2.3. Main challenges and risks to e-Government

Auditing e-Government
2003
Prepared by the INTOSAI Standing Committee on IT Audit
Task Force for Auditing E-Government
CONTENTS
PREFACE
TASK FORCE CONTACTS
1. INTRODUCTION
1.1 Executive summary
1.2 Background
1.3 Organisation
1.4 The Survey
2. BACKGROUND
2.1 What is e-Government?
2.2 Levels of e-Maturity
2.2.1 Roll-out
2.2.2 Supply
2.2.3 Degree of Sophistication
2.3. Main challenges and risks to e-Government
2.3.1 Initiating and supporting e-Government proposals
2.3.2 Implementing e-Government
2.3.3 Consequences of e-Government
3. THE SURVEY RETURNS
3.1 Summary
3.2 Introduction
3.3 Detailed analyses of the survey returns
Question 1
Question 2
Question 3
Question 5
Question 6
Question 7
Questions 8 and 9
Question 10
4. PROPOSALS FOR NEW PROJECTS
4.1 Introduction
4.2 Sharing information and knowledge in the e-Government area
4.2.1 Introduction
4.2.2 Challenges
4.2.3 Proposals
4.2.4 Recommendations and priority
4.3 Developing audit methods and audit perspectives on e-Government
4.3.1 Introduction
4.3.2 Challenges
4.3.3 Proposals
4.3.4 Recommendations and priority
4.4 Training and education
4.4.1 Introduction
4.4.2 Challenges
4.4.3 Main activities
4.4.4 Recommendations and priority
4.5 Joint international audits
4.5.1 Introduction
4.5.2 Challenges
4.5.3 Main activities
4.5.4 Recommendations and priority
4.6 Organisation of new projects
5. RECOMMENDATIONS
ANNEX A: SOME E-GOVERNMENT CASE STUDIES
ANNEX B: THE SURVEY QUESTIONNAIRE
Version 7
Preface
The Auditing e-Government project was initiated by the INTOSAI Standing Committee on
IT Audit at its 11th meeting in November 2002. The Committee agreed that e-Government
posed new risks and challenges for auditors as well as Governments. The
project has been coordinated by the Office of the Auditor General of Norway with the
SAIs of the United Kingdom, Sweden, USA, Canada, and Russia as project members.
The main objective of the project has been to investigate the SAIs’ different attitudes and
experiences in auditing e-Government with a view to proposing new projects for the
Committee on issuing guidance and sharing best practice in this area.
The task force group has finalised the work assigned to it by the IT Audit Committee and hopes it
will give the Committee a basis for deciding priorities for further work in the area of
auditing e-Government. The task force group will make necessary changes to the report
to take account of feedback from SAIs at the 12th Committee meeting.
Office of the Auditor General of Norway, August 2003
Task Force contacts
The draft report was prepared by a working group with members from the United Kingdom,
USA, Canada, Sweden and Norway. Among others, the following persons have been
involved:
Project Coordinator - Erna Jørgensen Lea, Deputy Director General, Office of the
Auditor General of Norway (OAG), e-mail: erna.lea@riksrevisjonen.no
Rune Johannessen, Senior Advisor, OAG, e-mail: rune.johannessen@riksrevisjonen.no
Bård Seiersnes, Audit Advisor, OAG, e-mail: bard.seiersnes@riksrevisjonen.no
Steve Doughty, IT Director, National Audit Office (NAO), United Kingdom,
e-mail: steve.doughty@nao.gsi.gov.uk
Ian Petticrew, Principal Auditor, National Audit Office (NAO), United Kingdom
e-mail: ian.petticrew@nao.gsi.gov.uk
Vladimir Bogachev, Accounts Chamber of the Russian Federation,
e-mail: intrel@ach.gov.ru
Madhav Panwar, Senior Level Technologist, General Audit Office (GAO), USA,
e-mail: panwar.m@gao.gov
Richard Brisebois, Director, IT Audit Services, Office of the Auditor General of Canada
(OAG), e-mail: Richard.brisebois@oag-bvg.gc.ca
Bjørn Undall, Audit Director, Swedish National Audit Office,
e-mail: bjorn.undall@riksrevisionen.se
Bengt E W Andersson, Audit Director, Swedish National Audit Office,
e-mail: bengt.Andersson@riksrevisionen.se
1. Introduction
1.1 Executive summary
At its 11th Meeting, held in New Delhi in November 2002, the INTOSAI Standing
Committee on IT Audit agreed that e-Government posed new risks and challenges for
auditors as well as Governments, and that these should be investigated with a view to
issuing guidance and sharing best practice in this area.
A survey designed to obtain a broader view of SAIs’ differing attitudes and experiences
in auditing e-Government identified funding and costs; privacy and security; and
strategic planning and performance measurement as the three risk areas generally
regarded as most important when auditing e-Government. SAIs also identified the need
for special audit approaches and methods for selecting audit objectives and criteria; the
need for special audit skill and knowledge; unclear audit mandates; and finding relevant
matters of potential significance as particular challenges and risks in auditing e-Government.
Based on the survey responses and our discussions, we propose 10 projects for further
work in the e-Government area corresponding to 4 main activities. We believe that these
projects will meet the main risks and challenges identified by SAIs:
• Sharing lessons, information and knowledge in the e-Government area;
• Developing audit methods and audit perspectives on e-Government;
• Training and education;
• Joint (concurrent/cooperative) international audits.
The proposed projects, which differ in their complexity, resourcing requirements and
duration, cover both financial and performance audit. Most SAIs should therefore find
something of interest among them. Due to the projects’ differing objectives, the Task
Force recommends that the Committee give priority to those that do not depend on an
SAI’s level of maturity in auditing e-Government, and that provide a basis for further
work; these projects fall within the areas of Sharing Information and Knowledge and
Developing audit methods and relate to the main risks and challenges identified by SAIs.
