ITWG Newsletter 1/2020
|ISSN 2733-2098 PDF version|
Message of the Chair
The developments of previous months have challenged audit institutions and every auditor individually to set up a new system for exchanging information. The new reality has also forced us to rethink our approach to cooperation with other audit institutions. I believe everyone can imagine that this is a challenging time to take over the chairmanship of an EUROSAI working group as well. Nevertheless, establishing and keeping alive the virtual communication streams with the ITWG members and also with external partners has already brought positive results – we have gained an understanding of the expectations of the members and we see the opportunities that cooperation within EUROSAI and INTOSAI frameworks offers. We hope to be a relevant information provider for our own community and a platform for sharing audit expertise worldwide, a universal source of IT auditing knowledge and best practice. This newsletter is a great indication of the interest our ITWG members are showing towards this group and the values it represents. IT is becoming more and more important in the auditing field and it is great to see how innovative methods are being taken into use even during these critical times. Let us learn from each other and keep the information stream alive – through written or virtual media!
Inside this issue
- Feature story: A common necessity in the heterogenous ITWG
Updates from ITWG members
- EUROPEAN COURT OF AUDITORS: Blockchain for European Union audit
- CYPRUS: Auditing the use of non-competitive procedures in IT procurement
- FINLAND: ICT and digitalization as performance audit targets
- FINLAND: NAOF is accelerating the development of digitalization and data analytics according to its strategy to improve the impact of auditing
- FRANCE: Competent personnel resources in the digital domain within economic and financial ministries
- GERMANY: Auditing IT systems as part of the audit of the annual financial statements
- GERMANY: Implementation of the Online Access Act, case study on the federal digitisation programme
- HUNGARY: Digital transformation experiences
- LITHUANIA: Is cybercrime combated effectively?
- MALTA: ICT across Local Councils
- NETHERLANDS: Audit on algorithms
- NETHERLANDS: Focus on collaborative ICT tools in central government
- NORWAY: Penetration testing as a new tool for SAIs in IT audit?
- NORWAY: Cooperation with African SAIs - The IT Audit Champions Program
- SERBIA: The republic has not yet developed accurate records on real estate at its disposal
- SLOVENIA: Status of IT audit
- TURKEY: Latest IT audit and IT developments at the TCA
News from Secretariat, EUROSAI and INTOSAI
- Upcoming ITWG virtual seminar
- New reports in the CUBE
- Activities of the INTOSAI WGITA
- Cooperation between WGBD and ITWG
- WGISTA and EUROSAI IT Working Group – Collaboration for a Digital Future of SAIs
- GAO invites to contribute to the revision of the WGITA-IDI Handbook on IT Audit
- SIGNALS 2020 Conference
Feature story: A common necessity in the heterogenous ITWG
When I was thinking about a good parallel to taking over the chairmanship of the IT Working Group, the first that came to mind was a 1994 film “Speed”, where the main character had to jump on a speeding bus full of people and take over the wheel. It indeed seems that IT is a speeding bus in the world now and auditors’ community in Europe is in the middle of a digital transformation, having to evaluate the risks behind the technologies their governments are applying. To stay relevant, we have to keep up with the speed of this process.
So what is there for a small NAO of Estonia to put on the plate for this vast community?
EUROPEAN COURT OF AUDITORS: Blockchain for European Union audit
Blockchain technology is relevant for audit. In the near or more distant future, auditors will have to deal with smart contracts executing automatically, with central bank digital currencies (CBDC), with cryptocurrencies and with other digital assets, all of which are based on distributed ledger technologies (DLT). Blockchain-based applications will need to be audited, most probably first by IT auditors. This article is not about auditing blockchain in the future but about its potential use for auditing already now.
CYPRUS: Auditing the use of non-competitive procedures in IT procurement
The national legislation in Cyprus provides Contracting Authorities (CAs) with a selection of procedures for the procurement of goods and services. One of these procedures is the negotiated procedure without prior publication. The selection of this procedure is restricted to exceptional cases, including where, for technical reasons, competition is absent. The Cyprus Audit Office (CAO) is responsible for auditing CAs’ procurement activities on a continuous basis. As part of this task, CAO noticed that an increasing number of subsequent IT contracts were being awarded to the system’s initial provider using the negotiated procedure without prior publication. Due to their high dependency on the provider, the CAs lacked negotiating power which often resulted in significantly increased costs.
In June 2018, CAO initiated a performance audit to assess the use of non-competitive procedures in IT procurement. The audit also reviewed the initial contracts for adequacy, in relation to the expected design life of the system.
FINLAND: ICT and digitalization as performance audit targets
In addition to conventional IT audits, the National Audit Office of Finland (NAOF) also conducts performance audits targeted at ICT and digitalization. In their present form, performance audits with the ICT and digitalization perspective date back to 2006, when the NAOF recruited the first performance auditor specialized in audits of this field. Before this, the NAOF had carried out a few performance audits targeted at IT projects.
