Impacts of the self-assessment on the SAIs
Dainius Jakimavičius, Director, Information Technology Department
Progress of the self-assessment – 18 countries
– Bulgaria
– Cyprus
– Croatia
– Czech Republic
– Denmark
– Finland
– France
– Germany
– Hungary
– Lithuania
– Norway
– Portugal
– Russian Federation
– Slovenia
– Spain
– Switzerland
– The Netherlands
– United Kingdom
The most important IT processes
PO1 Define a strategic IT plan
AI3 Acquire and maintain technology infrastructure
AI6 Manage changes
DS4 Ensure continuous service
DS5 Ensure system security
DS7 Educate and train users
DS10 Manage problems and incidents
M1 Monitor the processes
PO2 Define the information architecture
PO3 Determine the technological direction
PO10 Manage projects
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI4 Develop and maintain procedures
DS11 Manage data
PO9 Assess risks
IT processes with relatively high maturity level
PO3 Determine the technological direction
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain procedures
AI6 Manage changes
DS5 Ensure system security
DS10 Manage problems and incidents
DS11 Manage data
IT processes with relatively low maturity level
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO10 Manage projects
PO9 Assess risks
AI1 Identify automated solutions
DS4 Ensure continuous service
DS7 Educate and train users
M1 Monitor the processes
“He can maintain your house... but to build the new one, he needs a plan and a client!”
Michel Huissoud, presentation at the EUROSAI IT WG 3rd Meeting, Nikosia, 14 February 2005
Action Plans - 1
Enforcement of IT strategy (PO1): alignment between business processes and the functional aspects of information systems
• Create a proactive IS strategy or policy, and not just react to IT problems
• Improve integration of systems, processes and data between departments
Action Plans - 2
Improvement of IT-function organisation (PO4):
• Allocate responsibilities for certain parts of the IT function
• Improve communication between users and IT (e.g. make a user responsible for business processes or IT applications)
• Focus IT more on solving business problems, less on technological solutions
• Define functions to be performed by IT personnel and those to be performed by users
Action Plans - 2 (continued)
Improvement of IT-function organisation (PO4): cf. the Defined Process maturity level:
Defined roles and responsibilities for the IT organisation and third parties exist. The IT organisation is developed, documented, communicated and aligned with the IT strategy. Organisational design and the internal control environment are defined. There is formalisation of relationships with other parties, including steering committees, internal audit and vendor management. The IT organisation is functionally complete; however, IT is still more focused on technological solutions rather than on using technology to solve business problems. There are definitions of the functions to be performed by IT personnel and of those which will be performed by users.
Lithuania: Practical example
IT Development Strategy (September 2002)
• main aspects for IT development until 2006
• oriented more on technological potential, less on business needs
Mid-sized office
• over 300 working places (230 notebooks – auditors, 80 desktops – administration & audit management)
• 6 remote locations (branch offices)
• fewer possibilities for ad-hoc management
Objectives
Introduce principles (practices?) of corporate IT governance by integrating the main office processes with IT processes, as well as:
• increase awareness of the main office process owners, consolidating their inputs for IT development
• disclose the most important IT processes supporting the main office business processes
• set priorities for subsequent actions in the NAO
Pilot in Lithuania, October 2003
8 persons in the target group:
• 2 from IT
• 6 from business
Some knowledge of self-assessment, minor knowledge about COBIT
Duration: 2 half-days + presentation of the Action Plan to the Auditor General on the 3rd day
Most important IT processes
PO1 Define a Strategic IT Plan 15/18
AI1 Identify Automated Solutions 14/18
DS5 Ensure Systems Security 14/18
PO10 Manage Projects 12/18
AI6 Manage Changes 12/18
DS4 Ensure Continuous Service 12/18
DS6 Identify and Allocate Costs 12/18
M2 Assess Internal Control Adequacy 12/18
Shortcomings
PO1: Indicated shortcoming: Policy not known, no business planning system
AI1: Indicated shortcoming: No methodology and business requirements
DS5: Indicated shortcoming: No security plan & procedures, no testing
Action Plan
Actions:
• Policy creation, Procedures & Priorities for Allocation of Resources (importance ranking: 10)
• Setting up Business Requirements
• Introduce Security Policy (including security control procedures)
Enforcement - 1
Establishment of LT NAO Strategic Management & Risk Management Commission (November 2003). IT Management – among the 7 most important risk areas
Approval by LT NAO Council of the Implementation Plan of the LT NAO IT Strategy (January 2004):
• IT Infrastructure Development
• System Policies & Procedures
• Business Software
• Remote access & direct links to NAO clients
Enforcement - 2
Approval by LT NAO Council of the outline of the new LT NAO information system (March 2004)
Establishment of a WG for elaboration of proposals for the development of the future audit management and documentation system (May 2004). Representatives – mainly from the business side
Establishment of the IT Management Committee (February 2004) – sharing responsibility for IT development with the owners of the main processes (auditors)
Practical Hints
Mixing auditors & IT professionals – corporate nature of IT management
Closing seminar – summing up things to be done
Involvement of the Head of SAI at the very early stage of self-assessment – demonstrating the importance of the issue
Other Added Values
Recognition of the SAI by the ISACA community (locally). Presentation of the self-assessment at the ISACA LT Chapter meeting (February 2004)
Demonstrating IT awareness to SAI clients