EUROSAI IT Working Group - 14 October 2004
Swiss federal audit office - Michel Huissoud

Training in Portugal (2)



2 weeks before Workshop

Documentation to study will be provided on CobiT, self-assessment, etc.

The instructor will provide more information, the structure of your business will be discussed and then forms will be filled in

The instructor will consolidate the results and a discussion of the results will follow

An action plan for the future will be prepared together and the exercise will then be evaluated

The results of the workshop are then presented to the top management of the SAI

Post ws

We will focus on the following points:

o Get the right persons!
o Identify the processes!
o Ask the right questions!
o Get a good action plan!
o Use the EXCEL sheet correctly!


Checklist before you start…

o What is the business of the SAI? (read the last annual report)
o Organigram and list of the staff
o General budget and IT budget
o Report of the last peer review (if available)
o IT strategic plan (if available)
o Application portfolio and IT configuration plan
o List of the contracts with IT providers


Get the right person!

Who do you need?

o The CIO?
o The person responsible for international affairs?
o The person responsible for help desk?
o The manager of the external IT providers?
o The cook of the SAI?
o The head of the IT audit?
o The President of the SAI?
o The CFO?
o The head of Human Resources?
o The person responsible for document management?
o The training manager?
o A trainee?
o A new auditor?
o An old auditor?
o An English interpreter?
o …?


Identify the processes by asking about the products

o What is published?
o What kind of documents are signed every day?
o What is presented to Parliament?
  o Annual report
  o Annual program
  o Reports
  o Decisions
  o Judgments
  o Contracts
  o Articles
  o …
o What is paid?
  o Salaries
  o Purchases
  o Fees


First exercise

Use the EXCEL sheet correctly!

o Open the file
o Write a new business process B12 “drink a coffee” in the BVC Form 1
o Write for the participant 8 the note 5 for every maturity level in the consolidation Cobit Form 2
o Have a look at the graphics
o Copy one graphic into a PowerPoint presentation
o Alright?


Second exercise (role-play in Portuland)

Portuland: 650 users in 4 divisions

IT department: 32 people

The users of the SAI Portuland: John (senior auditor), Maria (chief librarian), Markus (audit director), Katrin (junior auditor)

The IT people of the SAI Portuland: Peter (CIO), Daniel (developer), Kevin (help desk)

And two moderators of Deutschugal!


Ask the right questions and be cool…

The 7 participants of the role-play get their own profile, the results of the questionnaires and the description of the IT situation in Portuland. They “just” have to play their role.

The two moderators get only the results of the questionnaire. They try to find a consensus about the results or to understand why the consensus is impossible. They identify the most important problems for the next step (action plan).

The other participants get all the information and give feedback to the moderators at the end of the exercise.

10 minutes preparation (look at your profile, at the results of the questionnaires, see consolidations 1 and 2, etc.)

2 X 10 minutes (moderator I and II) discussion “live”


The psychological profile of each person

the 3 IT people:

Peter: long-term CIO, professional, technocratic, proud of the IT of the SAI, talks a lot

Daniel: developer, a new one, experience of private company, critical

Kevin: help desk, loves the users, emotional, no strategic vision

the 4 users:

John: senior auditor, very good in IT, develops local applications alone

Maria: chief librarian, wants more IT, would prefer a female CIO

Markus: long-term director, always problems with the IT, critical, doesn’t want to be in this workshop, aggressive

Katrin: new auditor, good motivation and ideas but no power


Build your workshop on the strengths


Not on the weaknesses, you are not doing an audit!…


The true situation in the SAI of Portuland

B1 Audit Risk Management: old but good application, not integrated with B2 or B3
B2 Organize the missions: not the same process in the 4 divisions, very good IT solution in the division of John
B3 Analyze the data: different in the 4 divisions, from “nothing” to very good warning systems and expert systems
B4 Test the IT by the IT-Audit: very good but confidential, nobody knows exactly what the IT auditors are doing; not an integrated approach
B5 Report the results to the auditee: Microsoft Office World with good templates and standardized reports; not integrated with B2, B6 and B9
B6 Track the implementation of the recommendations: new and centralized IT solution (with automatic reminder function)
B7 Manage the knowledge: an old project which will perhaps next year be completed
B8 Manage finances and human resources: an ERP (Enterprise Resources Planning) solution, good but Markus has some confidential information about some big mistakes in the interface with the pension fund
B9 Administer and archive the dossiers: there is a concept for record management but all the incoming documents are only available on paper
B10 Publish the results of the audits: good website
B11 Communicate: Microsoft Office Outlook with very good connections, Intranet portal for all users of the SAI


The true situation in the SAI of Portuland

Define a Strategic IT Plan PO1: there is no IT strategy, no strategic committee
Manage the IT investment PO5: there is enough money, each division gets a part of the global budget
Assess risks PO9: no risk analysis
Manage projects PO10: some good and some bad projects, it depends on the project manager
Identify automated solutions AI1: the IT department has no authority, is reactive and gives the users what they want
Install and accredit systems AI5: professional execution, the IT department works well and is reliable
Ensure continuous service DS4: very good concept; emergency power supply
Ensure system security DS5: no problems, just some viruses but not very damaging
Identify and allocate costs DS6: there is a good project to identify the costs of the communications
Educate and train users DS7: some users are very good at IT and frequently follow IT training courses
Assist and advise customers DS8: the help desk is very very good and the users are very happy with Kevin’s team
Manage problems and incidents DS10: good description of the process and good reaction time of the IT department
Assess internal control adequacy M2: nothing is done, no internal controls, no peer review


The most important problems of the SAI of Portuland

o No strategies
o No standardization
o Integrity and accuracy of financial data
o No transparency about costs and benefits of the IT
o Bad knowledge management
o ???


What about the strengths of the SAI of Portuland?

o No major problems in day-to-day business
o Enough money
o Good specialists
o Good experience in some divisions
o Readiness to do a self-assessment!


Third exercise

Get a good action plan!

o 10 minutes to solve the problems of the SAI of Portuland!
o What are the typical measures for these kinds of problems?
o Who should have the responsibility for this action?


Some possible measures

o Introduce a Risk management in the SAI
o Appoint one user responsible for each business process and the corresponding application
o Initialize a Process reengineering to standardize the business processes
o Create (or reactivate) an IT committee to determine the IT strategy, the IT standards and the IT architecture
o Link the help desk and the training of the users (learning organization)
o Carry out an IT audit of the payroll application
o Review some projects
o …


Some bad measures

o Give more money to IT
o Give the user more authority and resources to develop their own applications
o Scan all the documents
o Outsource the IT
o Change the CIO
o Install Team Mate
o …


Questions ?


What we should do now

Make a commitment to organize a self-assessment !

Make a commitment to moderate a self-assessment !


Bulgaria

Cyprus 2005

Czech Rep.

Denmark Norway 2003

Estonia too small

Finland Denmark 2004

France Switzerland 2004

Germany

Hungary Switzerland 2005

Ireland 2005

Lithuania The Netherlands 2003

The Netherlands Switzerland 2005


Norway Denmark 2004

Poland 2005

Portugal Spain 2004

Romania 2005

Russian Fed.

Slovakia

Slovenia Spain 2005

Spain Slovenia 2003

Sweden Norway 2005

Switzerland 2005

United Kingdom KPMG 2004 external