Information System Audit is now widely practiced across the globe. The Office of the Auditor General, Nepal (OAG/N) was established in 1959 as a constitutional body. According to the Constitution, the Auditor General is appointed by the President upon the recommendation of the Constitutional Council. The Auditor General has the rights and powers to carry out the audit of all government offices with due regard to Regularity, Economy, Efficiency, Effectiveness and Propriety. The Auditor General may also conduct special audits such as Performance Audit, IT Audit and Environment Audit, among others. Of these special audits, the IT Audit is particularly important, as all government offices use IT applications and software to maintain database systems to some extent. As per Articles 240 and 241 of the Constitution of Nepal 2015, the accounts of the Office of the President, the Vice President, the Supreme Court, the Union and Federal Legislature-Parliaments, Provincial Councils, local levels, constitutional bodies and their offices, courts, the Nepalese Army, the Armed Police Force, Nepal and the Nepal Police, as well as all other government offices, shall be audited by the Auditor General in the manner determined by law, with due consideration given to the regularity, economy, efficiency, effectiveness and propriety thereof.
The Auditor General shall be consulted on the appointment of auditors for carrying out the audit of any corporate body of which the Government of Nepal owns more than fifty percent of the shares or the assets. The Auditor General may also issue necessary directives setting forth the principles for carrying out the audit of such corporate bodies. The Auditor General shall, at all times, have access to documents concerning the accounts for the purpose of carrying out these functions.
The 21st century is known as the century of information and communication technology (ICT). In a globalized society and competitive environment, an ICT policy, a paperless culture, web-based reporting systems, cyber security, IT infrastructure and Human Resources Development (HRD) in government offices are essential to make service delivery better and more effective, efficient and economical. In this regard, data collection, storage, abstraction and utilization are much more demanding from the security and privacy point of view. So, the implementation of an ICT policy in the Government sector is much needed.
- Information Technology (IT) Audit: IT Audit is also known as “Electronic Data Processing” (EDP) Audit, “Computer Based” (CB) Audit, “Software Based” (SB) Audit, “Automated System” (AS) Audit and so on. All of these are called Information Technology Audit. An IT Audit evaluates the design and effectiveness of the system’s internal controls, its efficiency, and its security processes and controls. Specifically, the Information Systems (IS) Audit examines whether the inputs, outputs and processing of the information systems are managed adequately and functioning well. Categorically, the IT audit can be divided as follows:
  1.1. IT Audit through the computer: a system based and application control audit
  1.2. IT Audit around the computer: an IT environment and general control audit
- IT Audit Cycle: The IT Audit cycle starts with planning and ends with follow up. The following are the basic steps in performing the Information Technology Audit process:
  - Testing and Evaluating Controls
- IT environment: The Electronic Transactions Act, 2008 is the legal provision for regulating the recognition, validity, integrity and reliability of the generation, production, processing, storage, communication and transmission of electronic records, making transactions carried out by means of electronic data exchange or any other means of electronic communication reliable and secure, and for controlling the unauthorized use of electronic records or the illegal alteration of such records. The Act was enacted to fill the gaps in the needs of IT systems. The Electronic Transactions Rules, 2009 describe the certification of electronic copies: a person intending to certify an electronic record, or information kept in electronic form, by digital signature may certify such record or information by fulfilling the prescribed procedures.
The Three Year Interim Plan (2013-15) and the Information Technology Policy of the Government, 2010 call for operating software, developing IT manpower and using information technology in the activities of government offices. Under these provisions the Ministry of Local Development has introduced a policy on automated accounting systems, human resource development, database management systems and so on.
- IT Audit Methodology: The IT audit methodology may be both process and result oriented. First, obtain the electronic data from the client. Second, gather information in consultation with the IT personnel and the financial staff; then analyze the collected data with the IDEA software and, finally, prepare the report based on the results. The Interactive Data Extraction and Analysis (IDEA) software helps us to check authenticity, mathematical errors, controls and the database related to the transactions.
- IT Audit Issues: OAG began carrying out IT audits in 2009. The first was the IT audit of the ASYCUDA software. Since then, we have conducted IT audits of the Treasury Single Account (TSA) software, the e-Governance master plan, the e-licensing software of the Transport Management Office and the Financial Management Software of DDC FAMP. From the auditing point of view, the major issues in the use of IT systems in the government sector are as follows:
6.1. Sound IT physical infrastructure and trained human resources should be arranged in the office on a regular basis. IT administration training programs should also be carried out for staff to sharpen their skills in the upkeep of the systems. According to the information provided, training programs for staff were not sufficient, and IT administration training programs are not conducted on a regular basis. Likewise, there is a lack of short and long term IT development plans and human resource development plans.
6.2. IT control systems covering general control, specific control and application control are needed in an IT system. General control refers to the IT environment, specific control refers to particular transactions in the database and application control refers to the database system. However, government entities do not pay attention to a holistic approach to the control system. Protecting data through appropriate safeguards, controls and training of the IT personnel is essential.
6.3. Data are statistical facts that carry some message. Data are of high quality if they are fit for their intended uses in operations, decision making and planning. Alternatively, data are deemed of high quality if they correctly represent the real-world construct to which they refer. Furthermore, apart from these definitions, as data volume increases, the question of internal consistency within the data becomes paramount, regardless of fitness for use for any external purpose. Data quality can be defined as the degree of excellence exhibited by the data in relation to the actual scenario: the state of completeness, validity, consistency, timeliness and accuracy that makes data appropriate for a specific use. The features and characteristics of data bear on their ability to satisfy a given purpose, and data quality also covers the processes and technologies involved in ensuring the conformance of data values to business requirements and acceptance criteria.
6.4. An automated electronic system needs backup security, password security and power backup security for smooth operation, maintenance and protection, and to keep the software and database away from threat, theft, damage or loss. Hot security (online security system) and cold security (manual security system) should both be managed attentively. Data security should protect against the unauthorized use, disclosure, access, destruction, modification and loss of data. According to the information provided by the client, backups are taken at the end of the day without any online backup. Passwords are given to the concerned authority only for operating the modules, in order to maintain password security. Both confidential handling of passwords and regular monitoring of passwords are very necessary. User and password security has been maintained properly. The power problem needs to be addressed.
6.5. There should be an approved strategic IT plan for the organization based on business needs. The approved IT plan is to be executed by the IT section with well defined roles and responsibilities. A reporting system to the top management and the concerned ministry is to be developed and managed accordingly. There is no strategic IT plan to operate the software, database management, human resource development and IT resource management, and the roles and responsibilities and the reporting system to top management and the concerned Ministry are also not well defined.
6.6. The privacy rights of individuals regarding the collection, maintenance and use of data depend on the quality of the information: its completeness, accuracy, relevance and timeliness. When information is shared outside the component that originally collected it, there is increased potential for misunderstanding its relevance and context, introducing inaccuracies, and allowing it to become outdated. Furthermore, the quality of the new information product obtained by combining data on an individual from multiple components is dependent on that of its sources, with any shortcomings potentially multiplied and magnified by the act of combination. We assume that the data consisting of the results of queries will reside not in the hub but in the databases of the users, who would bear the responsibility for quality assurance.
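As an added example (not part of the original article, and not the IDEA software the authors use), the following Python routine applies the five data-quality dimensions of section 6.3 and the "mathematical errors" check of the IT Audit Methodology section to a constructed batch of voucher records; the field names, voucher number format and fiscal period are assumptions chosen for illustration.

```python
# Added example: a small computer-assisted audit routine (not from the OAG/N
# article or the IDEA product) that tests voucher records against the
# data-quality dimensions of section 6.3. Field names, the voucher format
# and the fiscal period are assumptions for illustration only.
from datetime import date
import re

FISCAL_START, FISCAL_END = date(2015, 7, 17), date(2016, 7, 15)  # assumed period
VOUCHER_RE = re.compile(r"^V-\d{4}$")                            # assumed format
REQUIRED = ("voucher", "date", "qty", "unit_price", "total")

# Constructed sample data; each defect is planted on purpose.
RECORDS = [
    {"voucher": "V-0001", "date": "2015-08-01", "qty": 10, "unit_price": 50.0, "total": 500.0},
    {"voucher": "V-0002", "date": "2015-08-02", "qty": 3, "unit_price": 20.0, "total": 66.0},  # arithmetic error
    {"voucher": "V-0002", "date": "2015-08-02", "qty": 3, "unit_price": 20.0, "total": 60.0},  # duplicate voucher
    {"voucher": "V-0004", "date": "2017-01-10", "qty": 1, "unit_price": 99.0, "total": 99.0},  # outside fiscal year
    {"voucher": "V0005", "date": "2015-09-10", "qty": 2, "unit_price": 10.0, "total": 20.0},   # invalid id format
    {"voucher": "V-0006", "date": "", "qty": 4, "unit_price": 5.0, "total": 20.0},             # missing date
]

def audit_records(records, start=FISCAL_START, end=FISCAL_END):
    """Return a list of (voucher, dimension, message) findings."""
    findings = []
    seen = set()
    for r in records:
        v = r.get("voucher", "")
        missing = [k for k in REQUIRED if r.get(k) in (None, "")]
        if missing:                                   # completeness
            findings.append((v, "completeness", "missing fields: " + ", ".join(missing)))
        if not VOUCHER_RE.match(v):                   # validity
            findings.append((v, "validity", "voucher number does not match expected format"))
        if v in seen:                                 # consistency (duplicate key)
            findings.append((v, "consistency", "duplicate voucher number"))
        seen.add(v)
        if r.get("date"):                             # timeliness (inside fiscal period)
            d = date.fromisoformat(r["date"])
            if not (start <= d <= end):
                findings.append((v, "timeliness", f"date {d} outside fiscal period"))
        expected = round(r["qty"] * r["unit_price"], 2)  # accuracy (recomputed total)
        if abs(expected - r["total"]) > 0.005:
            findings.append((v, "accuracy", f"stored total {r['total']} != computed {expected}"))
    return findings

def summarize(findings):
    """Count findings per data-quality dimension for the audit report."""
    counts = {}
    for _, dim, _ in findings:
        counts[dim] = counts.get(dim, 0) + 1
    return counts
```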
- e-Governance Master Plan, Government of Nepal
- Electronic Transactions Act, 2008 and Electronic Transactions Rules, 2009, Government of Nepal
- Information System Audit Guidelines, ASOSAI, September 2012
- IT Policy, 2010, Government of Nepal
- The Constitution of Nepal, 2015
(Writers: Maheshwar Kaphle and Netra Poudel) This article was taken from the Annual Publication of the Personnel Training Academy.