PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019

0 7 / 1 1 / 2 0 1 9 , S K O P J E
SAIS ABILITY TO ADDRESS
TECHNOLOGY OPPORTUNITIES
AND CHALLENGES
Ingrida Kalnina-Junga
SAI Latvia
Head of IT Audit Sector
Ingrida.Kalnina-Junga@lrvk.gov.lv

CONTENT
SAIs challenges in IT field:
IT audit as a component in:
• financial audit
• compliance audit
• performance audit
• IT project performance
• E-government performance
Audit support tools
• Audit management tools
• Data analytic tools
Infrastructure
Challenges and opportunities of
carrying-out performance audits
related to national programmes in
the area of digitalisation, e-
government and cybersecurity.
Challenges to develop auditing
methodology and set up processes,
train auditors in IT field.
Challenges to introduce audit
support tools into SAI everyday
processes and opportunities of large-
scale data analyzing.
Challenges to develop secure
internal IT environment and to ensure
secure data exchange with auditees.

• financial audit
Audit support tools
• Public survey tools
Infrastructure
IT AUDIT AS A COMPONENT

in Financial Audits - to assess the correctness and compliance of
organization`s financial statements. An examination of controls and
business rules adopted in the IS, which are relevant to the capture,
storage, processing and delivery of information for financial reporting.
in Compliance Audits – to evaluate internal controls . IT audit may
consist of an examination of controls and business rules adopted
by the audited entity in the IS, which are designed to ensure
compliance with the prescribed policy and rules.
in Performance Audits - to assess whether the IT systems meet the
needs of the users and do not subject the entity to unnecessary risk.
Audit of IS - the examination of controls related to IT-driven information systems, in
order to identify instances of deviation from criteria, which have been identified
based on the type of audit engagement - i.e. Financial Audit, Compliance Audit or
Performance Audit [GUID, 5100]

Application controls
DATA
General IT controls
Process controls
Management
Strategy and governance
General IT controls - high level
management controls over the IT
function in general. Provide an
umbrella of controls over the
acquisition, implementation and
management of the systems and
technologies.
IT Governance and
Management
Strategy, People and
Resources, Information
Security, Development and
Acquisition, Operations, etc.
Application controls are specific
controls unique to each
computerised application. They
apply to application segments and
relate to the transactions and
existing data.
Input/Process/Output
transacti
ons accounts
Audit
trails
Standing
data

IT AUDIT AS A COMPONENT II
Confidentiality - ensures that only authorized
people can access recourses
Integrity – prevents unauthorized data
modification
Availability – ensures that data are available
when needed
General controls are implemented
using a number of tools such as
policy, guidance and procedures
as well as putting in place an
appropriate management
structure.
Assurance that existing controls are reliable
for:
- IT governance and management (IS
Strategy, IS Security etc.)
- Logical access
- Physical access
- System development
- Change management
- Back-up and recovery

• financial audit
Audit support tools
Infrastructure
PERFORMANCE AUDITS IN IT FIELD

PERFORMANCE AUDITS IN IT FIELD:
RISKS IN IT PROJECTS I
Whether the policy objectives have
been achieved and if this can be
attributed to the policy?
Whether resources have been put to
optimal use? Whether the same or similar
results in terms of quality and time could
have been achieved with less resources?
Whether the cost
of resources used
are minimised?

• Policy planning documents do not set - clear objectives, main tasks and
activities to be carried out, expected results, deadlines, cost
calculations, responsible institutions.
• Policy planning documents are not comprehensive but are prepared
according to available funding – only development of an IS is planned but
not necessary equipment, infrastructure and licenses
• All participating institutions are not identified and all needs are not
recognized. Related systems are not studied prior to development. It leads to
integration problems with existing IS and risk increases that new developed IS
will not support all necessary processes.
• Deadlines are not harmonized - the system is delivered, but the institution
continues state procurement for purchasing the user equipment.
• Work tasks are planned for 1 year and there is no strategic plan for a longer
period. IT plan is isolated from plans and goals of the institution. Users are not
informed about changes.
RISKS IN IT PROJECTS I
Planning
Usage &
Results
• Implementation of IT projects is finalized with development and acceptance,
nor implementation.
• The system is unusable as there are no historical data transferred.
• Usage of the developed IS is not integrated into the institution's work processes.
• User training and IS piloting was not provided.
• Output results are achieved but not outcome.

