Impacts of the self- assessment on the SAIs Dainius Jakimavičius Director Information Technology Department

2 Progress of the self- assessment – 18 countries – Bulgaria – Cyprus – Croatia – Czech Republic – Denmark – Finland – France – Germany – Hungary – Lithuania – Norway – Portugal – Russian Federation – Slovenia – Spain – Switzerland – The Netherlands – United Kingdom

3 The most important IT processes PO1Define a strategic IT plan AI3 Acquire and maintain technology infrastructure AI6Manage changes DS4 Ensure continuous service DS5Ensure system security DS7 Educate and train users DS10 Manage problems and incidents M1Monitor the processes P02Define the information architecture P03Determine the technological direction P010Manage projects AI1Identify automated solutions AI2Acquire and maintain application SW AI4Develop and maintain procedures DS11Manage data P09Assess risks

4 IT processes with relative high maturity level P0 3Determine the technological direction AI 2Acquire and maintain application software AI 3 Acquire and maintain technology infrastructure AI 4Develop and maintain procedures AI 6Manage changes DS 5Ensure system security DS10 Manage problems and incidents DS11Manage data

5 IT processes with relative low maturity level P01Define a strategic IT plan P02Define the information architecture P010Manage projects P09Assess risks AI1Identify automated solutions DS4Ensure continuous service DS7Educate and train users M1Monitor the processes

6 “He can maintain your house... but to build the new one, he needs a plan and a client!” Michel Huissoud, Presentation at EUROSAI IT WG 3-rd Meeting, Nikosia, 14 February 2005

7 Action Plans - 1 Enforcement of IT-strategy (PO1): alignment between business processes and the functional aspects of information systems : Create a proactive IS-strategy or policy, and not just react to IT problems : Improve integration of systems, processes and data between departments

8 Action Plans - 2 Improvement of IT-function organisation (PO4): - Allocate responsibilities for certain parts of the IT function Improve communication between users and IT (i.e. make a user responsible for business processes or IT applications) Focus IT more on solving business problems, less on technological solutions Define functions to be performed by IT personnel and to be performed by users.

9 Action Plans - 2 Improvement of IT-function organisation (PO4): - cf. Defined Process Defined roles and responsibilities for the IT organisation and third parties exist. The IT organisation is developed, documented, communicated and aligned with the IT strategy. Organisational design and the internal control environment are defined. There is formalisation of relationships with other parties, including steering committees, internal audit and vendor management. The IT organisation is functionally complete; however, IT is still more focused on technological solutions rather than on using technology to solve business problems. There are definitions of the functions to be performed by IT personnel and of those which will be performed by users.

10 Lithuania: Practical example IT Development Strategy (September 2002) main aspects for IT development until 2006 oriented more on technological potential, less on business needs Mid-sized office over 300 working places (230 notebooks - auditors, 80 desktops – administration & audit management) 6 remote locations (branch offices) less posibilities for ad-hoc management

11 Objectives Introduce principles (practices ?) of corporate IT governance by integration of the main office processes with IT processes as well as increase awareness of the main office processes owners consolidating their inputs for IT development disclose the most important IT processes supporting the main office business processes set priorities for subsequent actions in the NAO

12 Pilot in Lithuania, October persons in the target group: 2 from IT 6 from business Some knowledge on self-assessment, minor knowledge about COBIT Duration: 2 half-days + presentation of the Action Plan to the Auditor General on the 3-rd day

13 Most important IT processes PO1Define a Strategic IT Plan15/18 AI1Identify Automated Solutions14/18 DS5Ensure Systems Security14/18 PO10Manage Projects12/18 AI6Manage Changes12/18 DS4Ensure Continuous Service12/18 DS6Identify and Allocate Costs12/18 M2Assess Internal Control Adequacy12/18

14 Shortcomings PO1: Indicated Shortcoming: Policy not known, no business planning system AI1: Indicated Shortcoming: No methodology and business requirements DS5: Indicated Shortcoming: No security plan & procedures, no testing

15 Action Plan Actions: Policy creation, Procedures & Priorities for Allocation of Resources (importance ranking: 10) Setting up Business Requirements Introduce Security Policy (including security control procedures)

16 Enforcement -1 Establishment of LT NAO Strategic Management & Risk Management Commission (November 2003). IT Management – among 7 most important risk areas Approval by LT NAO Council Implementation Plan of LT NAO IT Strategy (January 2004): IT Infrastructure Development System Policies & Procedures Business Software Remote access & direct links to NAO clients

17 Enforcement - 2 Approval by LT NAO Council of outline of the new LT NAO information system (March 2004 ) Establishment of WG for elaboration proposals for development of future audit management and documentation system (May 2004). Representatives – mainly from business side Establishment of IT Management Committee (February 2004) - sharing responsibility for IT development with owners of the main processes (auditors)

18 Practical Hints Mixing auditors & IT professionals – corporate nature of IT management Closing seminar – summing up things to be done Involvement of Head of SAI at the very early stage of self- assessment – demonstrating importance of the issue Other Added Values Recognition of SAI by ISACA community (locally). Presentation of self-assessment to the ISACA LT Chapter meeting (February 2004) Demonstrating IT awareness to SAI clients