Impacts of the self-assessment on the SAIs

Dainius Jakimavičius
Director, Information Technology Department


Progress of the self-assessment – 18 countries

– Bulgaria
– Cyprus
– Croatia
– Czech Republic
– Denmark
– Finland
– France
– Germany
– Hungary
– Lithuania
– Norway
– Portugal
– Russian Federation
– Slovenia
– Spain
– Switzerland
– The Netherlands
– United Kingdom


The most important IT processes

PO1 Define a strategic IT plan
AI3 Acquire and maintain technology infrastructure
AI6 Manage changes
DS4 Ensure continuous service
DS5 Ensure system security
DS7 Educate and train users
DS10 Manage problems and incidents
M1 Monitor the processes

PO2 Define the information architecture
PO3 Determine the technological direction
PO10 Manage projects
AI1 Identify automated solutions
AI2 Acquire and maintain application SW
AI4 Develop and maintain procedures
DS11 Manage data
PO9 Assess risks


IT processes with relatively high maturity level

PO3 Determine the technological direction
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain procedures
AI6 Manage changes
DS5 Ensure system security
DS10 Manage problems and incidents
DS11 Manage data


IT processes with relatively low maturity level

PO1 Define a strategic IT plan
PO2 Define the information architecture
PO10 Manage projects
PO9 Assess risks
AI1 Identify automated solutions
DS4 Ensure continuous service
DS7 Educate and train users
M1 Monitor the processes


“He can maintain your house... but to build the new one, he needs a plan and a client!”

Michel Huissoud, Presentation at EUROSAI IT WG 3-rd Meeting, Nikosia, 14 February 2005


Action Plans - 1

Enforcement of IT-strategy (PO1): alignment between business processes and the functional aspects of information systems

• Create a proactive IS-strategy or policy, and not just react to IT problems
• Improve integration of systems, processes and data between departments


Action Plans - 2

Improvement of IT-function organisation (PO4):

• Allocate responsibilities for certain parts of the IT function
• Improve communication between users and IT (i.e. make a user responsible for business processes or IT applications)
• Focus IT more on solving business problems, less on technological solutions
• Define functions to be performed by IT personnel and to be performed by users.


Action Plans - 2

Improvement of IT-function organisation (PO4) - cf. Defined Process

Defined roles and responsibilities for the IT organisation and third parties exist. The IT organisation is developed, documented, communicated and aligned with the IT strategy. Organisational design and the internal control environment are defined. There is formalisation of relationships with other parties, including steering committees, internal audit and vendor management. The IT organisation is functionally complete; however, IT is still more focused on technological solutions rather than on using technology to solve business problems. There are definitions of the functions to be performed by IT personnel and of those which will be performed by users.


Lithuania: Practical example

IT Development Strategy (September 2002)
• main aspects for IT development until 2006
• oriented more on technological potential, less on business needs

Mid-sized office
• over 300 working places (230 notebooks - auditors, 80 desktops – administration & audit management)
• 6 remote locations (branch offices)
• fewer possibilities for ad-hoc management


Objectives

Introduce principles (practices?) of corporate IT governance by integration of the main office processes with IT processes

as well as
• increase awareness of the owners of the main office processes, consolidating their inputs for IT development
• disclose the most important IT processes supporting the main office business processes
• set priorities for subsequent actions in the NAO


Pilot in Lithuania, October 2003

8 persons in the target group:
• 2 from IT
• 6 from business

Some knowledge on self-assessment, minor knowledge about COBIT

Duration: 2 half-days + presentation of the Action Plan to the Auditor General on the 3rd day


Most important IT processes

PO1 Define a Strategic IT Plan 15/18
AI1 Identify Automated Solutions 14/18
DS5 Ensure Systems Security 14/18
PO10 Manage Projects 12/18
AI6 Manage Changes 12/18
DS4 Ensure Continuous Service 12/18
DS6 Identify and Allocate Costs 12/18
M2 Assess Internal Control Adequacy 12/18


Shortcomings

PO1: Indicated Shortcoming: Policy not known, no business planning system

AI1: Indicated Shortcoming: No methodology and business requirements

DS5: Indicated Shortcoming: No security plan & procedures, no testing


Action Plan

Actions:
• Policy creation, Procedures & Priorities for Allocation of Resources (importance ranking: 10)
• Setting up Business Requirements
• Introduce Security Policy (including security control procedures)


Enforcement - 1

Establishment of LT NAO Strategic Management & Risk Management Commission (November 2003). IT Management – among 7 most important risk areas

Approval by LT NAO Council of the Implementation Plan of LT NAO IT Strategy (January 2004):
• IT Infrastructure Development
• System Policies & Procedures
• Business Software
• Remote access & direct links to NAO clients


Enforcement - 2

Approval by LT NAO Council of outline of the new LT NAO information system (March 2004)

Establishment of WG for elaboration of proposals for the development of the future audit management and documentation system (May 2004). Representatives – mainly from business side

Establishment of IT Management Committee (February 2004) - sharing responsibility for IT development with owners of the main processes (auditors)


Practical Hints

Mixing auditors & IT professionals – corporate nature of IT management

Closing seminar – summing up things to be done

Involvement of Head of SAI at the very early stage of self-assessment – demonstrating importance of the issue

Other Added Values

Recognition of SAI by ISACA community (locally). Presentation of self-assessment to the ISACA LT Chapter meeting (February 2004)

Demonstrating IT awareness to SAI clients