
PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019


  1. 07/11/2019, SKOPJE
     SAIS ABILITY TO ADDRESS TECHNOLOGY OPPORTUNITIES AND CHALLENGES
     Ingrida Kalnina-Junga, SAI Latvia, Head of IT Audit Sector
     Ingrida.Kalnina-Junga@lrvk.gov.lv
  2. CONTENT
     SAIs challenges in IT field:
     IT audit as a component in:
     • financial audit
     • compliance audit
     • performance audit
     • IT project performance
     • E-government performance
     Audit support tools
     • Audit management tools
     • Data analytic tools
     Infrastructure
     Challenges and opportunities of carrying out performance audits related to national programmes in the area of digitalisation, e-government and cybersecurity.
     Challenges to develop auditing methodology and set up processes, train auditors in IT field.
     Challenges to introduce audit support tools into SAI everyday processes and opportunities of large-scale data analyzing.
     Challenges to develop secure internal IT environment and to ensure secure data exchange with auditees.
  3. IT AUDIT AS A COMPONENT
     SAIs challenges in IT field:
     IT audit as a component in:
     • financial audit
     • compliance audit
     • performance audit
     • IT project performance
     • E-government performance
     Audit support tools
     • Audit management tools
     • Data analytic tools
     • Public survey tools
     Infrastructure
     Challenges and opportunities of carrying out performance audits related to national programmes in the area of digitalisation, e-government and cybersecurity.
     Challenges to develop auditing methodology and set up processes, train auditors in IT field.
     Challenges to introduce audit support tools into SAI everyday processes and opportunities of large-scale data analyzing.
     Challenges to develop secure internal IT environment and to ensure secure data exchange with auditees.
  4. IT AUDIT AS A COMPONENT
     in Financial Audits - to assess the correctness and compliance of the organization's financial statements. An examination of controls and business rules adopted in the IS, which are relevant to the capture, storage, processing and delivery of information for financial reporting.
     in Compliance Audits - to evaluate internal controls. IT audit may consist of an examination of controls and business rules adopted by the audited entity in the IS, which are designed to ensure compliance with the prescribed policy and rules.
     in Performance Audits - to assess whether the IT systems meet the needs of the users and do not subject the entity to unnecessary risk.
     Audit of IS - the examination of controls related to IT-driven information systems, in order to identify instances of deviation from criteria, which have been identified based on the type of audit engagement, i.e. Financial Audit, Compliance Audit or Performance Audit [GUID, 5100]
  5. IT AUDIT AS A COMPONENT
     [Diagram labels: Application controls; DATA; General IT controls; Process controls; Management; Strategy and governance; Input/Process/Output; transactions; accounts; Audit trails; Standing data]
     General IT controls - high level management controls over the IT function in general. Provide an umbrella of controls over the acquisition, implementation and management of the systems and technologies. IT Governance and Management Strategy, People and Resources, Information Security, Development and Acquisition, Operations, etc.
     Application controls are specific controls unique to each computerised application. They apply to application segments and relate to the transactions and existing data.
  6. IT AUDIT AS A COMPONENT II
     Confidentiality - ensures that only authorized people can access resources
     Integrity - prevents unauthorized data modification
     Availability - ensures that data are available when needed
     General controls are implemented using a number of tools such as policy, guidance and procedures as well as putting in place an appropriate management structure.
     Assurance that existing controls are reliable for:
     - IT governance and management (IS Strategy, IS Security etc.)
     - Logical access
     - Physical access
     - System development
     - Change management
     - Back-up and recovery
  7. PERFORMANCE AUDITS IN IT FIELD
  8. IT AREAS IN THE SAI's SCOPE
  9. PERFORMANCE AUDITS IN IT FIELD: RISKS IN IT PROJECTS I
     Whether the policy objectives have been achieved and if this can be attributed to the policy?
     Whether resources have been put to optimal use?
     Whether the same or similar results in terms of quality and time could have been achieved with less resources?
     Whether the cost of resources used is minimised?
  10. PERFORMANCE AUDITS IN IT FIELD: RISKS IN IT PROJECTS I
     Planning
     • Policy planning documents do not set clear objectives, main tasks and activities to be carried out, expected results, deadlines, cost calculations, responsible institutions.
     • Policy planning documents are not comprehensive but are prepared according to available funding: only development of an IS is planned, but not the necessary equipment, infrastructure and licenses.
     • Not all participating institutions are identified and not all needs are recognized. Related systems are not studied prior to development. This leads to integration problems with existing IS and increases the risk that the newly developed IS will not support all necessary processes.
     • Deadlines are not harmonized: the system is delivered, but the institution continues state procurement for purchasing the user equipment.
     • Work tasks are planned for 1 year and there is no strategic plan for a longer period. IT plan is isolated from plans and goals of the institution. Users are not informed about changes.
     Usage & Results
     • Implementation of IT projects is finalized with development and acceptance, not implementation.
     • The system is unusable as there are no historical data transferred.
     • Usage of the developed IS is not integrated into the institution's work processes.
     • User training and IS piloting was not provided.
     • Output results are achieved but not outcome.
  11. PERFORMANCE AUDITS IN IT FIELD: RISKS IN E-GOVERNMENT PROJECTS
     • Fragmented process digitalization (different automatization level of processes)
     • Insufficient data exchange, especially in municipalities
     • Investment duplications (institutions create their own payment and authorization modules, not using already developed tools)
     • E-government tools are developed but institutions avoid using them
     • Poor IT project management (postponed implementation, significant changes after implementation, increasing costs during project)
     • Low uptake of digital services (poor planning on value for money)
     • Citizens have no access to the developed e-services:
       • do not have access to the internet
       • do not have sufficient computer literacy
       • access is limited by e-signature, which is less popular than ibanking authorization
  12. CASE STUDY: HAS PUBLIC ADMINISTRATION USED ALL OPPORTUNITIES FOR EFFICIENT MANAGEMENT OF IT INFRASTRUCTURE?
     [Diagram labels: Auditor's expectations; Auditor's findings]
     # http://www.lrvk.gov.lv/en/revizija/has-public-administration-used-all-opportunities-for-efficient-management-of-ict-infrastructure
     How much does it cost to maintain a data center?
     Aren't we overpaying for maintaining server rooms?
     Are data centers fully loaded?
     How much can we save after optimizing the number of data centers?
  13. CASE STUDY: HAS PUBLIC ADMINISTRATION USED ALL OPPORTUNITIES FOR EFFICIENT MANAGEMENT OF IT INFRASTRUCTURE? II
     • Unified security requirements of IT infrastructure and data centers are not established for processing information according to its importance.
     • Security threats exist in most server rooms: data centers are not sufficiently protected from physical access and environmental risks.
     • Important IS are hosted even in low level data centers.
     • There are high-level server rooms available in some institutions, which are not used to their full capacity.
     • Optimising the number of server rooms would allow not only to reduce IT placement expenses, but also to provide a sufficient security level at a lower cost.
  14. CASE STUDY: HAS PUBLIC ADMINISTRATION USED ALL OPPORTUNITIES FOR EFFICIENT MANAGEMENT OF IT INFRASTRUCTURE? II
     Security threats exist in most server rooms and for their prevention investments are required:
     Scenario 1 - to improve server rooms containing increased level and integrated information systems: EUR 247 000 (fireproof doors, diesel generator, two internet connections, ventilation solutions, etc.);
     Scenario 2 - the improvement of all audited server rooms requires investment of at least EUR 765 000.
     Scenario 3 - to reduce the necessary investments, we should first reduce the number of data centers and promote more efficient usage of underutilised, high level data centers.
     [Chart: 247 th. / 800 th. / 1.3 m. Relocation to the single data center of increased level and integrated IS of all ICT infrastructure refusing from outsourcing]
  15. AUDIT SUPPORT TOOLS
  16. AUDIT SUPPORT TOOLS FOR AUDIT MANAGEMENT
     To support the SAI on the audit processes:
     • resource planning;
     • utilization of time;
     • audit documenting;
     • quality assurance;
     • recommendation tracking.
     Tools in use:
     • Team Mate: Latvia, France, Denmark, Estonia, Ireland
     • MKInsight: United Kingdom (since 2012), Sweden, Georgia, Wales, Northern Ireland
     • Pentana Vision: Bulgaria
     • Sicr: Italy
     • Developed software: Germany, Czech Rep., Romania, Albania, Macedonia
     # Bosnia and Herzegovina Questionnaire on July 2018
     [Figures shown: 15 th. to 100 th./year; 290 th. to 1.4 M]
  17. AUDIT SUPPORT TOOLS FOR DATA ANALYZING
     Understanding of IT impact on the financial statement or subject matter. Draw conclusions on areas which are affected by IT controls.
     Understanding of actions for the purpose whereof IT is being used (entering, processing, storage, automated conducting of transactions, calculations).
     Understanding of data and data source used in calculations: manually entered data, data from other (internal or external) databases.
     Understanding of IS participating in the processing of data significant for the financial statement or subject matter.
  18. AUDIT SUPPORT TOOLS: DATA ANALYZING IN FA
     [Diagram labels: budget appropriations; expenditures of the auditee; Budget planning system; Accounting system (inventory, fixed assets, payroll etc.); Analytical data systems; Billing system; payments to budget; Analytical data systems; Employee register; Document work flow system; Enterprise register; Citizen register]
  19. AUDIT SUPPORT TOOLS: DATA ANALYZING IN CA&PA
     [Diagram steps: Review and approval of the plan; Choosing methods to gather audit evidence; Setting the audit criteria; Defining the scope of the audit; Defining the audit objective(s) and audit questions; Understanding what is audited; Assessing auditability]
     What kind of audit evidence should be obtained to get answers on audit questions?
     Is necessary data processed in an information system and available in structured format?
     Is data integrity ensured by:
     • IT general controls?
     • application controls?
     • data exchange with an external register?
     Does the data contain sensitive information about a person or a company?
     How long does it take to get and to analyze data?
     Can we rely on data analyses results?
  20. 3E Challenge - money is spent properly and provides value for money.
     • Economy means minimising the costs of resources. The resources used should be available in due time, in appropriate quantity and quality and at the best price.
     • Efficiency means getting the most from the available resources. It is concerned with the relationship between resources employed and outputs delivered in terms of quantity, quality and timing.
     • Effectiveness concerns meeting the objectives set and achieving the intended results.
  21. AUDIT QUESTIONS AND CRITERIA
     [Diagram: criteria 1 to 4 mapped to auditee data sources 1 to 5 and to non-auditee data]
  22. CASE STUDY: USING DATA ANALYSIS IN A SOCIAL ASSISTANCE AUDIT I
     What do regulations define? Regulations define the requirements for obtaining the status of a poor and low-income person or family.
     Risk 1: Municipalities have granted status and have paid benefits to persons and families in which:
     • the income per family member exceeds 128.06 EUR per month;
     • more than 1 property is in the possession;
     • more than 4 vehicles are in the possession;
     • a person or member of the family has capital shares in an enterprise or is an official of the enterprise;
     • a person is in custody;
     • a family member has died.
     Risk 2: A person or family has received simultaneously support from different local governments.
  23. CASE STUDY: USING DATA ANALYSIS IN A SOCIAL ASSISTANCE AUDIT II. OBTAINED DATA
     • State Revenue Service: Data from the tax information system on the income of individuals
     • State Social Insurance Agency: Data about individuals who received pensions, unemployment benefits and sickness money
     • Rural Support Service: Information on agricultural and rural development subsidies paid to individuals
     • State Land Service: Land and Real Estate register on objects owned by individuals and related transactions
     • State Vehicle register: owned vehicles
     • Support Guarantee Fund: Budget payments for children
     • Information on social benefits from 119 local governments
  24. CASE STUDY: USING DATA ANALYSIS IN A SOCIAL ASSISTANCE AUDIT III. CONCLUSIONS
     The status of a poor or low-income family is determined unreasonably and social benefits were paid for persons and families in which:
     Risk 1
     - income per family member exceeded 128.06 euros. There have been cases where the income per family member was 3,000 euros;
     - 23 households owned 5 to 11 vehicles;
     - households were identified in the possession of which were even 14 units of real estate;
     - 3400 cases when a member of a poor or low-income family seven owned part of the capital of an enterprise;
     - 5470 cases when a poor person has capital shares or is an official of an enterprise;
     - 349 people were in custody;
     - calculated benefits were not reviewed in 4334 cases after the death of a family member;
     Risk 2
     - persons received support simultaneously from 2-3 municipalities.
  25. CASE STUDY: AUDIT ON THE ISSUANCE OF BIOMETRIC PASSPORTS II. WORKLOAD INTENSITY ESTIMATION
     [Chart: Issued Passports, Applications received, Documents processed; axis 0 to 200000]
     Criteria: Office hours are defined from Monday to Friday. Are passports issued outside working hours?
     Finding: 3685+65 documents were issued on Sat/Sun.
     Conclusion: Internal control procedures do not prevent potential fraud on issuing sensitive documents.
     Finding: Most of the documents were issued in July (total 157 573), and almost two times less in November (total 76 456).
     Whether the capacity between the units is in balance?
  26. CASE STUDY: AUDIT ON THE ISSUANCE OF BIOMETRIC PASSPORTS II. WORKLOAD INTENSITY ESTIMATION
     Criteria: Some local units are overloaded and citizens stand in long lines.
     Conclusion: During the year, with a slight change in the number of employees, the workload of the Office changes twice, which indicates the ability of the employees to work much more productively in certain periods.
     Criteria: For the delivery of a passport within 10 days you need to pay 28 euros, within 2 days - 56 euros. Are 10 working days necessary for producing and delivery of passports?
     Finding: In fact, the Office can produce and deliver passports for issuance on average within 4 days.
     Conclusion: Residents do not receive documents as soon as possible or overpay, because instead of the stipulated 10 working days, documents are ready for issuance within 4 days.
  27. AUDIT SUPPORT TOOLS: PRECONDITIONS FOR DATA ANALYZING
     • Defined problem and clear criteria
     • Understanding of the business processes, IS and data significant for audit
     • The existence of structured data in electronic form and unique ID
     • Appropriate IT controls to ensure data quality
     • Capable IT staff of the auditee to prepare requested data
     [Diagram labels: Auditee's capability; The SAI's capability]
     The SAI's capability
     - to use CAAT
     - to support audit teams
     - to ensure quality
     - to ensure security
     - to extend audit schedule (data may be incomplete, incorrect, wrongly selected)
  28. CENTRALIZED OR DECENTRALIZED DATA ANALYZING
     Centralized data obtaining and analyzing
     Pros: Clear indications on risks and areas to be checked. Auditors may concentrate on detailed testing.
     Cons: Auditors may not see overall picture and assess the impact of identified errors.
     Decentralized data obtaining and analyzing
     Pros: Each audit team develops detailed understanding of processes and data related to the statement. Data analysis can be applied to specific risks.
     Cons: Different approaches to data analysis may be used in one SAI, consequently, overall results may not be comparable.
     Internal requirements
     • process description for data obtaining, processing and deleting
     • secure data delivery from auditee
     • ensured limited access to obtained databases
     • documenting on data analysis and results
     • the SAI's register on received databases
  29. AUDIT SUPPORT TOOLS: GEO SPATIAL DATA ANALYZING
     Software allowing users to analyze spatial information.
     Useful tool:
     - to identify overlapping infrastructure objects
     - to determine the distance between infrastructure objects
     - to calculate routes
     - visualization of information and relationships (over multiple periods)
     - to check spatial data quality in public register
     Preconditions:
     - data availability in specific format (data transformation)
     - specific software and skilled auditors
     - the coordinate system used
     - metadata
     - more powerful hardware
  30. DO WE COVER THESE AREAS? DO WE HAVE A STRATEGY TO COVER?
     Internal challenges
     • Auditors trained in IT field
     • IT competence centre
     • Audit support tools
       • Audit management tools
       • CAAT
     • Infrastructure
     External challenges
     • Auditees' full transition to the digital environment
     • Development of E-government
       • E-identification
       • E-signature and E-document
       • E-services and State Portal
       • E-archiving
       • Open data
  31. QUESTIONS AND REMARKS
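
The register cross-matching from the social assistance case study (slides 22 to 24), as an added example that is not part of the original presentation or the SAI's own tooling: benefit cases are tested against the Risk 1 thresholds and, via a unique person ID, against Risk 2. All records, IDs and field names are constructed, and counting a person who is missing from a register as zero there is an assumption.

```python
from collections import defaultdict
from decimal import Decimal

INCOME_LIMIT = Decimal("128.06")  # EUR per family member per month (slide 22)
MAX_PROPERTIES, MAX_VEHICLES = 1, 4

# Constructed sample extracts; person IDs, case IDs and field names are hypothetical.
BENEFITS = [
    {"case": "A-1", "municipality": "A", "members": ["P1", "P2"]},
    {"case": "A-2", "municipality": "A", "members": ["P3"]},
    {"case": "B-1", "municipality": "B", "members": ["P3"]},
    {"case": "C-1", "municipality": "C", "members": ["P4", "P5"]},
    {"case": "C-2", "municipality": "C", "members": ["P6"]},
    {"case": "C-3", "municipality": "C", "members": ["P7"]},
]
INCOME = {"P1": Decimal("300.00"), "P3": Decimal("90.00"), "P4": Decimal("100.00"),
          "P5": Decimal("100.00"), "P6": Decimal("50.00"), "P7": Decimal("128.06")}
PROPERTIES = {"P4": 2}   # person -> real estate units owned
VEHICLES = {"P6": 5}     # person -> vehicles owned
COMPANY_LINKS = {"P3"}   # holds capital shares or is an official of an enterprise
IN_CUSTODY = {"P5"}
DECEASED = {"P2"}


def risk1_findings(members):
    """Return the Risk 1 criteria that one benefit case violates."""
    found = []
    # Assumption: a person absent from a register counts as zero in it.
    income = sum((INCOME.get(p, Decimal(0)) for p in members), Decimal(0))
    if members and income / len(members) > INCOME_LIMIT:
        found.append("income_above_limit")
    if sum(PROPERTIES.get(p, 0) for p in members) > MAX_PROPERTIES:
        found.append("more_than_1_property")
    if sum(VEHICLES.get(p, 0) for p in members) > MAX_VEHICLES:
        found.append("more_than_4_vehicles")
    if COMPANY_LINKS.intersection(members):
        found.append("company_link")
    if IN_CUSTODY.intersection(members):
        found.append("member_in_custody")
    if DECEASED.intersection(members):
        found.append("deceased_member")
    return found


def audit(benefits):
    """Map (municipality, case) -> findings for every case with at least one."""
    paid_by = defaultdict(set)  # person -> municipalities that paid them
    for rec in benefits:
        for person in rec["members"]:
            paid_by[person].add(rec["municipality"])
    report = {}
    for rec in benefits:
        found = risk1_findings(rec["members"])
        # Risk 2: the same person is supported by more than one local government.
        if any(len(paid_by[p]) > 1 for p in rec["members"]):
            found.append("support_from_several_municipalities")
        if found:
            report[(rec["municipality"], rec["case"])] = found
    return report
```

Case C-3 sits exactly on the 128.06 EUR limit and is not flagged, because the criterion on slide 22 is that income "exceeds" the limit.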