The number of personnel at the NAOF has equalled approximately 150 person-years. The maximum number of performance auditors focused on ICT and digitalization-related topics that have been simultaneously employed by the NAOF has been five. Both an applicable doctor's degree and certifications in auditing (e.g. CISA) have been considered assets in the recruitments.
FINLAND: NAOF is accelerating the development of digitalization and data analytics according to its strategy to improve the impact of auditing
The digitalization of societies is proceeding at an ever-increasing pace. The COVID-19 pandemic has highlighted the impact of digital technology on service provision even under exceptional circumstances.
FRANCE: Competent personnel resources in the digital domain within economic and financial ministries
The availability of qualified personnel is one of the major challenges for public administrations to succeed in their public transformation. The French Court of Accounts has carried out a survey, published in the 2020 annual public report, on the resources of personnel with digital skills in the economic and financial ministries (see page 173, report available here: https://www.ccomptes.fr/system/files/2020-02/20200225-RPA-2020-tome-II.pdf). This survey integrates the transformation strategy adopted by the State in April 2019, entitled "TECH.GOUV", and the action plan that followed, one of the challenges of which is to attract talent, and to retain skills.
GERMANY: Auditing IT systems as part of the audit of the annual financial statements
Due to the digitalisation of accounting and payment processes in the federal administration, auditing IT systems has become an essential part of the German SAI’s mandatory audit of federal accounts. To conduct these IT system audits, we utilise a risk-based audit approach related to the International Standards on Auditing (ISA). In Germany, the ISA are transposed into national audit standards by the Institut der Wirtschaftsprüfer e.V. (Institute of Public Auditors in Germany, Incorporated Association – abbr. IDW) and published as IDW Auditing Standards (IDW PS).
GERMANY: Implementation of the Online Access Act, case study on the federal digitisation programme
To better shape digital transformation and address the associated technological challenges and changes that affect everyday life of the citizens, in 2017, the German government adopted legislation to enhance online access to public services. This is the Act to Improve Access to Administrative Services, short title: Online Access Act. Legislation stipulates that by the year 2022, a total of 575 user-focused public services shall go online in Germany. Future public service users expect to manage their needs easily and in a user-friendly way.
The German SAI has selected digital transformation as a focus area for its work. In 2018 and 2019, we studied as to how the Federal Ministry of the Interior, Building and Homeland Affairs (the Ministry) has implemented the law. On the one hand, the Ministry holds sole responsibility for offering federal government services online (federal digitisation programme). On the other hand, the Ministry synchronises service implementation across multiple government levels.
HUNGARY: Digital transformation experiences
We are all living in a continuously changing, transformative environment. While digital transformation of business processes at auditees are progressing at a rocket pace, there is a high uncertainty of what SAIs should do with these and what innovations of digitalization-answers will be successful and needed in a longer term.
LITHUANIA: Is cybercrime combated effectively?
The COVID-19 pandemic has led to ever greater digitisation of the society: use of services, remote work, e-commerce, and financial transactions. Also, the number of possibilities for committing criminal offence in cyberspace have increased.
The scale of cybercrime threats is high and growing, with cyber incidents almost doubling in recent years and the number of people exposed to cybercrime increasing as indicates the audit “Is cybercrime combated effectively” carried out by the National Audit Office of Lithuania (NAOL).
MALTA: ICT across Local Councils
In March 2020, the National Audit Office (NAO) of Malta published an IT audit report regarding ICT across Local Councils (LCs). This IT audit covered various aspects of IT in Local Councils (LCs) across Malta and Gozo. There are 68 elected LCs, spread over six regions each run by the related Regional Council (RC) and supervised by the Local Government Division (LGD). The National Audit Office (NAO) reviewed 15 of the 68 LCs. The IT aspects considered in this audit included IT management, software applications and IT operations.
NETHERLANDS: Audit on algorithms
Why are we auditing algorithms?
The Netherlands Court of Audit is launching an audit into the governments use of algorithms. The impact of algorithms on the way the Government acts and performs is ever increasing, which in turn impacts the public and business. Therefore, it is important for the Netherlands Court of Audit to gain better insights into the types of algorithms used by the Government, for which activities they are being used, their impact on society and how to best assess them.
In line with our strategy, Trust based on Understanding, we will assess independently how the government’s algorithms work in practice and identify areas where improvements can be made. This is the Court’s very first audit of the societal effects of algorithms.
NETHERLANDS: Focus on collaborative ICT tools in central government
Modern employees need more than just access to email and a network drive in order to work from home. Video conferencing, text messaging, online file sharing – hundreds of applications are available to work remotely with colleagues. However, not all of them are suitable for every kind of work. Some cannot guarantee, for instance, that confidential information will remain confidential. We want to know what ICT applications central government is using to facilitate working from home and what the policy is.
Why are we carrying out this investigation?
The corona crisis has shown that the Netherlands has the infrastructure necessary to work en masse from home. Civil servants and politicians are using many kinds of user-friendly, efficient and productivity-boosting ICT applications and services such as WhatsApp, Skype and WeTransfer. Some of these services, however, are being used outside the usual secure and backed-up workspaces.