The result of this work will provide a basis for exploring these areas in more depth at a
later stage. However, we also recommend an early start on discussions to agree the
requirements and decision process for future concurrent/cooperative international audits.
Because the need for special audit skill and knowledge was a significant challenge
identified by SAIs in auditing e-Government, the Committee should regard the value of
training and education to be of particular importance in the projects carried out. This
could be addressed either by special projects, or by professional organisations such as
IDI. However, we recommend that projects within this category commence at a later
stage, when the results of the initial projects are known.
It is important to emphasise that the success of further projects will depend on the special
challenges posed by this type of international project being met, in particular the
participants’ commitment to succeed.
The table summarises the projects proposed:
Activities: Information and knowledge sharing (Information Sharing; Knowledge Sharing); Developing audit methods and audit perspectives; Training and education; Joint international audits.
Proposed project | Recommended priority* | Resources needed | Finalised | SAI Project leader | Participating SAIs
1. Collect and distribute e-Government audit reports etc | 1 | Low | 2004 | |
2. Collect and distribute SAIs e-Government experiences | 1 | Low | 2005 | |
3. Collect and distribute e-Government material | 1 | Low | 2004 | |
4. Summarize audit work | 2 | Medium | 2005 | |
5. Analyse e-Government audit methods | 2 | Medium | 2005 | |
6. Summarize e-Government concepts | 1 | Medium/high | 2005 | |
7. Develop best practices in e-Government | 1 | Low/medium | 2004 | |
8. Adapt existing audit models to e-Government | 3 | Medium/high | 2006 | |
9. Development of e-Government auditing courses | 3 | High | To be decided later on | |
10. Concurrent or cooperative audits | 1 | Medium/high | Running from autumn 2003 | |
* 1 = highest, 3 = lowest
1.2 Background
As agreed at the Committee meeting in New Delhi, a project was set up to look into the
risks and challenges to both auditors and their governments posed by the introduction of
e-Government. These risks and challenges were investigated with a view to issuing
guidance and sharing best practice.
The first stage of the project was to conduct a survey to establish trends and
developments worldwide, the aim being to identify common issues and problems for
further discussion and investigation according to the Task Force mandate:
In the initial phase, a preliminary project works out a survey on the international
development, trends, attitudes and experiences in this area. This work will be
coordinated with EUROSAI if possible. Other aspects that need to be resolved in
this project are the project scope (mission and goals), and questions regarding
organization, planning and the availability of resources. This preliminary project
will be finished in September 2003.
The project was designed to cover areas that are of particular relevance to e-Government,
rather than to IT in general. In other words, we focused on services, management,
technical solutions, legal risks, and other auditing risks that relate to the delivery of e-Government services and solutions.
The first part of this report provides background information to help ensure that the
information gathered from the survey is based on a common understanding. It includes a
definition of e-Government, a description of the levels of e-Government service maturity,
and an outline of the main challenges and risks they pose.
The second part of the report contains an analysis of the survey returns on e-Government
completed by SAIs.
The final part of the report sets out our proposals for further projects within different
areas of e-Government audit. It covers both financial and performance audit requirements
as they emerged from the survey returns and from our discussions.
1.3 Organisation
The Task Force comprised the SAIs of Sweden, UK, US, Canada, Russia and Norway,
with Norway responsible for coordinating the work. The Task Force held two joint
meetings: in Oslo in March and in London in June. Sub-group meetings were also held
between the SAIs of Norway and Sweden corresponding to the tasks set out in the
group’s milestones.
The group divided the responsibility for the work as follows:
• UK researched the background;
• USA undertook the survey analysis and summary;
• Sweden and Norway designed the questionnaire and the proposals;
• Canada undertook the quality control and pilot on the survey questionnaire.
As stated in the mandate, the work has been coordinated with the EUROSAI IT working group by updating the SAI Netherlands representative on progress.
1.4 The Survey
The survey questionnaire, which was based on our selected definition of e-Government,
was designed to identify SAIs’ differing attitudes and experiences in auditing e-Government and the main risks and challenges they faced. The questionnaire was piloted
and adjusted before being circulated to all 180 SAIs, 57 of whom responded. The
information provided in the survey returns formed the basis of our discussions and of this
report.
2. Background
2.1 What is e-Government?
e-Government (synonymous with electronic government) is not, primarily, a technology
programme but a continual programme of change that has the potential to transform the
way that governments operate. The Internet yields many definitions extending from the
succinct to the exhaustive. Although they generally agree on the need to exploit
technology, their emphasis differs, with some describing e-Government’s overall aim in
terms of tangible benefits:
• Numbers of services offered;
• Numbers of visits (downloads of information) and business transactions;
• Improved efficiency (really about reduced operating costs);
… while others emphasise the less tangible:
• Transforming relationships;
• Improving transparency and the democratic process;
• Achieving social or economic good;
• Facing (and presumably resolving) challenges;
• Horizontal integration of services;
• Multi-jurisdictional issues.
The distinction is that some view their goal in terms of “outputs”, while others have a
broader vision of social “outcomes”. The following extremes illustrate this:
Example 1 - City of Tampa: e-Government is about interaction, about business
interacting with government (using interactive applications for - procurement, proposals,
permit applications, inspections requests, information, etc); citizens interacting with
government (paying parking tickets, utility bills, filing complaints, requesting services,
etc.); and government to government transactions (agencies interacting with agencies at
multiple levels of government exchanging information).
Example 2 – Center for Democracy & Technology: E-government is about
transforming the way government interacts with citizens.
Given the broad perspective of an SAI’s work in the public sector, the definition of e-Government selected for this project is:
e-Government is the online exchange of government information
with, and the delivery of services to, citizens, businesses and
other government agencies.
Annex A contains some examples of e-Government at work. These are not entirely a
catalogue of success stories, but they serve to illustrate different facets of the problem of
defining e-Government.
