19 of INTOSAI Framework of Professional Pronouncements (IFPP). WGITA has been included in three projects in the SDP. This meeting will also provide us with an opportunity to discuss the WGITA Work Plan and SDP. The Chair formally declared the meeting open.

The Chair placed the Agenda of the meeting which was accepted without comments.

Agenda item No. 4: Update on the website of the Working Group on IT Audit (SAI of Malaysia)

Mr. Allias Alwi from the SAI of Malaysia made a presentation on the website. He explained about the various documents uploaded relating to this meeting and other WGITA activities. The SAI of Malaysia also uploaded the IDI handbook on IT Audit in English and Arabic. It was stated that there has been a significant increase in the number of visits to the WGITA website in the recent past.

Mr. Sharma, as the Chair of KSC, commented that the INTOSAI Community Portal is being revamped and it is planned to provide a separate page for each of the 11 working groups of KSC in the Portal. He added that the 11 working groups under the KSC are encouraged to utilize the Community Portal as a single window for INTOSAI members to access information. The Portal would ensure that all the working groups use a common template and also save costs and efforts of hosting separate websites by each working group. While thanking the SAI of Kuwait for their willingness to host the website, he added that until the portal is put in place,
SAI of Malaysia could continue to host the website. This proposal was unanimously agreed by the members.

Agenda item No. 5: Work Plan (2017-2019): Progress Report on Project-1 titled “General Capacity Requirements for SAIs for Conducting IT Audits” (SAI of South Africa)

Ms. Catharina Ferreira from the SAI of South Africa, the project leader, presented the progress report of the project. The SAIs of AFROSAI-E, Bangladesh, India, Iran, Iraq, Korea, Mexico, and Poland are members of the project.

The project was initially meant to focus on general conditions for IT support for audits. However, the project will now look at broader issues relating to capacitating SAIs to conduct IT audit. This stance is also confirmed by the “Justification for WGITA project 1” document. The justification for project document further makes reference to sub-section 16, 17, and 18 of section C of
ISSAI 5300, which outlines the following:

  • SAI shall have adequate capacity to conduct IT audits.
  • SAI shall develop adequate capacity, if the same is not available, before commencing an IT audit.
  • SAI shall identify and allocate adequate and competent resources to conduct an IT audit.
  • SAI may consider engaging external resources to conduct an IT audit, if the capacity is not available in-house.

She presented project progress to date, Project Initiation Document (PID) and timeline for the project. Draft project framework was introduced with four chapters: (1) Operating Environments of SAIs, (2) Evolution of the Public Sector and the Impact on the work of SAIs, (3) Capacity Building and Sustainability Strategies and (4) ICT and the Audit Process.

The project will focus on IT audit management, competency, resources and the process, rather than IT auditing itself. The progress report was noted and the project framework and timeline was approved.

Agenda item No. 6: Work Plan (2017-2019): Progress Report on Project-2 titled “Development of Roadmap for future ISSAIs under 5300 Series” (SAI of Pakistan)

Ms. Madeeha Maqbool (SAI of Pakistan), the project leader, presented the progress report of the project. The SAIs of Brazil, China, India, Japan, Korea, Poland, and USA are members of the project.

During project initiation, a list of key areas was circulated amongst the team members. After feedback and changes, the draft PID was circulated amongst members for endorsement by September 27th and was approved on October 23rd, 2016.

Upon finalization of the PID, the WGITA Chair advised to set up a Community of Practice (CoP) to facilitate the sharing of resources. With the help of the SAI of India, this CoP was set up and respective team members were informed of their
usernames and passwords.

As the INTOSAI Framework on Professional Pronouncements (IFPP), was approved by INCOSAI in Abu Dhabi in December 2016, the title of the project was modified according to the IFPP as “Development of Roadmap for future Standards and Guidance under 5300 Series,” and the plan was made according to such changes.

The project plan is to produce a guideline document to facilitate stakeholders in developing standards/guidance for IT Audit currently placed under the 5300 series. The project will keep its alignment with the Strategic Development Plan 2017-19 for IFPP.

