As the impact of the rapid spread of information systems (IS) implementation grows in Korea, the importance of the IS audit has gradually increased as one of the methods used to enhance the quality of information systems. Korea first developed its Information Systems Audit (ISA) framework in the 1980s, introducing it so that national-level IS implementation projects could be executed successfully. Since then, studies on audit methods have been conducted continuously in Korea, primarily through the National Computerization Agency (NCA), now renamed the National Information Society Agency (NIA). Recently, compulsory legislation requiring public organizations to follow the ISA framework has been established.
Like many other IS process frameworks, such as Control Objectives for Information and related Technology (COBIT), Capability Maturity Model Integration (CMMI), ISO 15504 (SPICE, Software Process Improvement and Capability dEtermination), the Project Management Body of Knowledge Guide (PMBOK) and the IT Infrastructure Library (ITIL), the ISA framework was developed for its own domain and purpose. The ISA framework is optimized for software development projects, and it may be regarded as a method for assessing and supervising the rationality, validity, reliability, safety and efficiency of all stages of planning, development and operation, from a technological point of view, for the purpose of maximizing project outcomes.
The ISA framework sets a target scope for the audit of software development projects that focuses on inspecting and improving IS problems. Under the ISA framework, an emphasis is placed on the establishment of objectivity within the IS audit program from a third-party perspective. For these reasons, the desired outcomes for an organization, including carrying out management-oriented activities using IT governance, intraorganizational evaluation and process improvement, are not always achieved.
This article is intended to contribute to the understanding by auditors worldwide of Korea’s ISA framework, by presenting the audit history of Korea, the ISA framework and the recent status of IS audit responsibility legislation in Korea.
History of the ISA Framework
The ISA framework’s development began in Korea in the 1980s, slightly after development of similar frameworks began in the US, when the Board of Audit and Inspection of Korea began to arrange and operate a technical audit team for information systems to develop efficiency in executing national budgets. In 1986, as the necessity of conducting audits for national IS implementation projects was recognized, the NCA was legally obliged to audit the Administration Computerization Network Project according to the Act for the Distribution and Expansion of the Computerization Network and the Promotion of Its Use. That was the first step in using an IS audit, and it was conducted by the professional ISA firm, the organization that serves as the external information audit service. From that point on, the NCA systematized an IS audit to meet the Korean environment, while continuing in its obligation toward auditing information systems.
The efforts that contributed to the development of the ISA framework can be classified into four periods: the hastening period (1987-1991), the base constructing period (1992-1994), the jumping period (1995-1997) and the vitalization period (1998-present).
During the hastening period, audits were conducted across the Administration Computerization Network to accelerate the implementation process of the ISA framework throughout the Korean public sector. In the beginning stages, NCA attempted to adopt, introduce and apply the IS audit models of advanced countries and acquire relevant know-how. However, the results were not satisfactory. The results dealt only with aspects relating to project management, which were applied to the formal and basic levels, and lacked in terms of quality orientation. Therefore, the need to establish a localized ISA framework that suited the Korean situation was recognized. This became the goal/object of the Administration Computerization Network, and an adequate audit system was prepared by NCA.
As a result, the objectives of the ISA framework were expanded from the national backbone computerization network to other public sectors during the base constructing period, and the center of gravity moved from accounting auditing to technology auditing. As information systems came to be recognized as social overhead capital, understanding of the need for audits increased. With the progress of IS implementation throughout society, criminal abuse and leaking of information also grew. This created the need to combat the reverse function of IS implementation from the point of view of possible breaches of national security and personal information, and the scope of the audit was expanded accordingly. From then on, in addition to improving efficiency and efficacy, security was added as an important goal of the ISA framework.
Demand for audits began to rapidly increase during the jumping period. Transferring the auditing functions to the private sector was considered, and nurturing auditors and auditor qualification systems began to sprout private audit firms. During this time, the Broadband Information Communication Construction Project began. This project was intended to transport large amounts of voice, data and multimedia information at super-high speeds. Furthermore, the trend of system integration and the sharing of information through networks became increasingly evident in the process of the computerization of administrative work across departments. The trend emerged as one in which a great deal of trust was placed in system integration companies—these companies were fully equipped with project management experience and system integration technologies. As demand for audits began to exceed the capacity of the NCA, it was necessary to transfer audit work to the private sector.
The vitalization period began when the policy of transferring audit work to private sectors started and audit firms were established. Large-scale IS construction projects, such as the Incheon International Airport Information Systems Construction project, began and the audit market was vitalized. As private sector auditors began to conduct audits, the NCA became more capable of processing deeper research into, and operations on, auditing systems. In 2005, the Act on the Efficient Establishment and Operation of Information Systems was enacted and public organizations’ auditing obligations for information systems began to be regulated.