2.2 Levels of e-Maturity
Maturity levels for e-Services may be considered from perspectives concerning rollout,
supply capability, and degree of sophistication:
• How far have the countries and agencies succeeded in rolling out e-Government
services? Do they deliver some kind of e-services or are they still investigating the
demands, visions, and requirements for building e-services?
• If countries and agencies deliver (roll out) e-services, what kind of e-services are
being delivered? Do agencies only deliver a few and simple e-services or many
and more seamless e-services? In other words, what kind of supply capability do
agencies have?
• If countries and agencies deliver e-services and e-duties, how sophisticated is
each of these services? The degree of sophistication could be measured in terms
of developed relationships between the user and the IT system delivering the e-service.
2.2.1 Roll-out
Figure 1: this measurement of maturity takes account of countries that have yet to make
a significant inroad into an e-Government programme. Their position on the Demand,
Change and Capability quadrant illustrates where they lie in relation to this goal.
[Figure 1 – Roll-out. Quadrants: Demand (consultation with citizens, businesses and external providers); Supply Capability (e-Government services, Front Office); Vision (commitment, leadership & other drivers for change); Build Capability (enabling Government infrastructure, Back Office).]
2.2.2 Supply
Figure 2: this measure considers the maturity of the services that have been rolled out -
mere roll-out does not necessarily result in e-Government (as defined earlier) having
achieved a significant impact. Supply capability
considers progression through four ‘higher’ phases of maturity:
Phase 1 - publication: limited to publishing government information on a website.
Phase 2 - passive interaction: citizens and businesses communicate electronically
with government to initiate a transaction, but cannot complete it electronically (e.g.
select a form to download and complete manually, and deliver by conventional means).
Phase 3 - active interaction: the citizen and government are able to complete basic
transactions electronically.
Phase 4 - seamless e-Government: sophisticated service delivery is achieved. Active
interaction (Phase 3) is tuned to enable both government and the public to obtain optimal
value from their electronic interaction. Extensive help based on ‘memory’ of past
transactions, and links to private sector organisations and other jurisdictions (i.e. “cross-border”), are provided where necessary.
[Figure 2 - Supply: “Developing Supply Capability”. Axis labels: Single Business Line, Intra-Departmental, Inter-Departmental, Multi-Jurisdictional; and Information, Initiation, Interaction, Integration. Phases plotted: Publication, Passive interaction, Active interaction, Seamless e-Govt.]
2.2.3 Degree of Sophistication
The attainment of seamless e-Government involves achieving a number of measures of
post rollout sophistication. From the citizen’s perspective, five main drivers determine
the level of maturity of the service:
• Insight - does government remember me? When revisiting a website, does it know I
have previously interacted with government on the website, and then use that
information to offer a more tailored service? (e.g. see case study 1 at Annex A).
• Interaction: can I access multiple related government sites through a single portal?
(e.g. see case studies 3 & 6).
• Needs based: is this site organised around my needs? Is it intentions-based? This
measures the degree to which the services are organised around life/business events
rather than internal government structures (case studies 3 & 6).
• Customer facing: does this site help or advise me based on my needs or
circumstances? This measures the degree to which a website can identify services or
can help or advise automatically depending upon the circumstances of the citizen or
business (case study 1).
• Value added: is it possible for me to access other value-added non-governmental
services from this service? This measures the degree to which government services
are bundled with other non-governmental services to provide added value to the
citizen or business (case study 4, although this particular attempt failed).
Unsurprisingly, comparative studies show that e-Maturity tends to reflect a nation’s
economic, social, and democratic level of development (e.g. see the number of citizens
with on-line access in case study 6 at Annex A). They show that the front-runners are the
industrialised nations whose citizens enjoy the benefits of abundant resources, superior
access to information, and a more participatory relationship with their governments.
2.3. Main challenges and risks to e-Government
e-Government is said to have the potential to transform the way that governments operate.
Some countries and agencies have not yet started to transform services into e-services,
while others are working with their visions, demands, and capabilities to develop
e-Government services. Some countries and agencies have progressed quite far along the
road of delivering sophisticated e-services. But the road leading to a seamless
e-Government is not an easy one. On the contrary, there are many risks involved, which if
they occur will have a detrimental impact on the economy, efficiency, and effectiveness
of e-Government investments. In the following, we have identified three broad risk areas:
• Risks related to initiating and supporting e-Government investment proposals;
• Risks related to implementing (developing, running, delivering, and maintaining)
e-Government services;
• Risks related to the consequences (value for money, effectiveness) of performing
e-Government services.
It is crucial for countries and agencies to identify the risks they face in developing
their e-Government services, and to develop appropriate strategies for their management.
2.3.1 Initiating and supporting e-Government proposals
e-Government investments are often proposed by Cabinets and Parliament. Cabinets also
give orders or directives to specialist agencies/departments to develop different kinds of
e-Government support mechanisms, such as standards to be used in developing
e-Government. These give rise to two types of risks:
Political risks: created by or tied to unclear demands, requirements, e-policies,
and strategies from Parliament and Cabinet. Unclear or inconsistent
e-policies and the need for e-support mechanisms can make public agencies
confused about how to focus and act.
Strategic Management risks: studies of government IT projects generally
conclude that they are inherently risky, and although the nature of the risks is
well understood, under-performing and abandoned IT projects recur. Projects
and programmes to implement e-Government are not only vulnerable to these
chronic risks, but to others stemming from their multi-organisational/multi-jurisdictional
nature.
At the highest levels of maturity, e-Government developments span multiple
departments, multiple tiers of government (in some cases involving private sector
providers) and multiple jurisdictions (e.g. customs clearance, immigration and law
enforcement). “Joining up” government to provide “seamless e-Government” therefore
requires additional structures and business processes to those that apply to single
department projects. Indeed, one might argue that projects at this level only exist within
cross-cutting programmes, the successful management of which will require significant
cultural and organisational change, such as strong political leadership stretching across
departmental and national boundaries, complex governance structures, multilevel
funding, and communications and relationship skills extending beyond what a “single
organisation” project requires. The number of organisations involved, the length of the
programme, the various levels of government participation and the overall technical
complexity will in turn influence the extent and permanence of these changes.