During discussion, Mr. Paweł Jan Banaś from the SAI of Poland commented that the INTOSAI systems and guidelines have changed so much. The future work to be done should be very much aligned with FIPP, while being aware that the FIPP is not very specific or concrete at the moment

In response to a question from Mr. Madhav Panwar on the expected outcome of the project, Mr. Subramanian clarified that the Project team will only identify GUIDs that could be developed in future under 5300 series and not actually develop or draft any GUID.

Mr. Subramanian also explained that under the revised IFPP, the Working Groups under KSC are generally expected to produce GUIDs and not Standards. Standards are generally meant to be produced only for the three main streams of audit (Financial, Performance and Compliance audit). Accordingly the project team should focus only on new GUIDs that could be developed.

Ms. Madeeha assured that these clarifications would be considered by the Project team while proceeding further on the Project.

Agenda item No. 7: Work Plan (2017-2019): Progress Report on Project-3 titled “Data Analytics” (SAI of Indonesia)

Mrs. Ria Anugriani from the SAI of Indonesia, the project leader, presented the progress report of the project. The SAIs of Bangladesh, Brazil, Ecuador, Georgia, India, Iran, Iraq, Japan, Malaysia, Pakistan and USA are members of the project.

The purpose of this project is to develop guidance on data analytics that covers business intelligence and advanced analytics. This project will also cover how to utilize designated tools that are agreed to be used for data analytics in an audit engagement.

Mr. Bálint Tamás Vargha from the SAI of Hungary asked whether this tool can provide analysable data in the case of surveys, too. The project leader answered this tool is intended for auditing and considers Stratified data but not nonStratified or unstructured data. Mr. Madhav Panwar from the SAI of USA remarked that the tool might require a training part perhaps during the pilot stage. The project leader answered that she will reflect the idea on the tool.

Mr. Subramanian remarked that the project should not be confined to SAI Data alone as full potential of Data Analytics can be exploited only if external data is also used. Regarding the timeline, he added that the project is expected to be completed by the third quarter of 2019. However, as there is a possibility of INCOSAI 2019 being held earlier by a few months than other INCOSAIs, the project should be aimed to be completed by 2nd Quarter of 2019.

Mrs. Ria agreed to keep in mind the above suggestions while proceeding further on the Project.

Agenda item No. 8: Work Plan (2017-2019): Progress Report on Project-4 titled “Updating the ISSAI 5310 on Information Systems’ Security Auditing including Cyber Security” (SAI of India)

Mr. Subramanian from the SAI of India, the project leader, presented the progress report of the project. The SAIs of China, Ecuador, Iraq, Kiribati, Poland, USA, and ISACA are members of the project and this project also features in the SDP of IFPP.

In the pre-IFPP framework, series 5300-5399 of ISSAIs was allocated for Guidelines on Information Technology Audit. In the revised IFPP, subject matter specific guidance, now called GUIDs 5000-5999, are intended to support auditors in understanding a specific subject matter and in application of relevant ISSAIs.

The project aims to revise the erstwhile ISSAI 5310 on Information Security as GUID 5310 on Information Security and Audit and that it would be a link between higher level ISSAIs and detailed practitioner level guidance contained in the WGITA-IDI handbook.

The project will also include a new section on Cyber Security. The final GUID 5310 shall be ready for approval at INCOSAI in 2019.

GUID 5310 will be updated by relying upon existing standards, guidelines, and frameworks and other information on systems security, including security for mobile and wireless data networks. Mr. Subramanian explained the project timeline and elaborated that the next steps would be circulation of the Project Initiation Document to WGITA members by July 2017 and to FIPP by October 2017 after approval by WGITA and KSC.

Mr. Panwar from the SAI of USA asked for the justification of the update on ISSAI 5310 and the communication with FIPP. The project leader answered that the project on updating ISSAI (now GUID) 5310 was included in SDP of FIPP because revision of 5310 was long overdue, since it was completed in 1995. Mr. Fredrick Musenge Bobo from AFROSAI-E took a note of harmonization, coordination, and alignment of existing standards, guidelines and frameworks. Mr. Banaś from the SAI of Poland also mentioned that we should consider how our standards are aligned with other organizations’ guidelines and standards. If they are not new or valuable, we can also consider the possibility of their removal. Prof. Krishna Seeburn from ISACA added that one of the ways to move forward is to look at the guidelines which already exist and develop it. The project leader answered that “Standards” are meant for a higher level of scope, whereas the “Handbook” is a detailed level of guidance for the practitioner. Thus, guidance is needed inbetween standard and handbook. GUID 5310 will be updated to bridge the gap. The project proposal and the timeline was approved.

