The Japanese Ministry of Economy, Trade and Industry (METI) published the System Audit Standard and the System Management Standard in 2004. Despite significant changes to the IT environment after that date, no updates to these materials were published. Needless to say, they had become quite outdated.
The System Management Standard is a complement to the System Audit Standard. Their relationship is similar to the one between ISACA’s audit standards and a combination of its IT Audit Framework (ITAF) and COBIT.
Updated Project Started
In December 2016, METI called the Japanese Society for System Audit (JSSA), the System Auditors Association of Japan (SAAJ), the ISACA Tokyo (Japan) Chapter and ITGI Japan to the preliminary phase of preparing to update the 2 standards. The objectives of this phase were to set policies for the update, establish the update system, determine the division of roles and carry out other necessary preliminary activities. For the policy-setting activity, many interviews with knowledgeable persons and related organizations (e.g., the Japanese Institute of Certified Public Accountants [JICPA] and the Institute of Internal Auditors—Japan [IIA-J]) were conducted.
METI launched the formal project in April 2017, the start of the new fiscal year. A main project team and 2 working groups (WGs) were established. One WG was assigned the writing of the System Audit Guideline, and the other WG was formed to write the System Management Standard. Many discussions and drafts went into updating these 2 standards. Draft materials were completed by the end of February 2018, and public comments were gathered through early March. Final revisions were completed by the end of March.1, 2, 3, 4
The following update policies were established:
- The project would undertake a complete renewal of the materials.
- The primary targeted users for the updated materials are small and medium-sized enterprises (SMEs).
- The updated content must be easy to use and contain all applicable material, as far as possible.
- No guide book should be necessary to use the revised standards.
Main Update Points
The following points were key areas updated:
- In the preamble of the System Audit Standard, the need for and the value of system audits were written in easy-to-understand language, especially for top management.
- IT governance-related descriptions were added. These descriptions are based on JIS Q 38500 (the Japanese version of International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC] 38500) and COBIT 5. The importance and value of IT governance are described in detail.
- A guideline for auditing of Agile development was added.
Structure of New Standards
The structure of the updated System Audit Standard consists of the standard itself, a description of the standard and a guideline for interpretation. The previous version included only the enumeration of the standards without any information of why each standard existed and how to understand it.
The structure of the updated System Management Standard consists of the management activity, its description and guidance on understanding the rationale behind it. As with the System Audit Standard, the previous version listed only the activities without any reference to “why” or “how.”
Utilization of COBIT Family and Other ISACA Materials
The updated System Audit Standard referenced ISACA’s IS Audit and Assurance Standards and ITAF.
The IT governance-related sections of the updated System Management Standard cited content from the COBIT 5 framework and COBIT 5: Enabling Processes (the Evaluate, Direct and Monitor [EDM] domain). The updated standard’s Planning and Acquisition sections also referenced COBIT 5 Enabling Processes, specifically the Align, Plan and Organize (APO) and Build, Acquire and Implement (BAI) domains.
Future plans include establishing a system and processes for continuously updating these materials. Special focus will be given to adding guidance on auditing cloud computing, Internet of Things (IoT), artificial intelligence (AI) and other emerging technologies.
Because 4 organizations (JSSA, SAAJ, ISACA Tokyo Chapter and ITGI Japan) were involved in the project, coordination processes were often challenging. The ISACA Tokyo Chapter and ITGI Japan share a knowledge base, but JSSA and SAAJ have different knowledge bases. Therefore, portions of the final materials reflect the products of compromise. Nevertheless, it is clear that the COBIT 5 family and other ISACA knowledge products have, yet again, proven very useful.
Masatoshi Kajimoto, CISA, CRISC
Is vice president of ITGI Japan. He was president of the ISACA Tokyo Chapter from 2003 to 2005.
1 The System Audit Standard and the System Management Standard were formally released by METI on 20 April 2018.
2 Ministry of Economy, Trade and Industry, News From METI, Japan, 2018
3 Ministry of Economy, Trade and Industry, New System Audit Standard, Japan, 2018
4 Ministry of Economy, Trade and Industry, New System Management Standard, Japan, 2018