The Power of Recommendations
Dainius Jakimavičius
National Audit Office of Lithuania
Vilnius, April 23, 2013
First steps
First IT Audit: “Regarding results of assessment of activities of establishing and development information systems in terms of economy, efficiency, and effectiveness” (2001)
• traditional performance criteria: economy, efficiency, and effectiveness
• looking at the most common problems of development of information systems in 14 ministries and the Department of Statistics
• similar problems identified
• Recommendations:
  • to link IT strategy plans of ministries and agencies with the strategic plan of information society development for Lithuania
  • to strengthen inter-ministerial coordination and control of IT projects and initiatives
IT Audit at the National Audit Office of Lithuania
IT Audit is carried out within two audit streams:
• Performance Audit
  • IT Performance Audits
• Financial Audit
  • IT internal controls
    • IT general controls
    • IS development controls
    • Application controls
COBIT: possibility to implement control practices
• COBIT:
  • processes
  • maturity models
  • management (control) practices
  • IT Assurance Guide
• How to apply COBIT instruments to the state level?
  Business processes → Auditor’s judgment → Recommendations how to improve IT internal controls
Inputs from EUROSAI IT Working Group: ITSA
Information technology self-assessment (ITSA) at the Supreme Audit Institutions (since 2002):
• method: COBIT framework:
  • processes
  • maturity models
• process: expert judgment:
  • selecting business processes
  • linking business with COBIT
  • selecting most important COBIT processes
  • assessing selected COBIT processes
  • action plan + implementation
Auditing state level: IT audits of 2006 and 2007
• General Control of State Information Systems. State and Institutional Levels (2006)
  • first attempt to apply COBIT instruments for the state level
• Management of Information Systems of Public Institutions in the Context of E-Governance (2007)
  • using inputs from financial audits of 76 government and municipal institutions of Lithuania
  • recommendations addressed to the Government
• Recommendations of those audits gave a push for the Law on Information Resources Management (2011)
General Control of State Information Systems. State and Institutional Levels (2006)
Does the state have adequate legal and managerial capacities/mechanisms to assure effective and efficient governance of the IT function?
• The main findings:
  • Regulation of State information resources was not comprehensive: due to absence of laws, regulations issued by the Government were applied only to ministries and institutions which report to the ministries.
  • IT strategic planning should be enforced and necessary IT strategic planning instruments (for example, IT strategic planning committees) introduced to assure that IT development initiatives are subordinated to institutional development needs.
  • Ministries/governmental agencies having responsibility for certain aspects of state regulation (responsibility for management of information systems or responsibility for security regulation of information systems) do not have sufficient power of administrative control.
Management of Information Systems of Public Institutions in the Context of E-Governance (2007)
The main areas for the audit “Management of Information Systems of Public Institutions in the Context of E-Governance” (2007) were chosen:
• Strategic planning of IT function at the state level
• Information systems control and monitoring at the state and institutional levels
• Management of IT investments
• Set up and development of information systems
• Management and security of information systems
• Education of top-management in IT governance
Management of Information Systems of Public Institutions in the Context of E-Governance (2007)
The main recommendations for the Government (because there were no state institutions to cover those functions):
• To review, update and assure compatibility of long-term IT strategic documents and to assure control of implementation of planned results
• To review and update methodological documents for planning IT investments
• To assure continuous monitoring of IT investment projects considering their efficiency and effectiveness
Lessons learnt from the audits of 2006-2007
• Distribution of tasks between financial (generalist) and IT auditors and using inputs from financial audits
• COBIT: examples of governance/management practices and the possibility to go beyond compliance by introducing effectiveness/efficiency criteria for general controls; applying COBIT to the state level
• Using self-assessment mechanisms for the internal IT function at SAIs (lessons from EUROSAI ITWG):
  • probing instruments for increasing IT function effectiveness/efficiency on ourselves before suggesting them to others. This creates trust in the actions and instruments we recommend
Enforcing legislation: Audit “Governance of State Information Resources” (2013)
Aim:
• To examine the situation at the state level after the Law on Information Resources Management was passed (2011)
• To suggest ways how the new legal framework may be used for improvement of the following areas:
  • IT governance model
  • Financial instruments
  • IT services
Conclusions: IT governance model
• concepts, requirements and classification systems are inconsistent and uncoordinated => a risk that similar objects can be classified using diverse classification systems instead of using one universal system
• alignment of IT policies, high-level planning and other documents is not assured, existing monitoring systems are not coordinated, monitoring criteria are not standardised
• strategic documents lack appropriate consideration mechanisms => could tend to reflect interests of different sectors
• governance of information resources is not efficient: weak or non-existing evaluation and monitoring components in the governance scheme
Conclusions: Financial instruments
• Financial instruments are not sufficient to assure that funds for information resources are used in a reasonable and cost-effective way, and that IT projects are aligned with the main directions of information society development.
• Funds allocated for information resources in the public sector should be used in a more efficient way, by adapting already existing IT systems or solutions and applying unified management processes.
Conclusions: IT services
• IT services are unattractive and rarely used due to the complexity of service catalogues, while the necessary level of information security is not always assured.
• Lack of integration prevents centralised use of state information resources; therefore technical capacities are not fully used.
Recommendations to the Government (1)
• To improve the IT governance model by applying governance methods suggested by Lithuanian and international standards and recommendations of the best practices:
  • to develop a consistent classification scheme of state information resources, based on common principles;
  • to complement the plan of implementation of the Law on Management of State Information Resources including provisions for review and conformity of existing legal acts;
  • to develop and apply unified targets and performance criteria for IT management and security across all areas of governance.
Recommendations to the Government (2)
• To assure common policies for governance of information resources:
  • to foresee measures for better coordination of implementation of information resources policies;
  • to appoint an institution responsible for coordination of classified information and to compile an inventory of such information;
  • to assure that priorities for IT investments are established at the level of the Government;
  • to compile and publish information on state-owned information networks.
Recommendations to the Government (3)
• To assure efficient use of financial resources and alignment of investments to the main trends of development of the information society, to elaborate:
  • regulatory and control measures for centralised planning of the most important IT projects; regulatory and control measures should assure cost-effectiveness, technological compatibility, evaluation of impact and monitoring at the state level;
  • requirements to evaluate the possibility of adapting already existing IT systems or solutions in the public sector;
  • requirements for planning of IT financial resources.
The law is enforced, what’s next?
• Is the public sector ready to implement the new legal requirements?
• Are there any problems in implementation?
  • problems at the institutional level (difficult to implement?)
    • recommendations to the institution: to assure compliance, plus a little of best practices to make life easier
  • problems beyond the institutional level (legislation doesn’t match practices)
    • recommendations to the Government: introduce new practices into legislation to make the framework for IT more efficient
  • ... or no problems at all?
Thank you for your attention
Questions?