What can we do, and how?

What can we  do as a SAI to create an enabling environment?

Obtain the necessary specialist ICT staff to help create the enabling environment

– Could be via contracts with the local private sector, a short-term external donor funded
consultant, or direct recruitment of own staff

– Conduct a benchmarking exercise with peer SAIs – the numbers needed will depend on
the complexity of the systems to be managed

Check out the INTOSAI Capacity Building Committee Guide – Managing Information Communications Technology

Do not forget...

…to identify and budget for the training needed by staff, including how to use the newly acquired equipment and software as well as their responsibilities for security of equipment and data.

Remember

ICT is not always the answer. While computerising audit processes can encourage systematic approaches to audit, SAIs need to have in place consistent audit approaches, as well as standardised toolkits and forms which auditors are expected to use. ICT should enhance effective processes, not automate failed approaches.

Does the SAI have a common system of defining folder structures so that everyone knows how to label documents and where to save them?

Good contracting practices – make sure there are sunset clauses to check prices are still competitive.

Training for staff, embed within induction training for new staff, and keep on training, especially on security.

The SAI’s annual training plan should include opportunities for staff to learn how to operate new equipment, and progressively enhance their skills in using core software.

The on-going costs which need to be built into the SAI budget – insurance, line rentals, replacement equipment, servicing, data.

Deciding on solutions for data storage

 

Choosing storage options

Own your own

Advantages:
▪ You control the security
▪ No need to worry about internet connection (in the same office)

Disadvantages:
▪ Highly technical and not all SAIs can afford to employ the necessary ICT skills
▪ Costly to install and maintain
▪ Bulky
▪ Needs to be in a secure, temperature controlled, area in the SAI
▪ Risk of loss of data in an emergency – flooding, earthquake, civil unrest
▪ Still needs back up off site every day
▪ Limited access right

Storage in the cloud

Only possible if government rules permit. There may be national/local cloud-based storage providers that fulfil the government’s rules, where global providers do not.

Advantages:
▪ Resilience – data unlikely to be lost
▪ Additional data storage, generally easy albeit at a cost
▪ Backed up automatically
▪ Software updates

Disadvantages
▪ You are dependent on the security of the provider and the country where the storage physically occurs
▪ Overall costs may be higher and additional data storage expensive
▪ If you do opt for the cloud, there are ways of improving security:
Systems such as Microsoft One Drive for Business can be made safe with a combination of using strong passwords, two-factor authentication, and made safer still by using such software as Box Cryptor.

Deciding on computers

Consider buying a mixture of computers – some staff may not be handling large files with massive amounts of data – so consider obtaining good work horse computers and just a few top-of-the range ones.

Dongles – usb routers – to access internet when working remotely – not so widely used now but can be helpful. Costs can be managed by agreeing with the provider usage limits. Training should be given to staff on how to manage data consumption.

Flash drives –come with risks because they are easily lost. A larger portable flash or hard drives may be more helpful and can store more data.

Tablet devices – look for up to 10 hours of battery life (manufacturers often exaggerate), at least 2GB Ram, operating systems choice between Google Android, and Apple, get biggest storage size you can, quad core processor higher GBs better screen size 7-8 inch smaller are more portable but if you plan to use them as a work tool then a larger 11 inch one may be more practical.

Points to consider when buying computers

 

Specifications for every-day computers:
-At least – Intel Pentium, Core i3, AMD Ryzen 3, at least 4GB Ram, and a Solid-State Drive (SSD).

Specifications for heavy data users:
– Intel Core i5, i7, AMD Ryzen 5 or 7, 8GB of Ram or more, and a SSD.
– Operating systems – mostly a choice between Windows and MacOS.
(Windows 10 – greater range of specialist software, more choice of laptops. MacBook – for longevity and quality but more expensive. Linux based operating systems (in practice Ubuntu) are low-cost and place lower demands on the computer though less widely used than the other.)

