intoIT
Issue 26 | May 2008
Why IT projects fail

In this issue
¬ Austria: Country focus (page 4)
¬ Oman: Why Information Systems Projects Fail (page 12)
¬ Jordan: Why IT projects fail (page 18)
¬ Germany: Key issues for relying on External Consultants for Public Sector IT Projects (page 26)
¬ Sweden: Effective IT Governance: How to Get Good, Secure IT Services (page 30)
¬ Slovenia: Audit of IT system of the Tax administration of the Republic of Slovenia (page 36)
¬ Lithuania: Shall be blessed (page 38)
¬ Japan: Audit of Computer Systems used by the Japanese Government (page 42)
¬ China: CNAO’s Pre-audit investigation Guideline for IT Audit (page 46)

Editorial
Steve Doughty

This edition covers a wide range of topics, and includes some further material based on presentations at INTOSAI IT Audit Working Group’s Performance Audit Seminar held in Oman in 2007 on the topic “Why IT Projects Fail”. This is a subject which we all return to time and time again. Despite a huge amount of diagnosis, and lots of guidance on the cure, why do failures still arise, and worse still why do the same problems arise over and over again?

It is interesting to note that, for example in the UK, Government has been computerising since the 1950s. The delivery model was then largely in-house development, but over the years this has moved through in-house but involving external consultants, contracting out, market testing and outsourcing, Private Finance deals, and framework and strategic “partnerships”. But despite all these different delivery models failures still happen. Common words that feature in reports are words like “large, complex, inflexible, lack of user involvement, lack of training…”. Of course, we do not have all the answers, but what we do know is that if best practice is adopted and that a project’s scope is kept at “what we know we can do now” and not allowed to expand, budgets and timescales are realistic etc., the chances of success are significantly higher.
In this, another bumper edition, we have contributions from Austria, China, Germany, Japan, Jordan, Lithuania, Oman, Slovenia and Sweden. We are most grateful for these articles which demonstrate the huge and varied amount of IT audit and related activity going on around the world. Whilst on the subject of credit to our authors, I must apologise to Stephen Kateregga, Assistant Director of Audit, and Ashok Ghosh, Consultant, from the Office of the Auditor General of Uganda. We unfortunately omitted to credit them for their very comprehensive article on their experience of IT Governance in SAIs in Edition 25 of intoIT. So, on behalf of our readers, a big “thank you” to all our contributors. The journal only survives because of your contributions, so please keep them coming. We are particularly keen to include a range of short news items about what is happening in the IT audit world in YOUR country. We are happy to receive these at any time – please email them to [email protected]. We are very much aware of the difficulty in writing in English if that is not your first language, and are very happy to provide help and guidance to make sure that your article gets published to the best advantage. I am looking forward to hearing from you soon (yes, that means you!).

Steve Doughty, Editor

intoIT is the journal of the INTOSAI Working Group on IT Audit. The journal is normally published twice a year, and aims to provide an interesting mix of news, views and comments on the audit of ICT and its use in Supreme Audit Institutions (SAIs). Material in the journal is not copyrighted for members of INTOSAI. Articles from intoIT can be copied freely for distribution within SAIs, reproduced in internal magazines and used on training courses. The Editor welcomes unsolicited articles on relevant topics, preferably accompanied by a photograph and short biography of the author, and short news items for inclusion in future issues.
The views expressed by contributors to this journal are not necessarily those of the editor or publisher. Contributions should be sent to:
The Editor of intoIT
National Audit Office
151 Buckingham Palace Road
London SW1W 9SS
United Kingdom
E-mail: [email protected]
Web site: www.intosaiitaudit.org

Country Focus: Austria

Historical background
First traits of human settlement in Austria can be traced back to the Middle Palaeolithic era (Neanderthal). The most important archaeological evidence of Palaeolithic art was found in Lower Austria (Fanny of Galgenberg near Krems, around 32,000 BC, or Venus of Willendorf, around 25,000 BC). In the Copper, Bronze and Iron Age, people mainly focused on producing widely used raw materials, building trade centres and extensive trade routes. Iron Age culture was dominated by the Celts: the Hallstatt Culture even named the Early Iron Age. From 15 BC onwards, the area of today’s Austria, which then comprised the provinces Noricum, Pannonia and Raetia, officially became part of the Roman Empire with important settlements such as Carnuntum near Vienna (Vindobona), Virunum and Magdalensberg near Klagenfurt.
After the slow decline of the Roman Empire and the confusion of the Migration Period (settlements by Goths, Slavs and Avars) part of today’s territory was included into the Carolingian Empire as marches. The most important example of the art of those times is the Tassilo Chalice at Kremsmünster Abbey (around 780). Already in the 9th century there was an “Ostmark” (Ostarichi), which became the main land of Austria in the 10th century. The first record showing the name Austria dates from 996 where it is written as Ostarrîchi. In 1278, Rudolf I, of the House of Habsburg, secured the Austrian duchies effectively for the House of Habsburg for the next 650 years. The Habsburgs ruled almost constantly as Holy Roman Emperors from the mid 15th century onwards. In addition to the hereditary lands of Lower Austria and Styria, they soon acquired Carinthia, Tyrol and Carniola. Salzburg only became part of Austria in 1816. Since the 15th century, Austria was being threatened by the Ottoman Empire. In 1529 and 1683 the Turks besieged Vienna – although without success. Prince Eugen’s final defeat of the Turks at the end of the 17th century marked the beginning of an unprecedented golden age in Austrian culture. Austria and especially Vienna became the hub of Baroque architecture and painting. Artists such as Fischer von Erlach, Lukas von Hildebrandt and Jacob Prandtauer influenced profane and sacred Baroque architecture in Austria and Central Europe. During their reign, Maria Theresia (1740 to 1780) and her son Joseph I initiated fundamental state reforms (compulsory school attendance, absolute discharge, administrative reforms). Emperor Francis II abdicated as Holy Roman Emperor in 1806 under pressure from Napoleon. Already two years before, in 1804, the Empire of Austria had been founded on the remnant of the Holy Roman Empire and existed until 1867. In the late 18th and early 19th century, the Classical period of Western music flourished in Vienna.
Best-known composers of this time were Joseph Haydn, Wolfgang Amadeus Mozart, Ludwig van Beethoven and Franz Schubert. The Austrian empire of 1804 and the dual monarchy Austria-Hungary (1867 to 1918) were multi-ethnic empires belonging to the German Federation. Like Prussia and Russia, Austria remained an absolutistic state, which was dominated by Minister Metternich’s police. This time of domestic retreat, of “Biedermeier”, bore fruit in painting (Ferdinand Georg Waldmüller), literature (Franz Grillparzer, Johann Nestroy) and music (Franz Schubert). In 1848, the peoples of the monarchy fighting for democracy and independence started the first revolution. They were defeated and Franz Joseph I was enthroned. Military defeats against Italy and Germany weakened the Habsburgs and led to profound political reforms. In the 19th century, Austria was also industrialized. But it was also a period of great cultural achievements. The historical buildings on Ringstrasse in Vienna (opera, parliament, university, etc.) were constructed and the composers Johannes Brahms and Anton Bruckner worked in Vienna along with Johann Strauss and Gustav Mahler. At the beginning of the 20th century Jugendstil art (Otto Wagner) evolved around a group of artists who objected to prevailing conservatism. Representatives of the “Second Viennese School” (Arnold Schönberg, Alban Berg, Anton Webern) set the direction music developed in the 20th century. This period surrounding the downfall and end of the Austrian monarchy was best described in the literary works of Stefan Zweig and Karl Kraus. In the early 20th century Vienna was also a scientific centre. World-renowned researchers in natural sciences (physics, medicine), philosophy or economics worked there at the time. The assassination of Archduke Franz Ferdinand in Sarajevo in 1914 by a Serbian nationalist was the immediate cause for the outbreak of World War I, leading to the downfall and the end of the monarchy.
Emperor Franz Joseph died in 1916 and his successor Karl I had to leave Austria, when the first republic was founded in 1918. In the post war years, hyperinflation shook the young republic of Austria and could only be ended by introducing a new currency. This led to modest economic upswing, but in 1933 one third of the workforce was still unemployed. There was political tension between the opposing parties, which led to turmoil and civil war. Austria’s bad economic state in the 1930s encouraged the occupation by the German Reich in 1938. After World War II, Austria became an independent state again, but was also divided into occupation zones. Only in 1955 did Austria regain full independence by concluding the Austrian State Treaty with the Four Occupying Powers. Austria became a member of the United Nations in 1955, on 1st January 1995 it joined the European Union and in 2002, the EU’s common currency, the Euro, was introduced.

Geographical background
60 per cent of Austria’s territory is located in the Eastern Alps. Therefore, Austria is often referred to as “Alpine Republic” in the media. There are larger plains along the Danube valley, in the Vienna Basin, in southern Styria and Burgenland. Austria’s highest mountain, Grossglockner (3,798 m) is located in the mountain range of Hohe Tauern between Carinthia and Tyrol. The second highest peak is Wildspitze (3,768 m), followed by Grossvenediger (3,674 m). Parts of the alpine region of Carinthia, Tyrol and Salzburg form the national park Hohe Tauern. This protected area comprises about 1,836 sq km. The highest alpine pass is Grossglocknerstrasse with an elevation of 2,504 m at Hochtor, its highest point. Lake Constance and Lake Neusiedl are the largest lakes, parts of both being on Austrian territory. The lakes of Carinthia (lakes Ossiach, Millstatt and Weissensee), the lakes of Salzkammergut (Wolfgangsee and Mondsee) are of special importance for tourism. Natural riverside areas can be found in all of Austria.
The most important rivers are the Danube in Upper and Lower Austria and in Vienna, the Drau in Carinthia, the Inn in Tyrol, the Salzach in Salzburg, the Rhine in Vorarlberg and the Mur and Mürz in Styria. Austria lies in the temperate climate zone with oceanic and continental features. Generally, we talk about Central European transitional climate or alpine climate in the alpine region, where the winters are cooler due to higher elevations.

Economic background
Development of the gross domestic product (nominal):

GDP (billion €)
2004: 237
2005: 245
2006: 258

The indicators for macroeconomic equilibrium (high employment, sufficiently stable currency, securing growth opportunities, foreign trade balance) show the following development as compared to the past years:

Indicator | 2005 | 2006
Growth in GDP (“securing growth opportunities”) | + 2.0% | + 3.3%
Inflation rate (“sufficiently stable currency”) | + 2.3% | + 1.5%
Unemployment rate | + 7.3% | + 6.8%
Unemployment rate according to EUROSTAT | 5.2% | 4.8%
Employed (“high employment”) | + 1.0% | + 1.7%
Balance on current account (absolute) | + €5.16 billion | + €8.22 billion
Balance on current account (in relation to GDP) (“foreign trade balance”) | + 2.1% | + 3.2%
Source: AMS; WIFO; Statistik Austria

Tourism
Tourism is one of the most important business sectors in Austria. 120 million overnight stays were reported in Austria for 2006. They amounted to an income of 13.3 billion Euro from non-resident visitors. The tourism net currency receipts accounted for 5.9 billion Euro. The main reasons for the high income from tourism lie in undisturbed mountain and lake regions, the high number of cultural institutions, good infrastructure, the central position in Europe, modern accommodation and the high training level of staff. Tourism concentrates on three branches:
¬ City tourism concentrates mainly on Vienna and the Länder capitals. Tourists visit Austria the whole year round for cultural trips, adventure holidays or to attend conferences.
¬ Winter tourism is mostly concentrated on the alpine regions. Besides skiing holidays, health trips to the thermal regions get ever more attractive. In glacier regions skiing is possible all year round.
¬ In summer, tourists in Austria prefer active holidays and holidays at the lakes. Active tourists go cycling or paragliding and, ever more frequently, hiking and mountain climbing.
In the past years summer and winter resorts have been transformed to all-year resorts to secure all-year occupancy. More and more tourists stay in better hotels. There is a trend towards shorter holidays, which are booked later as the tourists wait for snow reports in winter and for sunny periods in summer.

Politics
Austria is a democratic republic. Its law emanates from the people. Austria is a federal republic with nine Länder: Burgenland, Carinthia, Lower Austria, Upper Austria, Salzburg, Styria, Tyrol, Vorarlberg and Vienna (federal capital). It has a federal constitution. Since 1955 Austria has been member of the United Nations; in 1995 it joined the European Union. Its currency is the Euro within the framework of economic and monetary union. The federal president is the highest representative of the state. He or she is elected for six years and can be re-elected once. The government consists of the federal chancellor and the ministers. The president nominates the chancellor and the ministers upon suggestion of the chancellor. There are two legislative bodies in Austria. The National Council is the dominant chamber of the Austrian legislation and is elected by the people based on proportional representation. The National Assembly is elected for five years, if the National Council or the federal president and the government do not shorten the legislative term. The number of members of the Federal Council is based on the population of the länder.
The Federal Council has an absolute right of veto, when the competence of the Austrian Länder is limited by constitutional laws. In all other cases it has suspensive veto, which can be reversed by an inertia decision of the National Council.

The Austrian Court of Audit
The Austrian Court of Audit (ACA) is Austria’s independent supreme audit institution and has especially been established for the audit of the federal, länder and local levels of government. In addition to auditing the financial management and consultation services based thereupon – its most important strategic function – it also renders further services with major importance for the good governance of the state and performs special notarial functions. The Austrian Court of Audit audits the accounts and the financial management of the Austrian state for the National Council, the Länder parliaments and the municipal councils.

Some facts about Austria
¬ Inhabitants: 8.3 million
¬ Area: 83,871 sq km – somewhat smaller than the US state of Maine; somewhat smaller than Portugal; about as large as Japan’s second largest island Hokkaido; somewhat smaller than French Guiana.
¬ Religions: 5.9 million Roman Catholics (73.6%); 380,000 Protestants (Augsburg Confession, Helvetic Confession) (4.7%); 340,000 Moslems (4.2%); 180,000 Orthodox (2.2%); 8,140 Israelites; 0.96 million without religious confession
¬ Language: German
¬ Regional languages: Croatian, Slovenian, Hungarian
¬ Recognised: Sign language

As an independent body of the National Council, the Austrian Court of Audit audits all financial operations of the federal government, enterprises in the ownership of the federal government and other legal entities defined by law. The audits of the Austrian Court of Audit are based on the principles of economy, efficiency and effectiveness as well as on the correctness of the accounting and compliance with existing regulations.
When auditing the financial operations of the länder, municipalities and municipal associations, the Austrian Court of Audit acts as independent audit institution of the länder parliaments. It audits the financial management of the respective land, enterprises of the land government in the ownership of a land alone or together with other entities defined by law as well as the financial management of municipalities with at least 20,000 inhabitants (including enterprises the municipality controls). The Austrian Court of Audit also audits the financial management of the social insurance institutions and other legal entities defined by law. Following the audit mandate laid down in the Austrian Constitution, the Austrian Court of Audit is independent of the government and directly reports to legislative assemblies (National Council and länder parliaments). The Austrian Court of Audit reports to the National Council, the länder parliaments and the municipal councils on its activities and individual findings. The reports to the legislative assemblies have to be published after being submitted to the National Council, the respective land parliament or municipal council.

Objectives and mandate

Mandate
The Austrian Court of Audit fulfils its mandate – as laid down in the federal constitution – directly towards the National Council, the Länder parliaments as well as decision-makers in politics, administration and the economy. Even if it acts on a request or motion, the Austrian Court of Audit remains independent and is not bound by any instructions.

Objectives
As its primary objective, the Austrian Court of Audit aims at the most effective use of public funds, i.e. cost reductions on the one hand, and increased benefits from the use of public funds on the other hand. It checks whether public funds are raised and used in a lawful manner, as well as in a cost-efficient, economical and effective way and according to the principles of sustainable development.
Thus the Austrian Court of Audit fulfils its mandate as laid down in the federal constitution, for the optimisation of income and expenditure. This strategic objective is also in line with the Austrian Court of Audit’s aim to increase the efficiency and effectiveness of public auditing.

Organisation of the Austrian Court of Audit
The Austrian Court of Audit is headed by the President, who is elected by the National Council upon proposal of its Main Committee for a single term of office of twelve years. His deputy is the highest-ranking official of the Austrian Court of Audit. The President has the same responsibilities as members of the federal government. He is entitled to participate in the debates of the National Council as well as of its committees and sub-committees dealing with ACA reports, federal financial statements and pertinent sections of the Federal Finance Bill. The Austrian Court of Audit is headed by the President and organised monocratically. The President is responsible for the decisions taken. The new organisation centralises its services in five Directorates-General and 35 specialised departments. To support selective as well as cross-cutting work and audits, related tasks and audit areas have systematically been assigned to the respective Directorate-General.
7 President Cabinet Directorate General 1 Directorate General 2 Directorate General 3 Directorate General 4 Directorate General 5 Department S1-1 Department S2-1 Department S3-1 Department S4-1 Department S5-1 Budget and infrastructure Strategic planning, controlling Editing of reports IT affairs Communication and parliamentary relations Department S1-2 Department S2-2 Department S3-2 Department S4-2 Department S5-2 Education Health International affairs, INTOSAI General Secretariat General legal and economic issues Human resources, administration and development Department S1-3 Department S2-3 Department S3-3 Department S4-3 Department S5-3 Research Hospitals EU financial management Federal financial statements, national budget, survey of public sector incomes Knowledge management Department S1-4 Department S2-4 Department S3-4 Department S4-4 Department S5-4 Science Social affairs Waterway and air transport telecommunications Banking, debt management Federal administration Department S1-5 Department S2-5 Department S3-5 Department S4-5 Department S5-5 Culture, art and media Energy Building and construction Economic affairs, competition Länder administration Department S1-6 Department S2-6 Department S3-6 Department S4-6 Department S5-6 Foreign affairs and defence Comprehensive environmental protection Land transport Labour market affairs Local governments, municipal associations Department S1-7 Department S2-7 Department S3-7 Department S4-7 Department S5-7 Judicial administration and domestic affairs Urban and regional planning Fiscal administration Real estate, property administration Organisation, staffing, IT systems By handwritten letter of 23 December 1761 Empress Maria Theresia establishes the predecessor of the present Court of Audit, the “Accounting Chamber”, assigning it the duty “to scrutinise all accounts and to point out all shortcomings discovered in matters relating to public finance and, in particular, public spending”. 
The Government Audit Act leads to the reorganisation of the supreme audit institution, which is now directly and exclusively accountable to the National Assembly. At the same time the mandate and the authority of the government audit institution are enlarged. Its functions, in particular, include: 1. expressing an opinion with suspensory effect on all important financial matters until a decision is made by the Empress, i.e. exercising the right to preventive control; The Supreme Court of Audit of the monarchy is incorporated into the institutional framework of the newly established Republic. It is answerable to the State Council. 2. making recommendations for improvements to accounting methods; 3. assuming the direction and guidance of all accounting agencies. 1761 8 Staff Units ... 1918 The Court of Audit is now entitled to audit all financial operations of the government as well as government debts. The audit mandate is moreover expanded to foundations, funds, institutions and entities in which the government holds a financial interest. The Court of Audit is charged with verifying compliance of the administration of public funds with existing laws and regulations. It is also tasked with a new field of competence, namely assessing the economic efficiency and expediency of financial operations. 1919 The Federal Constitutional Act of 1 October 1920 dedicates an entire chapter to government audit, thus providing its basic constitutional framework. The Austrian Court of Audit is directly subordinated to the National Council (first chamber of parliament). The President of the Austrian Court of Audit is elected by the National Council upon nomination by the Standing Committee and can be removed from office by resolution of the National Council. 
At the level of the Austrian Länder it is within the discretion of the respective constitutional assemblies to confer upon the Austrian Court of Audit the same audit authority exercised by the Court at the federal level (optional jurisdiction). 1920 ... President of the Austrian Court of Audit and of INTOSAI ¬ Member of the Supervisory Board of ÖBB-Infrastruktur-Betriebs AG (railway infrastructure company) Education ¬ Managing Director of ÖBB-Immobilienmanagement GmbH (real estate management of the Federal Railways) Compulsory school, secondary higher school, A-levels in 1975. Law studies at Vienna University, Austria, graduation in 1981 with a doctoral degree. Professional experience Government administration Different management functions in the federal financial administration (e.g. staffing and general policy matters) and in the provincial administration (e.g. managing function in the cabinet of the province governor of Carinthia). Parliament Executive director of a political group in parliament; responsible for coordinating activities between the government and parliament; promotion of intra-parliamentary cooperation between the representatives of the different political parties; direct cooperation with the federal ministries. 
Private sector Different managing functions in the private sector, e.g.: ¬ Member of the Board of Directors of Eisenbahn-Hochleistungsstrecken AG (railway construction company) ¬ Member of the Board of Directors of ÖBBHolding AG (railway holding company) 1 July 2004: President of the Austrian Court of Audit and Secretary General of the International Organization of Supreme Audit Institutions (INTOSAI) ¬ Professional Standards Committee (PSC) ¬ Subcommittee on Internal Control Standards ¬ Capacity Building Committee (CBC) ¬ Sub-committee 3: Promote best practices and quality assurance through voluntary peer reviews ¬ Working Group on IT Audit ¬ Working Group on Environmental Auditing ¬ Working Group on Privatisation, Economic Regulation and Public-Private Partnerships ¬ Working Group on Programme Evaluation ¬ Working Group on Accountability for and Audit of Disaster-related aid General Secretariat of INTOSAI The General Secretariat is located at the Austrian Court of Audit in Vienna. Under the direction of the Secretary General the tasks of the Secretariat include the management of the accounts of that worldwide umbrella organisation. According to its statutes, INTOSAI consists of the Congress, the Governing Board, the General Secretariat and various committees and working groups. In 1977 the IXth Congress in Lima, Peru, adopted the “Lima Declaration of Guidelines on Auditing Precepts”. In line with INTOSAI’s motto “experientia mutua omnibus prodest” (Shared experience benefits all) the General Secretariat keeps in contact with the more than 180 members in the time between congresses and organises seminars, expert meetings and other events. 
As Secretary General: ¬ ex-officio member of the Finance and Administration Committee ¬ observer in the PSC steering committee ¬ chair of the INTOSAI task force on Communication Strategy founded at the XIXth INCOSAI The provisional constitution provides for a State Court of Audit “to perform the financial audits and monitor the financial operations of the federal and Länder governments, the local authorities in communities with more than 20,000 inhabitants and their enterprises, institutions and other legal entities”. The mandate of the Austrian Court of Audit is transferred to the Court of Audit of the German Reich, which establishes a branch office in Vienna. 1939 ACA is member in the following committees, working groups and task forces: ... 1945 The Fifth Chapter of the Constitution is amended and the new Court of Audit Act is passed. ... 1948 9 The European Commission chose 20 basic public services and worked out an assessment system for the survey. The EU-wide survey resulted in a score for the online sophistication of 75 per cent. Full availability online has reached almost 50 per cent. In both indicators, Austria heads the results in providing eServices for its citizens. 95 per cent of the administrative tasks were available online, 83 per cent could be completed online. Audit principles The Austrian Court of Audit audits the economy, efficiency and effectiveness of the public administration and of public enterprises on the basis of regularity and legality in the interest of sustainable development. After auditing the legality of financial management, regularity is audited. Furthermore, savings potentials are defined for: ¬ efficiency: optimum relation between input and output (target-performancecomparison); Auditing information technology ¬ economy: minimum expense for the task to be performed; ¬ effectiveness: high degree of target achievement; and recommendations are issued. 
E-Government services in the Austrian administration The Austrian administration was ranked top in the EU’s e-government benchmarking exercise of 2006 for “Online Availability of Public Services: How is Europe Progressing1“. Two indicators were used to monitor the eEurope action plan: online sophistication of basic public services available and public services fully available online. These indicators were defined in 2000 and evaluated in 2006. Assessed were the online sophistication of basic public services in the EU member states, in Norway, Iceland and Switzerland. The 5th International Congress of Supreme Audit Institutions (INTOSAI) resolves to set up its permanent international secretariat at the Austrian Court of Audit. 1965 10 ... ACA also performs IT audits. An ACA team deals with essential aspects such as legislature in e-government and its implementation. This team also completes performance audits, which are performed at all levels and in all areas. To cover all aspects of this task, the team consists of technicians and lawyers. IT is an essential element for modernising and optimising the administration. Therefore ACA tries to consult auditees and provide them with information on new technological developments and processes. In general, procurement, technology, accounting and fulfilment of the contracted services are audited in IT projects. Apart from auditing IT implementation projects and new developments, special focus is laid on crosscutting audits of the administrative institutions. ACA compares whether these institutions want to implement similar technological innovations and whether synergy effects can be identified. Essential elements in auditing are fulfilling the functionalities and the scope of available functionalities and infrastructure. ACA stated that today’s technological opportunities lead to functionalities, which are too comprehensive for the users. 
IT audits Health insurance card in Austria; e-card The electronic health insurance card (dubbed “e-card”) is an electronic ID for using medical services from health insurance in Austria; on the reverse side, it incorporates a printed image of the European Health Insurance form. As an additional feature, the e-card may also be used as a Citizen Card after a no-charge certification process. As of January 2006, the e-card replaced the paper-based health-insurance voucher (“Krankenschein”) in Austria. The card holder data are stored and administered centrally in two parallel computing centres and made available online depending on the application and the access rights. Data are transmitted after encryption and signature; the signature is activated without a PIN code when the e-card is inserted in the card reader. The e-card system was designed as an online system and can be expanded for future uses, such as for electronic prescriptions, or patients’ electronic case histories. The Austrian Constitutional Convention proposes to enlarge the scope of responsibilities of the Austrian Court of Audit and to expand its audit authority to encompass municipalities with less than 20,000 inhabitants, stock corporations in which the public sector holds a stake of 25 per cent or more and EU direct aid. A special committee is set up in the National Council to commence preliminary deliberations on the report submitted by the Austrian Constitutional Convention. The deputisation rules regarding the representation of the President are re-drafted. The function of Vice President is abolished. If the President is prevented from discharging his or her duties, the President is to be represented by the most senior civil servant of the Austrian Court of Audit. 1994 ... 2005 Government budgeting NEW Reorganisation of IT–based government budgeting on the basis of managerial standard software was introduced in 1998 and successfully completed in May 2004. 
The central idea of Government budgeting NEW was the appropriation of budget law data on expenditure and income directly to the relevant department in the ministry. Bookkeeping should audit the data and the non-cash performance. By transferring the tasks completed by bookkeeping to the ministry, the number of bookkeepers in the ministries can be halved.

Electronic files in public administration

In public administration, electronic files substitute for paper files and are considered the original files. Each print-out of an electronic file is a copy of the original. In administration the electronic file replaces paper and all related procedures up to filing. Eleven federal ministries and BHAG (the Austrian federal bookkeeping agency) have used an electronic filing system acquired from the same producer in one procurement exercise in January 2005. Only the Ministry of Defence has used its own electronic filing system, since 2002.

Contact: Johann Vilanek ([email protected])

[1] http://ec.europa.eu/information_society/eeurope/i2010/docs/benchmarking/online_availability_2006.pdf

Dr Josef Moser
Dr Moser graduated in 1981 from the University of Vienna with a doctoral degree in Law. After a career in the public service in Carinthia, from 1992 to 2003 he was executive director of a parliamentary group in the Austrian parliament, and from 2002 he was also responsible for coordinating activities between the coalition parties and the federal ministries. Afterwards he held various management functions in the ÖBB (railway company). Since 2004 he has been President of the Austrian Court of Audit and Secretary General of INTOSAI.
OMAN

By Awatif Amin Qassim, Specialist, Information Technology Department, State Audit Institution, Oman ([email protected])

Why information systems projects fail: Guidelines for Successful Projects

Introduction

Information and communication technology (ICT) plays an essential part in our lives and in the way we interact with the external environment. Information systems are one of the ICT elements that shape our daily tasks by adding value and quality to our daily activities. Technologies are emerging fields that change rapidly, and the changes spread around the globe in developed and developing countries alike. Information systems are the core of today's emerging businesses. Billions of dollars are exchanged daily on the basis of automated systems and information technology. It is essential that information system projects are properly scoped and implemented successfully. According to Gheorghiu (2006), a survey showed that around 70-80% of all information technology and information systems projects fail. Despite the best practice and defined procedures and methodology applied in project management, and despite the development and advancement of the project management field, the world is still experiencing failures in implementing information system based projects, especially in developing countries in the Middle East. The importance of information systems is increasing day by day around the globe, but at the same time the failure rate of information systems projects is still high.

Why Systems or Information Technology Projects fail

Different research and studies regarding information systems or information technology project failure show the highest risk factors behind project failure.
The world's statistics always publish failure rates in general, which clearly prove to business and information technology executives that there is failure in IS projects, whatever the rate is for IS or IT projects. The key objective of all the research and studies is information and communications technology awareness, which can reduce or resolve the failure rate of a project by using accurate and professional techniques. Different types of existing survey results published by IT Cortex provide statistical information regarding the rate of failure in IS or IT projects. The existing surveys are:

1. (2001) The Robbins-Gioia survey.
2. (2001) The Conference Board survey.
3. (1997) The KPMG Canada survey.
4. (1995) The Chaos report.
5. (1995) The OASIG survey.

All the IT Cortex statistics generally agree on the following points regarding failure in information systems and information technology projects:
- Unsuccessful IT projects are more likely than successful projects.
- Nearly 20% of IT projects are satisfactory.
- Failure rates are much higher for large IT projects than for small and medium size projects.

Information Systems and Information Technology Project Common Failure Factors

Information systems projects always and everywhere around the globe have a reputation for failure, i.e. being unused, partially used, cancelled, and many other outcomes. Each project differs from another even if it is for the same system, because each project has its own requirements, project management, users, organisation culture, team skills and knowledge, and many other aspects that are linked directly to the organisation and not to the project itself. Different research studies have described and summarised the most common failure factors in IS projects. Most of the results show similar failure factors, but each factor can have a different priority linked to the project and the organisation itself.
Moreover, the project and the organisation always have a strong relationship with each other, which can shape the final outcome of the project in terms of failure or success. According to Dorsey (2000), all the studies done so far on information systems failure or success have highlighted top management support as a critical success factor in any project. Any project without full commitment from top management can collapse at any time during the project life cycle when problems arise. One of the research studies listed risk factors by rank. ComputerWeekly.com joined forces with Oxford University to carry out research into the state of IT project management in the United Kingdom. The research was led by Sauer (2003), fellow for information management at Templeton College, and sponsored by the French Thornton partnership. The aim of the research was to help information technology and business executives create realistic expectations for information technology projects and improve the performance of project management, besides developing the skills required for project management. A ranked list of the most common risk factors was one of the outcomes of the research. Table 1 (below) lists the risk factors by rank. Although there is a high rate of information systems project failure, there are ways of enhancement and areas of improvement. Different books, research and studies give clear improvement factors that can help avoid failure in IS projects. The improvement factors were published after detailed study and investigation of different kinds of IS projects across multiple industries around the globe. The main aim of all the existing improvement factors is to reduce or resolve the failure rate in IS projects. Moreover, they help top management and project managers to use standard best practices and move towards a technology world with minimum risk factors.
One of the research studies has clearly defined improvement factors for information systems projects; Table 2 lists the factors. The CHAOS study, conducted by Johnson et al (2000), has defined a recipe for success, the CHAOS 10. Moreover, they have clearly explained that no project requires all 10 recipe ingredients for success, but the more factors present in a project, the more value is added to the project. Table 3 lists the CHAOS 10 recipe ingredients for success. Each success factor has been weighted according to its influence on the project's success: the higher the success rate, the lower the project risk.

Table 1: Risk ranking (rank and risk)
1. Lack of top management commitment
2. Misunderstanding of scope/objectives/requirements
3. Lack of client/end-user commitment/involvement
4. Changing scope/objectives
5. Poor planning/estimation
6. Inadequate project management
7. Failure to manage end-users' expectations
8. Conflict among stakeholders
9. Change in senior management ownership
10. Lack of adequate change control
11. Shortage of knowledge/skills in the project team
12. Improper definition of roles and responsibilities
13. Artificial deadlines
14. Specification not frozen
15. New or radically business process/task
16. Employment of new technology
17. Poor control against target
18. Number of organisational units involved
19. Lack of effective methodologies
20. Staff turnover
21. Multiple vendors

Table 2: Ranking-wise improvement factors (rank and factor)
A. Greater top management support
B. More commitment from users
C. More power and decision-making authority
D. Greater financial control and flexibility
E. Greater control over staff resources
F. Commitment to requirements and scope once specified
G. More project management training
H. Commitment to a stable project management method
I. Alignment of IT project initiatives to business strategy
J. Greater understanding of project management on the part of top management, project boards and clients
K. Greater realism in setting targets. Several respondents railed against imposed rather than planned targets and deadlines
L. Establishment of a supportive project/programme office

Table 3: CHAOS 10 – Recipe for Success (rank, success factor, weight)
1. Executive support – 18
2. User involvement – 16
3. Experienced project manager – 14
4. Clear business objectives – 12
5. Minimised scope – 10
6. Standard software infrastructure – 8
7. Firm basic requirements – 6
8. Formal methodology – 6
9. Reliable estimates – 5
10. Other criteria – 5

Project Guidelines

The guidelines have been developed by the author after thorough research and investigation into the information systems project failure issue. The aim of the guidelines is to resolve or reduce the project failure rate by following accurate guidelines in small or medium size IS projects. Twenty project guidelines have been developed for the three essential project stages, namely:
1. Prior to selecting a project
2. During the project
3. After the project execution

Table 4: Twenty project summary guidelines (guideline number and guideline)

Before starting the project
1 Analyse the organisation environment using standard tools such as SWOT or PEST
2 Align Business with ICT Strategy
3 Ensure management buy-in
4 Ensure adequate project resources
5 Ensure project team have the required skills and knowledge to run the project
6 Clearly define scope, objectives and requirements
7 Break project down into manageable components
8 Construct the project's product to be flexible and open to future change
9 Make use of previous experience
10 Establish clear criteria for supplier selection
11 Carry out detailed costing and establish a feasible project budget
12 Maintain communication at all levels
13 Boost awareness inside the organisation of the project
14 Adopt a good project management strategy
15 Create risk plan and monitor it
16 Establish timetable to give users enough knowledge to accept new system
17 Establish documentation standards and backup strategy

During the project (repeated guidelines 3, 12 and 13)
3 Ensure management buy-in
12 Communication at all levels is essential
13 Boost awareness inside the organisation of the project

After the project implementation (repeated guidelines 3 and 12)
18 Periodic reviews once project is live
19 Consider ongoing user training
20 Establish a project knowledge base
3 Ensure management buy-in
12 Communication at all levels is essential

In reality it is not necessary for an organisation to follow all the guidelines, but to understand the standard steps which can be followed in an IS project. These guidelines can be used as best practice. Each guideline is developed to keep a project on the right track and minimise risk before, during and after the project. The first and second project stages are the most critical, requiring focus and clear understanding not only from the project manager but, more importantly, from top management. Top management support is essential at all stages of a project: before, during and after implementation. Finally, the guidelines are not developed exclusively for information systems specialists, project managers and technical people. Their aim is to cover and help the entire range, from top management through to the ordinary users in an organisation. The whole plan is to understand what is required for a successful information systems project. Table 4 lists the twenty project guidelines in summary for all three stages: before, during and after project implementation. Guidelines 3, 12 and 13 are repeated at more than one stage.

Messages from leaders and professionals regarding the article

The culture 50 years ago in the world was totally different from that of today, which means it is still changing. So we have to keep abreast of the changes and receive what is best from the culture but at the same time refrain from what is not useful.
The most important thing is that we have to follow a new culture, the culture of technology and information. H.M. Qaboos Bin Said (2007)

"Information technology is not a magic formula that is going to solve all our problems. But it is a powerful force that can and must be harnessed to our global mission of peace and development." Kofi Annan (2003)

Awatif Amin Qassim
Awatif is a Specialist in the Information Technology Department at the State Audit Institution, Sultanate of Oman. She studied for her MSc in Information Systems at Kingston University, London.

JORDAN

Why IT projects fail

Research continually shows that many information technology (IT) projects all over the world have difficulties with completion on time, on budget or on scope. In fact many are cancelled before completion or never implemented. Project success is affected by many factors such as the project team, suppliers, customers and stakeholders; the truth is that any of them can be a source of failure. There are many different reasons for the failure of IT projects, but the most common reasons are rooted in the project management process itself. This paper covers the key reasons for IT project failures.

IT projects fail when they do not meet one or more of the following criteria for success:
- delivered on time,
- on or under budget,
- satisfies user requirements.

Only a few projects achieve all three. So what are the key factors for IT project failure? Organisations and individuals have studied a number of projects, successful as well as failed ones, and some common factors emerged. A number of these factors are involved in any particular project failure, and they interact with each other.
Here, then, are some of the most important reasons for failure.

Lack of a project methodology

The project methodology or project lifecycle describes the approach that will be taken to carry out a project. Lack of a project methodology forces the project manager to make on-the-fly decisions, based more on gut reactions than on factual and objective analysis. Projects should follow a well thought-out route to avoid going in circles, getting lost and hitting countless roadblocks. Taking an unstructured approach is a risk that leads to unstable results, because things rarely fall into place by themselves. Methodologies vary greatly from project to project, taking into account environmental factors and project specifics. And, of course, the methodology is relative to the size and complexity of the project: the bigger the project, the more important it is to have a methodology. But regardless of size, every project methodology must address three core issues: planning, development and implementation. By following a pre-defined set of guidelines and a migration path, you have something concrete to refer to and measure progress against.

Poor planning

Planning is one of the key factors affecting the success of any project, because "Fail to plan is a plan to fail". The project manager should pay a lot of attention to this area and give it enough time and effort regardless of time pressure. They should be aware of the bad results that follow when a project plan is non-existent, out of date, incomplete or just poorly constructed. To plan a project is to set the foundation for project work by defining the tasks to be accomplished, and the time, resources, staffing, communication and costs involved in completing these tasks. The quality of a detailed plan of work depends on the project manager's technical expertise.
Lack of such expertise will lead to a much more generalised plan; in this case the project should have a technical leader whose responsibility it is to cooperate with the project manager to make detailed plans. A successful project needs:

Risk plans

Every IT project involves some degree of risk. Not doing an explicit risk assessment is one of the major problems with project planning. Projects that do not have a plan for handling risks can be hit by sudden unexpected events and faced with unachievable schedules and deliverables. They can end up losing the client, and this is why an adequate risk plan is so important. Risk management has become a major issue, especially as projects get bigger. Success here means creating a plan to assess the risks: the 'which', the 'what' and the 'why' of each risk identified and planned for.

Quality assurance plans

Projects must develop a QA plan as part of the overall project plan to explain the planning, implementation and assessment procedures they will put in place to ensure that project outputs comply with business standards and best practice, as well as any specific quality assurance and quality control activities. A QA plan integrates all the technical and quality aspects of the project in order to provide a "blueprint" for obtaining the type and quality of environmental data and information needed for a specific decision or use. The project's QA plan should cover the issues listed in Figure 1. When deliverables are supplied, the project should also provide documentation describing the QA tests performed and evidence of compliance. The more detailed the planning, the higher the chances of success, because each and every activity expected down the line gets due attention.
Not only should this pre-planning be well documented, but even after the project has taken off, if things do not pan out exactly as planned, the project manager should not hesitate to re-plan, avoiding project management failure, and readily incorporate the changed circumstances in the new version of the plan, so that future events are controlled.

Figure 1: Issues in a QA plan
- Fitness for purpose. Deliverables should be fit for purpose. For example, projects should be internally consistent, up to standard, free of bugs and perform well. This does not necessarily mean perfection, but fitness for purpose consistent with the level of funding and project resources.
- Best practice for processes. Projects should follow best practice for creating their deliverables, e.g. technical design and architecture, programming, web sites and data capture. This should include processes, workflow, tools, equipment and methods.
- Adherence to specifications. Projects will be asked to develop their own specifications. These might include requirements specifications, functional specifications and/or technical specifications. Once specifications are agreed, deliverables must conform to them.
- Adherence to standards. Projects must ensure that their deliverables conform to company standards for content, metadata, interoperability, terminology, learning and linking.
- Accessibility legislation. Business systems should be accessible to a diverse range of users. To achieve this, we advise that all resources meet good practice standards and guidelines pertaining to the media in which they are produced.

Project plans should consider the cost, resources and requirements needed to succeed. These plans should be timed so that there is a monthly plan, a weekly plan and a daily task schedule, so that everyone can follow the progress of the project step by step.
Poorly defined project scope – unclear goals and objectives

A project manager should understand the compromise between what they want to accomplish and what they are actually able to deliver. When goals exceed the ability to deliver timely results, the project will surely fail. Successful projects always have a well-defined scope that states realistic goals and attainable objectives, establishes clear milestones, defines benefits and deliverables, and provides for regular technical reviews and measurements. In this way you can ensure that the project is visible to all parties, including senior management and clients. The scope should be clearly defined as part of the project definition. Much of the work at that time is directed at agreeing the optimum definition of the project, both in terms of its deliverables and in terms of how it will operate. This scope definition forms the baseline against which potential changes are assessed and against which the project's performance is measured. The concept of a well-defined scope is affected by many factors. For example, the goal of the project may be only partially clear because of poor requirements gathering in the definition stage of the project, or goals and objectives might be unclear because project users lack the experience to describe what they really require.

Project problems start with the three most common scope mistakes:
- Overrunning initial cost estimates.
- Over- or underestimating the project schedule. This is a double-edged sword: setting a generous timeframe runs the risk of the project becoming obsolete by the time it is completed, but setting a tight timeframe in relation to the amount of work required will put a strain on personnel.
- Miscalculating the work-to-personnel ratio.
Vague requirements, poor user input, lack of user involvement

Lack of user involvement will cause a great deal of resentment among the corporate user community; projects may be seen as something forced upon them by developers who only want to test out their new toys. It should not be forgotten that projects are built to support end users, not developers. Requirements need to be worked out on both sides, because there is a symbiotic relationship between users and developers:
- Users, who know the business processes best, need to express their requirements clearly and provide feedback on each project deliverable.
- Developers, who know what technology can be used to put those business processes in place, need to ask the right questions and not make assumptions about what they think the users mean.

Nothing kills projects faster than giving users something they did not ask for and then pretending they did. IT teams may be given a vague and informal set of requirements, and they, in turn, may not bother to consult users or ask any questions; as a result they build what they believe is needed, not what users need.

Scope creep, objective and requirements changes during the project

IT projects suffer from two classic problems in project management: scope creep and feature creep. Scope creep refers to uncontrolled and unexpected changes in user expectations and requirements as a project progresses, while feature creep refers to the uncontrolled addition of features to a system based on the incorrect assumption that one small feature will add nothing to cost or time. The project manager should understand project trade-offs and make the right decisions about resources, features and time schedule even when the requirements change. They should be aware of the risks of change and the risks of not changing, and should be able to balance these risks before deciding what to do.
One obvious solution is to establish a reasonably stable requirements baseline before any other work goes forward. But even when this is done, requirements may still continue to creep. No one can design a process that assumes requirements are stable. In virtually all projects, there will be some degree of learning what the requirements really are while building the project. Projects could be headed for trouble if architectures and processes are not change-friendly, or if there are poorly established guidelines that determine how and when requirements can be added, removed and implemented, and who will bear the cost of the changes. On the other hand, if you build a project from small, iterative phases instead of mammoth, serial deliverables, you will deliver more quickly, leaving less chance for change to overtake the work and less risk of large project failure.

Another recommended solution for scope creep is a change control process. Change control involves a combination of procedures, responsibilities and systems. The key to success is to have a well-controlled but efficient process. Define and agree:
- on what basis changes should be approved,
- who does what,
- the membership of the change control board(s),
- the detailed procedures, forms etc.,
- protocols for levels of authority, e.g. what types of change can be approved without reference to the project's business owners,
- linkage to other management procedures, e.g. the issue management process and configuration management,
- which tools will be used to support and manage the process,
- how to communicate and promote the process and its importance to all participants.

Figure 2: Example scope and change control process. Swimlanes: Participants, Project Office, External suppliers, Steering committee. Steps: Identify; Capture; Review, assess; Assign for review; Propose action; Contract revision; Approve for action; Assign for action; Action; Review action; Agree closure.
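The Figure 2 process as a guarded state machine, written as an added example (it is not code from the article). The three approval routes (Project Manager for a minor in-scope change; review with the external supplier, and Steering Committee approval if that produces a contract revision; Steering Committee for any change of scope) follow the figure, while the lane that performs capture, assignment and closure, and all names and identifiers, are assumptions:

```python
"""Change-request workflow modelled on the Figure 2 process (added example).
Routing rules follow the figure; which lane captures, assigns and closes a
request, and every name below, are assumptions made for the illustration."""
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    CAPTURED = auto()         # logged by the Project Office
    UNDER_REVIEW = auto()     # assigned to a Project Team member
    CONTRACT_REVIEW = auto()  # being reviewed with the external supplier
    PROPOSED = auto()         # review done, action recommended
    APPROVED = auto()
    REJECTED = auto()
    IN_ACTION = auto()
    CLOSED = auto()


class Role(Enum):
    PARTICIPANT = auto()
    PROJECT_OFFICE = auto()
    PROJECT_TEAM = auto()
    EXTERNAL_SUPPLIER = auto()
    PROJECT_MANAGER = auto()
    STEERING_COMMITTEE = auto()


class WorkflowError(Exception):
    """An out-of-order step, or an actor without the authority for it."""


@dataclass
class ChangeRequest:
    cr_id: str
    raised_by: str
    description: str
    changes_scope: bool = False      # recorded at capture
    affects_supplier: bool = False   # recorded at capture
    contract_revision: bool = False  # set by the supplier during contract review
    state: State = State.CAPTURED
    trail: list = field(default_factory=list)  # (from, to, actor, role, event)


def approval_authority(cr: ChangeRequest) -> Role:
    """Levels of authority: changes of scope and contract revisions need the
    Steering Committee; a minor change within scope is the Project Manager's call."""
    if cr.changes_scope or cr.contract_revision:
        return Role.STEERING_COMMITTEE
    return Role.PROJECT_MANAGER


def _step(cr, actor, role, allowed, from_states, to_state, event):
    """One guarded transition. Accepted and refused steps both go to the trail,
    so the record an auditor reads shows who tried to bypass the process."""
    problem = None
    if cr.state not in from_states:
        problem = f"'{event}' not allowed from {cr.state.name}"
    elif role not in allowed:
        problem = f"{role.name} lacks authority for '{event}'"
    if problem:
        cr.trail.append((cr.state.name, cr.state.name, actor, role.name, "DENIED: " + problem))
        raise WorkflowError(f"{cr.cr_id}: {problem}")
    cr.trail.append((cr.state.name, to_state.name, actor, role.name, event))
    cr.state = to_state


def assign_for_review(cr, actor, role):
    _step(cr, actor, role, {Role.PROJECT_OFFICE}, {State.CAPTURED},
          State.UNDER_REVIEW, "assign for review")


def propose_action(cr, actor, role, recommendation):
    # A change touching a subcontractor is reviewed with them before anyone approves it.
    nxt = State.CONTRACT_REVIEW if cr.affects_supplier else State.PROPOSED
    _step(cr, actor, role, {Role.PROJECT_TEAM}, {State.UNDER_REVIEW}, nxt,
          f"propose: {recommendation}")


def supplier_review(cr, actor, role, revision_needed):
    cr.contract_revision = revision_needed
    _step(cr, actor, role, {Role.EXTERNAL_SUPPLIER}, {State.CONTRACT_REVIEW}, State.PROPOSED,
          "contract revision required" if revision_needed else "no contract change")


def decide(cr, actor, role, approve):
    needed = approval_authority(cr)  # evaluated after supplier review, so it sees the revision
    _step(cr, actor, role, {needed}, {State.PROPOSED},
          State.APPROVED if approve else State.REJECTED,
          "approve for action" if approve else "reject")


def assign_for_action(cr, actor, role):
    _step(cr, actor, role, {Role.PROJECT_OFFICE}, {State.APPROVED}, State.IN_ACTION, "assign for action")


def agree_closure(cr, actor, role):
    _step(cr, actor, role, {Role.PROJECT_OFFICE}, {State.IN_ACTION}, State.CLOSED,
          "review action, agree closure")


def run_example():
    """Constructed walk-through: a supplier-affecting change that needs a contract revision."""
    cr = ChangeRequest("CR-0007", "user.jane", "Export closed case files to the archive system",
                       affects_supplier=True)
    assign_for_review(cr, "office.bob", Role.PROJECT_OFFICE)
    propose_action(cr, "dev.lee", Role.PROJECT_TEAM, "implement in release 2")
    supplier_review(cr, "acme.account", Role.EXTERNAL_SUPPLIER, revision_needed=True)
    try:  # the Project Manager's authority ends once a contract revision is involved
        decide(cr, "pm.kim", Role.PROJECT_MANAGER, approve=True)
    except WorkflowError:
        pass  # refusal is already on the trail
    decide(cr, "sc.chair", Role.STEERING_COMMITTEE, approve=True)
    assign_for_action(cr, "office.bob", Role.PROJECT_OFFICE)
    agree_closure(cr, "office.bob", Role.PROJECT_OFFICE)
    return cr
```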
Any participant or other concerned party may raise Change Requests. The Project Office team and Project Manager ensure they are captured and actively manage them to conclusion. An initial review should be made to examine the need for the change, how it could be achieved and what the consequences would be. The most appropriate member of the Project Team would normally perform this review. Based on those conclusions, the recommended action would be proposed. In this example, there are three possible courses for the approval of the change:
- Minor changes within scope can be approved by the Project Manager.
- Any change affecting an external subcontractor would need to be reviewed with that contractor, who would agree any necessary contract revisions or payments etc.
- Changes of scope and contract revisions would require the approval of the Steering Committee or the Change Control Board.

In making the decision, the Project Manager, Change Control Board or Steering Committee would be guided by pre-established principles for making change decisions. After the action is agreed, the work is assigned to the Project Team and/or the external sub-contractor. When complete, the action would be reviewed and the Change Request closed. It is possible that the agreed action could have more than one stage. For example, it might be better to introduce a temporary solution so that the overall benefit from the project can be delivered, and then build a permanent solution after the system is live.

Poor architecture – inflexible and difficult to change

Any environment develops over time, and with this development many things may change, such as the strategies aligned to that environment, its objectives, requirements etc. The concept that "what we are using today may be useless tomorrow" is clear and understood. This concept should be considered when building any project.
If the project architecture is inflexible to updates, the project may collapse under daily changes and rapid developments. An example of flexible architecture is the Patriot missile used during the Gulf War. It was not designed to intercept Scud missiles, but the software could be reconfigured to support the new function. At the other end of the flexibility spectrum was a security program created to protect sensitive word-processing documents. Everything worked well for a few months until the operating system was updated. The word-processing programs still worked, but the security program became useless and unfixable, because much of its code was tied to operating system features that were dropped in the new system. People must think ahead about what is likely to change. If you get the architecture right, you will not have to restart from zero and rebuild the project from the beginning as if nothing existed, because you are able to add and modify features in response to any change at any time; but if you get it wrong, you will suffer death by a thousand cuts. Bad choices show up as long-term limitations, aggravation and costs.

Stakeholder conflicts

All the stakeholders of the project should share similar business interests. For example, assume that a project is being built, but after a while the developers need some clarifications, i.e. with input A, does the system choose X, Y or Z? If stakeholders cannot agree on answers, this will force them to acknowledge deep incompatibilities among their business interests, and the system will be cancelled in an expensive failure for the entire enterprise. It becomes a problem when the stakeholders work under the illusion that everyone is going to get everything they want. They contradict each other through their differences rather than going through conflict resolution in the early stages.
The developers will expose the stakeholders' irreconcilable differences, because programmers cannot create an ambiguous system. Stakeholder conflicts can play many different roles in project failures. Often, stakeholders have personal reasons for not being able to work together. When ego and pride get in the way of any project, it will almost always end in some disaster. Other projects, especially smaller projects within larger projects, never go anywhere because the internal stakeholders cannot agree on priorities. These are "pretend projects", meaning a few developers work on them part time, but nothing is ever delivered. Whatever the case, you should always think like this: if you start any fixed-fee project you should end it by a specific deadline, because it is important to allocate the budget ahead of time.

Lack of top management support and involvement; insufficient budget and poor resource allocation

Few projects have a chance of getting off the ground without the support of senior managers in the organisation. Without executive support, the project managers in the organisation will find it difficult to align business requirements with their projects. It is a problem when developers do not know who the "real" sponsors are and keep progressing without sponsor involvement. For the best results, true sponsors need to show up and communicate with the team, follow the project step by step, and hear good and bad news in "small pieces" rather than in "one chunk"; this way you will avoid losing their support if any surprise comes along the way. Non-sponsored projects are taken less seriously and may sometimes be viewed as merely someone's pet project. Without the backing of senior management to lend credibility to these projects, originators will have a difficult time recruiting employees to participate in development and testing.
Teams are usually made up of people from different departments who all have their own set of priorities and, of course, their own bosses, so it is natural that those involved in any project will tend to keep the best interests of their own department in mind, and there is nothing wrong with that. In fact, that is why they are on the team: to represent the needs of their department. The risk, however, is a selfish person or group who may control the project, ignoring the requirements of others. Financial threats are the result of poor budget forecasting and tracking, a lack of inter-department charge-backs, and ineffective tracking of resource and cost allocations. An insufficient budget is still a major reason for missing the goals and objectives of projects within the quality framework that is required. Project Y always needs to be delivered tomorrow within budget X. When we talk about budget we should be aware of what may happen if there is not enough funding, so a resource assessment should be made carefully by conducting a complete and accurate financial analysis. A resource assessment describes the people, skills, hardware, software and network resources needed to complete a project. Resource assessment is sometimes the practical first step to making staffing decisions for a project. The project manager is typically responsible for assessing resource needs and deciding whether a formal, documented assessment is necessary.

What kinds of projects need a resource assessment? Although every project undergoes some kind of resource assessment, these are frequently informal and undocumented. Large, complex projects, and those working with new technology, will benefit most from a formal assessment of resource needs. A resource assessment needs to consider and document the items in Figure 3.
Figure 3: Resource assessment contents

Project Name
Staffing & Skills Inventory: What staff are already assigned to the project? What skills do they have?
Roles/Skills Needs: What roles and skills are needed that aren’t covered by project staffing?
Staffing Needs: What is needed to address roles and/or skills not covered by staff already assigned to the project?
Training Needs: What training is needed to cover skill gaps?
Hardware & Network Needs: What hardware and network resources does the project require?
Software Needs: Does the project require any specialised software?
Support Needs: What kinds of support are needed from other C&C units to address needs for skills and/or roles not covered by project staffing?

Poor schedule estimation, unrealistic or long timescales

Scheduling project work is an essential element of project management. A project schedule makes it clear to all participants when work is expected to be completed. It also shows the time-related dependencies between different project tasks. In a complex project, several schedules may be necessary, covering different levels of detail or different parts of the project. Poor time estimation can cause project-related problems. One common problem during the creation of the Work Breakdown Structure is assuming that the time on task equals duration. The time on task is the time the task will take to complete without interruptions, whereas duration is the time the task actually takes to complete, including interruptions. Using the time on task to estimate the schedule is a common mistake made by project managers.

Another common problem is using linear approximation when estimating the schedule. For example, if you double the cows on a farm, you double your production of milk. IT projects are beyond the scope of such approximations. Assume we have a large IT project using a team with a staff of one hundred people. Linear thinking would support the conclusion that increasing the people by 100 percent would decrease the schedule and increase the cost to approximately the same degree. In reality, doubling the staff produces a non-linear result. In general, every project has a minimum achievable schedule.

Many managers are well aware of the need for fast delivery, leading to the other problem of unrealistic timescales. These are set without considering the volume of work that needs to be done to ensure delivery. As a result these projects are either delivered late, or only have a fraction of the facilities that were asked for, or they are bug-filled. Because of that, every project manager should consider the volume of work, the number of staff, the number of working hours, and the duration of each task in parallel, to avoid any kind of pressure. It is true that working under pressure can increase the quantity of results one receives, but, after a point, it dramatically reduces the quality of those results. In fact pressure sometimes produces the opposite of its intended effect. On the other hand, if the project manager sets long timescales, the project may be obsolete by the time it is delivered as a result of changes in requirements. Normally requirements change from time to time due to changes within the project users’ environment. If the project objective is to serve a certain community, it should keep pace with their requirements. The key recommendation is that project timescales should be short, which means that larger projects should be split into separate projects.

Who schedules the project?

Setting overall completion dates must be done by the project sponsor and stakeholders. The project manager assists by digesting information about scope, deliverables, and resources, and estimating times for completion of project tasks. Once an overall schedule is set, the project manager is responsible for monitoring the progress of the project and revising the schedule if needed.
This must be done in consultation with the project team members who are doing the work. Working with team members to produce accurate time estimates is one of the high mysteries of the art of project management. The project manager must balance the need for honesty and realism with appropriate motivation to keep the project on track despite inevitable surprises. There will typically be give and take among budget, features, and schedule as a project proceeds. It is essential for the project manager to keep all participants informed of the current schedule status. Time schedules should be reviewed to see if they are realistic, and participants should be encouraged to express their reservations about them.

Communication breakdowns – failure to communicate and act as a team

Projects sometimes fail because of inadequate communication between team members; in such cases they lack the ability to work as a cohesive unit and are in constant disagreement. The arguments and infighting cause everyone to move in opposite directions, lower morale, and spawn an “us versus them” atmosphere. Another common problem is the size of the project team. There is a direct relationship between the size of the project team and the difficulty of keeping all members of that team up to date on changes, progress, tools and issues. Such problems are common on large projects, especially if people are working at different sites. In many troubled projects no one person has an overview of the whole project. Each project member needs to know how his or her piece of work fits into the entire architecture. The key recommendation here is to avoid forming a team of more than five members, instead opting to form multiple teams working on individual objectives. Each of these smaller teams has a manager, who is himself part of a management team. In extreme cases multiple management teams exist and an executive team is formed. The focus of each team is rigorously defined and strictly enforced/policed.
In general, communication problems can be avoided by adopting a communication plan at the planning phase. A communication plan identifies people with an interest in the project (stakeholders), communication needs, and methods of communication. Communication planning helps to ensure that everyone who needs to be informed about project activities and results gets the information they need. The project manager is responsible for identifying communication needs and deciding whether a formal communication plan is needed. Although every project undergoes some kind of communication planning, it is frequently informal – determining who needs to attend which meetings, receive which reports, etc. Projects of long duration will benefit from formal planning because the project stakeholders are likely to change over time. Projects that affect a large number of people or organisations may also benefit from formal planning to ensure full identification of all stakeholders and of communication needs. A communication plan needs to consider and document the items in Figure 4.

Figure 4: Communication plan contents

Project Name
List of Stakeholders: Who has an interest in the project? See the project definition for an initial list of stakeholders. Be sure to include both business and technical stakeholders.
Information Needs: What kinds of information about the project are of interest? Consider the need to communicate plans, status and progress reports, changes, major events, availability of prototypes and demonstrations, etc.
Communication Methods: What information will be communicated to which groups in what ways? Common methods include reporting and documentation, email, meetings, and web sites.

Staffing – Insufficient number, inappropriate skills

Staffing is one of the most critical elements of a project’s success. Without staff, there is no project. Once you have defined the project and are clear about at least some of the project’s initial tasks, you can define your staffing needs.
It is important to know the type of staff that the project needs, e.g. a database administrator, one or more programmers, and a technical writer. Once the type of staff has been defined, you need to get individuals assigned to your project. The best places to go for staffing resources are the project’s sponsor and stakeholders. You should be prepared to answer the following questions that might come up when you ask for staffing resources:
- What percentage of their time will you need?
- How long will you need this person?
- What are the benefits of this particular person working on the project?
- How do the skills needed and this person’s skills match up?
- How many members do you need to share the workload?
Most IT projects require a diverse range of skills; the project must have the right people to do the right job. For example, programmers need to have experience in the technology before they can be counted on, so they should be selected wisely. Furthermore, managers can perform poorly if they lead projects that do not match their expertise. The project manager should have enough experience and knowledge from similar projects so that the same mistakes will not be repeated. Projects which deal with high technology need managers with solid technical skills. In such projects, authority must reside with people who understand the implications of specific technical risks. However, the best technologists are not necessarily always poised to be the best managers. The skill sets for management and programming are disjoint. The larger the project, the more need there is for people with excellent planning, oversight, organisation, and communication skills; excellent technologists do not necessarily have these abilities. The solution to skill-driven challenges is easy to define but difficult and expensive to accomplish. A project needs to attract and retain the most highly skilled and productive people.
A well-paid project team with the right specialised skills is worth far more to an organisation than a group of lower-cost people who need weeks or months of fumbling through a new process or technology before they can start being productive. In a straightforward phrase: “you get what you pay for”.

Poor testing

The developers will do a great deal of testing during development, but eventually users must run acceptance tests to see if the project meets their business requirements. This stage should come before the project implementation; skipping the testing phase because the project is way behind schedule will lead to downright failure. However, testing often fails to catch many faults before a project goes live because of:
- poor requirements which cannot be tested,
- poorly planned or unplanned tests, meaning that the project is not methodically checked,
- inadequately trained users who do not know the purpose of testing,
- inadequate time to perform tests as the project is late.
Users should do the acceptance testing, in order to build their confidence in the project and to utilise their experience of the business. To do so they need good testable requirements and well designed and planned tests, and they must be adequately trained and have sufficient time to achieve the testing objectives.

IT illiteracy

Adopting new technology may sometimes lead to a failure: even though it has been successfully tested, implementing it for the first time in the project is in itself a risk. Will the team use it in the right way? Will they have enough practice when they do not have expertise? Will it satisfy the project requirements? This is related to the failure to align business objectives with IT and its processes. This usually occurs when the company’s internal controls have material weaknesses or when it is in non-compliance with various processes. Therefore each project should have internal or external auditors who have an obligation to publicly report facts.
Hidden costs of going “lean and mean”

Any failure will be viewed as a direct result of underperformance, even though underperformance is not often a significant factor in the failure of most projects. Instead, failed projects often have goals that were inherently unattainable, poor staff, etc.

Late warning signals

The early project milestones involve diagrams, designs, and other documents that do not involve working code. These and other project milestones then go by more or less on schedule, and testing may start more or less on time, so that the errors discovered only days before the project deadline will cause the project not to be completed anywhere near its deadline.

| Rasha Abdel Rahman
Department of Information Technology, Audit Bureau of Jordan

Rasha Abdel Rahman graduated from the Information Technology Faculty of the University of Jordan with a B.Sc. in Computer Science. She has worked for the Audit Bureau of Jordan since 2004 in a variety of technical and managerial posts. She has specialist skills as a developer and administrator of Oracle databases. She is a qualified IT Auditor and has represented the Audit Bureau at international events.

GERMANY

Dr. Ulrich Ditzen, Member and Audit Director in charge of IT Audit, highlights the general structural IT problems of German federal departments and agencies.
He reports on the current situation and procedures in place, highlights the shortage of staff with adequate IT skills in the public service, discusses the importance of the use of external consultants for planning and implementing IT projects in the German federal administration, the major shortcomings made in purchasing consultancy services and the conditions in which the use of external consultants can add value.

Key issues for relying on External Consultants for Public Sector IT Projects

Audit findings generated by the German SAI on general structural IT problems of German federal departments and agencies include computer literacy, experience with suppliers and with relevant legal practices. The problems facing us can be illustrated by a quote from the budget documents of a German federal government department: “90% of the IT budget has been definitely allocated to operation and maintenance.” IT-related staffing is often quantitatively and qualitatively inadequate to meet current requirements. Either the number of posts is insufficient or posts are vacant and it is difficult to recruit adequately skilled staff. The use of external staff may be a potential solution. There are a number of recurring problems and factors critical to the success of IT projects. The objectives of projects are often not clearly defined in terms of content, use of resources, value added and specific requirements. It is often difficult to identify the biggest common denominator. Deadlines are often set first without stating how to accomplish the objective. Staff with operational responsibilities are often not asked or do not clearly state their preferences. No investment appraisal is carried out. IT project implementation periods are often so long that, given ever shorter innovation cycles, there is a risk that specifications laid down initially become outdated and obsolete while project implementation is still underway.
Management consulting firms often point out the following recurring problems and factors critical to the success of IT projects: skills available in-house are often limited, as is expertise in procurement and contract-awarding procedures, in project steering and in the later transfer of know-how. Changing specifications and managing the changes are often impaired by the shortage of adequate skills among public sector staff. These skills

“In recent years, the degree of IT integration in operational functions, the intensity of IT support, the connectivity between workplaces at branch offices and headquarters, the degree of information density but also the dependence of stable operations on the high quality of IT systems have steadily increased.”

Further factors to be considered are:
- Between 1995 and 2003, total IT expenditure (budget title groups 55 and 56) increased by more than 150%. Broken down by capital expenditure on IT and recurring expenditure on IT support services, these increases are 175% and 450% respectively.
- There are 15 federal government departments (ministries) with a total of 435 agencies. There are 211,000 federal workers (137,140 civil servants and 73,875 employees, excluding the Armed Forces and Federal Employment Agency). Total budget expenditure in FY 2007 was about €260 billion. As far as can be ascertained under the present budget system, specific IT expenditure totals €2 billion. However, we have reason to believe that an undetermined amount of IT-related expenditure is hidden under budget items that belong to construction projects and to the performance of operational functions by departments and agencies.
- As of early 2007, the civilian departments and agencies were equipped with 140,000 personal computers, while 135,000 personal computers were in place within the remit of the Ministry of Defence and 95,000 in the Federal Employment Agency. In the federal ministries, nearly 100% of workplaces are equipped with personal computers.
In the subordinate agencies, more than 90% of workplaces are equipped with personal computers. Since 1999, departments have been fully connected by a single intranet, which was built up in connection with the relocation of the seat of the Federal Government and Parliament from Bonn to Berlin.

Audit findings generated by the German SAI on general structural IT problems of German federal departments and agencies

IT services have become vital for government operations and transactions. However, IT applications and structures have for many years evolved as isolated solutions with an exclusive focus on the operational needs of the department or agency in question. The ‘patchwork’ grown over time had to be harmonised, as compatibility problems of the applications and a large number of (unused) IT system functions resulted in a lack of acceptance and in ‘frictional loss’. Systems integration has become ever more important for suppliers and service providers but above all for the purchasers.

Audit results generated by the German SAI on problems with the availability of staff

Frequently, the project staff do not have adequate skills and the project leader does not have any solid experience. Staff are not released from their previous functions or are assigned to a project for different periods. Successful support by a coach would require intensive participation, steering and acceptance of the services delivered. A clear strategy as to developing the skills needed in-house has often been lacking. The transfer of consultants’ expertise has often not been stipulated in an extra contract.

The importance of external consultancy for public-sector IT projects

IT projects have become increasingly complex and their implementation requires more input. This is due to higher quality requirements, the widening scope of functions to be performed, the increasing number of stakeholders, the need to take into account existing IT systems and the stronger integration between different IT systems.
Project objectives often conflict in terms of performance, time and resources. Until recently, no generally accepted definitions of the terms “experts” and “support services” existed within the German federal administration. Other terms such as “assessor”, “business advisor”, “consultant” and “coach” have frequently been used indiscriminately without much regard for a precise and uniform definition. In 2005, the German SAI developed, in agreement with the Federal Ministry of Finance, a definition of “external consultancy”. According to this definition, the subject of external consultancy is the provision of a service against remuneration with the objective of developing, assessing and imparting to the decision-makers practical recommendations with respect to concrete decisions to be taken by the contracting authorities and, where appropriate, providing further advice during implementation. In the context of this definition, recipients of the consultancy services are federal departments and agencies, quangos and grant recipients. The service provider is a natural or legal person active outside this field. The German SAI’s audit work has revealed that consultants are primarily relied on in the following stages of IT projects:
1. identification of requirements,
2. drawing up of specifications,
3. valuation / estimates of costs and expenditure,
4. negotiations with contractors,
5. change request procedure,
6. review and revision, risk assessment,
7. testing and acceptance.
The administration often justifies its reliance on consultancy services with the following arguments: funding can be obtained more quickly because funds for “procurement” are easier to obtain than funds for hiring staff. A consultancy contract is usually made for a limited period of time. This improves the chances for a project to be approved, facilitates quick implementation and the overcoming of internal conflicts.
The use of external consultants also enhances the legitimacy and prestige of projects, often generates new ideas and facilitates the discovery of other options. On rare occasions, external consultants serve as trouble shooters.

Audit findings generated by the German SAI on general IT-related staffing problems in German federal departments and agencies

As a result of the increasing use of external staff, private-sector staff are used for long periods of time to perform inherently administrative functions. There is a trend to contract out even sophisticated and conceptual IT functions to the private sector. External (private-sector) staff permanently perform functions of ever-increasing importance. Where external staff are used to evade internal staffing problems, this creates a high and increasing dependence on external expertise in an environment of rapid technological change. Departments and agencies increasingly lose the ability to assess and act upon emerging issues. Declining budgets, increased cost pressure and shortage of staff resources increasingly restrict the scope for government action.

Shortcomings found by the German SAI concerning the use of consultants

There is a general trend to rely on consultants also for the performance of core functions. The contracting authority often has inadequate competence for controlling. Mistakes are made most frequently during the following stages and in the following fields: planning of the use of consultants (identification of the need for consultancy services), performance (value for money), contract award procedure, implementation and use of results, project results evaluation.

Audit experience in connection with the implementation of results generated by consultancy

In a number of cases, the German SAI has had doubts as to whether results generated by consultancy had the intended effect or were suitable as a sound basis for decisions.
These doubts were based on the criterion that successful, necessary consultancy should have a clear influence on further action and on current and future decision-making.

Scientific study

A scientific study carried out in the public sector revealed that the feasibility of the problem solution worked out is the most important criterion for selection (80%). However, the criterion is ultimately met in only 50% of the cases reviewed. The study further found that the proposed solution was often implemented only “to a small extent” and that, in nearly one third of the cases, consultants had to remain active during implementation. The know-how expected to be generated was transferred in only two thirds of the cases reviewed.

Summary and outlook

(Core) functions that should be reserved to the public sector include developing and deciding on the IT strategy, IT portfolio, IT architecture, IT standards, IT controlling and reporting, IT procurement and management of IT interfaces. In its audit work, the German SAI has found that the factors critical to the success of consultancy for IT projects and the measures necessary in this context are:
1. the definition of problems and objectives,
2. the necessity of consultancy,
3. performance (value for money),
4. the specification of requirements,
5. the methods of awarding contracts for consultancy services,
6. the precise formulation of contractual provisions,
7. monitoring, steering and acceptance,
8. the implementation of the results developed by consultancy.
To address an IT problem, the administration should accurately analyse and determine the current situation, the objective to be accomplished and the difficulties emerging or identified in achieving the objective.
The German SAI’s audit findings highlight the fact that, on the whole, decisions about the use of external consultants are too rarely based on a sound and sensible analysis of the problem, and that the objectives and criteria have often not been determined in a way that permits project evaluation. Before considering the award of a contract to an external service provider, the administration should critically examine whether it can perform the service itself. In the course of its audit work, the German SAI has found that, in many cases, departments and agencies give reasons for the use of consultants that are not directly connected with the problem to be solved, e.g. “opening up other perspectives” or “better way of convincing the policymaking level of the validity of results [generated by third parties] on which action should be taken”. Such reasons were often more important than the need to compensate for a lack of professional or technical in-house expertise. It is always necessary to carry out an investment appraisal, in the course of which all alternative options need to be stated and evaluated. The Bundesrechnungshof found that, prior to awarding contracts to external consultants, investment appraisals, which are a necessary tool for verifying compliance with the requirements of efficiency and effectiveness, have rarely been carried out. Based on the German SAI’s experience, there are the following alternatives to commissioning external private-sector consultants: apart from performance of the service by the department or agency itself, support can be obtained from, for example, internal consultancy teams of the public administration, from their own or another government department. If purchasing external consultancy is the most cost-effective option, the administration needs to unambiguously and comprehensively describe the consulting service to be performed.
If the administration itself is not capable of describing the service required, this is evidence of the fact that the project is not yet ‘mature’ enough for calling in external expertise. Where the department or agency in question is not able to describe the problem to be solved or – as frequently observed – needs a third party to describe the problem, it will also not be able to verify whether a specification of requirements drawn up by an external consultant actually meets the requirements of the department or agency. As a matter of principle, a public invitation to bid must be issued and, where appropriate, such invitation has to be published throughout the European Union. A contract award by negotiated procedure is admissible in few exceptional cases only. However, in most of the cases audited by the German SAI, contracts for consultancy services were awarded without competition. Contracts must be worded so as to ensure that the content and timing of the service purchased are described unambiguously in a way permitting verification. Prior to awarding a contract for consultancy services, there should be full understanding of the essential contents of the contract. This includes the description of both the service to be provided and of the results aimed at. Sound evaluation criteria and milestones defined in detail should be available at an early stage. By appropriate monitoring and steering of the consultancy activities, the administration can make a substantial contribution to their success. The results generated by consultancy have to be accepted on a timely basis in order to safeguard the possibility of claiming damages for breach of contract or poor performance. 
The Bundesrechnungshof has found that departments and agencies adequately monitor and steer consultancy projects in only a few cases, that acceptance of the service was frequently delayed, and that ambiguous specifications such as “assisting the contracting authority with …” or “… will be available as consultant beyond that period” hamper any effective monitoring of service provision. Such formulas are not an appropriate basis for accepting the service. A reliable and transparent ex post evaluation of project results should be carried out after the conclusion of any consultancy project. In many cases, the results evaluations required under budgetary law had not been carried out. The German SAI often had doubts as to whether results generated by consultancy had the desired effects or whether they were used at all as a basis for decision-making. On balance, budget funds were spent on consultancy work whose results added little or no value; because ex post results evaluations were omitted, no lessons were learnt to prevent deficiencies in future similar cases. The administration needs to transparently document each successive step, from the description of the problem via the verification of needs to the implementation of the results generated by consultancy. This is an indispensable prerequisite for carrying out any ex post project results evaluation. In the course of its audits, the German SAI frequently found inadequate and incomplete records. Comprehensive documentation avoids duplication and provides key information for the staff assigned to an IT project later on and for the planning of future projects. The use of consultants may effectively support administrative activities in cases where problems cannot be solved in-house. The extent to which external consultants are used will continue to increase, especially in the case of major IT projects. Nevertheless, the risks and potential errors are as manifold as the possibilities for making use of external expertise.
The decisive factor is the ability of the contracting authority to identify its own needs and to monitor the provision and success of the service purchased. Consultancy services are not a commodity whose choice is governed merely by price (as in the case of hardware or IT infrastructure services). It is absolutely necessary for decision-makers to be aware that the principles of economy and efficiency also apply to the use of external expertise (need, efficiency, competition, evaluation of results). Alternative options would be service centres within the administration having the special skills and expertise needed to cover the entire remit of a department or even to perform cross-boundary advisory functions. |

Ulrich Ditzen

Ulrich Ditzen is a graduate of Darmstadt Technical University, where he earned a doctorate in economics in 1980. He is a Member of the German SAI, the Bundesrechnungshof, and is currently Audit Director of the unit in charge of IT auditing. He joined the Bundesrechnungshof in 1987 and held posts in various audit units such as telecommunications and electronic accounting. Prior to that, he worked at the Federal Ministry of the Economy.
Effective IT Governance: How to Get Good, Secure IT Services

SWEDEN

This article describes experiences from 19 audits of the IT governance of the Government and of the public administration’s senior managers. Our main conclusion is that there is an urgent need for stronger IT governance at both the level of the Government and that of senior managers. Only such governance can ensure that good, secure IT services will be conceived, developed and implemented, and meet all significant requirements for IT security. Since the audits were conducted, actions have been taken at both levels to strengthen IT governance.
In Sweden, according to the Government, government agencies should become proficient information technology (IT) users, especially in two areas: (1) good e-services, as part of e-government, and (2) security of these services, that is, the protection of the confidentiality, integrity, availability and traceability of data, as well as the protection of IT systems. The Swedish National Audit Office (SNAO) audited performance within these areas in 19 audits carried out from 2002 to 2007 [1]. The IT governance audits can be classified into three audit areas:

1. Effective IT-Based Investment in Business Change – Focus on Agency senior managers
2. Effective Web Sites and Good e-Services – Focus on the IT Governance of the Government and Agency senior managers
3. Effective Security for Information Assets and especially for e-Services – Focus on the IT security governance of the Government and Agency senior managers

They are described below, together with some lessons to be learned.

[1] Until June 30, 2003, there were two public audit offices in Sweden: Riksrevisionsverket (RRV) and Riksdagens revisorer (the Parliamentary Auditors). On July 1, 2003, these two offices were amalgamated to form Riksrevisionen (RiR). The RRV and the RiR have the same English name: Swedish National Audit Office (SNAO).

Audit area 1: Effective IT-Based Investment in Business Change – Focus on Agency senior managers

In this area, we audited the IT governance of senior managers in five agencies heavily dependent on IT: the National Labour Market Administration, the National Land Survey, the National Road Administration, Statistics Sweden, and the Swedish Meteorological and Hydrological Institute. In particular, we looked at IT governance in terms of the steps senior managers took to assure good investment in IT business change.

Audit Question

Did the agencies manage investment in IT-based business change so as to achieve efficiency?

Methods Used

Our audits were based on the IT investment management model (ITIM) of the U.S. Government Accountability Office (GAO), supplemented by Swedish legal requirements and adapted to the Swedish administrative environment. This adaptation was key in making it easy for senior managers at different levels in the agency to understand the audits. During the audits, we noted that senior managers did not have any problem relating their work to our norm. The norm includes agencies’ operational activities, such as strategies, with the requirements for each:

- Develop proposals: An innovation system, built on activities that are well managed and developed, which produces good investment proposals, including those for IT support [2].
- Assess proposals: (1) Investment proposals include proposed development programmes (for example, for IT support) and (2) assessments are based on an agency’s available IT resources (including a database).
- Select proposals for implementation: New proposals are related to earlier, ongoing and approved development programmes (so-called “investment portfolios”), so as to guarantee links to (1) the investment strategy and (2) the evidence trail for tracking decisions.
- Manage implementation: (1) Programmes are given realistic conditions for success, (2) project risks are assessed and managed, (3) standards are used consistently, and (4) completed projects are monitored.
- Knowledge management: Good use is made of the experience acquired to continuously improve the investment process.
- Create and maintain the investment process: Sufficient oversight of the investment process, identifying strengths, weaknesses, and possibilities for improvement.

[2] An innovation system consists of a network of groups, organizations, people, and rules in which new processes and methods are created.
For each audit area we used these methods: asked the senior managers to answer a questionnaire with self-evaluation questions; asked for relevant documents showing the agencies’ activities for each strategy in our audit norm; analysed the answers to the self-evaluation questionnaire and the norm-related documents; interviewed 15 to 25 staff; drafted an audit report and asked for agency comments; gathered agency representatives at a special seminar in which both the identified problems and possible solutions were discussed; and informed senior managers of our findings and recommendations.

Audit Findings

We found that the five agencies, despite their long experience with IT investment, had considerable shortcomings in the governance of IT investment (see IntoIT issue 18, Better managed investment in IT-based business development). These agencies lacked:

- sufficiently well-developed processes to elicit good ideas as to how IT can be effectively managed;
- periodic, systematic reviews of their investment processes, enabling them to identify where change is needed;
- adequate articulation of their investment strategies, making it difficult to justify and select among competing proposals;
- the ability to obtain a clear and comprehensive understanding of an investment proposal;
- business management driven projects in combination with well-established methods and models for managing and undertaking investment projects; and
- the ability to achieve the anticipated benefits of IT investments in an agency’s operations.

Shortcomings in investment strategies created problems when translating the assessment of IT investment proposals into approved decisions. Because the investment proposals did not link well with the operational strategies, the risk increased that the proposals would not lead to the investments sought by each agency. In addition, investment decisions were not always based on clear descriptions of the proposal’s expected business benefits and implementation risks.
Furthermore, proposals setting out the comparative costs, risks, and effects of alternative approaches to IT investment projects were not adequately dealt with, nor were proposals clearly linked to each other. These combined factors prevented decision-makers from obtaining a clear and comprehensive understanding of an investment proposal. Moreover, IT projects were inadequately integrated into (1) previously approved investment projects and (2) the IT systems – the environment – in which they were intended to operate or which they were intended to support. An IT investment alone rarely achieves the anticipated benefits in an agency’s operations. It is often necessary to change working methods, staff development and organisation.

In addition, governance of the IT projects was carried out at too low a management level. This meant that the governance of individual business projects was more geared to reacting to problems that arose (reactive management) than to systematic risk assessment (proactive management). With systematic risk assessment, an environment is created and maintained in which risks are not allowed to develop into problems.

Finally, well-established methods and models for managing and undertaking investment projects, such as those identified in the IT investment management model, were not used consistently. Experience and knowledge of different components of the investment process were not utilised in a systematic way, which all the agencies in our audits acknowledged to be an area for improvement. In addition, we found it difficult to (1) obtain an overview of the knowledge that exists and (2) gain access to the knowledge when needed. In particular, only one of the agencies had utilised lessons from past investment projects for new ones.

Recommendations

In general, all five agencies should improve each step in the IT investment process.
In addition, the Government should exert better governance of government agencies that are concerned with IT investment.

Audit area 2: Developing Effective Web Sites and Good E-Services – Focus on the IT Governance of the Government and Agency senior managers

In audit area 2, we audited the development of e-services, asking detailed questions concerning the development of effective Web sites and good e-services. As part of this audit area, in 2002-03, we initiated audit project A. Two risks were defined in a pre-study: (1) the digital divide and (2) poor usability of Web sites and other services, which were squeezed out by investment in e-services. In 2003, we initiated audit project B, a materiality and risk analysis of the Government’s IT governance of the transition to e-government – that is, 24-hour, 7-day government agencies. We found eight main risk areas [3]:

- overall governance of government agencies’ work on e-government;
- agencies’ implementation of e-government;
- administration and operation of the infrastructure for different types of services;
- use of e-services;
- the effects of investments in e-government;
- the support for the work on e-government;
- the sources – what are they? – and purpose of the current fashion of investing in e-government; and
- technical advances as a foundation (that is, the development of components for Internet applications) for e-services.

Audit Questions

For project A: How effective are agency Web sites in meeting the needs and requirements of the individual user?

For project B: How effective are the Government and government agencies in developing good e-services?

Methods Used

For project A, we used several methods: a Web questionnaire sent to 92 government bodies, in-depth interviews with immigrants and elderly people, and a test of 92 Web sites using national and international accessibility standards and our own criteria for special categories of users.
For project B, we investigated all levels of the government: the demands, requirements, e-policies and strategies from the Parliament and the Government. We performed interviews focusing on the interaction between the Government and agency senior managers concerning the direction of the development of e-government, and on the agency senior managers’ strategic analysis and actions based on the direction of the Government. We did 10 case studies, divided among government agencies and related government departments. These case studies included in-depth study of Web sites (for incoming e-mail, information quality, and initiatives for new e-services).

[3] We have not analysed risks from the Swedish Parliament’s point of view, for example, risks related to democracy.

Audit Findings

For project A, we found that the agencies’ Web sites and the e-services offered there did not promote an efficient dialogue between users and agencies. In particular, the Web sites failed to meet certain accessibility requirements for the disabled, immigrants, and the elderly.

For project B, we found that the Government’s governance of investment in good e-services, including the types of e-services to which the agencies should give priority, was limited. Instead, the Government chose to exert governance mainly through its own support agencies and by means of rules, which were inadequate. In addition, the Government’s reports to the Swedish Parliament contained no information about the effects of e-government, including e-services. We also found that government agencies had difficulty in developing good e-services because they lacked government support. As a result, e-services have not been developed; do not meet user requirements; and are at risk of citizens’ mistrust, given that the agencies, as well as the Government, cannot guarantee security, especially for e-mail to the agencies. In addition, at the agencies, narrow reasoning was allowed to govern investment.
Agencies had to finance such investment entirely from their own resources. This created poor incentives to build e-services in collaboration with other agencies. Finally, certain legislation made it difficult to achieve an effective use of e-mail and Web sites. We found e-mail – a basic service of e-government and the most important route for citizens wishing to contact their government – a particular problem. Citizens demand to be able to use e-mail as a means of formal communication, but agencies are not legally bound to answer e-mail or attend to e-mail enclosures.

Recommendations

The Government should improve interagency collaboration, which requires more elaborate governance of communication among agencies. The Government should also appreciably improve its control of agency modernisation efforts, including the establishment of clearer rules and guidelines, so as to enable e-government for government agencies’ handling of e-mail.

Audit area 3: Effective Security for Information Assets and especially for e-Services – Focus on the IT Security Governance of the Government and Agency senior managers

In audit area 3, we audited IT governance of e-services security. As part of this audit area, in 2005-06, we initiated audit project C. In particular, we looked at whether senior managers systematically used internationally accepted standards for information and IT security. In 2007, we initiated audit project D, an analysis of the Government’s governance of the public administration’s field of action in the area of information and IT security.

In audit project C, we audited senior managers’ governance of information and IT security. Information and IT security is concerned with:

- protecting information assets against manipulation and destruction;
- preserving the availability of information assets;
- preserving the confidentiality of information assets; and
- preserving an audit trail concerning the information assets used.
This security is especially important now that e-government is opening up agencies to threats from the outside world. For this reason, we carried out audits in 2005 and 2006 of IT security at 10 major government agencies with significant information assets. In the audits, we focused on senior managers and their governance of IT security. This means that we studied senior managers’ IT governance of security, including:

- control environment;
- risk analysis;
- control functions and individual security measures;
- information and training; and
- follow-up, evaluation, and further development and administration.

In audit project D, we audited the Government’s governance of information and IT security within the public administration. The audit was carried out in the light of the problems that had emerged in the SNAO’s audits of ten public agencies’ performance of their responsibilities for information security (audit project C).

Audit Questions

For project C: Considering the prevailing standards for information security management systems, is the government agencies’ IT security governance effective? Given the audit question, there were two possible areas to be audited: (1) actual security and (2) senior managers’ IT governance of security. We chose to focus our audits on senior managers’ IT governance of security.

For project D: Is the Government taking its responsibility for setting requirements for and following up the work of its agencies (the public administration) with respect to the security of information and IT, and for taking the initiative for measures aimed at improving the conditions for the work of the public administration within this area?
Methods Used

For project C, we used several audit techniques: (1) a Web questionnaire to get agencies’ opinions about their IT security; (2) a request for formal documents showing the agencies’ security activities at all organisation levels (we received 50 to 100 different documents from each agency); (3) follow-up concerning the documents; (4) study of the questionnaire answers and the documents; and (5) 10 to 15 interviews, focusing on senior managers (interview questions were based on a special questionnaire, related to the COSO structure). Finally, we drafted an audit report, letting each agency comment on the draft and informing the senior managers about our findings and recommendations.

We took as our starting point an international standard (ISO 17799), and added components from Swedish legislation, as well as international experience. We then transferred the requirements for IT security to a COSO perspective, which means that we examined senior agency management’s internal control and monitoring of information assets and IT security.

For project D, we used several methods:

- we analysed the findings from the 10 audit projects in order to ask the Government whether the common pattern of problems among the 10 audits was known or not;
- we gathered information concerning our pattern of problems from four expert agencies used by the Government in the area of information and IT security;
- we analysed the Government’s written statements in official documents to the Parliament concerning the status of information security and what actions the Government had promised to take; and
- we performed in-depth interviews (based on questionnaires) in the Government, focusing on the gathering of information and the organising of matters concerning information and IT security.

We also made a special analysis of shortcomings in the legislation in the area.
Audit Findings

In project C, we found that government agencies were not working effectively because important parts of the information security management systems were missing or defective:

- Control environment (organisation of security work, policies, and reporting): Senior managers’ attitudes (1) were not always favourable towards security investments, (2) did not show a keen understanding of today’s threats, and (3) did not always formulate clear security objectives.
- Risk analysis: Often patchy, seldom comprehensive. Following the implementation of investments in security measures, senior managers often did not demand an overview of important and residual risks. Responsibility was often unclear, and methods for analysis were not selected and decided.
- Training for skills: Priority was given to technical measures rather than training. Education was seldom systematic, including that for staff who need refresher knowledge about (1) their responsibilities and (2) how, if there are problems, troubleshooting should be carried out.
- Chain of command: Reporting upwards was not well organised.
- Cost: No senior manager had a clear picture of the costs of IT security.
- Senior managers’ responsibilities: Inadequate follow-up on the implementation and operation of security measures that had been decided earlier.

Finally, the information security management systems were not comprehensive – that is, responsibilities, reporting, and follow-up were not integrated. Important objective data, on which senior managers base their decisions, was missing. This made it hard for senior managers to exert effective IT governance of security. Therefore, the potential for investment in IT security is not well exploited. The amount of resources invested and the costs were most often not even known!
In project D, we stated that the problems at agency level described above were serious and that they imply a risk of significant negative consequences for government commitments such as electronic government and national emergency management. In the light of the above, the SNAO considers that the Government’s control of information security is of great importance.

The SNAO’s overall assessment is that the Government has not followed up to ensure that the internal management and control of information security in the public administration is satisfactory. The Government has not taken sufficient initiative to improve the conditions for the administration’s work on information security. The SNAO has established that the Government has taken measures with respect to the technical conditions for agencies’ information security work, such as e-signatures, e-identification, secure Internet, etc. On the other hand, no measures had at the time of the audit been taken to support the agencies’ internal management and control of information security. The SNAO takes the view that an overhaul of the regulations is urgently needed, particularly against the background of the investment in e-government.

The Government has not given the expert agencies a sufficiently explicit mandate, which has meant that they have had difficulties in giving the Government a complete picture of the information security problems at the agencies. An explicit mandate is also needed in order for the expert agencies to provide appropriate regulations detailing the Government’s requirements for the agencies’ work on information security. The audit shows that over the past ten years the Government has been broadly aware of certain management problems in the sphere of information security, but the picture has been unclear with respect to central government agencies and the Government has been unable to present any complete picture of the problems affecting the public administration.
According to the SNAO, the Government’s organisation of the work done by the Government Offices on information security issues and its management of the expert agencies are together insufficient to handle the agencies’ problems with their information security.

Recommendations

For project C: Senior managers’ control in the field of IT security should be strengthened. This could be done using the standard SS-ISO/IEC 27001/17799 Information Security Management. One key activity is the risk analysis. This activity needs to be strengthened since it is the basis for information security measures.

For project D: The Government should focus more clearly on information security issues. Give the expert agencies an explicit mandate to follow up and report on the agencies’ work on information security. Give the agencies better conditions – set more explicit requirements for information security work.

Lessons Learned

As a result of the Government’s investment in electronic government, growing numbers of agency services are becoming available on the Internet, agencies are joining together to create co-ordinated e-services and there is a general increase in IT-based development work. In order for this reform of the public administration to succeed, citizens and businesses must have confidence in the e-services provided on the Internet. There is a risk of a lessening of confidence in the agencies’ e-services if the information cannot be protected. It may be a case of unauthorised persons gaining access to sensitive information or changing data, or in some other way acting so that the services cannot be used. If that happens, there is a considerable risk of the entire investment in e-government being jeopardised. In the transition to e-government, in our opinion, there is an urgent need for stronger IT governance at both the level of the Government and that of senior managers.
Only such governance can ensure that good, secure IT services will be conceived, developed, and implemented, as well as meet all significant requirements for IT security. Since the audit projects were finalised in spring 2007, we have made some follow-ups. At the agency level we noticed some improvements in the IT governance of information security, in the form of action plans, reviewing important documents, implementing an information security standard and educating the staff. During autumn 2007 an expert agency published regulations stating that government agencies should implement an information security management system. At the Government level a plan of action to improve e-government was recently (February 2008) adopted. In this plan of action the need for stronger IT governance is stated, to ensure that good, secure IT services will be conceived. Several actions will be performed in 2008 – 2009 in order to fulfil the Government’s goals. |

References

1. SNAO. IT i verksamhetsutvecklingen. RRV 2002:30.
2. SNAO. Webben 1. 2003.
3. SNAO. Vem styr den elektroniska förvaltningen. 2004:19.
4. SNAO. Project Auditing Information Security (ten different audit reports). 2005–2006.
5. SNAO. Government control of information security work within the public administration. 2007:10.
6. Undall, Björn, and Bengt E. W. Andersson. “Better managed investment in IT-based business development,” IntoIT, no. 18 (June 2003).

Bengt E. W. Andersson
Björn Undall

Bengt E. W. Andersson specialises in auditing the use of IT and information exchange between Public Administration bodies. Within the office he has also been involved in quality assurance and IT support. He holds a Licentiate of Philosophy in Information Systems.

Björn Undall’s main audit responsibility is the effective use of IT in Public Administration. Recently he has specialised in auditing Information Security issues. He holds an MBA from the University of Lund, and has (alas!) unfinished doctoral studies.
SLOVENIA

An English summary of this report will be published on the EUROSAI IT Working Group members’ website, but readers can also contact the Court of Audit at [email protected] for a copy.

Audit of IT system of the Tax Administration of the Republic of Slovenia

Reasons for the introduction of the audit

The Tax Administration of the Republic of Slovenia (TARS), in common with other modern Tax and Revenue Administrations, relies heavily on IT support. The Court of Audit of the Republic of Slovenia (CoA) has previously audited TARS and on both occasions made the same request for action, which has not yet been fulfilled. Another good reason was that TARS’ new leadership indicated willingness to be audited externally.

Audit approach

Our audit approach was divided into two main parts. The efficiency part consisted mainly of an assessment of the efficiency of TARS IT systems according to version 4 of CobiT. As part of the efficiency part, the CoA also performed an assessment of the quality of the information stored in three of TARS’ most important IT subsystems (Eppler model [1]). We tried to evaluate mainly user experience variables such as speed, availability, usability and so forth. The second part – regularity of the TARS IT system – was quite narrow and consisted only of compliance and error checking.

The findings

Our auditors have, together with the auditee’s staff, performed an evaluation of all 34 IT processes across four domains. The target for the average grade of all 34 processes that we agreed with the auditee was three. This desired level was missed by 0.7, with only two processes reaching a score above 3 and an additional five with a grade of 3. The CoA has made several recommendations for the most critical processes.
The assessment of the quality of the information in the three most important applications (individual and business tax, VAT system, taxation register) was less harsh, but in that area too the CoA agreed several less formal recommendations with the auditee. The absence of central and integral bookkeeping evidence, a significant number of errors in income tax calculations, and the absence of controls for their detection and correction were the reasons for a negative opinion on the regularity part of the audit.

Development after the publication of the report

Our report has gained significant public attention and was quite favourably accepted by the auditee as well as by the Public Accounts Committee of the Slovenian Parliament. The response report issued by the auditee was encouraging. TARS has introduced significant changes in its operations, its budget and plans have been amended, and a public procurement process for a new IT system is already in progress.

[1] Eppler, Martin J.: Managing Information Quality, Springer-Verlag, Berlin, Heidelberg, 2003.

Conclusion

The Court of Audit of the Republic of Slovenia intends to continue this type of measurement of the performance of major public IT systems. Our goal is to be able to benchmark different auditees and to be able to show the public and the parliament how good the service provided by our publicly financed IT systems is. With this in mind, we are striving to do our part in achieving our mission goal – Watching over Public Money. For more information please visit our website: http://www.rs-rs.si. Some material is also available in English at http://www.rs-rs.si/rsrs/rsrseng.nsf. |

In accordance with the Slovenian Constitution, the Court of Audit of the Republic of Slovenia is the highest body for supervising state accounts, the state budget and all public spending in Slovenia. The Constitution further provides that the Court of Audit is independent in the performance of its duties and bound by the Constitution and law.
The Court of Audit Act also provides that the acts by which the Court of Audit exercises its powers of audit cannot be challenged before the courts or other state bodies.

LITHUANIA

Shall be blessed?

Blessed IS Audit in Valstybės kontrolė, the National Audit Office of Lithuania

"Hey you, you're a child in my head
You haven't walked yet
Your first words have yet to be said
But I swear you'll be blessed"
by Elton John & Bernie Taupin

Recording facts or events, especially recent ones, is an unrewarding task. Firstly, we unconsciously try to establish that something important happened much earlier than it actually did. Secondly, we over-estimate those important facts or events which may be witnessed by others. That is why such stories often reach back to prehistoric times, enhancing today's deeds with a patina of antiquity and awarding us the status of observers, sometimes even the status of actors, in such events. Moreover, it is very difficult to play the role of objective bystander when you are stirred up by events which are sometimes, somehow related to you.

we want

Audit of Information Technology. Someone should be the first to say those words, which are a lovely combination to listen to, to say nothing of their meaning. There is a possibility (or a privilege?) to control (or to be responsible for) something which is important and meaningful. Looking for the origins, one may recall the year 1997, when the INTOSAI information systems audit material was translated into Lithuanian. Today we can no longer find anyone at the National Audit Office of Lithuania who can witness why and how this material appeared and why it was translated into Lithuanian; but we believe that 1997 marked the beginning of information systems audit. The reasons, however, were instinctive rather than consciously recognised.

Therefore, if no one says otherwise, 1997 shall be remembered as the start year of information systems audit at the National Audit Office of Lithuania. In any case, this was the year when we first uttered the words "informacinių sistemų auditas". We did not know then what we wanted, but we knew that "we want".

The first VFM report (value-for-money audit was recognised as a separate audit area by the National Audit Office of Lithuania only in 2001) was titled "Regarding results of assessment of activities of establishing and development information systems in terms of economy, efficiency, and effectiveness". The report recommended:
¬ better coordination between the IT strategic plans of ministries and agencies and the strategic plan for information society development in Lithuania;
¬ better coordination and control of IT projects and initiatives; and
¬ improvement of data exchange between state institutions.

2001 was probably the year when we already knew what we wanted but did not know how to achieve it. Luckily (although someone has said that luck is no more than the result of your own efforts...), this year heralded a slow but targeted and sustainable establishment of the IS audit function. We must pay tribute to those who were our patient but strict teachers. In 2001 and 2002, a joint project with the Swedish International Development Cooperation Agency (SIDA) allowed us to organise two IT audit seminars at the National Audit Office of Lithuania, led by specialists from the Swedish Riksrevisionen (the Swedish National Audit Office).

we can

The years 2002-2005 were also a successful learning time. This period saw the First and the Second PHARE projects, in which experience was shared with the National Audit Office of the United Kingdom and the Danish Rigsrevisionen (the National Audit Office of Denmark). And of course, we benefited from training at the International Centre for Information Systems and Audit offered by the Supreme Audit Institution of India. Even minor efforts, provided they are persistent and targeted, will sooner or later bring the desired result. One of the wins worth acknowledging is that the first auditor of the National Audit Office of Lithuania became CISA certified, the first such in the Lithuanian public sector.

Sometimes small rivers, close to each other but separated by hills, have to make a long journey before they come together. In the same way, the functions of information technology governance and information systems audit have risen from different springs. Despite bringing their competencies separately, they, against all the odds, inevitably approached each other. From our start in 2002, the functions of information technology governance and information systems audit were separate. But, over time, they grew towards each other. No one can say whether the CobiT methodologies (or good practices) for IT governance and audit were first applied to IT governance or to IS audit. The EUROSAI Information Technology Working Group project "Information technology self-assessment for supreme audit institutions" started in autumn 2002, and the first IT self-assessment seminar took place on 13-17 October 2003, moderated by representatives of the Court of Audit of the Netherlands. This was an important event both for information technology governance and for information systems audit.

Lithuania joined the European Union in 2004, and the need to carry out specialised information system audits according to existing standards became obvious. Such a need was not only an external but also an internal factor, conditioned by the growth of complex information systems in the public sector and, subsequently, by an increase in the finance for such systems. The need to design our own IS audit methodology and to institutionalise the IS audit function became stronger.

In February 2006 the IS audit function became part of the newly established Department of Information Technology Management and Audit, and in October 2007 the function was entrusted to the Division of Information Systems Audit within the same department. This is a compact unit of a head and four state auditors, a good place to grow together and to become stronger, and a good way to help many financial auditors to become more competent in auditing the general controls of straightforward information systems.

In April 2006, the Methodical Recommendations for Information Systems Audit, based on the INTOSAI Auditing Standards and the European Implementing Guidelines for the INTOSAI Auditing Standards (Guideline No. 22), were approved. The Methodical Recommendations define the place of IS audit, its types, its relation to financial and value-for-money audit, and its scope and methods. The Methodical Recommendations are an important document, therefore we will focus on some of their basic principles. Those who are interested can find the document on our web site at http://www.vkontrole.lt/en/docs/IS_Audit_Methodical_Recommendations_EN.pdf. We hope this material will be useful.

Figure 1: Types of IS audit. Information Systems Audit is divided into Evaluation of Internal Control (General Controls, Application Controls, System development) and Evaluation in terms of the 3Es (IS Performance Audit).

The Methodical Recommendations give the following definition of Information Systems Audit:
¬ Audit of Information System general controls
¬ Audit of application controls
¬ Audit of Information System development controls
¬ Information System performance audit

The objectives of the different IS audit types are as follows:
¬ Audit of IS general controls. Evaluate the internal control which covers all information systems of an organisation.
¬ Audit of application controls. Evaluate the controls related to data input, processing, protection and output in specific applications (e.g., Navision Financials or LABBIS).
¬ Audit of IS development controls. Evaluate the management and control of IS development from conception to live running, covering IS change management.
¬ IS performance audit. Evaluate issues related to IS in terms of efficiency, economy and effectiveness.

In terms of IS audit, INTOSAI distinguishes three levels of auditors (the implementation of these levels in the National Audit Office of Lithuania is presented in Figure 2):
¬ public auditors conducting financial and performance audits (hereinafter generalist auditors),
¬ IS auditors,
¬ IS/IT specialists.

The distribution of tasks between the different levels of auditors is as follows:
¬ IS audits performed by generalist auditors are limited to medium-complexity evaluation of IS general controls and accounting programmes (e.g., Navision Financials, LABBIS etc.);
¬ IS auditors perform audits of the general controls of complex IS (e.g., the IS of the State Social Insurance Fund Board of the Republic of Lithuania, the Customs IS etc.), IS development audits and IS performance audits;
¬ IS/IT specialists provide specialised guidance on particular issues.

During financial or performance audits generalist auditors may ask for help from IS auditors or IS/IT specialists. In such cases the Audit Department Director (Deputy Director) applies to the Head of the structural unit of the NAOL which performs IS audits. If necessary, an external IT/IS specialist can be brought in. Having performed IS audits, generalist auditors present their evaluation of IS general controls to the structural unit of the NAOL which performs IS audits.

we shall

The existence of the Methodical Recommendations and the distribution of tasks between IS auditors and generalist auditors allowed the latter to perform 76 general control evaluations of simple information systems in 2006. At the same time, IS auditors carried out six general control evaluations of complex information systems: a good distribution of tasks and a good use of IS auditors' potential.

Two illustrious value-for-money audits were carried out in 2006 and 2007, aimed at IT governance in governmental (supra-ministerial) institutions, which made many recommendations to the government to assure proper governance of the IT function. Among them were recommendations on improving the management structures of e-government projects as well as on their comprehensive quality control in terms of efficiency, economy and effectiveness.

We are active participants in the EUROSAI Information Technology Working Group project "Information technology audit function self-assessment for supreme audit institutions", whose first pilot seminar was held in Vilnius on 22-23 May 2007. A good basis for future action: "we shall do" indeed!

Figure 2: Division of functions when performing IS audit
IT/IS Specialist (specialists from the internal IT Department, or external IS/IT specialists):
¬ helps to transfer data from the IS of the audited entity to computerised audit tools;
¬ helps to perform audits of IS.
IS Auditor:
¬ evaluates the general controls of information systems and of application software for financial and performance auditors;
¬ participates in evaluating IS from the point of view of economy, effectiveness and efficiency;
¬ prepares IS methodologies and provides training;
¬ provides information to the IT Department about good IT governance / management practice.
Generalist Auditor:
¬ financial auditors use computerised audit tools, carry out risk evaluation in non-complicated IS and, having encountered problems relating to clients, consult IS auditors for more detailed analysis;
¬ performance auditors use computerised audit tools, participate in analysing the correctness, reliability and comprehensiveness of management information, and evaluate IS from the point of view of economy, effectiveness and efficiency.

Dainius Jakimavičius graduated from Vilnius University in 1983. He became a Doctor of Mathematics in 1993. He has worked in the Lithuanian National Audit Office since 2001, successively as Head of the Information Technology Division (2001-2002), Director of the Information Management Department (2002-2004), Director of the Information Technology Department (2004-2006) and currently Director of the Information Technology Management and Audit Department.
JAPAN

Audit of Computer Systems used by the Japanese Government

Auditees

The auditees were: the Cabinet; the Cabinet Office; the Ministry of Internal Affairs and Communications; the Ministry of Justice; the Ministry of Foreign Affairs; the Ministry of Finance; the Ministry of Education, Culture, Sports, Science and Technology; the Ministry of Health, Labour and Welfare; the Ministry of Agriculture, Forestry and Fisheries; the Ministry of Economy, Trade and Industry; the Ministry of Land, Infrastructure and Transport; the Ministry of the Environment; the Diet; the Courts; and the Board of Audit of Japan.

Topics Covered

1. Outsourcing contracts concluded by the Cabinet Office and Ministries with system integrators (SIs), including NTT Data Corporation.
2. Competitiveness and economy of maintenance and operation contracts.
3. Use of major systems.
4. Management of information security.
5. Present situation of the systems (including legacy systems) for which operation and system optimisation plans are to be made, based on the Programme for Building e-Government, and the measures being implemented towards optimisation.
6. Verification of the final accounts in consideration of the above.

Results of the Audit

Outsourcing contracts concluded by the Cabinet Office and Ministries with system integrators including NTT Data Corporation

a. Outline of information system-related contracts concluded by the national government

The Board of Audit of Japan analysed the national government's information system-related payments in fiscal year 2004. There were 6,475 contracts, worth 477.3 billion yen, concerning the 77 operations and systems covered by the optimisation plans in the administrative agencies and the Diet, the Courts and the Board of Audit of Japan itself, for which the payment amount exceeded 1 million yen.

b. Contracting parties

Of the payments to the contracting parties of the 6,475 contracts, the payment to NTT Data Corporation was the largest, amounting to 173 billion yen and accounting for 36.2% of the total. The payments to the top five contractors accounted for 65.4% of the total payment amount.

c. Tendering procedures

Of the 6,475 contracts, the 2,873 contracts for which 3 million yen or more was paid (473.2 billion yen in total) were examined for their tendering procedures: 80.8% of these contracts, and 96.3% of their total payment, were single tendered. Most of the national government's information system-related contracts are awarded using single tendering procedures.

Competitiveness and economy of the maintenance and management contracts

Of the 2,873 contracts worth three million yen or more, the Board of Audit of Japan examined the competitiveness and economic efficiency of 492 maintenance and management contracts (worth 36.6 billion yen) concluded by the internal departments of the Ministries and Agencies.

a. Competitiveness of maintenance and management contracts

Of the 492 contracts, those awarded by competitive tendering procedures accounted for 8.1% by number and 3.9% by value, while those awarded by single tendering procedures accounted for 91.8% by number and 96.0% by value. Thus the percentage of contracts awarded by competitive tendering procedures is low. For 458 contracts (the 492 contracts excluding unit-price contracts), the average ratio of the successful bid price to the planned price was 81.9% for competitive tendering (94.3% where there was one bidder and 60.9% where there were multiple bidders) and 97.4% for single tendering.

For 168 contracts (30 competitive-tendering and 138 single-tendering contracts) selected from the 492, the following items of the written specifications, which would be important in increasing competitiveness in tendering, were more frequently described for competitive tendering than for single tendering: [1] work amount by work item and data on the occurrence of troubles; [2] scope of responsibility; and [3] system component items.

b. Calculation of the planned prices for maintenance and management contracts

From the 492 maintenance and management contracts, the Board of Audit of Japan first selected the contracts covering common operational items ([1] system monitoring; [2] preventive maintenance; [3] responses to inquiries from the officials in charge of the system; [4] troubleshooting; and [5] system operation), and extracted 112 contracts. As for the methods of calculating the planned prices, the 26 Ministries and Agencies that awarded these 112 contracts have no manuals on which the calculation of their planned prices is to be based. For the unit personnel cost (man-month cost in yen) of system engineers (SEs) and others, the materials most frequently referred to in determining the unit cost for the 112 contracts were the written estimates submitted by system integrators. Also, the unit personnel cost paid for the same operation, based on the same reference material, varies by contract. As for verification of the appropriateness of the SE-related price estimates in the planned prices, the appropriateness was not specifically verified for 29 contracts (25.8%) of the 112, and was verified for 59 contracts (52.6%) by means of service reports (for 14 of these 59 contracts, by calculating the unit hours required for each operation).

Use of major systems

a. Use of electronic application systems

The Board of Audit of Japan audited the following electronic application systems managed and operated by the internal departments of the Ministries and Agencies: 16 general-purpose systems of 16 Ministries and Agencies, and 25 special-purpose systems of 12 Ministries and Agencies. Thus the Board examined a total of 41 systems of 20 Ministries and Agencies, for which a total of 32.9 billion yen had been paid in fiscal years 2003 and 2004. As at the end of September 2005, electronic applications could be made for as many as 14,354 procedures: general-purpose systems were used for 12,899 procedures and special-purpose systems for 1,455. Of the procedures for which electronic applications were possible as of the end of fiscal 2004, those for which the total number of applications (electronic plus written) was zero accounted for 52.4% of the procedures processed by general-purpose systems and 23.7% of the procedures processed by special-purpose systems. The percentage of applications made electronically was 0.02% for the general-purpose systems and 5.57% for the special-purpose systems, and 0.94% of the total number of applications in fiscal 2004.

b. Use of electronic bidding systems

The Board of Audit of Japan audited 12 electronic bidding systems managed and operated by the internal departments of 12 Ministries and Agencies. The payments made in relation to these systems in fiscal years 2003 and 2004 amounted to 4.6 billion yen. For the use of electronic bidding systems from fiscal year 2003 to fiscal year 2005 (to September 2005), the percentage of electronic bidding (the number of contracts for which all or some of the applicants made a bid through the electronic bidding system, divided by the number of contracts for which electronic bids could be made) remained relatively lower for goods and services than for construction.

Management system for information security

a. Information security measures

The Board examined the information security measures implemented by the internal departments of the Ministries and Agencies as of the end of October 2005. As for procedures for entering and leaving the server room, 10.8% of the departments "have no application procedures and do not keep entry/exit records at all". As for monitoring of LAN devices with network monitoring equipment, 6.8% of the departments do not monitor for possible attacks on the LAN. For the backup of data stored in the various systems installed in the server room, nearly half of the data (45.7%) either has no backup or has backup data stored only in the same server room. As for access to the data folders of the divisions of the internal departments, they are "readable" at 5.7% of the departments. 3.4% of the departments have virus definition files updated manually by users. As for the use of privately owned PCs in offices, 59.3% of the departments "do not prohibit the use". Regarding connection of privately owned PCs to the LAN, many departments "prohibit the connection", but at many of these departments "users can connect their private PCs to the LAN if they configure some settings".

b. Management system for information security

Of the 25 Ministries and Agencies (excluding the external organs under the control of the Ministries and others), 23 had formulated information security policies, but only seven of them conducted a risk assessment when formulating their initial policies. Only 12 Ministries and Agencies had provisions for the establishment of audit teams, of which only four actually had those teams in place. As for written procedures to implement information security, three had not created any such manuals. One of the Ministries and Agencies had its audit team "check compliance with the Policies", four conducted "self-examination", eight conducted "information security audits" and 17 conducted "vulnerability assessments".

Present situation of the systems (including legacy systems) for which operation and system optimisation plans are to be made based on the Programme for Building e-Government, and the measures being implemented towards optimisation

a. Present situation concerning the systems for which operation and system optimisation plans are to be made

As of the end of June 2005, a total of 77 operations and systems in the Ministries and Agencies were targeted by optimisation plans. Their management cost came to 465.3 billion yen in fiscal year 2004. Of the 77 operations and systems, 36 are legacy systems used at 16 Ministries and Agencies. For the management of these legacy systems, the Ministries and Agencies paid contract amounts of 345.8 billion yen in fiscal year 2004, which accounts for 74.3% of the amount paid in relation to the 77 operations and systems. Among data communications service contracts, the service fees reached or exceeded 100 million yen for nine contracts in fiscal year 2004, and a total of 157.6 billion yen was paid for these contracts. As of the end of fiscal 2004, the remaining debt on the nine data communications service contracts totalled 164.2 billion yen.

b. Formulation of the operation and system optimisation plans

For the 77 operations and systems for which optimisation plans were to be made by the end of fiscal year 2005, a total of 7.8 billion yen was paid as commission expenses.

c. Cost reduction effect and problems described in the optimisation plans

The Board of Audit of Japan estimated the development cost. For some operations and systems the development cost will be recovered through reduced management cost within four years, but for the others it will not be recovered within four years.

d. Problems to solve to ensure the appropriateness of the optimisation plans

One of the outcomes of the optimisation plans is DFDs (standard document formats created on the basis of data flow diagrams). As many as 831 inconsistencies were found in the description of information flow in 47 of 66 optimisation plans. Some of the common operations and systems still need to be coordinated.

Verification of the final accounts in consideration of the above

(i) The Board of Audit of Japan checked the contracts for the 77 operations and systems of the administrative agencies for which optimisation plans were to be made, and which accounted for most of their information system-related budget, as well as the contracts worth 1 million yen or more concluded by the Diet, the Courts and the Board of Audit of Japan itself. As a result, it was revealed that the information system-related payments made in fiscal year 2004 totalled as much as 477.3 billion yen. As for the contracting parties, payments to the top five companies accounted for 65.4% of the total. For tendering procedures, the percentage of competitive tendering was low.

(ii) As for maintenance and management contracts, those awarded by single tendering procedures accounted for 91.8% by number and 96.0% by amount, demonstrating low competitiveness in tendering. The ratio of the successful bid price to the planned price was higher for contracts awarded by single tendering than for those awarded by competitive tendering, in particular with multiple bidders. The planned unit personnel cost varies greatly by contract, and its verification and the reflection of the results were not sufficiently conducted.

(iii) As for the procedures for which electronic applications can be made through electronic application systems, there were no online or written applications filed in fiscal year 2004 for 52.4% and 23.7% of such procedures for general-purpose and special-purpose systems, respectively. The total percentage of electronic applications was as low as 0.94% for the general-purpose and special-purpose systems together.

(iv) For the information security measures implemented by the internal departments of the Ministries and Agencies as of the end of October 2005, there are deficiencies in the data-related and privately owned PC-related security measures. The management of information security is inadequate.

(v) The cost of managing the 77 operations and systems for which optimisation plans would be formulated came to 465.3 billion yen in fiscal year 2004, of which the cost of managing the 36 legacy systems amounted to 345.8 billion yen (74.3%). The cost reduction effects estimated in the optimisation plans need to be improved and reviewed in order to attain the effect. The Board of Audit of Japan found many inconsistencies in the DFDs to be included in the optimisation plans.

Opinions about the Audit Results

The following measures should be implemented to ensure the economical, efficient and effective implementation of the national government's information system-related budget:
1. to improve the competitiveness and transparency of the contracts and to improve the rationality of the calculation of planned prices;
2. to promote the use of the electronic application systems and thereby increase convenience for the public;
3. to enhance security measures and to improve the management system for information security;
4. to implement the operation and system optimisation plans while ensuring that the plans respond to changes in the situation.

The Board of Audit of Japan will keep its eyes on the government's progress towards the implementation of the optimisation plans and conduct multifaceted audits of the government's computer systems.
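The DFD inconsistencies reported under point d above (831 of them across 47 of 66 plans) are the kind of finding that can be produced mechanically rather than by reading each plan by hand. The following is an added example, not tooling or criteria from the Board of Audit of Japan: it checks a small constructed diagram against the usual structural rules for data flow diagrams (assumed here, since the report does not say which inconsistencies it counted) and tallies the findings per rule, in the way an audit would tally them per plan.

```python
"""Mechanical consistency check of a data flow diagram (DFD).

Added example; not code from the Board of Audit of Japan or from any
optimisation plan. The element kinds, the rule set and the sample diagram
are assumptions based on common DFD conventions (Yourdon/DeMarco), not on
the criteria the Board applied. Python 3.8+.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PROCESS, STORE, ENTITY = "process", "store", "entity"


@dataclass
class Dfd:
    elements: Dict[str, str]                            # element name -> kind
    flows: List[Tuple[str, str, str]]                   # (source, target, data item)
    dictionary: Set[str] = field(default_factory=set)   # declared data items


def check_dfd(dfd: Dfd) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings; an empty list means the DFD is consistent."""
    findings = []
    kinds = dfd.elements

    # Rule 1: every flow endpoint must be a declared element.
    for src, dst, item in dfd.flows:
        for end in (src, dst):
            if end not in kinds:
                findings.append(("undefined-element", f"{end} in flow {src}->{dst} ({item})"))

    # The remaining rules only look at flows whose endpoints both exist.
    valid = [f for f in dfd.flows if f[0] in kinds and f[1] in kinds]

    # Rule 2: every data item carried by a flow must be in the data dictionary.
    for src, dst, item in valid:
        if item not in dfd.dictionary:
            findings.append(("undefined-data-item", f"{item} on {src}->{dst}"))

    # Rule 3: at least one end of a flow must be a process; entity<->store,
    # entity<->entity and store<->store flows describe data moving with no
    # processing step to account for it.
    for src, dst, _ in valid:
        if PROCESS not in (kinds[src], kinds[dst]):
            findings.append(("flow-without-process", f"{src} ({kinds[src]}) -> {dst} ({kinds[dst]})"))

    # Rules 4 and 5 need per-element input/output counts.
    inputs = {name: 0 for name in kinds}
    outputs = {name: 0 for name in kinds}
    for src, dst, _ in valid:
        outputs[src] += 1
        inputs[dst] += 1
    for name, kind in kinds.items():
        if kind == PROCESS:
            # Rule 4: a process must both consume and produce data.
            if inputs[name] == 0:
                findings.append(("process-no-input", name))
            if outputs[name] == 0:
                findings.append(("process-no-output", name))
        elif kind == STORE:
            # Rule 5: a store that is never written, or written but never
            # read, usually points at a flow that was left out of the plan.
            if inputs[name] == 0:
                findings.append(("store-never-written", name))
            if outputs[name] == 0:
                findings.append(("store-never-read", name))
    return findings


# Constructed sample: a small application-handling DFD with four deliberate
# defects (undefined element, undeclared data item, entity-to-store flow,
# write-only store).
SAMPLE = Dfd(
    elements={
        "Applicant": ENTITY,
        "Receive application": PROCESS,
        "Examine application": PROCESS,
        "Application file": STORE,
        "Audit log": STORE,
    },
    flows=[
        ("Applicant", "Receive application", "application form"),
        ("Receive application", "Application file", "application record"),
        ("Application file", "Examine application", "application record"),
        ("Examine application", "Applicant", "decision notice"),
        ("Examine application", "Audit log", "examination event"),   # never read back
        ("Applicant", "Application file", "supporting document"),    # bypasses every process
        ("Receive application", "Registry", "receipt"),              # Registry is not declared
        ("Examine application", "Applicant", "fee invoice"),         # not in the dictionary
    ],
    dictionary={"application form", "application record", "decision notice",
                "examination event", "supporting document", "receipt"},
)


def count_by_rule(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Aggregate findings per rule, the way an audit would tally them per plan."""
    counts: Dict[str, int] = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in check_dfd(SAMPLE):
        print(f"{rule:24s} {detail}")
    print(count_by_rule(check_dfd(SAMPLE)))
```

The rules are deliberately structural: they need only the elements, flows and data dictionary that a standard document format already records, so the same checks can be run over every plan without any judgement about the business content. Flows with an undeclared endpoint are excluded from the later rules so that one missing element does not produce a cascade of secondary findings.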
CHINA

In December 2007 the National Audit Office of China formulated a pre-audit investigation guideline for IT audit, as one part of the Chinese Government Auditing Standards System.

CNAO's Pre-audit Investigation Guideline for IT Audit

The National Audit Office of the People's Republic of China (CNAO) attaches great importance to the pre-audit investigation of IT audit projects. Prior to preparing audit implementation programmes, and according to the nature and scale of the audit project, the audit team is required to assign competent staff to learn about the auditee. For this purpose CNAO has formulated this Pre-audit Investigation Guideline for IT Audit. The Guideline can be used in pre-audit investigations where:
¬ the auditee has computerised its accounting or other main business systems;
¬ the audit team is carrying out an Information Systems, E-Governance or IT performance audit.

CNAO requires auditors to pay attention to the substantial changes brought to audit institutions and auditees by the application of information technology. The target of the pre-audit investigation for IT audit is therefore to make the audit implementation programmes prepared by the audit teams and audit institutions meet the needs of audit in an IT environment. According to the Guideline, auditors involved in pre-audit investigations should have appropriate IT knowledge and skills. If necessary, professional IT staff from CNAO's IT Centre or external IT specialists can be invited to join the audit team.
Pre-audit investigations can be carried out through consultation, group interviews, questionnaires and surveys, information/data inquiry, on-the-spot inspection and visits to related organisations. Through the pre-audit investigation, auditors should obtain the following basic information:

Firstly, the information systems used by the auditee, including: the method and time of acquisition; operating system, database management system and application software versions; hardware configuration; data processing flow; interaction with other information systems; data output type and format; system controls and security policies. Tests may be carried out in the auditee's information system during the pre-audit investigation only when the normal operation of the target information system is ensured.

Secondly, the auditee's electronic data, including: the data storage medium; data volume measured in gigabytes (GB); the compliance level of output data with the Chinese National Standard; whether the data can be collected successfully by audit software such as Auditor Office (AO); the capability of the auditee to support the auditors' data-collection process; and a preliminary check of the authenticity and applicability of the data during the pre-audit investigation.

Thirdly, the dependence of the auditee's business flow on information technology, including the degree of impact on the continued operation of the auditee and the extent to which information systems are used. Auditors can review the dependence indicators by sampling during the pre-audit investigation.

Fourthly, IS management and management style, including: the legal requirements for the IS in use; the position of the IT Centre in the organisation chart; segregation of duties between IS managers and users; the setting of major control points and posts. Auditors can review the management structures by sampling during the pre-audit investigation.
Fifthly, the environment in which the IT audit is carried out, including: the facilities and network environment provided by the auditee and the equipment and facilities that the audit team should prepare; the software supplied by the auditee and the software to be prepared by the audit team; and an assessment of the security impact on both auditors and auditee of working in the auditee's IT environment.

The pre-audit investigation process and the information collected should inform:
¬ audit objectives;
¬ audit contents and priorities;
¬ audit items which could have a significant influence on the audit objectives;
¬ significance level and audit risks;
¬ organisational arrangements and working methods in the IT environment;
¬ the computer equipment and environment necessary for the audit and how to provide them;
¬ the number and skills of IT professional staff needed in the audit team;
¬ the estimated audit time span and budget.

If, based on the preliminary results of the pre-audit investigation, the audit team believes the auditee's information system has weaknesses that may significantly influence the authenticity and integrity of the electronic data, the team can recommend that an information system review be added to the audit implementation programme.

Wang Zhiyu, Director General, IT Centre of CNAO. Wang graduated from Zhengzhou University of China and was awarded a Bachelor degree in Economics in 1981. He was appointed Director General of CNAO's IT Centre in 1999. As CIO, he is at present responsible for the implementation of the Golden Auditing Project. For his excellent work, he was awarded the Prize of Outstanding Contributor for Promoting IT Application in China in 2004.

intoIT, the INTOSAI information technology journal. © National Audit Office 2008 | Design and production by NAO Marketing & Communications Centre | DG Ref: 8266RD | Printed by Heronsgate. Printed on Greencoat paper. Greencoat is produced using 80% recycled fibre and 20% virgin TCF pulp from sustainable forests. www.intosaiitaudit.org