210 likes | 225 Views
Detailed insights on IT auditing, policies, challenges faced, and recommendations issued by the Auditor General's Office to improve IT services and governance in the Zambian government.
E N D
Office of theAuditor General – Zambia7th Performance Auditing Seminar of INTOSAI Working Group onIT Audit ‘Role of SAI's in Promoting Policy for IT Improvement & Value For Money’
Presentation Overview • Background and evolution of computing in Government • Information Technology Auditing in OAG-Z • Adoption of Generally Accepted IT Policies in other Government Agencies • Recommendations issued by OAG and implemented by auditees • OAG Recommendations that have improved the process of Acquisition of IT Services • Challenges • Conclusion Specialised Audit Department
Background • Information Communication Technology (ICT) in Zambia started in the 1980s. • Advancements in technology enhanced efficiency and effectiveness of business processes and service delivery. • Government implemented some systems Specialised Audit Department
Background continued…… • Systems implemented were; • Payroll Management Establishment Control (PMEC) System • Land Information Management System (LIMS) • Revenue Systems (ITAS, ASYCUDA) • Transport Information System – Zambia Transport Information Systems (ZAMTIS) • Utilities System • Banking Systems - (National Savings and Credit Bank), and more recently; • Integrated Financial Management Information System (IFMIS) Specialised Audit Department
Background continued……. • Initially, country had no appropriate policy to guide ICT in the country • Government later enacted: • Telecommunication Act of 1994 • Formulated ICT policy (in April 2006) • Information and Communications Technology Act of 2009 • The Electronic, Communication and Transport Act of 2009 Specialised Audit Department
IT Auditing in OAG-Z • OAG-Z restructured in 2005 and established: • MIS section • IT Audit section • The IT Audits Section is responsible for carrying out information technology audits. • Produced seventeen (17) IT audits reports, out of which nine (9) have been tabled in Parliament. Specialised Audit Department
Adoption of Generally Accepted IT Policies in Government Agencies • Adopted ISACA standards • Integrated auditing approach As a result: • The audit scope and recommendations have been enhanced. Specialised Audit Department
Participation at meetings of international and regional groupings • Recommendations made resulted in clients making improvements to their systems or they have acquired and implemented new systems using these standards. • Realization of value for money for the clients’ operations. Specialised Audit Department
What recommendations has the Office Issued on IT and seen Implemented • IT Governance • IT Security • Audit Trail • Change Management • Business continuity and backup procedures Specialised Audit Department
IT Governance • Implementation of ICT Policy and Strategic Plans. e.g. The Ministry of Finance and the National Savings and Credit Bank • Adoption of internationally recognized standards e.g. ZESCO Limited, Zambia Revenue Authority have adopted the COBIT Framework • Elevation of ICT to policy making level. E.g Some MPSAs and water utility companies have restructured their organizations and ICT functions and in addition, segregation of duties has been enhanced. Specialised Audit Department
Security • Physical and environmental, logical and network controls have either been implemented or strengthened in institutions such as Road Transport and Safety Agency, Payroll Management Establish Control and water utility companies (billing systems). Specialised Audit Department
Audit Trail • The LIMS, PMEC and NATSAVE have implemented audit trails. Specialised Audit Department
Change Management • Implementation of documented Change Management procedures e.g. Ministry responsible for Finance (IFMIS), Zambia Revenue Authoriry (ITAS), University of Zambia and NATSAVE have documented and implemented change management procedures. Specialised Audit Department
Business Continuity Plans and Backup Procedures • Development and implementation of the business continuity plans and backup procedures. e.g ZESCO Limited, Zambia Revenue Authority, University of Zambia, Ministry of Lands and NATSAVE Bank Specialised Audit Department
Recommendations that have been Issued by the Office that have improved the Acquisition of IT Services • Alignment of IT Strategic Plan with overall Strategic Plan to ensure that acquisition of IT systems are in line with business objectives • Establishment of IT Steering or Technical Committee to ensure good governance of the IT projects and resources Specialised Audit Department
Continued…. • IT representation at the Decision Making Level to ensure that management recognizes IT opportunities and risks that exist in organization’s operations. • Clients/IT units entering into Service Level Agreements with end users and vendors to ensure services are delivered to desired expectations. Specialised Audit Department
Challenges • The high costs associated with IT auditing training and tools, • Inadequate awareness and appreciation of IT audits by some stakeholders and clients. Specialised Audit Department
Way forward • Continuous IT training (both short and long term) • Sensitization of stakeholders Specialised Audit Department
Conclusion • With the above developments and the Office’s close collaboration and coordination with INTOSAI, ISACA, Cooperating Partners and key stakeholders’ great strides have been achieved in IT auditing. • The Office sensitization campaigns of Cabinet Ministers, Members of Parliament, Chief Executive Officers and senior Government officials has had an impact in promoting policy for IT improvement within the public sector in Zambia. Specialised Audit Department
Continued…. • There has been a remarkable increase in the response rate to audit queries and management letters by Controlling Officers, Chief Executive Officers and Heads of Departments. • The IT audit work plans have been executed timely and the audit reports produced, tabled and discussed by Parliament and most of the recommendations have been implemented by the clients. • Our clients have appreciated our work such that they have invited us to be part of the technical committees responsible for Acquisition of IT systems and interviewing panels. Specialised Audit Department
Thank you Specialised Audit Department