INTOSAI Development Initiative

Supporting effective, accountable and inclusive Supreme Audit Institutions

WGITA-IDI Handbook on IT Audit for Supreme Audit Institutions (v. 2022)


The audit of information technology systems, controls, and processes, also referred to as an IT audit, has become one of the central themes of audits being conducted by Supreme Audit Institutions (SAIs) across the world. This is a natural response to the critical reliance on IT systems to support government and public sector organisations. The IT systems being used should protect the organisation’s data and assets as well as support mission, financial, and other specific goals.

While the increasing use of IT has led to improved business efficiency and more effective service delivery, it has also brought with it risks and vulnerabilities associated with, for example, the digitalisation of services and the increased connectivity to other internal and external systems and networks. The role of IT audit in providing assurance that appropriate processes are in place to manage the relevant IT risks and vulnerabilities is essential if the SAI is to report meaningfully on the efficiency and effectiveness of government and public sector operations.

In 2014, the International Organization of Supreme Audit Institutions (INTOSAI) Working Group on IT Audit (WGITA) and the INTOSAI Development Initiative (IDI) jointly produced the first Handbook on IT Audit with the goal of providing SAI auditors with standards and universally recognised good practices on IT audit. This 2022 version of the handbook provides an update to the explanations of the major areas that IT auditors may be required to look into while conducting IT audits.

The WGITA/IDI handbook follows the general auditing principles laid down under the International Standards for Supreme Audit Institutions (ISSAI). The handbook also draws on internationally recognised IT frameworks, including ISACA’s COBIT framework, International Standards Organisation (ISO) standards, and the IT guides and manuals of some of the SAIs, in an attempt to provide users with the essential information and key questions needed for the effective planning and performance of IT audits.

The project to update this handbook was led by the chair of WGITA, SAI India, together with the SAI of the United States of America and the IDI. WGITA and the IDI wish to thank the individual members of the team who worked relentlessly in developing this guidance. IT auditors from the SAIs of Australia, Brazil, Fiji, India, Kuwait, Philippines, Tanzania, and the United States of America have contributed valuably by providing IT audit report examples. Many thanks also go to the SAIs that provided their valuable feedback and comments on the handbook.

IDI and WGITA will conduct a light-touch review of this handbook on a biennial basis. If there are substantial changes to be made, IDI-WGITA may decide to work on a revised version of the handbook. Such decisions will be taken on the basis of the biennial review.