Screen size and weight:
Bigger is not always better – go for 11, 12, or 13 inch display which typically weighs between 1 kg and 1.5kg. However, if weight is not an issue the larger 14 or 15 inch screen computers are often cheaper.  Go for a Full-HD 1,920×1,080-pixel resolution display – it will be sharper and cause less eyestrain.

For everyday use and to save the backs of staff – consider using separate monitors with larger screens which can then be set at people’s eye levels. Be careful about ultra-light computers they may not be robust enough for traveling around the country.

Other considerations:
▪ Camera – usually now built in.
▪ USB ports – useful for back up, presentations, but some SAIs block for security
reasons and to avoid unauthorised transfers of data.
▪ Long battery life – for those which will be taken to remote locations – 24-hour
battery life is ideal. Manufacturers often exaggerate the life of their batteries –
check with local reviews.
▪ Robust case – ideally lockable and able to be locked to something secure.
▪ Warranty After-sales support.
▪ Would you want some apps pre-loaded?

Deciding on software

Issues to consider

FUNCTIONALITY

word processing, spread sheets, email, presentations, data analysis, meetings

INTEROPERABILITY

ability to interact and share data

DELIVERY MODEL

local or cloud, for example – again balance of resilience vs bandwidth
available 

AVAILABILITY

of online help desks and support services

COST

per month and per device

Obtain a multi-user contract with a software provider – e.g. Microsoft Office Business Premium or Standard, or Google Workspace. A free alternative is Libre Office which comes with its own word, spreadsheets and slide programmes. This can be augmented with a free email system such as Mozilla’s Thunderbird.

Anti-virus protection – often comes with office software but an antivirus software which mitigates internet threats is recommended. In many cases the bundled security manager Defender in Windows is good enough. However, it is always important to train staff in “security awareness”. When using Linux there is no need for antivirus software, at least for the moment.

Deciding on smartphone and operator

Decide on the number and type of smart phones and any specific software which should be loaded on the phones.  Do your homework – check out the consumer magazines – though need to see how recently the tests have been done. Choose ones which are well tested and known, do not chase the brightest and newest.

Choosing phones

– Cost – famous brands come with a premium.
– Good battery performance (speed of charging, battery lifetime, spare batteries, and ability to change may be worth considering.
– With android phones, you need at least 3 GB of primary and 32GB of secondary storage.
– Ease of finding and cost of replacing chargers and leads (notoriously liable to be lost or misplaced).
– Good storage capacity.
– Compactness (fit in a pocket), not always need big screen or latest cameras.
– Robustness.
– Warrant.
– Good cover/screen protector – flip covers

Selecting an operator

Select an operator which can provide:

– Best 4 G coverage across the country
– Speed – a minimum acceptable upload and download
– Reliability – how often does it drop out
– Best price for data and for duration of calls
– Specify what is needed from them in terms of SAI network
– Guaranteed levels of service and refund arrangements should the level of service not be
provided
– Ease of payment by the SAI, and cost of additional data and users
– Consider installing fibre optic cable in HQ
– Ensure that the internet bandwidth is 15/15 Mbps
– Security
– Ease of contracting
Consider negotiating with the network provider to create a closed network
o Are the network calls likely to be free calls i.e., staff to staff with a small charge for
external calls to clients and others.

Deciding on audit management software

 

AT FIRST

– Ideally put in place good paper-based audit management system. However implementing an AMS can encourage greate audit consistency.
– Select computerised auditing software which is consistent with this approach.
–  Keep solutions simple and in line with the ICT maturity level of the SAI.
– Consult with peer SAIs that have such software and could help with training.
-When developing solutions, consider change management and keep stakeholders on board.