Agenda item No. 9: Work Plan (2017-2019): Progress Report on Project-5 titled “Documentation Requirements of an IT Audit including Audit Management System” (SAI of Mexico)

Due to the absence of the SAI of Mexico, the project leader, the project report was presented by the SAI of India, the Chair of WGITA on their behalf. The SAIs of AFROSAI-E, Bangladesh, China, Ecuador, Georgia, India, Indonesia, Iraq, Kuwait, and Mexico are members of the project.

Subproject 1 titled “Documentation Requirements in an IT Audit” would essentially flow from Level 3 ISSAIs (e.g. ISSAIs 100, 200, 300 and 400). The approach of this subproject is to conduct a survey to identify specific adjustments to the documentation process in an IT Audit.

For subproject 2 titled “Audit Management System (AMS),” it was proposed to initiate the project with the identification of a Generic Audit Process, or part of the process that is common, and that would produce value to the majority of SAIs. With the result of the survey, a feasibility analysis for the AMS will be done, and if the AMS is feasible, a business case will be developed.

Mr. Panwar from the SAI of USA noted that the subproject regarding AMS might be outside of the scope that WGITA should be doing. AMS is not just for IT, but for the whole of auditing itself. Since the important questions, such as who will be developing, testing, and customizing it, etc., have not been answered yet, this project will need more discussions to move ahead. Mr. Subramanian from SAI of India answered that this project, was taken up as it emerged as one of the most popular subject for WGITA projects in the survey conducted in 2015. Further, the project presently intends to identify the “requirement” for the AMS by doing
a global survey and that the questions posed by Mr. Madhav Panwar are relevant.Only if the feasibility study of the project team recommends taking up the
development of AMS, will we come to the next stage of decision on developing AMS. Ms. Catharina Ferreira from the SAI of South Africa commented that their IT audit supports financial audit. It is questionable to establish AMS tools without integrating what we are supporting. Mr. Marcelo Nascimento Barbosa from the SAI of Brazil also added that the AMS can be discussed further during the AIRI seminar to be held on May 24, 2017.

It was agreed that the project team could go ahead with the 2 sub-projects and a decision on developing AMS will be made later if the project team considers development of AMS feasible.

Agenda item No. 10: WGITA Work Plan and its alignment with SDP of IFPP: ISSAI 5300&5310 (SAI of India/USA) and Project on “Development of Standard for State Information Systems Audit” (SAI of Russia)

It was agreed that the project team could go ahead with the 2 sub-projects and a decision on developing AMS will be made later if the project team considers development of AMS feasible.

Projects in SDP, which require the WGITA, are to consolidate and improve guidance on understanding internal control in an audit where WGITA is designated as a member to be co-opted for the revision of documents of the Internal Control Subcommittee and revision of ISSAI 5300 and 5310.

Regarding Project in the SDP on Internal Controls, it was explained that clarifications had been sought from the Internal Controls Sub-Committee and FIPP on the exact scope of the project, timeline and the expectations from WGITA. It was agreed that final decision on WGITA participation in the sub-committee would be made after clarifications are received from the Internal Control subcommittee.

Regarding the revision of ISSAI 5300, it was agreed that the WGITA defer revision of ISSAI 5300, considering that ISSAI 5300 was approved only in 2016, just a few months ago and further SAIs have already committed resources on the five projects in the WGITA Work Plan.

Regarding the revision of ISSAI 5310, it was decided to go ahead with the revision, as discussed during Agenda No.8.

It was explained that the Revised Due Process provides for quality assurance of IFPP documents. However, there is no similar mechanism to ensure quality assurance of non-IFPP documents. The three Goal chairs (KSC, PSC and CBC) discussed this issue and accordingly came up with a document to ensure quality of non-IFPP documents. This document specifies 3 different levels of quality assurance statement.