• Fragmented process digitalization (different automatization level of processes)
• Insufficient data exchange, especially in municipalities
• Investment duplications (institutions create their own payment and
authorization modules nor using already developed tools )
• E-government tools are developed but institutions avoiding using them
• Poor IT project management (postponed implementation, significant changes
after implementation, increasing costs during project)
• Low uptake of digital services (poor planning on value for money)
• Citizens have no access to the developed e-services:
• do not have access to the internet
• do not have sufficient computer literacy
• an access is limited by e-signature which is less popular than ibanking authorization
RISKS IN E-GOVERNMENT PROJECTS

CASE STUDY: HAS PUBLIC ADMINISTRATION USED ALL
OPPORTUNITIES FOR EFFICIENT MANAGEMENT OF IT
INFRASTRUCTURE?
Auditor`s expectations
Auditor`s findings
#http://www.lrvk.gov.lv/en/revizija/ha
s-public-administration-used-all-
opportunities-for-efficient-
management-of-ict-infrastructure
How much does it cost to maintain a data
center?
Aren't we overpaying for maintaining
server rooms?
Are data centers fully loaded?
How much can we save after optimizing the
number of data centers?

• Unified security requirements of IT infrastructure and data
centers are not established for processing information
according to its importance.
• Security threats exist in most server rooms – data centers are
not sufficiently protected from physical access and
environmental risks.
• Important IS are hosted even in low level data centers.
• There are high-level server
rooms available in some
institutions, which are not
used to their full capacity.
• Optimising the number of
server rooms would allow
not only to reduce IT
placement expenses, but
also to provide a sufficient
security level at a lower
cost.
INFRASTRUCTURE? II

INFRASTRUCTURE? II
Security threats exist in most server rooms and for their prevention investments are
required:
Scenario 1 – to improve server rooms containing increased level and integrated
information systems – EUR 247 000 (fireproof doors, diesel generator, two internet
connections, ventilation solutions, etc.);
Scenario 2 – the improvement of all audited server rooms requires investment of at
least EUR 765 000.
Scenario 3 – before to reduce necessary investments we should reduce the number
of data centers and promote more effecient usage of unladen, high level data
centers.
247 th. 800 th. 1.3 m.Relocation
to the
single data
center
of increased
level and
integrated IS
of all ICT
infrastructure
refusing from
outsourcing

• financial audit
Audit support tools
Infrastructure
AUDIT SUPPORT TOOLS

Team
Mate
Latvia, France, Denmark, Estonia, Ireland
MKInsight United Kingdom (since 2012), Sweden,
Georgia, Wales, Northern Ireland
Pentana
Vision
Bulgaria
Sicr Italy
Developed
software
Germany
Czech Rep.
Romania
Albania
Macedonia
AUDIT SUPPORT TOOLS
FOR AUDIT MANAGEMENT
To support the SAI on
the audit processes:
• resource planning;
• utilization of time;
• audit documenting;
• quality assurance;
• recommendation
tracking.
#Bosnia and Herzegovina
Questionnaire on July 2018
15 th.
to 100
th./year
290 th.
to
1.4 M

AUDIT SUPPORT TOOLS
FOR DATA ANALYZING
Understanding of IT impact on the financial statment or subject matter.
Draw conclusions on areas which are affected by IT controls.
Understanding of actions for the purpose whereof IT is being used (entering,
processing, storage, automated conducting of transactions, calculations).
Understanding of data and data source used in calculations - manually
entered data, data from other (internal or external ) data bases.
Understanding of IS participating in the processing of data significant for the
financial statement or subject matter.

