The Strategic Importance of IT for SAIs

The Strategic Importance of IT for SAIs Vilnius, June 16th, 2005 Paul Mantelaers

Transcript of The Strategic Importance of IT for SAIs

Page 1: The Strategic Importance of IT for SAIs

The Strategic Importance of IT for SAIs

Vilnius, June 16th, 2005

Paul Mantelaers

Page 2: The Strategic Importance of IT for SAIs

June 16th, 2005 - Strategic Importance of IT for SAI's - 2

Agenda

• 1 Short introduction:

–1.a Background of the seminar

–1.b The IT Self Assessment project

• 2 Strategic importance of IT for SAIs

• 3 Seminar programme

Page 3: The Strategic Importance of IT for SAIs

Agenda

• 1 Short introduction:

–1.a Background of the seminar

Page 4: The Strategic Importance of IT for SAIs

1.a Background of the seminar

[Timeline diagram; labels: IT WG; Moscow, May 2002; launched; The Hague, Oct. 2002; 1st meeting; IT training; IT Self Assessment; Training Committee; Bern, March 2004, 2nd meeting; Seminars ‘SAIs in control of IT’; Lisbon, Oct. 2004; Vilnius, June 2005; Copenhagen, Nov. 2003; 8th meeting; Training Strategy; IT seminar Portugal, 2004; Rome, Oct. 2003]

Page 5: The Strategic Importance of IT for SAIs

Agenda

• 1 Short introduction:

–1.a Background of the seminar

–1.b The IT Self Assessment project

– The initiation

– The activities

– The product

Page 6: The Strategic Importance of IT for SAIs

1.b The IT Self Assessment Project

Initiation (The Hague, Oct. 2002):

• Objective:

– develop a self assessment tool for all SAIs;

– CobiT-based.

• Enable us to measure the maturity of IT control in our own offices; action list.

• Pilot countries.

• Project organisation (6 countries, diversity).

Page 7: The Strategic Importance of IT for SAIs

1.b The IT Self Assessment Project

Why a self assessment?

• It allows « proximity ». Evaluation is carried out by the people:

– who know the subject

– who are interested in solving the problems

• It is confidential. The organization is in control of the results and their distribution.

• External moderation encourages the people to speak freely.

Page 8: The Strategic Importance of IT for SAIs

1.b The IT Self Assessment Project

Why Control Objectives for Information and related Technology?

CobiT is a well accepted standard

CobiT can be downloaded free from www.isaca.org

CobiT is also available in French, German and Spanish

but our group wanted to be sure that CobiT is the best choice ...

Page 9: The Strategic Importance of IT for SAIs

1.b The IT Self Assessment Project

Activities (Jan. 2003 – Aug. 2003)

• Various papers (concepts, requirements, etc.)

• Studies of other tools:

– ISO 9001

– European Foundation for Quality Management (EFQM) Excellence Model

– ITIL / Process Maturity Self-Assessment & Action Plan

– CMM Capability Maturity Model

– Common Assessment Framework (CAF): result of the cooperation among EU Ministers responsible for Public Administration

Page 10: The Strategic Importance of IT for SAIs

1.b The IT Self Assessment Project

Contact with specialists:

– Philips (The Netherlands),

– Swisslife (Switzerland),

– Prof. W. van Grembergen (University of Antwerp)

Keep it simple!

E-mail; two meetings

Version 1 (August 2003); pilots: October 2003 – November 2003

Version 2 (February 2004); pilot: March 2004

ITWG (Bern)

Page 11: The Strategic Importance of IT for SAIs

1.b The IT Self Assessment Project

The product (Bern, March 2004):

• A tested CobiT-based methodology for IT Self Assessment, in terms of:

– A way of working: steps

– A way of modelling: graphs/tables

– A way of supporting: spreadsheets

– A way of presenting: slide-show

– A way of preparing: instructions

• Ready to be used by (and to be improved based on experiences of) IT WG members and other SAIs

Page 12: The Strategic Importance of IT for SAIs

1.b The IT Self Assessment Project

Key: alignment between business and IT

Two dimensions of the analysis:

• Business processes (users)

– Most important processes in achieving goals; IT-support?

• IT-processes (IT-staff)

– Most important? Maturity levels

[Diagram: Business process 1 … Business process N; IT-1 … IT-M]

Communicate!

Page 13: The Strategic Importance of IT for SAIs

Agenda

• 1 Short introduction:

–1.a Background of the seminar

–1.b The IT Self Assessment project

• 2 Strategic importance of IT for SAIs

Page 14: The Strategic Importance of IT for SAIs

2 Strategic Importance of IT

Page 15: The Strategic Importance of IT for SAIs

2 Strategic Importance of IT

Page 16: The Strategic Importance of IT for SAIs

2 Strategic Importance of IT for SAIs

• Group discussion

• Two questions:

–1: Why is(n’t) IT important for SAIs?

–2: If yes: what does that mean?

• Time

• Group formation

Page 17: The Strategic Importance of IT for SAIs

Plenary discussion

• Topic 1: Why is(n’t) IT important for SAIs?

