Where are we now
How is poor connectivity affecting us?
i.e. What is the problem?
Poor connectivity makes all external communications difficult, reduces efficiency, and can adversely affect staff morale. If a SAI has limited or poor internet, there are a wide range of activities which it cannot easily do.
These may include:
– Sharing information among auditors when conducting a particular audit.
– Taking advantage of the efficiency of the cloud-based systems.
– Accessing the ICT systems of auditees, especially financial information needed for the audit process.
– Operating efficiently in the field and capturing auditee data which is only available in hard copy when power supplies are erratic.
– Making it difficult to produce audit reports faster.
– Communicating easily with staff who are working at home or away from the capital city.
– Enabling managers to review the quality of audits while staff are in the field.
– Participating in global or regional webinars.
– Benefiting from international e-learning events.
What do we currently have? i.e. Where are we now?
As part of seeking solutions, SAIs need to do a stocktake, identifying clearly where they currently are.
Some of the high-level areas which should be covered includes:
Does the SAI have a clear, costed ICT strategy and plan?
– Where does ICT fit in the overall SAI strategy ?
– Is there a separate ICT Strategy or Annual Plan?
– Has the ICT been costed? Is it in the SAI’s budget submission to Parliament or the Ministry of Finance?
– Does the budget include the cost of training, and the on-going costs of maintenance – including recognising that computers need to be replaced at regular intervals?
– Have you identified the key risks you might face – dependence on key individuals, theft of equipment, and more damagingly theft or loss of data – and have you considered how to manage such risks?
Does the SAI have in place the necessary policies and controls?
– What external policies and legislation on ICT does the SAI need to comply with?
– What policies does the SAI have on keeping ICT information and resources secure?
– Does the SAI have policies on the personal use of SAI equipment?
– What policies does the SAI have relating to remote working and staff using their own equipment?
– Does the SAI have a `buy your own devices’ policy for helping staff purchase their own equipment, including home internet, security, and back-up generators?
– Does the SAI have systems in place to verify compliance with policies, especially regarding information security?
– Does the SAI conduct an annual overall IT audit on the control environment focused on key risk areas?
– Does the SAIs have clear policies and procedures in place when disposing of redundant equipment, e.g. cleaning out data from memories, and even destroying hard drives.
Has the SAI identified the equipment and software it needs?
What is the current state of the SAI’s internet? For example, to be able to hold a video conference download speeds of at least 10 Mbps are needed.
What is the current state of the internet in the country i.e., are there organisations and/or places where connectivity is better and if so, can the SAI’s access those? (See SAI Remote Working image (open in new tab) when internet connectivity is poor).
How many laptops does the SAI have, what does this work out at per staff member, what proportion of these computers are fit for purpose (i.e. can they do the job the SAI needs them to do), and how long can batteries last?
What licensed software does the SAI use? How many of the laptops have access to this software?
Are the laptops networked? If not, how is information shared between computers? E.g., flash drives, or sent via the internet as email attachments? (See Local area network image)
Do staff all use an email with a common address?
What data storage capacity does the SAI have? Is this sufficient based on the SAI’s assessed needs? Can it use the cloud safely; what legislation and/or government guidance exists on the use of the cloud?
How reliable is the electricity supply and, if it is unreliable, does the SAI have back-up generators, solar panels, battery operated equipment, rechargeable power packs?
How many mobile phones does the SAI have per staff member? Do they have sufficient airtime to communicate with colleagues and auditees and data to be able to be used to photograph and transmit documents from the field? Can tethering be used?
Does the SAI have any portable scanners, if so, how many? Does the SAI use tablet computers, if so, how many?
Do SAI staff have access to a help line when they encounter ICT related problems? How is this funded?
When computers, phones and other equipment are obtained, details need to be entered onto an asset register which records clearly who has custody of the particular item. Is someone in administration required to check annually the location of all main items?