The Strategic Importance of IT for SAIs
description
Transcript of The Strategic Importance of IT for SAIs
The Strategic Importance of IT for SAIs
Vilnius, June 16th, 2005
Paul Mantelaers
June 16th, 2005Strategic Importance of IT for SAI's2
Agenda
• 2 Strategic importance of IT for SAIs
• 3 Seminar programme
• 1 Short introduction:
–1.a Background of the seminar
–1.b The IT Self Assessment project
June 16th, 2005Strategic Importance of IT for SAI's3
Agenda• 1 Short introduction:
–1.a Background of the seminar
June 16th, 2005Strategic Importance of IT for SAI's4
1.a Background of the seminar
IT WG
Moscow, May 2002
launched
The Hague, Oct, 2002
1st meeting
IT training
IT Self Assessment
Training Committee
Bern, March 2004 2nd meeting
Seminars ‘SAIs in control of IT’
Lisbon, Oct, 2004
Vilnius, June 2005
Copenhagen, Nov, 2003
8th meeting
Training Strategy
IT seminar Portugal, 2004
Rome, Oct, 2003
June 16th, 2005Strategic Importance of IT for SAI's5
Agenda• 1 Short introduction:
–1.a Background of the seminar
–1.b The IT Self Assessment project
– The initiation
– The activities
– The product
June 16th, 2005Strategic Importance of IT for SAI's6
1.b The IT Self Assessment Project
Initiation (The Hague, Oct. 2002):
• Objective:
– develop a self assessment tool for all SAIs;
– CobiT-based.
• Enable to measure the maturity of IT control of our own offices; action list.
• Pilot countries.
• Project organisation (6 countries, diversity).
June 16th, 2005Strategic Importance of IT for SAI's7
1.b The IT Self Assessment Project
Why a self assessment?
• It allows « proximity ». Evaluation is carried out by the people:
– who know the subject
– who are interested in solving the problems
• It is confidential. The organization is in control of the results and their distribution.
• External moderation encourages the people to speak freely.
June 16th, 2005Strategic Importance of IT for SAI's8
1.b The IT Self Assessment Project
CobiT is a well accepted standard
CobiT can be downloaded free from www.isaca.org
CobiT is also available in French, German and Spanish
but our group wanted to be sure that CobiT is the best choice ...
Why Control Objectives for Information and related Technology?
June 16th, 2005Strategic Importance of IT for SAI's9
Activities (Jan. 2003 – Aug. 2003)
Various papers (concepts, requirements, etc.)
Studies of other tools:
ISO 9001
European Foundation for Quality Management (EFQM) Excellence Model
ITIL / Process Maturity Self-Assessment & Action Plan
CMM Capability Maturity Model
Common Assessment Framework (CAF): result of the cooperation among EU Ministers responsible for Public Administration
1.b The IT Self Assessment Project
June 16th, 2005Strategic Importance of IT for SAI's10
Contact with specialists:
Philips (The Netherlands),
Swisslife (Switzerland),
Prof. W. van Grembergen (University of Antwerp)
Keep it simple!
E-mail; two meetings
Version 1 (August 2003); pilots: October 2003 – November 2003
Version 2 (February 2004); pilot: March 2004)
ITWG (Bern)
1.b The IT Self Assessment Project
June 16th, 2005Strategic Importance of IT for SAI's11
1.b The IT Self Assessment Project
The product (Bern, March 2004):
• A tested CobiT-based methodology for IT Self Assessment, in terms of:
– A way of working: steps
– A way of modelling: graphs/tables
– A way of supporting: spreadsheets
– A way of presenting: slide-show
– A way of preparing; instructions
• Ready to be used by (and to be improved based on experiences of) IT WG members and other SAIs
June 16th, 2005Strategic Importance of IT for SAI's12
1.b The IT Self Assessment ProjectKey: alignment between business and IT
Two dimensions of the analysis:
• Business processes (users)
– Most important processes in achieving goals; IT-support?
• IT-processes (IT-staff)
– Most important? Maturity levels
Business process 1
Business process N
IT-1
IT-M Communicate!
June 16th, 2005Strategic Importance of IT for SAI's13
Agenda
• 2 Strategic importance of IT for SAIs
• 1 Short introduction:
–1.a Background of the seminar
–1.b The IT Self Assessment project
June 16th, 2005Strategic Importance of IT for SAI's14
2 Strategic Importance of IT
June 16th, 2005Strategic Importance of IT for SAI's15
2 Strategic Importance of IT
June 16th, 2005Strategic Importance of IT for SAI's16
2 Strategic Importance of IT for SAIs
• Group discussion
• Two questions:
–1: Why is(n’t) IT important for SAIs?
–2: If yes: what does that mean?
• Time
• Group formation
June 16th, 2005Strategic Importance of IT for SAI's17
Plenary discussion
• Topic 1: Why is(n’t) IT important for
SAIs?
June 16th, 2005Strategic Importance of IT for SAI's18
Why is(n’t) IT important for SAIs?
