
Audit of Cyber Security and Data Protection: SAI BRICS Seminar Outcomes


On 6 June 2024, the BRICS Supreme Audit Institutions held a seminar on the issues of information security in government agencies and audit methods in this area.

Mr. André Torres Breves Gonçalves, Auditor of the Division for Information Security Assessment of the Federal Court of Accounts of the Federative Republic of Brazil, explained the main stages and methods of auditing the preparedness of government agencies for phishing attacks. SAI Brazil checked whether government employees clicked on potentially malicious links, entered personal data on unfamiliar websites, and downloaded files from unreliable sources. SAI Brazil analysed 14,000 URLs from government agencies at various administrative levels. A matrix of information security risks was drawn up based on the analysis. Following the audits, the auditees submitted plans to improve their information security controls.


Mr. Chester September, Cybersecurity Subject Matter Expert at the Office of the Auditor General of South Africa, spoke about cybersecurity audit methodologies in South Africa. To conduct cybersecurity audits, SAI South Africa has designed a cyber maturity audit methodology. These audits include vulnerability assessments and penetration testing. Mr. September emphasised the importance of continuous collaboration between government agencies on cybersecurity issues.

The speaker from the National Audit Office of the PRC, Ms. Cui Zhu, outlined the key aspects of cybersecurity audits conducted by SAI China. For instance, when conducting cybersecurity threat prevention audits, SAI China focuses on network architecture security assessment, network access management, cybersecurity log management, and the prevention of unauthorised access and malware infiltration. It was noted that the consolidation of existing cybersecurity standards into a single document, together with the training of qualified personnel, is needed to improve information security auditing in China.

Mr. Denis Strizheusov, Deputy Director of the Financial Audit Department, presented the best practices of the Accounts Chamber of the Russian Federation. The report detailed the three main stages of information security audits of international organisations: review of the organisation's policies and internal regulations, assessment of operational effectiveness, and performance of technical security audit procedures. The role of the ISO 27001 and ISO 27002 standards in the information security of international organisations was highlighted, and an analysis of how these standards are applied in the audit was given. Mr. Andrey Shcheverov, Director of the Digital Transformation Department of the Accounts Chamber of the Russian Federation, also took part in the seminar.

Mr. Deepak Raghu, Director of the Department in the Office of the Comptroller and Auditor General of the Republic of India, gave a detailed presentation on the key stages of ensuring cyber security in India and the role of the SAI in this process. Government organisations in India are required to conduct internal cyber security audits themselves, but may also involve external experts. SAI India regularly assesses whether the information security systems of government organisations comply with legal requirements. Mr. Raghu noted that the government's cybersecurity requirements apply not only to government organisations, but also to large private companies in sectors such as telecommunications, healthcare and finance.

SAIs of the states that joined the BRICS grouping from January 2024 took part in the seminar as members of the audience.

The parties agreed to continue exchanging experience in cyber security audit and expressed the hope that such exchanges would remain a regular feature of the BRICS SAIs format.


Website of the Accounts Chamber of the Russian Federation International Activities