The Strategic Importance of IT for SAIs

1
The Strategic Importance of IT for SAIs
Paul Mantelaers

• Lisbon, October 13th, 2004

2
Agenda

• 2 Strategic importance of IT for SAIs

3
Agenda

• 1 Short introduction
• 1.a Background of the seminar

4
1.a Background of the seminar
Training Committee
5
Agenda

• 1 Short introduction
• 1.a Background of the seminar
• 1.b The IT Self Assessment project
• The initiation
• The activities
• The product

6
1.b The IT Self Assessment Project

• Initiation (The Hague, Oct. 2002)
• Objective
• develop a self assessment tool for all SAIs
• CobiT-based.
• Enable to measure the maturity of IT control of
  our own offices action list.
• Pilot countries.
• Project organisation (6 countries, diversity).

7
1.b The IT Self Assessment Project

• Why a self assessment?
• It allows proximity . Evaluation is carried
  out by the people
• who know the subject
• who are interested in solving the problems
• It is confidential. The organization is in
  control of the results and their distribution.
• External moderation encourages the people to
  speak freely.

8
1.b The IT Self Assessment Project
Why Control Objectives for Information and
related Technology?

• CobiT is a well accepted standard
• CobiT can be downloaded free from www.isaca.org
• CobiT is also available in French, German and
  Spanish
• but our group wanted to be sure that CobiT is the
  best choice ...

9
1.b The IT Self Assessment Project

• Activities (Jan. 2003 Aug. 2003)
• Various papers (concepts, requirements, etc.)
• Studies of other tools
• ISO 9001
• European Foundation for Quality Management (EFQM)
  Excellence Model
• ITIL / Process Maturity Self-Assessment Action
  Plan
• CMM Capability Maturity Model
• Common Assessment Framework (CAF) result of the
  cooperation among EU Ministers responsible for
  Public Administration

10
1.b The IT Self Assessment Project

• Contact with specialists
• Philips (The Netherlands),
• Swisslife (Switzerland),
• Prof. W. van Grembergen (University of Antwerp)
• Keep it simple!
• E-mail two meetings
• Version 1 (August 2003) pilots October 2003
  November 2003
• Version 2 (February 2004) pilot March 2004)
• ITWG (Bern)

11
1.b The IT Self Assessment Project

• The product (Bern, March 2004)
• A tested CobiT-based methodology for IT Self
  Assessment, in terms of
• A way of working steps
• A way of modelling graphs/tables
• A way of supporting spreadsheets
• A way of presenting slide-show
• A way of preparing instructions
• Ready to be used by (and to be improved based on
  experiences of) IT WG members and other SAIs

12
1.b The IT Self Assessment Project

• Key alignment between business and IT

Communicate!
13
Agenda

• 2 Strategic importance of IT for SAIs

14
2 Strategic Importance of IT
15
2 Strategic Importance of IT
16
2 Strategic Importance of IT for SAIs

• Group discussion
• Two questions
• 1 Why is(nt) IT important for SAIs?
• 2 If yes what does that mean?
• Time
• Group formation

17
Plenary discussion

• Topic 1 Why is(nt) IT important for SAIs?

18
Why is(nt) IT important for SAIs?
Auditor (SAI)
Decision makers
1
Auditee
2
Central Government
19
Why is(nt) IT important for SAIs?

• 1. SAI
• Mission, objectives
• Primary processes
• Audit process
• Knowledge exchange
• Secondary processes
• Personnel
• Finance
• IT

20
Why is(nt) IT important for SAIs?
1. SAI
High
Banking
SAI
Information intensity of the product
Cement industry
Oil refinery
Low
High
Low
Information intensity of the process
21
Benefits of IT.. and risks

• Increased productivity
• Improved quality of products (user satisfaction)
• Improved decision-making ability
• Enhanced communication (internal and external)
• Enhanced goodwill of employees
• Risks huge investments, expectations vs.
  reality, vulnerability, system shutdowns, poor
  integration, manage service providers, not enough
  training.

22
Why is(nt) IT important for SAIs?
Auditor (SAI)
Decision makers
1
Auditee
2
Central Government
23
Why is(nt) IT important for SAIs?
2. AUDITEE
24
Why is(nt) IT important for SAIs?
2. AUDITEE

• Has a very high information intensity (process
  and product)
• Any audit involves information (processing) and
  will increasingly involve IT(-auditing)
• Benefits of IT. and risks
• IT-control maturity?

25
Why is(nt) IT important for SAIs?

• CONCLUSION
• IT is important for SAIs because
• Their primary and secondary processes can benefit
  from the application of IT. IT contributes to
  organisational performance. Risks need to be
  managed.
• In their auditing work, SAIs will be increasingly
  faced with IT.

26
Plenary discussion

• Question 2 If IT is important for SAIs what
  should that bring about?

27
If yes what does that mean?
Point of departure
28
If yes what does that mean?

• SAIs should organize their
• IS-function
• IS-function the totality of activities (and
  accompanying resources) that needs to be
  performed to provide for IS

29
If yes what does that mean?

• SAIs should organize their
• IS-function
• IS-audit-function
• IS(-audit)-function the totality of activities
  (and accompanying resources) that needs to be
  performed to provide for IS(-audits)

30
If yes what does that mean?
Organize
SAI
31
Organize the IS-function

• 4 domains
• Planning and organization
• Acquisition and implementation
• Delivery and support
• Monitoring
• Guideline to (re-)determine the level of control
  over IT

32
Organize the IS Audit function
Three design decisions

• Positions pure (specialise) mixed (integrate)?

33
Summary

• IT is important for SAIs due to
• the information intensity of their own processes
  and products
• the importance of IT for their auditees
• That is why SAIs need to
• organize their IS-function performing an IT
  Self-Assessment
• organize their IS-audit-function

34
Agenda

• 2 Strategic importance of IT for SAIs

35
3 Seminar programme
Importance of IT for SAIs
36
Summary

• IT Self Assessment is necessary!