SIGNIFICANCE OF INTRODUCING IS AUDITING INTO THE GOVERNMENT AUDIT SYSTEM IN TURKMENISTAN
SIGNIFICANCE OF INTRODUCING IS AUDITING INTO THE GOVERNMENT AUDIT SYSTEM IN TURKMENISTAN
Auditor, Ministry of Finance and Economy,
The paper deals with the issues related to the implementation of Information system auditing (IS auditing) within the framework of Government auditing which has not previously been the object of scientific research in Turkmenistan. The article also focuses on studying legal mandates, competencies as well as human capital of Government audit organization to conduct IS auditing. When stressing the importance of IS auditing, the author refers to the requirements of relevant international standards and experiences of developed countries in respective field.
Keywords: government audit, audit of information systems, digital economy.
Today, the worldwide transformations associated with the digital system contribute to the integration of Turkmenistan into this global phenomenon as well. The first important step in this direction is the adoption of the Program of the President of Turkmenistan on Socio-Economic Development for 2019-2025, as well as the Concept for the Development of the Digital Economy in Turkmenistan for 2019-2025, approved in November 2018. As well, along with the development of digital economy in Turkmenistan, issues regarding widespread use of communication technologies, including the provision of transparency for citizen-to-government (G2C) relations in socio-economic sector of the country are gaining utmost importance. Digitalization of public services in the social sphere and the health care system will ensure the availability, efficiency and inclusiveness of these services providing transparent and timely response of a government to meet the needs of the population for services.
On the other hand, the improvement of the digital system, along with the positive impact on the economy, identifies issues such as protection of personal data, integrity and accuracy of information as well as cybersecurity of IS systems which have to be properly addressed. These questions are general issues of a digital system. In addition to them, you can find risks and difficulties inherent in each major. For instance, the digitalization of public and corporate governance facilitates accelerated transition of works and services carried out at enterprises, including financial and accounting reports to digital automated systems and integration of organizations and enterprises to the global Internet space in order to maintain online relations with each other. (B2B, G2B) or with customers (B2C, G2C). As a result of the automation of work processes at enterprises, it is believed that some difficulties may arise when government audit organizations conduct audit using traditional methods.
In this context, solving issues related to information technology that may arise in the functioning of the government audit system, along with the development of the digital economy, is one of the important tasks facing government audit organizations. In particular, at the second stage of the implementation of the Concept for the Development of the Digital Economy in Turkmenistan for 2019-2025, that is, as a result of the widespread introduction of modern information and communication technologies in the public and corporate governance of the country, the necessity for establishing information system auditing function aimed to assure the adequacy and compliance of IT governance with respect to accounting and financial reporting is emerging. For the sake of achieving this task, in accordance with the rich experiences of some developed countries, an approach is applied to establish an Information system auditing function at relevant government audit organizations. In accordance with “GUID 5100 Information Technology Audit Guidelines for Supreme Audit Institutions” adopted by IT audit working group of the International Organization of Supreme Audit Institutions (INTOSAI), information systems audit is defined as an audit conducted to evaluate the existing control measure aimed at protection, integrity, confidentiality and the reliability of digital data of organizations and enterprises, as well as to eliminate the risks associated with the information system. Under this guidance, mandate of Supreme Audit institutions to conduct Information system auditing derives from the authority granted to Supreme Audit Institutions to conduct financial, compliance and performance audits in the Lima Declaration ISSAI-1, adopted in 1977 by the International Organization of Supreme Audit Institutions (INTOSAI). For example, the manual states that if the Supreme audit institution conducts a tax audit, then it is also allowed to audit the information system of the automated portion of this process.
In addition, Information system auditing is widely reflected in other international standards, especially with the development of digital government in the modern world. For example, the International Organization for Standardization (ISO), together with the International Electrotechnical Commission (IEC), adopted the ISO/IEC 27007 standard “Information Security, Cybersecurity and Information Data Protection - Information Security Management System Audit Guidelines” in 2020.