AUDIT SUPPORT TOOLS
DATA ANALYZING IN FA
budget
appropriations
expenditures
of the auditee
Budget
planning system
Accounting system
(inventory, fixed assets,
payroll etc.) Analytical
data systems
Billing system
payments
to budget
Analytical
data systems
Employee
register
Document
work flow
system
Enterprise
register
Citizen
register

Review and approval of the plan
Choosing methods to gather audit evidence
Setting the audit criteria
Defining the scope of the audit
Defining the audit objective(s) and audit questions
Understanding what is audited
Assessing auditability What kind of audit evidences
should be obtained to get
answers on audit questions?
Is necessary data processed in
an information system and
available in structured format?
Is data integrity ensured by:
• IT general controls?
• application controls?
• data exchange with an
external register?
Does the data contain sensitive
information about a person or
a company?
How long does it take to get
and to analyze data?
Can we rely on data analyses
results?
AUDIT SUPPORT TOOLS
DATA ANALYZING IN CA&PA

3E
Challenge – money is spend properly and provide value for money.
• Economy means minimising the costs of resources. The resources used should be
available in due time, in and of appropriate quantity and quality and at the best
price.
• Efficiency means getting the most from the available resources. It is concerned
with the relationship between resources employed and outputs delivered in terms
of quantity, quality and timing;
• Effectiveness concerns meeting the objectives set and achieving the intended
results.

AUDIT QUESTIONS AND CRITERIA
criteria1
criteria1
criteria1
criteria1
criteria2
criteria1
criteria1
criteria1
criteria2
criteria2
criteria2
criteria2
criteria2
criteria2
criteria1
criteria2
criteria3
criteria3
criteria4
criteria3
criteria3
criteria3
criteria1
criteria2
criteria3
criteria4
criteria3
Auditee
data
source 1
Auditee
data
source 2
Auditee
Data
source 3
Auditee
data
source 4
Auditee
data
source 5Non-
auditee
data
Non-
auditee
data
Non-
auditee
data
Non-
auditee
data

CASE STUDY: USING DATA ANALYSIS IN A SOCIAL ASSISTANCE AUDIT I
What do regulations define?
Regulations define the requirements for obtaining the status of a poor
and low-income person or family.
Risк 1:
Municipalities have granted status and has paid benefits to persons and
families in which:
• the income per family member exceeds 128.06 EUR per month;
• more than 1 property is in the possession;
• more than 4 vehicles are in the possession;
• a person or member of the family has capital shares in an enterprise or is an
official of the enterprise;
• a person is in custody;
• family member is died.
Risk 2:
A person or family has received simultaneously support from different
local governments.

State Revenue Service Data from the tax
information system on the income of
individuals
State Social Insurance Agency Data about
individuals who received pensions,
unemployment benefits and sickness
money
Rural Support Service Information on
agricultural and rural development
subsidies paid to individuals
State Land Service Land and Real Estate
register on objects owned by individuals
and related transactions
State Vehicle register – owned vehicles
Support Guarantee Fund Budget
payments for children
Information on social
benefits from 119
local governments
CASE STUDY: USING DATA ANALYSIS IN A SOCIAL ASSISTANCE AUDIT II
OBTAINED DATA

The status of a poor or low-income family is determined unreasonably
and social benefits were paid for persons and families in which:
- income per family member exceeded 128.06 euros. There have
been cases where the income per family member was 3,000 euros;
- 23 households owned 5 to 11 vehicles;
- identified such households in the possession of which were even 14
units of real estate;
- 3400 cases when a member of a poor or low-income family seven
owned part of the capital of an enterprise;
- 5470 cases when a poor person has capital shares or is an official
of an enterprise;
- 349 people were in custody;
- calculated benefits were not reviewed in 4334 after the death of a
family member;
- persons received support simultaneously from 2-3 municipalities.
Risk1Risk2
CASE STUDY: USING DATA ANALYSIS IN A SOCIAL ASSISTANCE AUDIT III
CONCLUSIONS

CASE STUDY: AUDIT ON THE ISSUANCE OF BIOMETRIC PASSPORTS II
WORKLOAD INTENSITY ESTIMATION
0
50000
100000
150000
200000
Issued
Passports
Applications
received
Documents
processed
Criteria: Office hours are defined from Monday to
Friday. Are passports issued outside working hours?
Finding: 3685+65 documents were issued on Sa/Sun.
Conclusion: Internal control procedures do not
prevent potential fraud on issuing sensitive
documents.



