1. Republic of Serbia
State Audit Institution
November 2019
How We Grow
IT Audit
Serbian Experience
Dragan Stojanović
State Auditor for IT
2. Agenda
• Background on SAI Serbia
• Development of IT
• What ‘IT’ will happen quite soon (AMS, IDEA4ALL)
• IT Audit - Part of other types of Audit
• IT Audit - First Stand-alone Report
3. Background on SAI Serbia
• The State Audit Institution is the highest authority for auditing public
funds in the Republic of Serbia.
• It was founded in 2005, by virtue of the Law on the State Audit
Institution. The election of the Members of the Council in 2007 marks the
beginning of the operations of the State Audit Institution.
• Today, the Institution has about 320 employees in total. Of this
number, five are members of the Council, about 285 are in
auditing departments and about 30 in audit support units.
• Organized into 6 sectors: 4 for auditing, one for audit methodology
and quality control and one for audit support, with 5 units
(International Cooperation and PR, General and Legal Affairs, HR,
Finance and Accounting and IT)
4. Our auditees
• Ministries and other State Budget beneficiaries
• Territorial autonomies and local self-governments
• Organizations of mandatory social insurance
• Public Enterprises
• National Bank of Serbia
Currently SAI covers more than 11 000 auditees
Year               2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019
Number of reports     1    10    47   143    66   134   174   184   218   222   242
[Diagram: SAI locations connected over the Internet. Sectors No. 1-4, 86 King Alexander Boul. (Primary Computer Center); Head office, 41 Makezijeva Street (Secondary Computer Center); Novi Sad; Nis; Kragujevac]
5. Development of IT
2010
• IT Unit established
• Shared disk space
2012
• DRIMS SharePoint 2010
2014
• DRIMS Pilot Audit
• BAM software
2015
• Documents.dri.rs
2019
• Upitnik.dri.rs
6. Primary Computer Center
[Network diagram. Components shown: Internet users; outside firewall; DMZ; public FTP server; mail server; web server; production server for any web services; inside firewall; virtualized servers; SQL Server; production SharePoint 2010 server; development SharePoint 2010 server; primary domain controller, DHCP, DNS; data storage and data storage server (FC/iSCSI); wireless AP; multi-functionality devices; users (Windows OS, Office 201x)]
10. What ‘IT’ will happen quite soon
• Improve IS with new AMS based on SharePoint 2019
• IDEA4ALL
11. IT Audit - Part of other types of Audit
• “FINANCIAL and COMPLIANCE AUDIT MANUAL”, the SAI Serbia
guidelines for conducting audits, was approved by the Council of SAI
Serbia in 2015
• section 6.6.1 defines “Understand the IT Control Environment”
• section 7.5 defines “IT Considerations - IS Audit and Assurance
Guideline 2204 Materiality”
• section 8.7 defines “consideration of audit information technology”
• section 11.7 defines “IT considerations”
• Related to these sections, the Manual has as appendices the “IT
complexity assessor” and the “IT Internal control checklist”, two
questionnaire tables which can help auditors to assess the auditee's IT
system and to decide whether an IT audit will be carried out
12. Digital Audit Process
[Diagram: Auditees' accounting information system and auditees' financial statement; data replication from auditees; IT Unit of SAI; ETL; DRI Management System; analysis data for planning process, risk assessment, sampling, etc.; auditor trial financial statement = audit findings; Treasury administration budget execution = audit findings; audit report]
15. IT support in finance audit
When it comes to support in the financial audit, we provide help
to assess the risk
Review of general ledger
• Unbalanced amounts in journal and general ledger
• Double entries into journal
• Missing entries into journal
• Journal entries during weekend
• Journal entries on specific dates
• Journal entries in specific time
• Journal entries in specific period
• Journal entries of large amounts
• Journal entries of round amounts
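An added example, not part of the original slides: several of the general ledger review tests listed above (unbalanced, double, missing, weekend, large and round entries) run over a constructed journal. The column layout, account codes, thresholds and sample values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample journal lines: (entry_no, posting_date, account, debit, credit).
# The column layout is an assumption; map it to the auditee's actual export.
JOURNAL = [
    (1, date(2019, 3, 4), "421100", Decimal("1250.40"), Decimal("0")),
    (1, date(2019, 3, 4), "252100", Decimal("0"), Decimal("1250.40")),
    (2, date(2019, 3, 9), "426100", Decimal("50000.00"), Decimal("0")),   # Saturday, round
    (2, date(2019, 3, 9), "252100", Decimal("0"), Decimal("50000.00")),
    (4, date(2019, 3, 11), "423500", Decimal("980.00"), Decimal("0")),    # entry 3 missing
    (4, date(2019, 3, 11), "252100", Decimal("0"), Decimal("900.00")),    # unbalanced
    (5, date(2019, 3, 12), "421100", Decimal("1250.40"), Decimal("0")),
    (5, date(2019, 3, 12), "421100", Decimal("1250.40"), Decimal("0")),   # double line
    (5, date(2019, 3, 12), "252100", Decimal("0"), Decimal("2500.80")),
]

def review_journal(lines, large=Decimal("10000"), round_to=Decimal("1000")):
    """Return {test name: sorted list of flagged entry numbers}."""
    totals = defaultdict(Decimal)   # debit minus credit per journal entry
    seen = Counter()                # identical lines within the journal
    flags = defaultdict(set)
    for no, day, account, debit, credit in lines:
        amount = debit or credit
        totals[no] += debit - credit
        seen[(no, day, account, debit, credit)] += 1
        if day.weekday() >= 5:                  # 5 = Saturday, 6 = Sunday
            flags["weekend"].add(no)
        if amount >= large:
            flags["large"].add(no)
        if amount and amount % round_to == 0:
            flags["round"].add(no)
    flags["unbalanced"] = {no for no, diff in totals.items() if diff != 0}
    flags["double"] = {key[0] for key, n in seen.items() if n > 1}
    numbers = set(totals)
    # Gaps in the entry number sequence point to missing entries.
    flags["missing"] = set(range(min(numbers), max(numbers) + 1)) - numbers
    names = ("unbalanced", "double", "missing", "weekend", "large", "round")
    return {name: sorted(flags[name]) for name in names}

if __name__ == "__main__":
    for test, entries in review_journal(JOURNAL).items():
        print(f"{test:10} {entries}")
```

Flagged entries are candidates for the auditor's sample, not findings in themselves.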
16. IT support in finance audit
Analytical records - Revenues
• Account date and payment date aging
• Debtors with balance higher than credit limit
• Debtors with total balance higher than credit limit
• Debtors with balance
• Summing up debtors' transactions
• Rounded numbers on specific dates
• Searching for duplicates in fields
17. IT support in finance audit
Analytical records - Expenditures
• Duplicate accounts or payments
• Accounts receivables with debts (advance payments)
• Creditors with total amounts higher than the approved limit
• Debtors with balance higher than the approved limit
• Accounts without order number
• Transactions with rounded amounts on specific date
• Transactions recorded on specific date
• Transactions recorded in specific time
• Accounts payable entered during weekend
• Accounts payable with round numbers
• Searching for duplicates in fields
18. IT support in finance audit
We process the data we have obtained in Excel by creating pivot
tables, which give us the following checks:
• Total expenditures and expenditures for direct and indirect
budget users of the audit entity for each economic
classification at the third level;
• Total expenditures and expenditures by all economic
classifications at the sixth level for each beneficiary of budget
funds
• Individual financial cards, as follows:
- by economic classification on the second, third, fourth and sixth
level,
- by section and by budget positions
19. IT support in finance audit
The slide gives an example of a financial card at the sixth level.
We select items that have a high value, or which are unusual
or crucial.
20. IT support in finance audit
Calculator for materiality
21. IT support in finance audit
After determining the size of the sample, the redistribution of samples by
groups of accounts is carried out within the defined area and by direct and
indirect users of the budget funds of the audited entity.
22. IT support in compliance audit
We check security policies, user access controls and risk
management procedures in terms of the Law on Information
Security, which became effective on 5th February 2016.
This Law includes the following areas:
• IT Management
• Information Security
• Development, Procurement and Outsourcing
• Business Continuity Planning (BCP) / Disaster Recovery
Planning (DRP)
• IT operations
23. Key findings - organizations of mandatory social
insurance
(Pension fund, NHIF, National employment service)
26. Cooperation with other SAI
• We participate in the work of the EUROSAI IT working group
• We participate in the work of the IT subgroup for ITSA / ITASA; in
the first half of 2019 we conducted ITSA with ECA
• We organized two IT workshops in Belgrade, 2015 and 2017
• We worked together with our friends from Montenegro on
their first stand-alone IT audit
• Also, with our friends from Macedonia, we are working on the
development of a new AMS, based on their experiences in
this and with their help
27. 2014 IT Pilot Audit
• The pilot project had three phases:
1. E-learning course – introduction to the WGITA IT Handbook
2. Work on the pre-study report and selecting the audit areas
3. Conduct the IT audit in accordance with the IT Handbook
So, we became pioneers in establishing IT audit in SAI Serbia
28. IT Audit - First Stand-alone Report 2019
The efficiency of the Information System for
the Public X Register
Domains with issues:
• IT governance – Lack of Project Management
• Application control – Integrity DB, poor app. functionality
• Information Security – exaggerated security control