A broader view of internal audit for NSIs - PowerPoint PPT Presentation

Description:

application in Ireland and issues to consider. Keith McSweeney, Central Statistics Office (CSO) ... Any questions or comments? Email: keith.mcsweeney_at_cso.ie ...


Transcript and Presenter's Notes



1
A broader view of internal audit for NSIs
  • - application in Ireland and issues to consider
  • Keith McSweeney,
  • Central Statistics Office (CSO),
  • Ireland
  • Q2008 Conference, Rome, 11 July 08

2
Introduction - context for presentation
  • Internal Audit - useful for NSIs
  • Gap in IT Controls and End-User Computing?

User Confidence in Data quality
SOX
ESS Code of Practice
Public corporations
NSIs
3
Modern IA - what is it?
  • IA development
  • TOTALITY OF RISKS that an organisation faces in
    the achievement of its objectives
  • Risk-based auditing
  • Reputational risk (particularly important for
    NSIs)

All risks
Financial only
4
CSO - our IA/Quality structure
  • Risk-based auditing (Corporate Risk Register)
  • Q: What other developments are out there in the
    IA world and what are the implications for NSIs?

Private sector
Civil Service
Strategic
Reputational
Operational
Financial
Data quality
Quality Audit function
5
SOX (Sarbanes-Oxley)
  • Why SOX? - User Confidence (ENRON, WORLDCOM)

Auditor independence
Corporate responsibility
Internal controls
Fraud accountability
White collar crime penalty
Accounting policies
Anti-fraud programmes
IT controls
Overall control environment
Access to systems data
Programme development change by end-users
Computer operations
IT control environment
6
End User computing (EUC) - what risks to NSIs?
  • The IT issues to manage are common to all types
    of systems. More prevalent with EUC? Question to
    ponder.

Access control?
Testing / peer review before go live?
Staff trained to set up and maintain systems?
Documentation?
System development done to standard?
Change version control?
7
Implications for NSIs of End-User Computing
  • Questions NSIs should answer
  • Scale of EUC issue - what and where
  • What controls are in place to manage EUC?
  • Testing of systems before go live?
  • Code written to standard?
  • Systems documented?
  • EUC - may be necessary in some cases but it is
    still a RISK that needs careful management

8
Implications for ESS Code of Practice
  • 2 main inputs to produce results - staff
    (Principle 7 - Sound Methodology) and IT (where
    explicitly?)
  • No explicit mention that our IT systems need to
    be to standard
  • P12 (Accuracy): Data outputs are assessed and
    validated
  • How can results be validated without reference to
    the systems used to produce them?

9
Conclusion
  • IT systems - critical input for our work
  • IT systems need to be to standard
  • Can we use the Code of Practice to help drive
    improvements in this area?
  • Need to make explicit what standard we expect our
    IT systems to be at - implications for any future
    self-assessment/peer review exercise

10
Where is your organisation regarding IT Systems
Controls?
  • Positive
  • EUC Central IT
  • Negative
  • Controls in place?

Flexibility
Standards
Standards
Flexibility
11
What do you think? Is it an issue?
12
Thank you
  • Thank you for your attention
  • Any questions or comments?
  • Email keith.mcsweeney_at_cso.ie