EUROSAI IT Working Group - 14 October 2004 Swiss federal audit office - Michel Huissoud
Training in Portugal (2)
2 weeks before Workshop
Documentation to study will be provided (on CobiT, self-assessment, etc.)
The instructor will provide more information, the structure of your business will be discussed and then forms will be filled in
The instructor will consolidate the results and a discussion of the results will follow
An action plan for the future will be prepared together and the exercise will then be evaluated
The results of the workshop are then presented to the top management of the SAI
Post ws
We will focus on the following points:
o Get the right persons!
o Identify the processes!
o Ask the right questions!
o Get a good action plan!
o Use the EXCEL sheet correctly!
Checklist before you start…
o What is the business of the SAI? (read the last annual report)
o Organigram and list of the staff
o General budget and IT budget
o Report of the last peer review (if available)
o IT strategic plan (if available)
o Application portfolio and IT configuration plan
o List of the contracts with IT providers
Get the right person!
…………Who do you need?
o The CIO?
o The person responsible for international affairs?
o The person responsible for help desk?
o The manager of the external IT providers?
o The cook of the SAI?
o The head of the IT audit?
o The President of the SAI?
o The CFO?
o The head of Human Resources?
o The person responsible for document management?
o The training manager?
o A trainee?
o A new auditor?
o An old auditor?
o An English interpreter?
o …?
Identify the processes by asking about the products
o What is published?
o What kind of documents are signed every day?
o What is presented to Parliament?
Annual report, Annual program, Reports, Decisions, Judgments, Contracts, Articles, …
o What is paid?
Salaries, Purchases, Fees
First exercise
Use the EXCEL sheet correctly!
o Open the file
o Write a new business process B12 “drink a coffee” in the BVC Form 1
o Write for the participant 8 the note 5 for every maturity level in the consolidation Cobit Form 2
o Have a look at the graphics
o Copy one graphic into a PowerPoint presentation
Alright?
Second exercise (role-play in Portuland)
Portuland: 650 users in 4 divisions
IT department: 32 people
The users of the SAI Portuland: John (senior auditor), Maria (chief librarian), Markus (audit director), Katrin (junior auditor)
The IT people of the SAI Portuland: Peter (CIO), Daniel (developer), Kevin (help desk)
And two moderators of Deutschugal!
Ask the right questions and be cool…
The 7 participants of the role-play get their own profile, the results of the questionnaires and the description of the IT situation in Portuland. They “just” have to play their role.
The two moderators get only the results of the questionnaire. They try to find a consensus about the results or to understand why the consensus is impossible. They identify the most important problems for the next step (action plan).
The other participants get all the information and give feedback to the moderators at the end of the exercise.
10 minutes preparation (look at your profile, at the results of the questionnaires, see consolidations 1 and 2, etc.)
2 X 10 minutes (moderator I and II) discussion “live”
The psychological profile of each person
the 3 IT people:
Peter: long-term CIO, professional, technocratic, proud of the IT of the SAI, talks a lot
Daniel: developer, a new one, experience of private company, critical
Kevin: help desk, loves the users, emotional, no strategic vision
the 4 users:
John: Senior auditor, very good in IT, develops local applications alone,
Maria: chief librarian, wants more IT, would prefer a female CIO
Markus: long-term director, always problems with the IT, critical, doesn’t want to be in this workshop, aggressive
Katrin: new auditor, good motivation and ideas but no power
Build your workshop on the strengths
Not on the weaknesses
you are not doing an audit!…
The true situation in the SAI of Portuland
B1 Audit Risk Management: old but good application, not integrated with B2 or B3
B2 Organize the missions: not the same process in the 4 divisions, very good IT solution in the division of John
B3 Analyze the data: different in the 4 divisions, from “nothing” to very good warning systems and expert systems
B4 Test the IT by the IT-Audit: very good but confidential, nobody knows exactly what the IT auditors are doing; not an integrated approach
B5 Report the results to the auditee: Microsoft Office World with good templates and standardized reports; not integrated with B2, B6 and B9
B6 Track the implementation of the recommendations: new and centralized IT solution (with automatic reminder function)
B7 Manage the knowledge: an old project which will perhaps next year be completed
B8 Manage finances and human resources: an ERP (Enterprise Resources Planning) solution, good but Markus has some confidential information about some big mistakes in the interface with the pension fund
B9 Administer and archive the dossiers: there is a concept for record management but all the incoming documents are only available on paper
B10 Publish the results of the audits: good website
B11 Communicate: Microsoft Office Outlook with very good connections, Intranet portal for all users of the SAI
The true situation in the SAI of Portuland
Define a Strategic IT Plan PO1: there is no IT strategy, no strategic committee
Manage the IT investment PO5: there is enough money, each division gets a part of the global budget
Assess risks PO9: no risk analysis
Manage projects PO10: some good and some bad projects, it depends on the project manager
Identify automated solutions AI1: the IT department has no authority, is reactive and gives the users what they want
Install and accredit systems AI5: professional execution, the IT department works well and is reliable
Ensure continuous service DS4: very good concept; emergency power supply
Ensure system security DS5: no problems, just some viruses but not very damaging
Identify and allocate costs DS6: there is a good project to identify the costs of the communications
Educate and train users DS7: some users are very good at IT and frequently follow IT training courses
Assist and advise customers DS8: the help desk is very very good and the users are very happy with Kevin’s team
Manage problems and incidents DS10: good description of the process and good reaction time of the IT department
Assess internal control adequacy M2: nothing is done, no internal controls, no peer review
The most important problems of the SAI of Portuland
o No strategies
o No standardization
o Integrity and accuracy of financial data
o No transparency about costs and benefits of the IT
o Bad knowledge management
o ???
What about the strengths of the SAI of Portuland?
o No major problems in day-to-day business
o Enough money
o Good specialists
o Good experience in some divisions
o Readiness to do a self-assessment!
Third exercise
Get a good action plan!
o 10 minutes to solve the problems of the SAI of Portuland!
o What are the typical measures for these kinds of problems?
o Who should have the responsibility for this action?
Some possible measures
o Introduce a Risk management in the SAI
o Appoint one user responsible for each business process and the corresponding application
o Initialize a Process reengineering to standardize the business processes
o Create (or reactivate) an IT committee to determine the IT strategy, the IT standards and the IT architecture
o Link the help desk and the training of the users (learning organization)
o Carry out an IT audit of the payroll application
o Review some projects
o …
Some bad measures
o Give more money to IT
o Give the user more authority and resources to develop their own applications
o Scan all the documents
o Outsource the IT
o Change the CIO
o Install Team Mate
o …
Questions ?
What we should do now
Make a commitment to organize a self-assessment !
Make a commitment to moderate a self-assessment !
Bulgaria
Cyprus 2005
Czech Rep.
Denmark Norway 2003
Estonia too small
Finland Denmark 2004
France Switzerland 2004
Germany
Hungary Switzerland 2005
Ireland 2005
Lithuania The Netherlands 2003
The Netherlands Switzerland 2005
Norway Denmark 2004
Poland 2005
Portugal Spain 2004
Romania 2005
Russian Fed.
Slovakia
Slovenia Spain 2005
Spain Slovenia 2003
Sweden Norway 2005
Switzerland 2005
United Kingdom KPMG 2004 external