Revised Draft INTOSAI GUID 5101 – Guidance on Audit of Information security

Summary

Dear colleagues,

As you are already aware, the purpose of this project is to supplement GUID 5100 (Audit of Information systems) by providing additional guidance on the audit of Information security, in compliance with the Fundamental Principles of Public Sector Auditing (ISSAI 100) as well as with the Compliance Audit Principles (ISSAI 400).

The project will support auditors in understanding how to apply the relevant ISSAIs for the subject matter of security of information systems during the planning, conducting, reporting and follow-up stages of the audit process.

The original draft GUID (Document A) was exposed for comments earlier this year with a deadline of 3 June 2024. Whilst several comments were received by this date (Document B), it seems that due to a technical error, not all SAIs received the invitation to comment. So as not to disadvantage anyone and to fully respect due process, the Working Group has decided to extend the exposure period by a further 30 days until 12 August 2024.

After the first exposure, the colleagues from the working group, thinking the exposure process had been successfully completed, integrated the comments received and passed the draft GUID to the Forum for INTOSAI Professional Pronouncements (FIPP) for its consideration (Document D). Noting that the exposure process had not been fully respected, the FIPP did not yet approve this integrated version.

So as not to discard the work already carried out, it has been agreed that for the extended exposure period the Working Group will seek comments on this new integrated version only, i.e., the original exposure draft incorporating the comments received.

We thus ask you to consider the explanatory memorandum (Document C) and provide your comments on Document D by 12 August 2024.