Korean ISA Framework
For Korea, its ISA framework defines the type of content to be checked by each project and from what viewpoint. Its purpose is to detect problems and points of improvement for IS implementation projects from an auditing perspective (see figure 1). The ISA framework was developed based on IS implementation project types (see figure 2).
The conceptual model is used to execute audits to construct a check-up system based on project types and was designed with possible expandability and enhancing systematic safety in mind, to be flexibly applied to changes such as the emergence of new project types (see figure 1). Based on the conceptual model, the ISA Check-up Framework (see figure 2) and the Basic Checklist Table and Guidelines for each audit domain were inferred (see figure 3) as construction elements of a project type-based inspection framework.
The ISA framework construction includes the three major components (project type/audit phase, audit domain and audit perspective/check-up standards):
- Project type/audit phase—The project type can be classified as enterprise architecture construction, information strategy planning, system development and database construction (as practice), and system operation and system maintenance (as controls). These categories are based on the life cycle of the IS implementation project in question. The audit phase proposes the adequate timing required for regular audits by referring to the methodologies used in audit cases previously performed. In the case of system development projects, the audit phases are classified according to the methodology models commonly used for recent IS implementation projects, specifically the structured/information engineering development model and the object-oriented, component-based development model.
- Audit domain—Enables consistent audits to be conducted by classifying the target objects of standardized units (areas) of audits into audit domains based on project type/audit phase. In the case of system operation, the service areas of ITIL and British Standard (BS) 15000 were considered as references.
- Audit perspective/check-up standards—In conducting an audit, a lack of consistency may result. This is due to different interpretations of auditor views based on their experiences, techniques and know-how, even for the same check-up matters. Since this is an important factor that influences the quality of an audit, this concept was introduced to increase audit consistency. With this concept in mind, an auditor views the target project from the viewpoint of the methodology and the procedure relevant for the target project, the product produced as a result, the performance of the original project goal and any effects anticipated:
- Procedures are composed of the criteria required to check if the methodologies and guidelines for both the plan and project execution of IS-implementation-related projects have been established appropriately and if the execution organization adequately observes all those relevant issues.
- Product—the produced result through an established procedure—refers to the information system itself and includes documents, application programs and data, as well as information services provided through the information system. Product inspection criteria are constructed by considering the characteristics of each outcome.
- Performance is constructed using criteria to check whether the original goal of the project can actually be achieved and to inspect whether the project fits that goal.
IS audit standards provide audit execution procedures, IS audit basic checklist tables and other forms (audit plans, audit reports) necessary for the efficient execution of any auditing work. Korea established the Information Systems Audit standard and the Act on the Efficient Establishment and Operation of Information Systems. Under this standard, audit firms or organizations conducting audits must check whether or not the concerned information systems are being developed adequately and appropriately and constructed accordingly. The resulting Korean Audit Execution Procedure is composed of seven stages, beginning with an audit agreement and concluding with checking action details according to the audit results (see figure 4).
The ISA framework’s basic checklist table includes the essential checklists inferred according to the ISA framework. It provides an outline of the audits and all the necessary inspection items for each audit domain, classified according to each audit phase. The practical core of the ISA framework is the ISA standard itself. The ISA standard provides a basic auditing checklist table to illustrate that the ISA framework comprehensively accounts for all the viewpoints from higher levels (taking account of the entire project) and from lower levels, viewing the inner elements of the project on a one-by-one basis. The Manual of ISA Standards has been prepared to help the auditor understand the needs of the basic check-up list. General and detailed IS audit guidelines help explain the essential checklist items suggested in the ISA framework’s basic checklist tables, by classifying them into inspection items and inspection target products, respectively.
ISA Legislation Status
The Needs of Obligatory ISA Systems
Since 1995, the Korean government has worked to strengthen its investment and efforts in IS implementation, while also launching a variety of IS implementation projects to construct a super-high-speed information communication infrastructure. Since 2000, the size of the investment in IS implementation has exceeded 1 percent of the government’s total national finance budget. As its financial commitment grows, it is important for the government to secure the efficacy of its IS implementation investment. Furthermore, as issues such as project results or the impact of reverse functions increasingly influence the general lifestyle of the community, given increasing dependence on IT, the significance of any efforts to resolve the problems posed by technology will grow. Additionally, the need for strong management and supervisory functions is widely understood to enable the performance of the information systems, according to their original purposes. This understanding has ensured that invested money has not been wasted and has helped secure the nation’s competitive power.