According to the International Standard on Auditing 315 (ISA 315), developed by the International Federation of Accountants (IFAC), in order to conduct financial auditing in an enterprise, the auditor must have an understanding of information systems and control mechanisms. However, as a result of today's dependence on information systems in the implementation of financial and economic activities of enterprises and the complexity of the information infrastructure, the auditor may feel in his work the need for an expert opinion on a given topic. In such cases, the International Standards on Auditing (ISA) provides for the audit of an enterprise information system by three different parties. Firstly, if the information infrastructure of the enterprise is simple and, as a result, there is no need for the conclusion of a specialized IT specialist, the financial auditor can himself draw a conclusion about the compliance of the information system. Secondly, if the financial auditor does not have sufficient technical ability to audit complex information systems at the enterprise, the ISA 220 standard also notes the possibility of including an information systems auditor in the audit team in order to audit the computerized financial statements of the enterprise as part of financial auditing. Third, in accordance with ISA 620, the work of the financial auditor can be assisted by an independent IT professional who is not involved in the audit team and is appointed from outside. IT professionals are not financial auditors, but they act on the instructions of the financial auditor and submit the results of IT assurance test to the auditor. As part of a financial audit, the auditor himself decides to involve one of the above parties in the audit of information systems or to conduct it independently in accordance with the structure of the information infrastructure, as well as according to a predetermined program.
Currently, the creation of an audit of information systems in our country depends mainly on two factors, namely, on improving the regulatory framework for Information system auditing, as well as on the training of auditors competent in the field of information technology. Improving the regulatory framework may include empowering public auditors in this area and adopting national standards for this type of audit, based on the aforementioned international standards. Also in the world, a number of international organizations specialize in training, consulting and certification of specialists in this area. For example, the Information Systems Audit and Control Association (ISACA) grants auditors who are involved in this area and have 3-5 years of work experience based on the results of exams, internationally recognized certificates “Certified Information Systems Auditor”. In the context of the Fourth Industrial Revolution (Industry 4.0), which means the formation of modern information systems and automation of production, auditors of Government audit organizations have to be able to extract, clean and analyze a large amount of data (Big data) at enterprises and institutions, and as a result, clearly visualize them in their reports. From this point of view, auditors should also be proficient in using computer assisted audit tools (CAATs) for conducting data analytics. Data analytics within the framework of an audit serve as an important process for understanding the activities of the audited organizations and for assessing the risks associated with it. Information and analytical work, for example, provides an analysis of electronic accounting reports, large-scale financial and economic activities and the validity of offenses in them on accurate evidence (ISA 315).
As noted in the third phase of the Concept for the Development of the Digital Economy in Turkmenistan for 2019-2025 adopted in our country, it is planned to introduce artificial intelligence technologies in various sectors of the economy by 2024-2025. In this regard, the role of government audit in ensuring the proper implementation of technologies based on artificial intelligence, information security and confidentiality is important. In some developed countries of the world, significant work is being done in this direction. An example of this is “Auditing Artificial Intelligence Algorithms: Guide for Government Auditors”, jointly prepared by SAIs of Norway, Germany, Finland and the Netherlands. This guide mainly talks about auditing the integrity and neutrality of information used to develop artificial intelligence algorithms introduced for digital government services (International Journal of Government Auditing, No. 1, 2021).
Given the rapid transition to the digital economy in the country and in order to keep pace with the requirements of this process, it is important to study the trends of the above tasks in world practice and consider the possibility of their implementation in our country.
- Concept for the Development of the Digital Economy in Turkmenistan for 2019-2025, (2018)
- ISSAI-1 “The Lima Declaration” (INTOSAI, 1977)
- GUID 5100 – “Guidance on Audit of Information Systems” (INTOSAI, 2019)
- International Journal of Government Auditing, No. 1, 2021
- ISO/IEC 27007 standard on “Information Security, Cybersecurity and Information Data Protection - Information Security Management System Audit Guidelines” (2020)