Page 18: The Strategic Importance of IT for SAIs

Why is(n’t) IT important for SAIs?

[Diagram; labels: Auditee: Central Government +; Auditor (SAI); Decision makers; IT; markers 1 and 2]

Page 19: The Strategic Importance of IT for SAIs

Why is(n’t) IT important for SAIs?

1. SAI:

• Mission, objectives

• Primary processes:

– Audit process

– Knowledge exchange

• Secondary processes:

– Personnel

– Finance

– IT

[Diagram; labels: Audit proposal, Audit programme, Policy framework, Presentation, publication, Publication text, Clearance procedure, Draft report, reporting, Report design, Four-way consultation, implementation, preparation, planning, selection, Report of findings]

Page 20: The Strategic Importance of IT for SAIs

Why is(n’t) IT important for SAIs?

1. SAI:

[Matrix diagram: information intensity of the product (Low / High) against information intensity of the process (Low / High); entries: Cement industry, Oil refinery, SAI, Banking]

Page 21: The Strategic Importance of IT for SAIs

Benefits of IT….. and risks

• Increased productivity

• Improved quality of products (user satisfaction)

• Improved decision-making ability

• Enhanced communication (internal and external)

• Enhanced goodwill of employees

• Risks: huge investments, expectations vs. reality, vulnerability, system shutdowns, poor integration, managing service providers, not enough training….

Page 22: The Strategic Importance of IT for SAIs

Why is(n’t) IT important for SAIs?

[Diagram; labels: Auditee: Central Government +; Auditor (SAI); Decision makers; IT; markers 1 and 2]

Page 23: The Strategic Importance of IT for SAIs

Why is(n’t) IT important for SAIs?

2. AUDITEE:

G2G:

G2C:

Page 24: The Strategic Importance of IT for SAIs

Why is(n’t) IT important for SAIs?

2. AUDITEE:

• Has a very high information intensity (process and product)

• Any audit involves information (processing) and will increasingly involve IT(-auditing)

• Benefits of IT…. and risks

• IT-control maturity?

Page 25: The Strategic Importance of IT for SAIs

Why is(n’t) IT important for SAIs?

CONCLUSION:

IT is important for SAIs because:

– Their primary and secondary processes can benefit from the application of IT. IT contributes to organisational performance. Risks need to be managed.

– In their auditing work, SAIs will be increasingly faced with IT.

Page 26: The Strategic Importance of IT for SAIs

Plenary discussion

• Question 2: If IT is important for SAIs: what should that bring about?

Page 27: The Strategic Importance of IT for SAIs

If yes: what does that mean?

Point of departure:

[Diagram: IT, SAI, AUDITEE]

Page 28: The Strategic Importance of IT for SAIs

If yes: what does that mean?

• SAIs should organize their:

–IS-function

• IS-function: the totality of activities (and accompanying resources) that needs to be performed to provide for IS

[Diagram: IT, SAI, AUDITEE]

Page 29: The Strategic Importance of IT for SAIs

If yes: what does that mean?

• SAIs should organize their:

–IS-function

–IS-audit-function

• IS(-audit)-function: the totality of activities (and accompanying resources) that needs to be performed to provide for IS(-audits)

[Diagram: IT, SAI, AUDITEE]

Page 30: The Strategic Importance of IT for SAIs

If yes: what does that mean?

Organize:

[Diagram shown three times, labelled SAI, IS-function and IS-audit-function, each with the elements: Skills, Strategy, Shared values, Structure, Staff, Style, Systems]

Page 31: The Strategic Importance of IT for SAIs

Organize the IS-function

• 4 domains:

–Planning and organization

–Acquisition and implementation

–Delivery and support

–Monitoring

• Guideline to (re-)determine the level of control over IT

Page 32: The Strategic Importance of IT for SAIs

Organize the IS Audit function

Three design decisions:

• Positions: pure (specialise) – mixed (integrate)?

• Organisational units: staff - line

• Organisation (SAI): externalise:

Page 33: The Strategic Importance of IT for SAIs

Summary

• IT is important for SAIs due to:

–the information intensity of their own processes and products

–the importance of IT for their auditees

• That is why SAIs need to:

–organize their IS-function; performing an IT Self-Assessment

–organize their IS-audit-function

Page 34: The Strategic Importance of IT for SAIs

Agenda

• 1 Short introduction:

–1.a Background of the seminar

–1.b The IT Self Assessment project

• 2 Strategic importance of IT for SAIs

• 3 Seminar programme

Page 35: The Strategic Importance of IT for SAIs

3 Seminar programme

[Programme diagram; labels: Day 1; Day 2; Importance of IT for SAIs; IS function; IT Self Assessment; IS-audit function; CobiT; IS Auditing; CobiT. Names: Massimo Magnini, Dainius Jakimavicius, Rune Johannessen, Børre Lagesen, Erik Guldentops]

Page 36: The Strategic Importance of IT for SAIs

Summary

• IT Self Assessment is necessary!