The imperatives for implementing major e-Government programmes should therefore
focus on a clearly defined strategic goal agreed by the major stakeholders. There must be
appropriate levels of leadership and ownership (maybe involving an overseeing
department and ministerial responsibility). The appropriate skills and financial resources
must be provided. Stakeholders must also invest in the building blocks; and continue to
maintain the pressure for ongoing progress (which may be difficult to sustain in a long-term development).
2.3.2 Implementing e-Government
Given the orders and directives from Parliaments and Cabinets, the agencies and others
involved have to plan, develop, implement, and maintain e-Government services. There
are a number of risks involved in this work:
Market research: there is evidence to suggest that some departments add a
public interface to their traditional business functions without first assessing
demand, or considering whether a service could be packaged with others to
provide a more marketable product.
IT business process risks: arise where analyses of security and information
processing do not extend to entire business processes, but merely to some parts
of them. Such risks may arise from: lack of data flow transparency, inadequate
integration of systems or deficient reconciliation and control procedures in
interfaces between sub processes arising from the exchange of data between two
subsystems within business processes. In this situation, there is a risk that IT
controls, such as access rights or data back-up procedures, will be effective only
for the sub processes, but not for the aggregated processes.
Project management: there are traditional problems surrounding the
management of IT investment projects. These problems will surely occur even
for e-Government investment projects. To these traditional problems will be
added new kinds of management problems, because there will often be
more independent actors involved in the projects and the need for
inter-departmental co-operation will increase.
Contract management: to the traditional problems surrounding procurement
are added those of on-going operation where this is outsourced, or the service is
provided under a private finance initiative agreement. Professional-level skills
and active, on-going contract management are needed to avoid the risk of the
contractor dominating the purchaser and delivering poor value.
Technical standards and infrastructure: particular risks under this heading
concern the high cost of system inter-working (e.g. due to lack of cross-departmental
standards for exchanging data); lack of standards for protecting
the availability, integrity and confidentiality of public information; lack of a
standard approach to user authentication, and for ensuring non-repudiation.
There are also risks concerning transactions with individuals and
organisations outside management control and the use of external networks,
which generally do not offer assurances over the security of the traffic they
carry. The risks also relate to the adequacy of the IT infrastructure for
information processing.
IT application risks: result from bugs and errors in IT applications,
uncoordinated or undocumented program changes, inadequately designed input,
processing and output controls in IT applications or inadequate procedures to
ensure software security in connection with the security infrastructure
(inadequate access authorization concepts and data back-up and restart
procedures).
Legal issues and risks: Some of the issues include protection of intellectual
property, including patent, copyright, and trademark laws, and enforceability of
contracts with Internet service providers. Risks include determining contract law
and jurisdiction when transactions through the Internet cross national
boundaries, and ensuring data privacy (including personal information) in
accordance with national laws.
2.3.3 Consequences of e-Government
Following their delivery, the realisation of the planned impact or long-term outcome of
the transformed e-Government services (i.e. their effectiveness) will depend heavily on
the extent to which citizens, businesses and other departments/agencies actually use them.
There are several risks at this post-implementation stage:
The user interface: the public will not be attracted to an e-Service that is
difficult to use, that doesn’t cater for minority needs (e.g. languages,
disabilities), or is not widely accessible on a wide range of access devices.
Advertising and promoting the service: the public can’t be expected to use a
service they are unaware of, or whose benefits they are unaware of.
Incentives may be necessary to encourage people to make the change from
conventional access routes (e.g. the UK Inland Revenue pay a small rebate for
tax returns submitted electronically).
Building public confidence: the service needs to be available when required.
Poor availability might stem not just from downtime, but also from insufficient
bandwidth or failure to operate the service on a 7 x 24 basis. Information
offered by the service should be up-to-date and accurate, and avoid broken
links. The site should state its conformance to relevant standards (e.g. W3C, BS
7799, ISO 9001), state its policies on privacy and data protection, and provide
access to ‘help’ including the opportunity to interact with a real person.
Customer relationship management (CRM): the service dies through failure
to evolve in response to the changing economic and social environment. CRM is
about developing and implementing business strategies and supporting
technologies that close the gaps between a service’s current and its potential
performance in retaining and growing its user base.
Risks relating to accounting principles and criteria: e-Government can have
a significant impact on accounting systems, changing business processes and the
evidence available to support business transactions. This in turn will lead to
changes in the accounting procedures followed and the accounting records
maintained.
Internal control environment: in an e-Government environment, most if not
all transaction stages are carried out electronically. Reliance on IT systems and
controls is therefore essential, as there is little or no original paper evidence
against which to check transactions. Thus, there are major risks relating to the
internal control systems within and between organisations. Management needs to
establish systems for monitoring, risk management, quality assurance, the flow
of information and communication, and also establish and maintain an adequate
control environment.
Risks of repeating mistakes: e-Government investment projects risk failure
because important experience and knowledge are not collected, analysed,
researched, evaluated, audited, etc., and passed on to other interested parties,
such as Parliament, Cabinet, agencies and other e-Government project teams.
Risks related to measuring the effectiveness of e-Government: in an e-Government environment, new kinds of measurements (e.g. cost/benefit
analyses) of the effectiveness of e-services will probably be needed. The risk is
that inadequate measurements will make it difficult to judge the effectiveness of
the transformed services.
3. The survey returns
3.1 Summary
Our analyses of the survey returns suggest that the INTOSAI IT Committee might
concentrate on addressing the following issues:
• Development of audit methods;
• Training and education;
• Sharing knowledge and experience;
• Special audit approaches and selection methods;
• Special audit skills and knowledge;
• Concurrent audit / Joint international audits.