Finding: Most of the documents were issued in
July (total 157 573), and almost two times less in
November (total 76 456).
Whether the capacity between the units
is in balance? ?

Criteria: Some local units are overloaded and
citizens stand in long lines.
Conclusion: During the year, with a slight change in
the number of employees, the workload of the
Office changes twice, which indicates the ability of
the employees to work much more productively in
certain periods.
Criteria: For the delivery of a passport you within 10
days you need to 28 euros, within 2 days - 56 euros.
Are 10 working days necessary for producing and
delivery of passports?
Finding: In fact, the Office can produce and deliver
passports for issuance on average within 4 days.
Conclusion: Residents do not receive documents as
soon as possible or overpay, because instead of the
stipulated 10 working days, documents are ready for
issuance within 4 days.
CASE STUDY: AUDIT ON THE ISSUANCE OF BIOMETRIC PASSPORTS II
WORKLOAD INTENSITY ESTIMATION

AUDIT SUPPORT TOOLS
PRECONDITIONS FOR DATA ANALYZING
Defined
problem
and clear
criteria
Understan-
ding of the
business
processes,
IS and data
significant
for audit
The
existence
of
structured
data in
electronic
form and
unique ID
Appropriate
IT controls to
ensure data
quality
Capable IT
staff of the
auditee to
prepare
requested
data
Auditee`s capability
The SAI`s
capability
The SAI`s
capability
- to use CAAT
- to support
audit teams
- to ensure
quality
- to ensure
security
- to extend
audit
schedule
(data may be
incomplete,
incorrect,
wrongly
selected)

CENTRALIZED OR DECENTRALIZED
DATA ANALYZING
pros cons
Centralized
data
obtaining and
analyzing
Clear indications on risks an
d areas to be checked.
Auditors may concentrate
on detailed testing.
Auditors may not see overall
picture and assess the impact of
identified errors.
Decentralized
data
obtaining and
analyzing
Each audit team develops
detailed understanding of
processes and data related
to the statement.
Data analysis can be
applied to specific risks.
Different approaches to data
analysis may be used in one SAI,
consequently, overall results may
not be comparable.
• process description for data obtaining, processing and deleting
• secure data delivery from auditee
• ensured limited access to obtained data bases
• documenting on data analysis and results
• the SAI`s register on received data bases
Internal
requirements

AUDIT SUPPORT TOOLS:
GEO SPATIAL DATA ANALYZING
Software, allowing users to analyze spatial information.
Usefull tool:
- to identify overlapping infrastructure objects
- to determine the distance between infrastructure
objects
- to calculate routes
- visualization of information and relationships (over
multiple periods)
- to check spatial data quality in public register
Preconditions:
- data availability in specific format (data transformation)
- specific software and skilled auditors
- the coordinate system used
- metadata
- more powerful hardware

DO WE COVER THESE AREAS?
DO WE HAVE A STRATEGY TO COVER?
Internal challenges
Auditors trained in IT field
IT competence centre
Audit support tools
•Audit management tools
•CAAT
Infrastructure
External challenges
Auditees` full transition to the
digital environment
Development of E-
government
• E-ident ificat ion
•E-signature and E-document
•E-services and State Portal
•E-archiving
•Open data

PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (19)

Similar a PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019

Similar a PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019 (20)

Más de Support for Improvement in Governance and Management SIGMA

Más de Support for Improvement in Governance and Management SIGMA (20)

Último

Último (20)

PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019