Research & Training Hub

Team leader

National Audit Office of Estonia
Mr Alvar Nõuakas

As audit institutions are increasingly expected to evaluate and audit the risks related to new technologies, it is becoming vital for every public-sector auditor to have basic IT knowledge – they must understand IT-related risks and use different IT tools for auditing.

Furthermore, in this dynamic environment, IT auditors are expected to be the experts who empower their institutions with a thorough understanding of IT security and operations. These developments are relevant for all audit types. For example, as financial auditing requires giving an assessment of the integrity and level of protection of financial assets stored today mainly in IT systems, specific IT expertise (e.g. application controls, IT security measures, IT-Grundschutz and ISO 27000 series) needs to be developed.

To enhance SAIs’ impact, the Moscow declaration encourages SAIs to nurture the auditors of the future who can employ data analytics, artificial intelligence tools, and advanced qualitative methods as well as enhance innovation and act as strategic players, knowledge exchangers, and producers of foresight.

The Research and Training Hub focuses on capacity building of SAIs in the field of IT auditing. It relies on the cooperation between ITWG experts for research and comparison of IT auditing tools and methodologies in different guidelines and practices.

Training programme "Introduction to Public Sector IT Audit"

The purpose of the training programme "Introduction to Public Sector IT Audit" is to increase the quality and impact of contemporary audits that frequently include IT components. Therefore, non-IT-auditors would benefit from basic knowledge about IT auditing provided in the training programme. The training programme consists of 7 modules in total.

An overview of modules

The first module IT Audit in a Supreme Audit Institution has five chapters. It starts with an overview of SAI audits with IT components, followed by addressing IT components in SAI audits, standards and frameworks relevant to the IT audit, planning of an audit with an IT component, and IT auditing methods.

The second module IT Systems, Software and Data has six chapters - it gives an overview of IT infrastructure, systems, software, and services. In addition, it introduces risks related to data quality, and outlines IT standardization and auditing aspects.

The third module IT Governance has five chapters - it gives an overview of IT governance and related issues, including management. Additionally, it covers IT governance premises and components, frameworks and standards, IT governance in the public sector, as well as auditing aspects of IT governance.

The fourth module Information Security, Protection of Personal Data, and Business Continuity has been developed by colleagues from Bundesrechnungshof (SAI Germany). The study material is available in English, and a German version is also available. It covers topics such as governance in information security management and information security risk management. The study module also gives an overview of operational information security management and business continuity management. Finally, it introduces the design of an information security audit by a supreme audit institution.

The fifth module Procurement and Outsourcing has five chapters. It gives an overview of the life cycle, processes and activities of IT procurement and outsourcing. It also introduces specific management and technical issues related to IT procurement and outsourcing, as well as the related legislation, standards and frameworks. Finally, auditing aspects of IT procurement and outsourcing are presented.

The sixth module IT Development has five chapters. It includes an overview of system and software development processes, life cycles and models, core processes of a representative life cycle model, standards and frameworks relevant from the IT development viewpoint and SAI audits involving components related to IT development.

The seventh module IT Operation and Application Management has five chapters. It opens with the main concepts of IT operation and application management and introduces standards and frameworks related to the topic. Processes related to IT operation and maintenance are also explained, and information security aspects, including proper IT administration and change management practices, are covered. Additionally, SAI audits involving components related to IT operation and application management are discussed.

A joint certificate will be issued for those who have passed all the modules and collected all badges of the course package "Introduction to Public Sector IT Audit". 

The EUROSAI ITWG Moodle is operated by the EUROSAI ITWG Secretariat / the National Audit Office of Estonia. To take the training programme, please go to https://training.eurosai-it.org and create your account.

Training programme "Auditing AI in the Public Sector"

Module 1: Introduction to AI and Its Implications in Government

Gives basic knowledge about AI, its real-life implications and its regulation in government. The student is expected to gain an understanding of what governments can do with AI to enhance public policies and services in their respective societies, and of where the risks associated with unlawful, unethical or inefficient AI use lie. We also discuss what the role of human oversight should look like.

Module 2: Security and Data in AI Systems

Describes the threat landscape of AI systems so that auditors can understand basic attack vectors and the different ways to mitigate them. Special emphasis is put on governing and protecting the data that AI systems use for learning and for operation. The module also looks at information security considerations important in AI systems and at how privacy-enhancing technologies (PETs) can make AI systems more secure. The last chapter looks at AI in cyber defence, currently a hot topic for governments worldwide.

Module 3: Auditing AI Systems: Frameworks and Methodologies

Covers the practical audit process itself, first introducing the AI-specific considerations in IT auditing and then delving into specific elements such as planning the audit of governance and management of AI systems, risk management, cyber security and, in even more specific detail, AI models and algorithms themselves.

Module 4: Future Trends and Continuous Learning

Equips public sector auditors with insights into emerging AI trends and elaborates, through practical examples and tips, on the importance of continuous learning to stay ahead in AI auditing.