3.2 Introduction
The survey was conducted through a questionnaire based on the selected definition of e-Government and on questions set out to try to identify the SAIs’ different attitudes and
experiences in auditing e-Government, and the main risks and challenges they faced
(Annex 2). Before launching the survey, five SAIs were invited to take part in a pilot,
Canada being the only one to respond. The adjusted questionnaire was then sent to all 180
SAIs, 57 of which submitted important input. This covered both SAIs that had conducted
audits in the e-Government area, and those that had not.
We acknowledge that different SAIs face different levels of maturity in the development
of e-Government. Thus, in this summary of the survey returns, which is based on the full
response, “maturity” relates to the maturity of the SAI in conducting e-government
audits, not to the maturity of e-Government rollout within the country concerned. This
enables us to report on the results from two different perspectives; those SAIs that
conduct e-government audits, and those that have not. Based on the survey response we
have classified 22 countries as having e-Government mature SAIs, while we regard 35
SAIs as non e-Government mature.
3.3 Detailed analyses of the survey returns
Question 1
Has the SAI done any analysis of challenges, risks, and potential lines of audit
enquiry related to the e-Government area?
e-Government mature SAIs: most SAIs (74% in this category) have analysed the
challenges, risks, and potential lines of audit enquiry. Some (17% in this category) are
beginning to assess what needs to be done in the e-Government area, the general focus
being on reliability of information systems, citizen focus, and implementation issues.
Changes in the e-Government control environment have also attracted attention while
some SAIs identify technical issues as the major challenge.
[Figure: Question 1: Has the SAI done any analysis of challenges, risks, and potential lines of audit enquiry related to the eGov area? (e-Gov mature SAIs). Have done an analysis of the challenges and risks: 74%; are beginning to assess what is required: 17%; no analysis conducted: 9%.]
Others: most other SAIs (97% in this category) have not conducted an analysis, most
reporting that this was because e-Government systems did not exist within their
jurisdiction or they are at a nascent stage of development. However, many of these SAIs
expressed an interest in gaining from international experience to help equip them to
tackle the problems of auditing e-Government in the future. One of these other SAIs has
already begun to assess the risks and challenges.
[Figure: Question 1: Has the SAI done any analysis of challenges, risks, and potential lines of audit enquiry related to the eGov area? (others). No analysis conducted: 97%; are beginning to assess what is required: 3%.]
Overall: 31% of SAIs have analysed the challenges, risks, etc., but most have not, either
because e-Government audit is a relatively new area or because e-Government projects
are not yet in place in many countries. However, SAIs are generally interested in both
widening their knowledge base and learning techniques to enable them to undertake
audits of e-Government systems when they appear. Many e-Government mature SAIs
have conducted significant work in this area, although there has been a significant
variation in where different countries place the emphasis. This is probably due to
SAIs’ specific needs and perhaps to a lack of communication between SAIs on this topic.
Question 2
Is auditing e-Government one of the current audit priorities of your SAI?
e-Government mature SAIs: most e-Government mature SAIs (78%) regard e-Government to be a current audit priority, a significant percentage indicating e-Government to be an important area of audit. However, some mature SAIs (17%) do not
regard e-Government to be a current audit priority, although some indicate this could
change in the future.
Others: most other SAIs (84%) indicate that e-Government is not their current audit
priority, an obvious consequence of e-Government systems not yet being in place in
many of these countries (see Q1 above). Nevertheless, some (13%) still indicated that e-Government is their current audit priority, which might suggest an interest in taking up e-Government audits. Many of the countries for whom e-Government is not a current audit
priority indicated their interest in gaining from relevant knowledge and experience of other
SAIs so that they can undertake e-Government audits when necessary.
Overall: 41% of SAIs regard e-Government to be a current audit priority. The reasons for
not regarding e-Government to be a current audit priority include lack of developed e-Government systems, an unclear audit mandate, and inadequate technical skills.
Question 3
In general, which three special risks/areas does the SAI see as most important in
auditing e-Government from a financial or performance audit aspect?
e-Government mature SAIs: the three special risks/areas ranked as most important in
auditing e-Government are funding and costs (11%), privacy and security (12%), and
performance measurement (12%). This indicates a focus on large-scale investment and
recurring expenditure incurred by countries having e-Government mature SAIs. The
focus on privacy and security indicates the risk of unauthorised physical and logical
access. Performance measurement indicates the need for an effective cost-benefit
analysis in implementing or improving an e-Government project.
Other SAIs: funding and costs (15%) is ranked as the most important risk/area; strategic
planning (13%), and privacy and security (12%) are ranked in second and third place.
Strategic planning probably emerges as an important area because most of these
countries are in the process of developing e-Government projects, or will be doing so in
future.
Overall: funding and costs (13% of total score awarded by all SAIs) emerged as the first
and the most important risk area in e-Government, with privacy and security (12%),
strategic planning (10%), and performance measurement (10%) as the next most
important. These areas could probably form the focus of information exchange and
sharing among SAIs, as most would find such information useful.
Question 4
Has the SAI done or plan to perform financial or performance audits (including IT-audits) in the e-Government area?
e-Government mature SAIs: the majority have undertaken or are planning to undertake
audits in the e-Government area. Some focus on financial audits (26%), most (41%) on
performance audits, with a significant number focusing on both. Many SAIs have
successfully completed between one and six e-Government audits, with one having
completed over 50. Many of these SAIs have also indicated that they are planning to
undertake audits in the e-Government area. The difference between responses on financial
and performance audit is not significant, with many SAIs concentrating on both, which
perhaps indicates the overlapping nature of these audits. These SAIs could therefore share
knowledge and techniques that are universally applicable to auditing e-Government
without distinguishing between financial and performance audits.
