This article first appeared in the Feb/March 2014 edition of Government News.
By David Berkelmans
In recent years Commonwealth Government Agencies have been subjected to increasingly tightened budget positions. Cost-cutting initiatives such as efficiency dividends and the implementation of recommendations from the Gershon Review have required some tough decisions to be made in regard to the way agencies spend money.
With the recent change of government we are likely to see these trends continue. The new Government has committed to reducing the public service by 12,000 people as well as other cost-saving initiatives through the upcoming Commission of Audit. In general terms, the public service houses staff to perform administrative functions.
Of course there are some variances to this, such as the Department of Defence and law enforcement agencies, but in the main, agencies' operating expenses are spent on:
— Staff
— Property Operating Expenses
— Information and Communication Technologies (ICT)
Due to negotiated wage increases in collective agreements, long-term lease arrangements and rising energy costs, it is generally very difficult for Commonwealth Government Agencies to find short-term savings in staff and property operating expenses. As a result, with the budgetary constraints being placed on agencies, it is often ICT that is targeted first as a place to find savings.
There is also increased pressure on ICT departments to assist other areas within the organisation to decrease their costs by providing automated or more efficient processing solutions. Digital solutions have been identified by Government as an effective mechanism to save costs. Engaging the public through websites or mobile applications has been identified as significantly cheaper than traditional modes of communication such as call centres and shop fronts. At Oakton we undertake IT audits across a number of agencies and we have noticed some common issues arising in recent years as a result of cost-cutting exercises.
In general terms we have noticed the following:
— Governance and Assurance type roles no longer in place
— Governance implementation projects stalled or abandoned
— Key contractors disengaged
— ICT staff who are frustrated, fatigued or stressed
The combination of these factors and other general cost-cutting measures has seen some significant issues arise in audits we have done. These have included:
— Scaling back or dramatically weakening disaster recovery and business continuity arrangements
— Manual uncontrolled workarounds being implemented when system issues arise as the issues are too expensive to fix
— The storing or reviewing of audit logs of key transactions not occurring
— The failure to install patch updates
— The non-replacement of out of date and unsupported legacy systems
— The granting of unrestricted system access to users who are performing multiple roles due to short staffing
— Failure to implement previous audit recommendations
— Out-dated documentation and procedures
Increasingly, IT audits have become more difficult to undertake because staff are difficult to get hold of and difficult to engage with because of the constraints they find themselves under.
Technology is also changing. Government agencies are embracing and utilising digital solutions to achieve efficiencies, and ICT areas have been responsible for implementation.
This has included:
— Cloud Data Storage
— Social Media solutions to engage with the public
— Mobile Applications
— Big Data Solutions
This means the technical knowledge an IT auditor requires has also changed. More than ever, IT auditors are required to be adaptable not only to the circumstances that they are auditing but also to the changing technologies. As a result of these factors, our IT auditors have had to re-think their approach to IT audit.
Some of the key things we have focused on when undertaking our audits include:
— Simple risk-based auditing that focuses only on high-risk items and issues; this includes shortening audit reports to ensure they focus only on the major issues
— More focus on the planning process, and abandoning the audit if it is not deemed necessary so the resources can be directed elsewhere
— Having more flexibility in the Annual Audit Program so audit resources can be redirected as and when required to respond to arising risks
— Greater use of pre-developed audit frameworks and programs such as those that have been developed by ISACA
— Utilising subject matter experts within Oakton to assist in audits in which the auditor has limited experience
— A greater focus on performance measurement in our audits, i.e. the processes may work but are they being undertaken in the most efficient manner
— Better-structured recommendations that may not completely address the issues identified but will reduce the risk to an acceptable level.
These changes have meant that we do not necessarily identify all issues when we undertake our IT audits, but they do ensure that the issues of highest risk to management are addressed in a manner that reduces the organisation's risk exposure.
David Berkelmans Consulting Director, Assurance and Risk Management at CISA, Oakton.