This document discusses the audit of e-government projects by the Turkish Court of Accounts. It provides background on the establishment of the Court's IT audit capabilities and the growing number of e-government projects in Turkey. It then describes common reasons for low success rates in e-government projects, such as poor risk management and lack of qualified staff. The document outlines Turkey's 2016-2019 National e-Government Strategy and the Court's role in auditing e-government projects to ensure efficiency, effectiveness, and compliance. It proposes a model for auditing e-government projects across different phases and technical areas.

1. Mehmet TAŞ
Principal Auditor
IT Audit Group
Turkish Court of Accounts - TCA
mtas@sayistay.gov.tr

2.  Establishment of Computer-Assisted Audit Group (1997)
 First IT audit (2002)
 IT audit guideline (2007)
 IT audit training activities (2007 - …)
 Expert support in conducting technical tests (2007 - …)
 Establishment of IT Audit Group (2015)
 Audit of e-Government projects (2017)
1

3. Growing number of e-Government projects
 Transformation of public services to e-Government services by use of ICT
 Modernization and/or integration of e-Government services
2

4. Low success rate in e-Government projects
 Decision making failures
 Project requirements not described with sufficient clarity
 Poor change management
 Poor risk management
 Information security requirements neglected
 Roles and responsibilities not defined clearly
 Lack of qualified staff
 Communication failures with stakeholders & suppliers …
3

5. 2016-2019 National e-Government Strategy and Action Plan
 Action 1.2.2: Ensuring efficiency of audit for e-government projects in public
sector
Responsible Entity: Turkish Court of Accounts
 A model will be created for the audit of e-Government projects
 A guideline will be prepared for the audit of e-Government projects
 Audit of e-Government projects will be generalized in all public agencies and
institutions
4

6.  Examination and evaluation of internal controls
 Necessary for successful completion of e-Government projects
 Within efficiency, effectiveness, confidentiality, integrity, availability,
reliability and compliance criteria
5

7.  Completion
 within defined scope
 within given budget
 at targeted time
 Ensuring
 user-satisfaction with appropriate quality
 information security requirements
 compliance with national policies, entity strategies and relevant legislation
6

8.  Efficiency
 Effectiveness
 Confidentiality
 Integrity
 Availability
 Reliability
 Compliance
7

9.  IT Governance/Management
 Project Management
 System Development and Acquisition
 Outsourcing
 Operation & Maintenance
 Business Continuity & Disaster Recovery Planning
 Information Security
 Application Controls
8

10.  Determine the risks concerning the examined information systems
 Identify the necessary control mechanisms that can minimize these risks
 Check whether these IT controls are established, and if so, whether they are
functioning effectively or not
 Assess the weaknesses in IT controls
 Report the obtained findings according to a certain procedure
9

11.  Determine the type and the phase of the project
 Identify the audit areas to examine
 Determine risks
 Identify the necessary controls
 Check whether these controls are established, and if so, whether they are
functioning effectively or not
 Detect and assess control weaknesses
 Report material control weaknesses
10

12.  Preparation/start
 Realization
 Analysis
 Design
 Development
 Testing
 Integration/deployment
 Service delivery/completion
11

13. 12
Preparation/Start Realization Service Delivery/Completion
PROJECT PHASE
AUDIT/CONTROLAREAS
ITGovernance/
Mangement
- Strategic Planning
- Policies and Procedures
- IT Organization, Roles and Responsibilities
- Human Resources & Training
- Requirement Analysis & Management
- Compliance with Legislation
- Risk Management
- Asset Management
- Information Security Management
ProjectManagement
- Integration Management
- Scope Management
- Time Management
- Cost Management
- Quality Management
- Human Resource Management
- Communications Management
- Risk Management
- Procurement Management
- Stakeholder Management

14. 13
Preparation/Start Realization Service Delivery/Completion
Operation&
Maintenance
- Service Level Management
- Configuration Management
- Incident & Problem Management
- Change Management
- Capacity Management
PROJECT PHASE
AUDIT/CONTROLAREAS
System
Development&
Acquisition
- Policies and Procedures
- Analysis
- Requirements Definition
- Design & Code Development
- Acquisition & Configuration
- Test
- Acceptance & Implementation
- Data Transfer
- Monitoring
Outsourcing
- Procurement/Selection of Supplier - Contract - Examination and Acceptance

15. 14
Preparation/Start Realization Service Delivery/Completion
AUDIT/CONTROLAREAS
Information
Security
- Analysis, Design and Realization of System
Security Requirements
- Analysis, Design and Realization of Application
Access Rights and Controls
- Analysis, Design and Realization of Database
Access Rights and Controls
- Physical and Environmental Security
- Network Management and Security
- Operation Systems Management and Security
- Database Management and Security
- Web & Mobile Application Security
Application
Controls
- Input
- Data Transfer
- Process
- Output
PROJECT PHASE
BusinessContinuity&
DisasterRecovery
Planning
- Business Continuity Policy
- Business Continuity Organization
- Risk Assessment
- Business Impact Analysis
- Business Continuity & Disaster Recovery
Planning
- Testing
- Back-up
- Security
- Outsourcing

16. Thank you for
your attention…
IT Audit Group
Turkish Court of Accounts - TCA