Others: the majority have not undertaken and are not planning any auditing of e-Government.
Only 7% indicate that they plan to undertake financial audits of e-Government, while
12% indicated that they are planning performance audits. This is attributed to either a
lack of e-Government applications in these countries, or inadequate methods and audit
skills to undertake the work.
Overall: although only 16% of SAIs have undertaken or plan to undertake financial
audit, and 25% are in a similar position with performance audit, this question brought out
two important points. First, many e-Government mature SAIs have already undertaken e-Government audits and thus have knowledge and experience that they can share with all.
Second, the distinction between financial and performance audit need not affect the
sharing of knowledge and experience; the focus could instead be on the new techniques
and practices unique to e-Government in general that can be applied to both financial and
performance audits.
Question 5
Are there any audit reports concerning e-Government that you would like to
mention (from any relevant aspect) and, if so, what aspect makes them worthwhile
to mention?
e-Government mature SAIs: 48% indicated that they have audit reports on e-Government projects, with a number specifying the web links (URLs) where these can be
obtained. The reports published by Australia, Bosnia & Herzegovina, Estonia, India,
Sweden, UK and the USA illustrate the nature of e-Government auditing in those
countries, and can be used as a database for knowledge sharing. One SAI indicated that
an audit is in progress; in due course, the knowledge from audits in progress can also
be utilised.
Others: no material available.
Question 6
Does the SAI use or plan to use internally developed (or also imported and adjusted)
audit methodology for auditing the e-Government area or do you use or plan to use
external sources and methods?
e-Government mature SAIs: 22% use or plan to use internally developed methodology,
26% externally developed, 39% both, while 13% cite no specific methodology. Amongst
the externally developed methodologies, COBIT and INTOSAI standards emerged as the
most important. Canada, USA, Korea, and Sweden indicated that they use their internal
methodologies.
[Figure: Question 6: Does the SAI use or plan to use internally developed (or also imported and adjusted) audit methodology for auditing the eGov area or do you use or plan to use external sources and methods? (e-Gov mature SAIs). Yes, both internally developed and external sources: 39%; yes, external sources: 26%; yes, internally developed: 22%; no specific methodology: 13%.]
Others: the majority (66%) have no specific methodology, which might explain why
they have not so far undertaken e-Government audits.
[Figure: Question 6: Does the SAI use or plan to use internally developed (or also imported and adjusted) audit methodology for auditing the eGov area or do you use or plan to use external sources and methods? (others). No specific methodology: 66%; yes, internally developed: 17%; yes, external sources: 14%; yes, both internally developed and external sources: 3%.]
Overall: 58% of SAIs use or plan to use methodologies, whether internally developed,
externally developed, or both, indicating a perceived need for a suitable standard method
for undertaking e-Government audit. COBIT appears to be a popular framework, with
INTOSAI being another important source of methodology. A number of SAIs indicated
their intention to use experience and best practices developed by other SAIs. Thus, there
is a well-established case for INTOSAI to develop a general framework or methodology
that SAIs can adapt to their respective needs. A checklist of items to be verified could be
of use to many of the SAIs that have yet to undertake e-Government audits. Advanced
techniques could be of more use to e-Government mature SAIs.
Question 7
Which special challenges and risks do you foresee in auditing e-Government for
your SAI?
e-Government mature SAIs: the need for special audit skill and knowledge (30%)
emerged as the most important special challenge, followed by special audit approaches
and methods for selecting audit objectives and criteria (28%), with gathering data and
information a distant third (11%).
Others: the three most important areas are the need for special audit skill and knowledge
(29%), the need for special audit approaches and methods for selecting audit objectives
and criteria (27%) and unclear audit mandate (13%).
Overall: the first two important areas of special audit approaches and special audit skills
and knowledge indicate the uniqueness of IT audits in general, and of e-Government
auditing in particular. Due to it being a new area, audit approach, skill, knowledge etc.
are still evolving. Training in these areas both within and across SAIs could be of
significant value. Also emerging as a significant challenge is an unclear audit mandate,
which might require resolution at the SAI level. However, the fact that e-Government has
emerged as an important area for audit examination in most countries might influence
SAIs whose mandates are unclear to have e-Government included through the appropriate
process. Moreover, a convergence of both e-Government mature and other SAIs is
evident with the issue of the need for special audit skill and knowledge.
[Figure: Question 7: Which special challenges and risks do you foresee in auditing e-Gov for your SAI? (Overall). Need for special audit skills and knowledge: 29,06%; need for special audit approaches and methods for selecting audit objectives and criteria: 27,35%; unclear audit mandate: 11,11%; finding relevant matters of potential significance: 9,40%; gathering data/information: 9,40%; analysing data/information: 9,40%; others: 4,27%.]
Questions 8 and 9
Would you consider taking part in a concurrent audit? (If your answer to above
question is yes, please state if the audit most likely will be performed in a division
mainly performing a) Financial audit b) Performance audit).
e-Government mature SAIs: 61% indicated that they would consider taking part in a
concurrent audit, 31% would not, and 9% were unsure. Of the e-Government mature
SAIs that would consider taking part in a concurrent audit, 36% stated that they would
participate in financial audit, 59% were interested in performance audits, and one SAI
was undecided.
Others: 42% are willing to consider taking part in a concurrent audit, 50% are unwilling,
and 8% are unsure. Those who responded favourably were equally distributed between
preference for performance and for financial audit, with one SAI undecided.
Overall: in general, there was a very good response for concurrent audits, with 51% of all SAIs
indicating their willingness to take part. Among these, 40% would take part in financial
audit, and 53% would like to get involved in performance audit. 7% of the interested
SAIs are undecided between performance and financial audit. Because it would be a
good learning process for most SAIs, the INTOSAI working group might consider taking
up some concurrent audits.
