[section separator="true"]
[section-item 9]
[row]
[column 12]
[toc-this]
Principles
Auditees’ data (e.g. database data, documents) must be collected and used at the ECA in compliance with the rules in force both at the auditee and at the ECA, particularly those concerning data security, handling of information and personal data protection.
We ask only for data we need and that we are allowed to ask for by our mandate.
Data must retain its integrity while it is being manipulated.
Instructions
Unless otherwise specified, the instructions concern database data, electronic as well as physical documents.
Before asking for data
The need for data from the auditee should be identified as soon as possible. The need is driven by the analysis that the audit team wants to perform. For instance, to perform a [link title="Monetary%20Unit%20Sampling" link="%2Faware%2FGAP%2FPages%2FCA-FA%2FPlanning%2FAudit-sampling.aspx%23Statistical-sampling" /]
the team only needs two "columns" for each item: an identifier and the monetary amount. For advanced analysis the team could need several tables that can be related through some fields. If the analysis absolutely requires personal data, it can imply a higher data classification level for the auditee and thus reinforced security procedures during collection and use and the team has to inform the Data Protection Officers of the ECA and of the auditee before collecting the personal data.
[toggles]
[toggle title="Data%20tokenization%20can%20minimize%20the%20risk%20of%20exposure%20of%20sensitive%20data"]
One technique to use sensitive or personal data with reduced risks is to
[link new-window title="tokenize" link="https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FTokenization_(data_security)" icon="external-link" /]
the data. This means replacing the sensitive or personal data with a value (a token) calculated from it, for example an encryption of the data. Tokenized data can be analysed in the same way as the original data because the same token always replaces the same data. For example, we could find several beneficiaries with the same address, without knowing what the address is. However, tokenization requires expertise and effort on the part of the auditee. There is a risk that they might refuse to do it.[/toggle]
[/toggles]
[link title="data%20request" link="%2Faware%2FDocuments%2FData-collection-tips.docx" icon="file-word-o" /]
. Being precise when requesting data will help to reduce the risks that data is complicated to use.
[toggles]
[toggle title="Assessing%20the%20reliability%20of%20data%20-%20key%20elements"]
Determine the extent of the assessment:
- What level of assurance is needed (is this material or supporting evidence)?
- Is it possible to corroborate the data with other sources?
- Has this data source been used before?
- Are there any audit reports concerning this IT system available from other auditors?
- What are the risks of using the data?
Collect information needed for the assessment:
- What level of assurance is needed (is this material or supporting evidence)?
- Is it possible to corroborate the data with other sources?
- Has this data source been used before?
- Are there any audit reports concerning this IT system available from other auditors?
- What are the risks of using the data?
If you need additional assurance, the following general IT controls at the auditee could be checked:
- Data management
- User management
- Change management
- Risk management
[/toggle]
[/toggles]
[link title="IT%20audit%20page%20of%20AWARE" link="%2Faware%2FGAP%2FPages%2FAuditing-IT-environment.aspx" /]
or ask the DQC IT audit team for support.
Actual collection
The team should agree with the auditee the transport method appropriate for the data classification and size and decide whether it needs to go to the auditee's premises to supervise the extraction or transport of the data.
The auditee should extract the data. The auditors should only exceptionally access the auditee applications and data, and then only after formal authorisation and under supervision.
The team should apply security measures (encryption, custody) during transport to the ECA to protect the data from disclosure:
- The most secure way to transport data to the ECA is by strongly-encrypted media under custody.
- Encrypted emails can be used to receive (or send) files in a secure way. We should avoid using non-encrypted e-mails.
- If the files are too big (>10mb), we should use the secure online file sharing but before uploading the files, use a tool to encrypt them. For example winZip with a strong password and communicate the password by other means (phone call, encrypted email or SMS). Download the auditees’ files immediately to Assyst. Never leave files on the secure online file sharing.
- If data will be sent by post/courier on a removable media (CD, memory stick), the team should agree an appropriate protocol, with the approval of the security officers of the ECA and the auditee. For sensitive data, this could involve encrypting the data with a single use key plus sending the key only when the media has reached the ECA.
Data or documents obtained from auditees cannot be shared with the national Supreme Audit Institution (SAI), unless the auditee itself decides to share it with them directly. Only SAIs coordinating the reply process for shared management audits have direct access to the data and documents provided by the member state authorities.
Data Reception
The team should agree with the auditee the security measures appropriate for the data classification. For data needing stronger security than “ECA-USE", consult the Information Security Officer.
The moment the database data is received by the team, a few checks called "Data Reception" must be done on each file:
- Opening the file and checking the overall format (Excel, readable text) and checking that the file contains the requested fields with adequate format (e.g. decimal points, date formats); and
- Checking data integrity to ensure that data did not lose integrity during extraction and defining checksums that will be used to verify data integrity throughout treatment. The minimum items to check are: the number of records and the total of the monetary columns. Checking the total of some other numerically coded columns (e.g. postcode, budget line, ID) can be used to detect changes to values in that column.
Use of data
While manipulating the database data remember to:
- keep track of the manipulations done to the data so that they can be checked or reproduced. ACL does this tracking automatically.
- keep checking the data integrity controls to detect any alteration to the data.
After use, make sure any auditee's data is still stored, archived and later disposed of safely. CDs and DVDs should be sent to the Information Security Officer for safe destruction.
Resources
[icons-list icon-size="2" separator="line" icon-vertical-alignment="middle" vertical-alignment="middle"]
[icon-list-item title="Tips%20how%20to%20specify%20database%20data%20you%20need" description="" link="%2Faware%2FDocuments%2FData-collection-tips.docx" icon="file-word-o" /]
[icon-list-item title="Confidentiality%20levels%20in%20different%20institutions" description="compares%20the%20levels%20in%20the%20ECA%2C%20the%20Council%20and%20the%20Commission." link="%2Faware%2FDocuments%2FConfidentiality-levels.docx" icon="file-word-o" /]
[/icons-list]
[/toc-this]
[/column]
[/row]
[/section-item]
[section-item 3]
[row]
[column 12]
[panel panel-style="boxed" title="Related%20documents" icon="book" class="ref-panel"]
[standards]
[link new-window title="GUID%205100%2F6.4-5" link="https%3a%2f%2fwww.issai.org%2fwp-content%2fuploads%2f2019%2f09%2fGUID-5100-Guidance-on-Audit-of-Information-Systems.pdf%23page%3D12" /]
[/standards]
[/panel]
[/column]
[/row]
[row]
[column 12][/column]
[/row]
[row]
[column 12]
[toc fixed="true" selectors="h2%2Ch3" class="basic-toc" /]
[/column]
[/row]
[/section-item]
[/section]