Decide whether to get an off the shelf audit management package or develop own:

Off the shelf

Advantages:

– Usually tried and tested system – more advanced functionality, more system security incorporated

– Available experiences from SAIs (or organisations) which have used the audit management package

– Usually, such software has better support and online user forums to share experience and respond to FAQs

Disadvantages:

– Difficult or impossible to incorporate SAI specific needs

– Usually tailored more to operating environments of private sector audit

– Usually more expensive in implementation and annual licence fees

In-house developed

Advantage:
– Can add specific SAI needs in the development of audit management
systems

Disadvantages

– SAI may need internal staff to maintain software or continue engaging a
consultant

– Can be time-consuming and costly

– System resilience and security may not be fully developed (or take time to get right)

KEEP IN MIND

Does the audit software operate on a phone or different operating systems or browsers? If staff record documents on their phones, who owns the data, where is it stored, and if the staff member leaves can we be sure the data is wiped? May not be a problem with open domain information, or auditee materials which can be obtained by the public easily but for more privileged material creates a risk.

Consult with peer SAIs that have such  software and could help with training.

MAKING VIDEO CONFERENCING WORK

In recent years, many SAIs have begun to use video conferencing packages such as Teams, Zoom, Google Meet and Blackboard to connect both within a country and especially internationally. Poor internet connections can make this difficult and frustrating, and good lines are rare with less than 2 Mbps download speed.

However, there are many simple techniques which can help to make things better including:

CLOSE OTHER APPLICATIONS

Setting up a large screen and microphones in a training room and inviting interested colleagues to gather round one connection point and turning off internet connections
elsewhere in the office

z

USING SOUND ONLY

Using mobile phone connections

– though this can be expensive

Moving close to the router or other places in the SAI where internet coverage may be better

Listening to the webinar on the premises of other organisations with better internet connections including hotels, international donors, and multi-national companies.

How can we ensure the authenticity of electronic evidence?

 

Increasingly SAIs want to access documents provided by auditees electronically. In doing this SAIs need to be able to guard against tampering and be assured by the auditee that the document is authentic.

Some SAI may need to amend their legislation to accept electronically copied documents.

Procedures need to be agreed with audit clients, staff need to be trained, and internal auditors need to occasionally confirm that the controls are operating as intended.

A digital mailbox can be used to for sending, signing, and certifying information using an Advanced Electronic Signature which comes with a time stamp to assure integrity.

Alternatively, though less secure, auditees can be asked to sign and date stamp copies of key documents and scan them into such software packages as Adobe, or Docusign, or save them into PDFs

(SAI Nepal can photocopy documents on the auditees premises but for key documents will ask the auditee to have the copies signed and date stamped to avoid the risk of future disputes. Documents sent in this way need to have end to end encryption using such apps as: Signal, Spider Oak, pCloud, Resilio or Engimai)

Switch on audit logs (i.e. records of access and amendments to documents) so there is a record of amendments and access. Audit logs should be reviewed regularly and at the appropriate level. This should be done for Audit Management Software and system administration.

How we can make use of better existing internet coverage during webinars?

Some handy tips which may help:

 

• Use headphones to cut out extrinsic noise
• Turn off other programmes to reduce interference
• Turn off other internet connections nearby to reduce the local traffic on the net
• Listen to the webinar on one computer, perhaps in a training room, to reduce the number of access points
• Install generators or solar panels to ensure reliable electric supplies
• Schedule webinars at times when there is lower internet usage in the SAI/country (when typically, is that?)
• Move to the offices of donors or to international hotels where the internet is stronger
• Connect your computer directly to the router using an ethernet cable assuming the router is connected to a broadband cable or fibre optic
• Invest in boosters to enhance the connectivity in rooms some distance from routers
• Always mute when not speaking
• Turn off video links and just rely on sound, especially if you are not presenting
• On sharing webinars, you could cast or share your screen onto a larger modern TV. There are also ‘plugin’ devices for older TVs that allow you to cast a laptop screen to them.
• If the internet coverage is too poor, consider phoning in using Whatsapp or a similar app

How can we maintain contact with staff who are working at home?

 

Use mobile phone tethering at off peak times to send and receive documents and use metered connection when tethering or have limited Wi-Fi

If the SAI has negotiated a closed phone group contract with the service provider, then it is likely that calls in the network i.e., staff to staff, will be free and external calls to clients etc will only incur a small charge

See SAI Uganda case study.

