A broader view of internal audit for NSIs - application in Ireland and issues to consider. Keith McSweeney, Central Statistics Office (CSO), Ireland. Q2008 Conference, Rome, 11 July 08.
Transcript
1
Q2008 Conference, Rome, 11July08
A broader view of internal audit for NSIs
- application in Ireland and issues to consider
Keith McSweeney,
Central Statistics Office (CSO),
Ireland
2
Introduction - context for presentation
• Internal Audit - useful for NSIs
• Gap in IT Controls and End-User Computing?
(Diagram: User confidence in data quality - SOX for public corporations, ESS Code of Practice for NSIs)
3
Modern IA - what is it?
• IA development
• TOTALITY OF RISKS that an organisation faces in the achievement of its objectives
• Risk-based auditing
• Reputational risk (particularly important for NSIs)
(Diagram: IA scope - Financial only -> All risks)
4
CSO - our IA/Quality structure
• Risk-based auditing (Corporate Risk Register)
• Q: What other developments are out there in the IA world and what are the implications for NSIs?
(Diagram: Quality & Audit function covering Strategic, Reputational, Operational, Financial and Data quality risks; Private sector / Civil Service)
5
SOX (Sarbanes-Oxley)
• Why SOX? - User Confidence (ENRON, WORLDCOM)
• Auditor independence
• Corporate responsibility
• Internal controls
• Fraud accountability
• White collar crime penalty
• Accounting policies
• Anti-fraud programmes
• IT controls:
Overall control environment
IT control environment
Programme development & change by end-users
Computer operations
Access to systems & data
6
End User computing (EUC) - what risks to NSIs?
• The IT issues to manage are common to all types of systems. More prevalent with EUC? Question to ponder.
Testing / peer review before ‘go live’?
Documentation?
Change & version control?
Access control?
System development done to standard?
Staff trained to set up and maintain systems?
7
Implications for NSIs of End-User Computing
Questions NSIs should answer:
• Scale of EUC issue - what and where
• What controls are in place to manage EUC?
• Testing of systems before ‘go live’?
• Code written to standard?
• Systems documented?
• EUC - may be necessary in some cases but it is still a RISK that needs careful management
8
Implications for ESS Code of Practice
• 2 main inputs to produce results - staff (Principle 7 - Sound Methodology) & IT (where explicitly?)
• No explicit mention that our IT systems need to be to standard
• P12 (Accuracy) “Data…outputs are assessed and validated”
• How can results be validated without reference to the systems used to produce them?
9
Conclusion
• IT systems - critical input for our work
• IT systems need to be to standard
• Can we use the Code of Practice to help drive improvements in this area?
• Need to make explicit what standard we expect our IT systems to be at - implications for any future self-assessment/peer review exercise
10
Where is your organisation regarding IT Systems & Controls?
(Diagram: EUC and Central IT positioned on Flexibility / Standards axes, Positive / Negative - Controls in place?)
11
What do you think? Is it an issue?
12
Thank you
• Thank you for your attention
• Any questions or comments?
• Email: [email protected]