Information System Audit

Published on Mar 01 2017 // Featured, Opinion

Information System Audit is widely practiced across the globe in the recent days. The Office of the Auditor General, Nepal (OAG/N) was established in 1959 as a constitutional body.  According to the Constitution, the Auditor General is appointed by the President upon the recommendation of the the Constitutional Council. The Auditor General has rights and powers to carry out the audit of all government offices with due care of Regularity, Economy, Efficiency, Effectiveness and Propriety. The Auditor General may conduct the special audit like Performance Audit, IT Audit and Environment Audit, among others. Of these special audits, the IT Audit is much more important as all the government offices are using IT applications and software for maintaining database system to some extent. As per the Article 240 and 241 of the Constitution of Nepal 2015, the accounts of the Office of the President, the Vice President, the Supreme Court, Union and Federal Legislature-Parliaments, Provincial Council, local level, constitutional body and its office, court, the Nepalese Army and Armed Police Force, Nepal or the Nepal Police as well as all other government offices shall be audited by the Auditor General in the manner determined by law, with due considerations given to the regularity, economy, efficiency, effectiveness and the propriety thereof.

The Auditor General shall be consulted in the matter of the appointment of auditors for carrying out the audit of any corporate body of which the Government of Nepal owns more than fifty percent of the shares or the assets. The Auditor General may also issue necessary directives setting forth the principles for carrying out the audit of such corporate bodies. The Auditor General shall, at all times, have access to documents concerning the accounts for the purpose of carrying out the functions.

This era of 21st century known is as the century of information communication technology (ICT). In the globalized society and competitive environment, the ICT policy, paperless culture, web-based reporting system, cyber security, IT infrastructure and Human Resources Development (HRD) in government offices are essential to make service delivery better and more effective, efficient and economy. In this regard, data collection, storage, abstraction and utilization are much more needed for the security and privacy point of view. So, the implementation of ICT policy in the Government sector is much more needed.

  1. Information Technology (IT) Audit:  IT Audit is known as “Electronic Data Processing” (EDP) Audit, “Computer Based (CB) Audit”, “Software Based (SB) Audit and “Automated System (AS) Audit and so on. These all are called Information Technology Audit. An IT Audit evaluates the system’s internal control design and effectiveness, efficiency and security processes, controls etc. Specially, the Information Systems (IS) Audit examines the information systems where the inputs, outputs and processing are managed adequately and functioning well. Categorically, the IT audit can be divided as following:

1.1.                            IT Audit through the computer – it is a system based and application control audit

1.2.                            IT Audit around the computer – it is an IT environment and general control audit

  1. IT Audit Cycle: The IT Audit cycle is to start from planning and ends with the follow up. Followings are the basic steps in performing the Information Technology Audit Process:
  2. Planning
  3. Testing and Evaluating Controls
  4. Reporting
  5. Follow-up
  6. IT environment: It is a legal provision for regularization of the recognition, validity, integrity and reliability of generation, production, processing, storage, communication and transmission system of electronic records by making the transactions to be carried out by means of electronic data exchange or by any other means of electronic communications, reliable and secured. And whereas, for controlling the acts of unauthorized use of electronic records or of making alteration in such records through the illegal manner. The Electronic Transactions Act, 2008 be enacted and try to fulfill the gaps of IT system needs. Electronic Transactions Rules 2009describes certification of electronic copy as a person intending to certify the electronic record or the information kept in electronic form by digital signature may certify such record or information by fulfilling the procedures.

The three year interim plan (2013 -15) and Information technology policy of government, 2010 spell out to operate software, IT manpower development, use information technology in the activity of the government offices. Under these provisions the Ministry of Local Development has introduced a policy on automated accounting system, human resource development, Data base management system and so on.

  1. IT Audit Objective: The main objective of IT Audit is to ascertain the appropriateness, completeness and reliability of the software used by the entity. Additional objectives are to analyze the control system, security system and updating system in software application. It also recommends to create IT environment and to provide the suggestions for further improvement through audit report in its application. Specifically, the IT audit objective is directly related to the data quality, security and privacy policy which the government entities desire to maintain the ethical issues.
  2. IT Audit Methodology: IT audit methodology may both process and result oriented. In firstly, obtain the electronic data from the client. Secondly, gather information with consultation to the IT personnel along with financial staff, analyze the collected data through the IDEA software and finally, prepare the report based on the result. Interactive Data Extractions and Analysis (IDEA) software helps us to check the authenticity, mathematical errors, controls and database related to the transactions.

Collected technical and non technical data/information which should be kept as confidential and should not be disclosed without prior approval of OAG/Nepal, use of software as mentioned in the goal are checked, evaluate agreement between the employer and the IT service provider to concentrate their task objectively, evaluate the follow-up action to help for timely corrective action initiate by the service providers. Data Privacy in government sector is given top priority. The government has established GIDC (Government Integrated Data Center) for maintaining data base and back up. Mostly, the government data is related to the collection of money and its expenditure. So, the government should issue the Privacy Policy. The Privacy policy covers the controlling access and use, applicability of privacy policies, Data integrity and quality assurance, Accountability and audit, Data security and data retention. Each of these issues is addressed in the data privacy policy. There are at least two basic models for controlling access to shared databases: a centralized model, in which the central office within the Department determines who may access a particular database and a decentralized model, in which the organization that creates and maintains the database controls access. It is possible to imagine various combinations of the centralized and decentralized systems. These combinations could encompass virtually any mix of the two systems.