The quality assurance statement for public goods might include either a revision or expiry clause, stating clearly the latest date by which the product will be reviewed and updated, or the date upon which the guidance in the product will cease to be valid. All new public goods published on or after December 1, 2017, should conform to the principles and carry a quality assurance statement indicating the Quality assurance level.

Mr. Alexander Narukavnikov from the SAI of Russia presented updates on the Standard for State Information Systems and Remote Access Audit. Initially, the SAI of Russia proposed two new projects to be included in the WGITA Work Plan. However, when several details were sought on these two projects, SAI Russia requested some more time to provide clarifications on the issues. The Chair suggested that the meeting could take note of concerns regarding the proposal by the SAI of Russia and take no decision at this meeting. It was agreed by the SAI of Russia and the participating SAIs.

Agenda item No. 11: Progress Report on updating the WGITA-IDI Handbook on IT Audit and demonstration on IT Handbook Electronic Concept (SAI of USA)

Mr. Panwar from the SAI of USA presented the progress report on IT Audit Handbook and its electronic tool. The IDI Handbook on IT Audit was released in 2014. It has been about 4 years since the content building process was started. It is time to update the document and bring it in line with the current IFPP framework.

The SAI of USA had requested all WGITA members to provide input to the
original Handbook. The SAIs of Brazil, Indonesia, Iceland, Lithuania, Poland, USA,
and Portugal provided input.

The SAIs of Poland and Portugal jointly devised the automated tool and incorporated the idea of Cases (list of actions and steps) as a “Plug In.” Comments provided by the respective SAIs have been integrated as a Plug In.

The Plug In contains a description of the areas (e.g. Financial System Upgrade, Land Registry, e-Services Rollout, etc.) and all associated audit matrices, including required information, analysis method, etc., to conduct the audit

The electronic version of the Plug in is available now on the WGITA website thanks to the support of the SAI of Malaysia.

The Plug-in will be the way forward on any new technical projects to add, share knowledge, or provide new areas of IT Audit. The IT Audit Guide along with the associated Plug In would be an acceptable mechanism to share knowledge and provide succinct IT Audit information to SAI members.

A tutorial video clip was introduced to show how to utilize the Plug In during the meeting. Any of the interested member SAIs are welcome to join and participate in this effort.

The SAI of Georgia asked how the standard template in the automated system can be updated if there is a better format of template. Those who have not had a standard template can use it, and also, those with the better version will be able to upload the template to make it accessible to everyone. Mr. Panwar answered that it is very easy to create the Plug In, but approval to incorporate it into the tool will be required. Mr. Ho Jinwon from the SAI of Korea remarked that as any member SAI can add up its own knowledge and experience, it is important to have a quality control process to maintain a certain level of standards. Standard template might be better to be based on XML instead of Excel for future reference.

It was agreed that the WGITA-IDI Handbook will remain outside the IFPP.

Agenda item No. 12: Report of the Working Group on Big Data (SAI of China)

Mr. Yin Qiang from the SAI of China presented the report on the Working Group on Big Data. He mentioned that the Chair of KSC put forward the motion to be approved at the 22nd INCOSAI in 2016 for the formation of a new working group. The Working Group, chaired by the SAI of China, is the most newly established INTOSAI entity and is composed of 19 member SAIs and 1 observer. It is a formal

Mr. Yin Qiang from the SAI of China presented the report on the Working Group on Big Data. He mentioned that the Chair of KSC put forward the motion to be approved at the 22nd INCOSAI in 2016 for the formation of a new working group. The Working Group, chaired by the SAI of China, is the most newly established INTOSAI entity and is composed of 19 member SAIs and 1 observer. It is a formal platform to share knowledge and experience on a topic of critical importance to many SAIs.

The first meeting of the Working Group was hosted by the SAI of China from 18 to 19 April 18-19, 2017 in Nanjing, China. The next meeting will be hosted by the SAI of USA

Agenda item No. 13: Report of AFROSAI-E on cooperation with WGITA (AFROSAIE)

It was explained that AFROSAI-E is committed to cooperating with and supporting its member SAIs to enhance their institutional capacity to successfully fulfill their audit mandates, thereby making a difference to the lives of citizens.