The recent e-government project is a case in point. Greatly affecting issues of the life and assets of the citizens, it is one of the most important elements of infrastructure in the daily lives of the public, providing, for example, convenience in life, civil services, medical services, financial services, and fire prevention and control services.
Until recently, the auditing of information systems in the public sector was advisory only, decided upon by the organizations themselves, irrespective of the importance or impact of the information systems concerned. Therefore, an effort was made to make audits for IS development projects at public sector organizations an obligatory matter rather than an advisory one.
Details of the Legislation Progress
The legislation related to ISA emerged, along with the process of IS auditing, after the establishment of the NCA. It followed the passing of the Act for the Distribution and Expansion of the Computerization Network and the Promotion of Its Use in 1986. The NCA endeavored to develop audit guidelines and complete a scheme for a systematized audit framework. Accordingly, the National Computerization Network Project Audit Standards II, in which settlement criteria of administrative computerization network development costs were presented, and the Computerization Audit Standards, suggested as a comprehensive ISA framework to distribute the ISA to the private sector, were established. In 1999, the Framework Act on IS Implementation Promotion, legislated in 1995, was revised, and the ISA standard was established accordingly. The advisory regulations for organizations in the public sector were included in the previously mentioned Framework Act. An effort to nurture the transfer of IS auditing to private sector organizations was developed under the ISA qualification system. In 2005, the Act on the Efficient Establishment and Operation of Information Systems was legislated. In the following year, its enforcement decree and enforcement ordinance were enacted. Through these initiatives, IS audits of public organizations became an obligatory matter. Figure 5 illustrates the history of IS auditing legislation in Korea.
The Major Content of the Legislation
Content related to IS auditing is contained in the Act on the Efficient Establishment and Operation of Information Systems (Act No. 7816), the Enforcement Decree (Presidential Decree No. 19598), Enforcement Ordinance (Ministry of Information and Communication Ordinance No. 198) and Notification (Ministry of Information and Communication Notification No. 2006-42).
The major content of the legislation (acts, enforcement decrees and enforcement ordinances) comprises three distinct groups. First, the obligation for an IS audit is regulated such that the head of a public organization must conduct an audit to enhance the quality of information systems and to secure safety, reliability and efficiency in the organization’s network. Second, the qualifications of audit firms and auditors are regulated to prevent unreliable audits and to enable the clear assessment of the responsibilities assumed for poor-quality audits. This is an important step as the demand for quality audits continues to increase. Third, the efficacy of the registration system for auditing firms has been secured, enabling the prevention of any activities that may lead to unreliable audit results. The Notices on Information Systems Audit Standards and on the Qualifications and Education of Information Systems Auditors both apply to IS auditing firms. As previously explained, the ISA standard deals with the audit execution procedure, the IS auditing basic checklist and the other forms needed to perform audits efficiently. The Notice on Qualifications and Education of IS Auditors pertains to the qualification criteria required for auditors, career acknowledgment criteria, registration procedures and methods, completion and exemption of education criteria, details of special measures required for the prevention of the deprivation of property rights, and the protection of the rights of existing workers. These were formed in response to the expanded conditions imposed on qualifications. Figure 6 summarizes the major content of the legislation.
The ISA framework in Korea was generated and developed along with the progress of national IS implementation. The ultimate goal of the auditing regime is to secure the effectiveness (efficiency and efficacy) and safety of information systems, and to optimize the systems of IS implementation projects.
The Korean ISA framework, which is optimized for software development projects, has been constructed to inspect processes and products, and deals with the content within a narrower scope in comparison with other auditing frameworks. However, there is a need for further development in terms of referencing other auditing frameworks and best practices.
After the legislation of obligatory audits for public organizations, institutional and technological efforts are required to prevent unreliable audits, accompanied by research on other audit frameworks to further develop the ISA framework.
is a senior researcher at the NIA in Korea. He is a professional engineer of information communication and a professional IS auditor.
Changmin Lee is a senior researcher at NIA. He is an IS auditor and is responsible for educating IS auditors.
is a senior researcher at NIA. He has consulted extensively in both the private and public sectors on the design and implementation of information systems. He has worked as a senior consultant on the Information Technology and Policy Assistance Program, which imports ICT development at the government level.
is a principal researcher at NIA. He played a major role in developing ISA-related law, standards and guidelines.
is a senior researcher at NIA. She is responsible for improvement of the ISA framework and for the empirical study on the effectiveness of IS auditing. She is also a professional engineer of information communication and a professional IS auditor.
is an IT audit team leader at NIA. He played a major role in drawing up the legislation that requires obligatory audits for public-sector organizations.
is an information security consultant and an IS auditor. She is a vice president of the ISACA Korea Chapter.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.