NORWAY: Penetration testing as a new tool for SAIs in IT audit?
In the last four to five years, penetration testing has become an integral component of the IT security audits that the OAG carries out in the public administration. The penetration tests have exposed serious discrepancies that we have reported both to the audited organisation and in the AG’s annual report to Parliament.
NORWAY: Cooperation with African SAIs - The IT Audit Champions Program
OAG Norway has had a cooperation with the African Organisation of English-speaking Supreme Audit Institutions (AFROSAI-E) for many years. In 2016, the cooperation was expanded to include IT audit. AFROSAI-E had observed significant differences in the area of IT audit between the SAIs in the region. Many SAIs had not yet started conducting IT audits, and only a few had established dedicated IT audit units. The challenges faced by these SAIs included inadequate number of IT auditors and ability to build capabilities to audit critical public information systems.
SERBIA: The republic has not yet developed accurate records on real estate at its disposal
The Republic of Serbia has not yet developed accurate records on the real estate at its disposal, although the Law on Public Property was adopted in 2011. Total of 230,000 real estates were recorded, but estimates on the final number of all types of real estate cannot be determined – that was presented in the Performance Audit Report "Efficiency of the Information System for the Public Property Register" of the State Audit Institution of Serbia (SAI).
SLOVENIA: Status of IT audit
Court of Audit of the Republic of Slovenia has more than 15 years of IT audit experience. In the past, we have audited several large IT projects for which we have mostly adopted a tailored made IT performance audit approach. In most cases we have assessed the efficiency of IT support for important new government initiatives (like eHealth, land register, tax collection) as well as many different large and small areas that need strong IT support (state budget, judiciary system, health insurance, blood transfusion, election commission).
TURKEY: Latest IT audit and IT developments at the TCA
Information systems are powerful tools contributing to the successful fulfilment of an entity’s duties. Lately there have been many IT and IT audit developments at the Turkish Court of Accounts (TCA).
Updates from ITWG members
Upcoming ITWG virtual seminar
On 12 November 2020, the e-Seminar “SAIs and the Digital Turn: Developing IT skills and IT audit capacity” will be held online, hosted by the Secretariat of EUROSAI ITWG. Participants will have a chance to hear the experiences of selected SAIs in developing IT/IT-audit skills of their staff as well as a relevant keynote address and a panel discussion of SAI dignitaries about the strategic perspectives on SAIs’ capacity building in IT.
New reports in the CUBE
Control Space for e-Government Audit project (or the CUBE) is a tool for facilitating audits of e-government and is handled by one of the subgroups of EUROSAI IT Working Group. As an innovation, the CUBE not only compiles reports on e-governance related audits conducted in European countries, but also seeks to provide an overview of all new audit projects in the world.
Activities of the INTOSAI WGITA
The mission of the INTOSAI Working Group on IT Audit (WGITA) is to support INTOSAI community to develop knowledge and skills in the use of IT audits by
- developing standards and guidance,
- facilitating exchange of experiences, best practices and,
- encouraging cooperation among SAIs across INTOSAI Regions.
Cooperation between WGBD and ITWG
Established in December 2016, the INTOSAI Working Group on Big Data (WGBD) aims to determine the opportunities and challenges faced by the Supreme Audit institutions in the era of big data. More importantly, it also promotes the information sharing and experience exchange around big data among the audit institutions in different countries. WGBD has successfully organized three times annual meetings from 2017 to 2019 with the theme of big data audit experience sharing, the role of big data audit in the realization of national sustainable development goals and audit reform under the big data environment.
WGISTA and EUROSAI IT Working Group – Collaboration for a Digital Future of SAIs
It hardly needs an emphasis that technology will shape our lives in significant ways as we are now living in times, because of Covid-19, when every profession is under spotlight of technology readiness. Though not aware of future in precise terms, but INCOSAI 2019 did approve creation of INTOSAI Working Group on Impact of Science and Technology on Auditing (WGISTA) with the understanding that science and technology will impact profession of public sector auditing. And post Covid-19 world will only bear witness to the collective wisdom of INTOSAI community.
GAO invites to contribute to the revision of the WGITA-IDI Handbook on IT Audit
A WGITA project for evaluating the future direction of the INTOSAI WGITA-IDI Handbook on IT Audit is undergoing, led by U.S. GAO. As the project nears its completion, US GAO would like to connect with EUROSAI ITWG members to get their perspectives on the Handbook at a virtual meeting on Wednesday, November 18 at 14:00 UTC. A link to the meeting will be sent via e-mail to all ITWG contacts.
SIGNALS 2020 Conference
The National Audit Office of Lithuania (NAOL) is holding the 4th Conference on Sustainable Development SIGNALS 2020 on 25 November for Lithuanian public sector representatives. SIGNALS 2020 will invite to discuss the importance of data in making vital national decisions, the actions that need to be taken to reduce the impact of climate change, and the role of education in closing the achievement gap and reducing the digital divide.
News from Secretariat, EUROSAI and INTOSAI