Mr. Fredrick Musenge Bobo from AFROSAI-E explained that we are living in a ITdriven society, which runs ahead of us and we are like blind people having no vision to see the entire elephant. Although many countries in the AFRICAN region have the Financial Management Information System (FMIS), the system is not thoroughly understood and never audited extensively.

In conclusion, he asked the WGITA members to take a more prominent stance on what is affecting the citizens of the digital world.

Agenda item No. 14: Report of IDI on cooperation with WGITA (IDI)

Due to the absence of an IDI representative, the report was presented by the SAI of India, the Chair of WGITA, on behalf of the IDI

About 100 participants completed the IDI-WGITA Program on IT Audit. 41 SAIs completed pilot IT Audits. The IDI also collected feedback on the IT Audit Handbook and on program delivery.

As of January 2017, after all SAI draft audit reports were reviewed at the review meeting, 8 SAIs published audit reports. The SAI of Nepal and Turkey initiated a new IT audit after the program.

Regarding the WGITA-IDI IT Audit Handbook, the IDI has participated in the revision and will provide practical guidance. It was mentioned that the handbook needs a flexible solution for updating the document. Updating and qualityrequirements can be determined jointly as per the discussion paper on Quality Assurance currently proposed in cooperation with joint goal chairs.

Agenda item No. 15: Discussion on Venue for the 27th meeting of WGITA (SAI of Australia)

The 27th meeting of WGITA will take place in Sydney, Australia across three days either during April 10-12, 2018, or April 17-19, 2019: WGITA meeting (one and a half days), half-day social program and one day Workshop.

Agenda item No. 16: Discussion on Venue for the 28th meeting of WGITA

It was decided that the SAI of Fiji will host the 28th meeting in 2019, and the SAI of Slovenia will host the 29th meeting in 2020.

Agenda item No. 17: Country Paper presentations and discussions thereon by
member SAIs (Australia, China, Japan, Korea, Kuwait and South Africa)

Cyber Security and Cyber Resilience (SAI of Australia)

Australian Government Information Security Core Policy requires that agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently, in accordance with the level of required security.

Entities that prioritize cyber security are better positioned to achieve cyber resilience. Being cyber resilient will help entities to effectively deter and respond to cyber attacks while still focusing on delivering business outcomes.

Entities that do not manage cyber security as a strategic priority and that do not have effective governance arrangements in place will find it increasingly difficult to be cyber resilient.

National Audit under the Big Data Environment (SAI of China)

National audit is regarded as an important part and a main tool of national governance. Our common challenge is how to play our role in national governance supervision under the big data environment to promote sustainable development of the national economy.

CNAO’s audit work is facing comprehensive transformation under the big data environment, which includes six outstanding areas: (1) Transformation from single point discrete audit to multi-point linked audit, (2) Transition from partial audit to full-coverage audit, (3) Change from static audit to combination of static and dynamic audit, (4) Change from post-audit to combination of post-audit and concurrent audit, (5) Transition from on-site audit to combination of on-site and off-site audit and (6) Transformation from micro audit to combining micro audit with macro audit.

A recent IT Audit Case from the SAI of Japan’s Audit Reports (SAI of Japan)

The Cabinet of Japan decided in 2013 that the government will shift all information systems into cloud computing before 2022, except for systems with special circumstances. Expected outcomes of the common platform are to integrate IT Budget, reduce number of servers, maximize IT Resources and improve availability, reliability, and security.

However, the Audit examination revealed that the number of servers had actually increased. Necessary functions were not provided in the “Platform.” No costreduction benefits were expected.

A Recommendation was made that the Ministry of Internal Affairs and Communications (MIC) and other Ministries should be responsible for all phases from requirement definition to operations to achieve cost cuts by means of integration into the “Platform.” The MIC should be responsible for the utilization of virtualization technology; Ministries should estimate the necessary amount of server resources.

Ministries should analyze logs for risk analysis; the MIC should consider sharing information as to risk analyses or system audit findings. The Government should be responsible for future necessity of data coordination.

Introduction of IT Audit Group and U-check (SAI of Korea)

In response to the changes in the audit environment, the BAI established an information system to support auditing. Additionally, it has established an IT audit group composed of 3 divisions and 32 staff members. Out of the 32 members, 11 are IT specialists.