Auditee:
CentralGovernment+
Auditor(SAI)
Decisionmakers
IT
1
22
1
June 16th, 2005Strategic Importance of IT for SAI's19
Why is(n’t) IT important for SAIs?
1. SAI:
•Mission, objectives
•Primary processes:
•Audit process
•Knowledge exchange
•Secondary processes:
•Personnel
•Finance
•IT
Audit proposal
Audit programme
Policy framework
Presentation
publication
Publication text
Clearance procedure
Draft report
reporting
Report design
Four-way consultation
implementation
preparation
planning
selection
Report of findings
June 16th, 2005Strategic Importance of IT for SAI's20
Why is(n’t) IT important for SAIs?
1. SAI:
Informationintensity
of theproduct
Information intensityof the process
Low
HighLow
High
Cement industry
Oil refinery
SAI
Banking
June 16th, 2005Strategic Importance of IT for SAI's21
Benefits of IT….. and risks
• Increased productivity
• Improved quality of products (user satisfaction)
• Improved decision-making ability
• Enhanced communication (internal and external)
• Enhanced goodwill of employees
• Risks: huge investments, expectations vs. reality,
vulnerability, system shutdowns, poor integration,
manage service providers, not enough training….
June 16th, 2005Strategic Importance of IT for SAI's22
Why is(n’t) IT important for SAIs?
Auditee:
CentralGovernment+
Auditor(SAI)
Decisionmakers
IT
1
22
1
June 16th, 2005Strategic Importance of IT for SAI's23
Why is(n’t) IT important for SAIs?
2. AUDITEE:
G2G:
G2C:
June 16th, 2005Strategic Importance of IT for SAI's24
Why is(n’t) IT important for SAIs?
2. AUDITEE:
• Has a very high information intensity
(process and product)
• Any audit involves information (processing)
and will increasingly involve IT(-auditing)
• Benefits of IT…. and risks
• IT-control maturity?
June 16th, 2005Strategic Importance of IT for SAI's25
Why is(n’t) IT important for SAIs?
CONCLUSION:
IT is important for SAIs because:
– Their primary and secondary processes can benefit from the application of IT. IT contributes to organisational performance. Risks need to be managed.
– In their auditing work, SAIs will be increasingly faced with IT.
June 16th, 2005Strategic Importance of IT for SAI's26
Plenary discussion
• Question 2: If IT is important for SAI’s:
what should that bring about?
June 16th, 2005Strategic Importance of IT for SAI's27
If yes: what does that mean?
IT
SAI
AUDITEE
Point of departure:
June 16th, 2005Strategic Importance of IT for SAI's28
If yes: what does that mean?
• SAIs should organize their:
–IS-function
• IS-function: the totality of activities (and
accompanying resources) that needs to
be performed to provide for IS
IT
SAI
AUDITEE
June 16th, 2005Strategic Importance of IT for SAI's29
If yes: what does that mean?
• SAI’s should organize their:
–IS-function
–IS-audit-function
• IS(-audit)-function: the totality of
activities (and accompanying resources)
that needs to be performed to provide
for IS(-audits)
IT
SAI
AUDITEE
June 16th, 2005Strategic Importance of IT for SAI's30
If yes: what does that mean?
Skills
Strategy
Shared values
Structure
Staff Style
Systems
Organize: SAI:
Skills
Strategy
Shared values
Structure
Staff Style
Systems
IS-function:
Skills
Strategy
Shared values
Structure
Staff Style
Systems
IS-audit-function:
June 16th, 2005Strategic Importance of IT for SAI's31
Organize the IS-function
• 4 domains:
–Planning and organization
–Acquisition and implementation
–Delivery and support
–Monitoring
• Guideline to (re-)determine the level of
control over IT
June 16th, 2005Strategic Importance of IT for SAI's32
Organize the IS Audit function
Positions: pure (specialise)– mixed (integrate)?
Organisational units: staff - line
Organisation (SAI): externalise:
Three design decisions:
June 16th, 2005Strategic Importance of IT for SAI's33
Summary
• IT is important for SAIs due to:
–the information intensity of their own processes and products
–the importance of IT for their auditees
• That is why SAIs need to:
–organize their IS-function; performing an IT Self-Assessment
–organize their IS-audit-function
June 16th, 2005Strategic Importance of IT for SAI's34
Agenda
• 2 Strategic importance of IT for SAIs
• 3 Seminar programme
• 1 Short introduction:
–1.a Background of the seminar
–1.b The IT Self Assessment project
June 16th, 2005Strategic Importance of IT for SAI's35
3 Seminar programme
Importance of IT for SAIs
IS function
IT Self AssessmentDay 2:
IS-audit function
CobiTDay 1:
IS Auditing
CobiT
MassimoMagnini
DainiusJakimaviciu
s
Rune Johannessen
Børre LagesenErik
Guldentops
June 16th, 2005Strategic Importance of IT for SAI's36
Summary
• IT Self Assessment is necessary!