Impacts of the self-assessment on the SAIs

1. Impacts of the self-assessment on the SAIs Dainius Jakimavičius Director Information Technology Department

2. Progress of the self-assessment – 18 countries • Bulgaria • Cyprus • Croatia • Czech Republic • Denmark • Finland • France • Germany • Hungary • Lithuania • Norway • Portugal • Russian Federation • Slovenia • Spain • Switzerland • The Netherlands • United Kingdom

3. The most important IT processes PO1Define a strategic IT plan AI3 Acquire and maintain technology infrastructure AI6 Manage changes DS4Ensure continuous service DS5 Ensure system security DS7Educate and train users DS10 Manage problems and incidents M1Monitor the processes P02 Define the information architecture P03 Determine the technological direction P010 Manage projects AI1 Identify automated solutions AI2 Acquire and maintain application SW AI4 Develop and maintain procedures DS11 Manage data P09 Assess risks

4. IT processes with relative high maturity level P0 3 Determine the technological direction AI 2 Acquire and maintain application software AI 3 Acquire and maintain technology infrastructure AI 4 Develop and maintain procedures AI 6 Manage changes DS 5 Ensure system security DS10 Manage problems and incidents DS11 Manage data

5. IT processes with relative low maturity level P01 Define a strategic IT plan P02 Define the information architecture P010 Manage projects P09 Assess risks AI1Identify automated solutions DS4 Ensure continuous service DS7Educate and train users M1 Monitor the processes

6. “He can maintain your house... but to build the new one, he needs a plan and a client!” Michel Huissoud, Presentation at EUROSAI IT WG 3-rd Meeting, Nikosia, 14 February 2005

7. Action Plans - 1 Enforcement of IT-strategy (PO1): alignment between business processes and thefunctional aspects of information systems : Create a proactive IS-strategy or policy, and not just react to IT problems : Improve integration of systems, processes and data between departments

8. Action Plans - 2 Improvement of IT-function organisation (PO4): - Allocate responsibilities for certain parts of the IT function Improve communication between users and IT (i.e. make a user responsible for business processes or IT applications) Focus IT more on solving business problems, less on technological solutions Define functions to be performed by IT personnel and to be performed by users.

9. Action Plans - 2 Improvement of IT-function organisation (PO4): - cf. Defined Process Defined roles and responsibilities for the IT organisation and third parties exist. The IT organisation is developed, documented, communicatedand aligned with the IT strategy. Organisational design and the internal control environment are defined. There is formalisation of relationships with other parties, including steering committees, internal audit and vendor management. The IT organisation is functionally complete; however, IT is still more focused on technological solutions rather than on using technology to solve business problems. There are definitions of the functions to be performed by IT personnel and of those which will be performed by users.

10. Lithuania: Practical example IT Development Strategy (September 2002) • main aspects for IT development until 2006 • oriented more on technological potential, less on business needs Mid-sized office • over 300 working places (230 notebooks - auditors, 80 desktops – administration & audit management) • 6 remote locations (branch offices) • less posibilities for ad-hoc management

11. Objectives Introduce principles (practices ?) of corporate IT governance by integration of the main office processes with IT processes as well as • increase awareness of the main office processes owners consolidating their inputs for IT development • disclose the most important IT processes supporting the main office business processes • set priorities for subsequent actions in the NAO

12. Pilot in Lithuania, October 2003 8 persons in the target group: • 2 from IT • 6 from business Some knowledge on self-assessment, minor knowledge about COBIT Duration: 2 half-days + presentation of the Action Plan to the Auditor General on the 3-rd day

13. Most important IT processes

14. Shortcomings PO1: Indicated Shortcoming: Policy not known, no business planning system AI1: Indicated Shortcoming:No methodology and business requirements DS5: Indicated Shortcoming:No security plan & procedures, no testing

15. Action Plan Actions: • Policy creation, Procedures & Priorities for Allocation of Resources (importance ranking: 10) • Setting up Business Requirements • Introduce Security Policy (including security control procedures)

16. Enforcement -1 Establishment of LT NAO Strategic Management & Risk Management Commission (November 2003). IT Management – among 7 most important risk areas Approval by LT NAO Council Implementation Plan of LT NAO IT Strategy (January 2004): • IT Infrastructure Development • System Policies & Procedures • Business Software • Remote access & direct links to NAO clients

17. Enforcement - 2 Establishment of IT Management Committee(February 2004) - sharing responsibility for IT development with owners of the main processes (auditors) Approval by LT NAO Council of outline of the new LT NAO information system (March 2004) Establishment of WG for elaboration proposals for development of future audit management and documentation system (May 2004). Representatives – mainly from business side

18. Practical Hints Involvement of Head of SAI at the very early stage of self-assessment – demonstrating importance of the issue Mixing auditors & IT professionals – corporate nature of IT management Closing seminar – summing up things to be done Other Added Values Recognition of SAI by ISACA community (locally). Presentation of self-assessment to the ISACA LT Chapter meeting (February 2004) Demonstrating IT awareness to SAI clients