The “U-Check” application is based on MS Access, which has the ability to use simple methods to quickly handle a variety of data. The functions of MS Access that are often utilized in audit works are packaged so that the users can easily apply them. However, the file format the MS Access uses to load is limited, so the program is to be improved to be able to load most of the other file formats.

Open Government Data in State of Kuwait (SAI of Kuwait)

Open data is a concept of publishing data into a public layer. It can be used freely without any legal constraints, reused and republished with respect to its legal license. Adopting the concept of government open data will have an impact on increased accountability and will work to achieve the highest levels of transparency.

The SAI of Kuwait supports the opening of government data by publishing the annual reports. Its reports are available on the SAI’s homepage without any restrictions, such as registration on the site to obtain a copy or even restrictions preventing reuse. Reports are available to citizens or residents without discrimination

After discussing the reports of the Bureau in the National Assembly and in the presence of the members of the Council of Ministers, the Bureau is entitled to publish its reports.

Kuwait laws and agreements tend to promote/encourage transparency and open government data in a way that does not contravene the rights or reputations of individuals and the protection of national security. However, several enhancements for current government policies and framework should have more specifications to improve the concept of OGI in Kuwait, as in Saudi Arabia, UAE, Bahrain and Oman for OGD and encourage government organizations to cooperate and participate with international data dissemination initiatives to ensure applying list of all standards that benefit the process of unifying work and supporting the transparency and accountability standards

Approach to Supporting Financial Audits on Resources, Payroll and Supply
Chain Management through the Use of Data Analytics (SAI of South Africa)

The SAI of South Africa is comprised of 167 employees. The unit is headed by the business executive, supported by two deputy business executives and 14 senior managers. The majority of the staff members hold post-graduate degrees and 80 are certified information systems auditors (CISA).


Due to the large volume of audits (approximately 810 audits), some are outsourced to audit firms in order to meet the audit coverage. Audits are either contracted in or contracted out.


Some of the milestones achieved are the involvement in the assessment of the shortcomings in IT alignment to service delivery with the outcomes of the assessment being currently implemented by relevant role players in the IT landscape of government. The SAI of South Africa is also involved as an external assurance provider on the implementation of the Integrated Financial Management System (IFMS), which aims to replace the transversal systems that are currently in use at different ministries in South Africa

Agenda item No. 18: Report of ISACA on cooperation with WGITA (ISACA)

ISACA is a global and a non-profit professional association for individuals and enterprises. ISACA and Protiviti partnered to conduct the 6th Annual IT Audit Benchmarking Survey in the third and fourth quarters of 2016. This global survey, conducted online, showed 5 key findings: (1) Cyber security is viewed as the top technology challenge (2) There appears to be more executive-level interest in IT audit (3) More Chief Audit Executives (CAEs) are beginning to carry leadership for IT audit directly (4) Most IT audit shops have a significant or moderate level of involvement in key technology project and (5) Most perform IT audit risk assessments, though a majority do so annually or less frequently.


ISACA sought the next step for future cooperation with WGITA and how ISACA can support the work of the WGITA.

Agenda item No. 19: Any other item for discussion with permission of the Chair (SAI of India)

ISACA sought the next step for future cooperation with WGITA and how ISACA can support the work of the WGITA.

Agenda item No. 19: Any other item for discussion with permission of the Chair (SAI of India)

There was no other issue for discussion at the meeting.

Agenda item No. 20: Closing Remarks and summing up (SAI of India)

The Chair expressed his gratitude to all members of the Group for their active participation and support to the proceedings. He also conveyed his sincere gratitude to the SAIs of Australia, Fiji and Slovenia for agreeing to host the 27th, 28th, and 29th WGITA meetings, respectively.


On behalf of this Working Group, he thanked the BAI of Korea for organizing and hosting this meeting. He mentioned that it is due to their support that this meeting has been so successful.


The Chair formally closed the meeting.