  1. IT Audit Issues: OAG has commenced to carry out the IT audit in 2009. Firstly, the IT audit of ASYCUDA software was conducted. And then, we have conducted the IT audit of Treasury Single Account (TSA) Software, e-Governance master plan, e-licensing of Transport Management Office software, Financial Management Software of DDC FAMP. In the auditing point of view, the major issues of the use of IT system in government sector are as follows:

6.1.        A sound IT physical infrastructures trained human resource should be confine only arranged in regular basis in the office. IT administration training programs should also be carried out for staffs to sharpen them for up keeping. As information provided, trainings program for Staffs weren’t sufficient. IT administration training programs aren’t conducted in regular basis. Likewise, there is lack of short and long term IT development plan and human resource development plan.

6.2.        It control system related to the general control, specific control and application control are needed in IT system. General control refers to the IT environment, specific control refers to the particular transaction of the database and application control refers to the database system. However, the government entities don’t pay attention to the holistic approach for the control system. Protecting data through appropriate safeguards, controls and training is essential to the IT personnel.

6.3.        Data are statistical facts that have some message. Data are of high quality “if they are fit for their intended uses in operations, decision making and planning. Alternatively, the data are deemed of high quality if they correctly represent the real-world construct to which they refer. Furthermore, apart from these definitions, as data volume increases, the question of internal consistency within data becomes paramount, regardless of fitness for use for any external purpose. The data quality can be defined as the degree of excellence exhibited by the data in relation to the actual scenario, the state of completeness, validity, consistency, timeliness and accuracy that makes data appropriate for a specific use. The features and characteristics of data bear on their ability to satisfy a given purpose. The processes and technologies involved in ensuring the conformance of data values to business requirements and acceptance criteria.

6.4.        Automated electronic system needs back up security; Password security and Power back up security for smooth operation, maintenance and protection and keep away from threat, theft, damage or loss of software and database. Hot security (online security system) system as well as cold security (manual security system) both systems should be managed attentively. Data security should protect against the unauthorized use, disclosure, access, destruction, modification and loss of data. As information provided by the client, the back up security at the end of the day managed without online back up security. Password is given to the concern authority only for operating module and relation to maintain the password security. Confidential password security and regular monitoring on password both are very necessary. User and password security has been maintained properly. The power problem needs to be addressed.

6.5.        There should be a strategic IT plan for the organization based on business needs and it should be approved. The approved IT plan is to be conducted by the IT section with well defined roles and responsibilities. The reporting system to the top management and concerned ministry is to be developed and managed accordingly. There is no strategic IT plan to operate the software, data base management, human resource development and IT resource management. There also not to clear the well defined roles and responsibilities, reporting system to top management and concerned Ministry.

6.6.        The privacy rights of individuals about collecting, maintaining and using the data depends on the quality of the information – its completeness, accuracy, relevance and timeliness. When information is shared outside the component that originally collected it, there is increased potential for misunderstanding its relevance and context, introducing inaccuracies, and allowing it to become outdated. Furthermore, the quality of the new information product obtained by combining data on an individual from multiple components is dependent on that of its sources, with any shortcomings potentially multiplied and magnified by the act of combination. We assume that the data consisting of the results of queries will reside not in the hub, but instead in the databases of the users, who would bear the responsibility for quality assurance.

  1. Conclusion: Government is a provider, monitor, promoter, facilitator and so on in service delivery to its citizen. In the point of view of service delivery, the citizen wants to get quality service in low cost. So, the use of IT application in government sector is much more important. However, the government is facing some challenges to use and manage the IT application. Some challenges are deliver customer service with low cost, expand innovative to end customer service, deliver efficient IT solution and etc. The major problems in the use ofICT in government sector arelack of policy consistency, no bridging between policy and program, lack of coordination among government agencies, lack of physical infrastructure, lack of budget, lack of skilled and trained manpower and etc. The value of the use of IT application brings work quality through the relevant, user-friendly, accurate and timely information and reports to their legislatures and other stakeholders, which enable auditees to take action to address the issues concerned and improve the governance of the public sector. The ICT implementing within the organization include the desire to obtain business value through reduce cost, greater effectiveness and enhance efficiency. The IT audit should focus to the data quality, security and privacy policy for managing database system which directly reflected in the service delivery by the government. The records of the software update must be maintained as available facility. IT infrastructure development policy and norms or standards is to be developed for durability and sustainability of the use of IT resources. Short and long term IT development and human resource development plan and policy must be formulated and implemented accordingly. IT related budget for maintaining and operating the software and create IT friendly environment should be incorporates in the annual budget and program.


 e-Governance master plan, Government of Nepal

  1. Electronic Transaction Act, 2008 and Rules, 2009 Government of Nepal
  2. Information system Audit Guidelines, ASOSAI, September 2012
  3. IT Policy, 2010 Government of Nepal
  4. The Constitution of Nepal, 2015

(Writer Maheshwar Kaphle and Netra Poudel) The article was taken from the Annual Publication of Personnel Training Academy.



Leave a Reply