Question 10
In which areas and in what ways do you think INTOSAI IT-Committee best can
contribute to the SAI's work regarding e-Government?
e-Government mature SAIs: sharing audit methodology (25%) emerged as the most
significant way in which the INTOSAI IT Committee can contribute. Sharing lessons
learnt (19%) follows with methodology development (19%) rated third.
[Figure: bar chart for Question 10: In which areas and in what ways do you think INTOSAI IT-Committee best can contribute to the SAI's work regarding e-Government? (e-Gov mature SAIs). Categories: development of audit perspectives; methodology development; sharing audit methodology; sharing lessons learned; training/education; information gathering.]
Others: methodology development (24%), training and education (21%) and
development of audit perspectives (18%) are the three important areas rated by other SAIs
in which INTOSAI IT Committee can provide guidance.
[Figure: bar chart for Question 10: In which areas and in what ways do you think INTOSAI IT-Committee best can contribute to the SAI's work regarding e-Government? (others). Categories: development of audit perspectives; methodology development; sharing audit methodology; sharing lessons learned; training/education; creating a homepage of e-Gov auditing.]
Overall: development of audit methodology emerges as the most important area in which
SAIs look to the INTOSAI IT Committee. Significantly, many non e-Government mature
SAIs regard training and education and development of audit perspectives as important
areas since most have limited capabilities in this area. e-Government mature SAIs focus
on sharing lessons learned and sharing audit methodology, which in due course is also
likely to become the focus of other SAIs. Hence, the INTOSAI IT Committee should
consider working in these areas.
Question 11
Would your SAI be interested to produce a paper on your experience in auditing e-Government?
Overall: 62% of the e-Government mature SAIs (29% of all SAIs) indicated their
willingness to produce a paper based on their experiences; their published audit reports
would be of great help in this respect, and they can be supplemented by a paper indicating
their:
• audit objectives;
• scope;
• methodology and techniques;
• specific checklists, questionnaires etc used;
• risks, constraints and limitations; and the….
• impact of their audit findings.
The SAIs that have not completed any audit so far, but have done some work in the area
of e-Government can also contribute by preparing a paper elucidating the various
challenges and difficulties faced by them, which would be useful for information sharing
and exchange.
4. Proposals for new projects
4.1 Introduction
Based on the SAIs’ recommended joint actions, we found that the IT Audit Committee’s
actions could fall into the following types of co-ordinated activities:
• sharing information and knowledge in the e-Government area;
• developing audit perspectives, methods and practices on e-government;
• training and education;
• joint international audits.
The Task Force therefore present different sub-projects within these activities: projects
covering both financial and performance audit, of different durations, and hopefully of
interest to many SAIs. The Committee is invited to prioritise within
these.
Based on the survey responses and on our interpretations and discussions on the results,
we have summarised the overall picture of e-government risks and the SAIs’
requirements for joint actions within the IT Audit Committee. We identified the
following broad e-Government risk areas:
• e-Government governance (initiating and supporting): Strategic planning, vision
and priorities and governance;
• implementing e-Government services: project management, funding, costs,
privacy and security, other legal matters;
• consequences of e-Government (effectiveness): business transformation, benefits
and performance measurements.
The survey identified the following challenges in auditing e-Government that should be
addressed:
• Finding relevant matters of potential significance;
• The need for special audit skill and knowledge;
• Unclear audit mandate;
• The need for special audit approaches and methods for selecting audit objectives
and criteria;
• Gathering and analysing information.
The areas of special audit approaches and special audit skills and knowledge indicate the
uniqueness of IT audits in general and e-Government audits in particular. This being a
new area, audit approach, skills and knowledge etc are still evolving in some SAIs.
Training in these areas within and across the SAIs will therefore be of significant
importance; one way of doing it is to observe an SAI auditing e-Government.
Also significant is the emergence of an unclear audit mandate as a challenge faced by
some SAIs.
The four co-ordinated activities referred to above should focus on both the presented risk
areas and challenges. This could be done through sub-projects within each main activity.
The following table illustrates how the main activity areas and suggested projects relate
to risks and challenges:
[Table: the four activities (sharing information and knowledge in the e-government area; jointly developing audit perspectives, methods and practices on e-government; training and education; co-operations between SAIs in international audits) set against the main risks concerning e-Government (governance, vision and strategies; e-Gov implementation; effectiveness) and the main challenges for auditing e-Government risk areas (finding relevant matters of potential significance; need for special audit skills and knowledge; unclear audit mandate; need for special approaches and methods; gathering and analysing information), with an X marking where an activity relates to a risk or challenge.]
4.2 Sharing information and knowledge in the e-Government area
4.2.1 Introduction
The survey results illustrate that SAIs are interested in sharing and using their
experiences and tools. In general, they appear to be interested in both increasing their
knowledge base and learning techniques that will help them undertake audits when e-Government systems are implemented. A number of SAIs have conducted significant
audit work in e-Government. However, there is a significant variation in where SAIs
focus when auditing e-Government, probably due to their specific needs and to a lack
of exchange of information, ideas, and methods.
The objective of projects under this heading should be to provide better knowledge and
understanding of the concept and realisation of e-Government, and the audit work within
this area. They should also make available through different media the useful
information, knowledge, and methods that already exist. The exchange of knowledge
should focus on the priority risk areas (governance, implementation of e-projects,
security and trust, and the effects of e-services) and the action that SAIs should take on
these issues.
4.2.2 Challenges
Projects that take on the tasks of international information sharing face several challenges
in connection with the collection, the work on, and the distribution of the information.
Examples of problems that might arise are:
• Lack of electronic publication: even where SAIs are conducting significant work
in the e-Government area, the results might not be published electronically;
• Differences in the scope, the language and the way in which SAIs operate and
report on their work;
• Distribution of the results so that they reach as many as possible.