List of Participants

>NO Country Name Job Position E-mail
1 1.Australia Ms Vandana Singh Senior Director [email protected]
2 2.Bangladesh Mrs Tanzila Chowdhury Director [email protected]
3 3.Bhutan Mr Tshering Kezang Auditor General [email protected]
4 Mrs Sonam Delma Deputy Chief ICT Officer [email protected]
5 Ms Samdrup Dolma Audit Officer [email protected]
6 4.Brazil Mr Marcelo Nascimento Barbosa Auditor [email protected]r
7 5.Cambodia Mr Chhay Nuppakun Department Director [email protected], [email protected]
8 6.China Mr LU Tao Deputy Director [email protected]n
9 Mr YIN Qiang Deputy Director [email protected]n
10 7.Ecuador Mr Manuel Angel Ortega Expert Supervisor [email protected]
11 Ms María Augusta Recalde Expert Supervisor [email protected]
12 8.Fiji Mr Ajay Nand Auditor General [email protected]
13 9.Georgia Mr David Shavgulidze Head of IT Audit Unit [email protected]
14 Ms Marika Natsvlishvili Head of State Budget Analysis & Strategic Planning Department [email protected]
15 Mr Girsheli Chokhonelidze Senior IT Auditor [email protected]
16 Ms Taia Tsiskarauli IT auditor [email protected]
17 10.India Mr Shashi Kant Sharma Comptroller and Auditor General [email protected]
18 Mr Anadi Misra Secretary to the Comptroller and Auditor General [email protected]
19 Mr Subramanian Krishnan Sangaran Director General [email protected]
20 11.Indonesia Mr Bahrullah Akbar Vice Chairman [email protected]
21 Mrs Sri Mulyani Secretary of Board Member [email protected]
22 Mrs Ria Anugriani Director of IT Bureau [email protected]
23 Ms Zikra International Relations Officer [email protected], [email protected]
24 Mr Anthon Merdiansyah Head of Secretariat of Vice Chairman [email protected]
25 12.Iran Mr Gholamreza Bazgosha Deputy Director General [email protected], [email protected]
26 13.Japan Mr Hideki Fujii Director [email protected]
27 Mr Masahiro Amitani Assistant Auditor [email protected]
28 14.Kiribati Mr Lucas Paul Tatireta Senior IT Auditor [email protected]
29 15.Kuwait Mrs Sumaia Jaber Al-Ghurair IT Specialist [email protected], [email protected]
30 Ms Meriam Jassim Al-Hassawi Senior Information Technologist [email protected], [email protected]
31 Mrs Rawan Barak Al-Subaie Auditor [email protected], [email protected]
32 16.Malaysia Mr Allias Alwi Director [email protected]
33 17.Pakistan Ms Madeeha Maqbool Assistant Director [email protected]
34 18.Poland Mr Paweł Jan Banaś Advisor to President [email protected], [email protected]
35 19.Qatar Mr Fahad Mohamed Al-Mansoori Director of IT Audit Department [email protected]
36 20.Republic of Korea Mr Ho Jinwon Senior Researcher [email protected]
37 Mr Kim Hyun Pyo Director [email protected]
38 21.Russia Mr Alexander Narukavnikov Director [email protected]
39 Ms Olga Pankova Deputy Head [email protected]
40 Ms Olga Terekhina Deputy Head [email protected]
41 22.Rwanda Mr Laurien Ukurikiyimfura Senior Principal IT Auditor [email protected], [email protected]
42 Mr Edson Gato Principal IT Auditor [email protected], [email protected]
43 23.South Africa Ms Catharina Petronella Ferreira Business Executive [email protected], [email protected]
44 Mr Phere Jacob Motau Manager [email protected]
45 24.Turkey Mr Davut Özkul Director of IT&ITA Department [email protected]
46 Mr İhsan Çulhaci Principal Auditor [email protected]
47 25.USA Mr Madhav Panwar Senior Level Technologist (Director) [email protected]
48 26.Zambia Mrs Phales Chilala Phiri Deputy Auditor General [email protected]
49 Mr Brighton Mpatisha Principal Auditor [email protected]
50 Observer) AFROSAI-E Mr Fredrick Musenge Bobo IT Audit Manager [email protected]
51 Observer) ISACA Prof. Krishna Seeburn ISACA / WGITA Liaison [email protected]
52 Observer) ISACA Mr Barkley Hill Joe Manager, Global Partnerships [email protected]
53 Special Invitee) Hungary Mr László Domokos President [email protected]
54 Mr Bálint Tamás Vargha trainee auditor [email protected]

Download