Staff provide own equipment to specifications provided by SAI and then staff receive a contribution towards such costs.

Need to be a clear SAI policy.

SAI will need a to agree level of contribution and arrangements should the phone be lost, or the staff member leave the SAIs

Arrange for the phones to be topped up monthly with an agreed volume of data usage

Ensure staff know how to keep data usage to a minimum

Issue staff with laptops

 

Allow staff to use for a small number of personal calls:

Check if there are any tax implications

Adopt an honesty policy with staff paying the SAI monthly for personal use (with occasional spot checks by SAI Internal Audit)

To work around poor internet cover at home:

Do not expect immediate responses, allow for asynchronous connections
Send key documents overnight when internet usage is low

Create common emails:

If there is no current system of common emails, create a network with common email
addresses (Gmail, Microsoft, Yahoo, or another common email provider)

You may consider setting up a separate email-domain (saicountry.com) on a web-
hotel/hosting provider. May be more cost-effective and give more options

To help staff who have erratic electricity supplies

Contribute to the cost of home generators via perhaps a loan scheme and/or provide extra batteries which can be charged off-peak

Issue staff with smart phone

Consider the following: Preload a prepaid monthly allowance for data use and phone time. Resolve issue of who pays for personal phone usage

How do we ensure our equipment is safe when working from home, or in the field?

Ensure all devices are encrypted – most devices can be bought pre encrypted. Remote storage devices sometimes come encrypted by default. If they do not, commercial file encryption packages can help. Windows also has the ability to encrypt files. There are a range of options here for sensitive materials. You need to be clear on the encryption key (password) though – you are really trying to save the data from a casual thief (so consider a key per audit or similar).

Windows devices are often encrypted by default (you configure the device with Bitlocker on setup Device encryption in Windows 10 (microsoft.com). This is not the case for Windows 10 home.

– Always enable security locks in laptops and phones, i.e. use a password or fingerprint or face-recognition graphics.
– Follow security protocols provided by HQ.
– Keep devices out of sight when travelling on public transport.
Lock the devices away at home when not being used.
– When working on a client’s premises, lock the computer to a secure place and never leave it unlocked on a desk, even if going to the bathroom or for lunch. (Keep devices locked away in a safe in a hotel, or chained to furniture).
–  For sending messages use free cross-platform encrypted messaging service apps e.g Signal.
–  Devices can be wiped remotely when they are registered to an account.
–  Purchase devices which are GPS trackable, for recovery, and make sure it is switched on. (Consider whether it might be more efficient for staff to have the capability to do this so they can turn this feature on when they are in the field as well as having it centrally controlled.)
– Establish clear security and safety protocols for keeping equipment safe, keeping data safe, keeping staff safe, and again keep training.

~

How do we collect audit evidence in the field when clients’ records are paper based?

Use smart phones to photograph auditee document:
(Ensure that the phones indicate the time, date, and location where the documents are photographed. Camera settings should have location tag settings switched on.)

Download an Optical Character Reader (OCR) app on to the phone or tablet and use to convert from JPG to PDF to Excel.  (Camscanner allows iOS and Android devices to be used as image scanners. It allows users to ‘scan’ documents and share the photo as either a JPEG or PDF.)
(Reduce the file size of photos – switch from colour scan to greyscale one and reduce its quality to the least tolerable level.)
(Possible tools for images include: https://sourceforge.net/projects/flexxiimage-resizer/ or https://www.xnview.com/en/ or GIMP https://www.gimp.org/.)

– Ensure that your legislation accepts electronic and/or photographic records as evidence – if not seek to have the law amended.

Issue back up batteries and chargers and use battery operated portable scanners.

Back up audit files on a USB stick, floppy disc or portable hard drives and courier to nearest point with strong internet – a regional government hospital, a regional SAI office or even the SAI head office.

Locate internet or satellite points where audits can be uploaded and shared with audit managers in a SAIs headquarters – may be too expensive in most cases for a SAI to own and/or use.