4.2.3 Proposals
The Task Force suggests the following projects within this area (note: where reports are
recommended, they should be made available on the INTOSAI IT Audit Committee’s
web site):
Sharing Information
Project 1: collect and distribute existing material to produce a database on the
IT Audit Committee web site. The database should include e-Government audit
reports, e-Government analyses made by SAIs, and e-Government related web
links. The base for this activity should be contributions from the SAIs that indicated that they have
such material. After the database is created, it should be
maintained by SAIs advising the UK NAO (who manage the Committee’s web
site) of changes they wish to be implemented.
Project 2: collect and distribute material concerning SAIs’ experiences in the
e-Government area, and make this material available in the database proposed in
Project 1. The base for this activity could be to ask the SAIs to produce a special
memo about their experiences. The memo should include such matters as various
challenges and difficulties encountered by SAIs entering the e-Government Audit
area; audit perspectives and audit questions and motives for these issues; the audit
methods used and their evaluation; any other experiences from the work
undertaken; and recommendations for SAIs to perform e-Government audit
projects.
Project 3: collect and distribute material concerning e-Government in
general (existing reports, web links etc) about the concept and realisation of e-Government to provide reference material about the e-Government concept. The
base for this could be material already collected by the task force and references
from SAIs.
Sharing knowledge
Project 4: summarize audit work to produce a report that summarises and
analyses at a high level interesting audit work in the area of e-Government (SAIs’
strategies in the area of e-Government, risk analyses, approaches, objectives,
methods used etc). The analysis should include a discussion about universal audit
matters as well as more country/SAI specific matters. The base for this activity
could be the collected material proposed in Projects 1 and 2 above.
Project 5: e-Government auditing methods to produce a report that discusses in
more detail and analyses the different audit methods used by SAIs in their e-Government audit projects, the goal being to provide recommendations about
more universal audit perspectives, methods and audit work. This report might
include some kind of checklist of important issues.
Project 6: e-Government concepts. To produce a paper that describes and
explains in more detail the concept of e-Government, and how the main areas of
government are affected by e-Government initiatives. The report should describe
important e-Government issues to be audited. A starting point could be the
chapter about e-Government in this report complemented with analyses of the
material collected via Project 3 above.
4.2.4 Recommendations and priority
The proposed projects are ranked in recommended order of priority. Projects 1 and 3,
within Information Sharing, can be conducted before the Committee meeting in Moscow
in 2004. Projects 2, 4 and 5 should be based on the results of Projects 1 and 3, thereby
providing a knowledge base for undertaking e-Government auditing.
Even though Information Sharing should be carried out prior to Knowledge Sharing, the
Task Force recommend that the analysis of collected material should start early, perhaps
as a parallel activity to Information Sharing, and closely interact with Information
Sharing. Information Sharing could be undertaken by some SAIs and Knowledge Sharing
by others, with some SAIs possibly working in both areas.
4.3 Developing audit methods and audit perspectives on e-Government
4.3.1 Introduction
The survey results demonstrate that SAIs are interested in developing audit methods, and
this emerges as one of the most important areas in which they are looking to the work of
the INTOSAI IT Committee.
The overall objective of sub-projects under this heading is to provide SAIs with
appropriate tools to audit the different aspects of e-Government in a consistent best
practice manner, and in so doing, improve the development of e-Government within their
jurisdictions. We recommend that the development of perspectives, methods, etc, should
focus exclusively on the aspects that are peculiar to e-Government, and include both the
main risk areas identified by SAIs (governance, implementation of e-projects, security
and trust matters, and the effectiveness of e-services) and the challenges for audit.
However, SAIs should continue to use existing tools and methods for IT security and IT
auditing.
4.3.2 Challenges
Projects that undertake the tasks of developing methods for international use face several
challenges, of which the following are examples:
• The need to produce common/universal international definitions and measuring
standards/audit criteria.
• Differences in scope, language and the way the SAIs undertake and report on their
work.
• Differences in the e-Government maturity level and experiences of SAIs and
governments.
• Distribution of the results so that they reach as many as possible.
4.3.3 Proposals
The Task Force recommend the following projects within this area:
Project 7: best practice. To produce a report based on SAIs’ reports and other
sources, on auditing e-Government, and incorporate the lessons into audit best
practice checklists. An example might be to develop a checklist for auditing
agencies’ web sites, the use of which could be a starting point for many SAIs
entering the e-Government audit area. This activity should be based on collected
and analysed material as mentioned in 3.2 and especially in Project 5. This material
should be further elaborated to create more universal checklists.
Project 8: adapt existing audit models. To produce a report presenting
internationally developed audit models, adapted and expanded to deal with the
special considerations necessary for SAIs’ evaluations in their e-Government
areas. This activity could be based on a model, such as IT Service Management
(SAI Norway), INVIT (SAI Sweden), COBIT, and Communication Security on
Internet (SAI Sweden).
4.3.4 Recommendations and priority
The proposed projects are ranked in recommended order of priority. Project 7, concerning
a checklist on auditing agencies’ web sites, can be conducted before the next Committee
meeting in Moscow 2004. Because Project 8 is likely to be more time consuming, it
should follow completion of Project 7. SAIs working on Project 7
(“Checklists”) will need to interact closely with those collecting material for Information
and Knowledge Sharing.
4.4 Training and education
4.4.1 Introduction
The survey results demonstrate that training and education are an important challenge for
SAIs, and that acquiring audit skills and knowledge is of particular importance when
auditing e-Government. This being a new area to many SAIs, their audit approach, skills
and knowledge etc are still evolving. In all the Committee’s projects, the value of training
and education should be regarded as of significant importance. It might be delivered by
special projects or by professional organisations, such as IDI.
The overall objective of projects under this heading should be to provide SAIs with a
better understanding of the e-Government area together with opportunities to undertake e-Government audits. Training and education should focus on how to support the auditors
in this work.
4.4.2 Challenges
The main challenges in a training and education project lie in making the material
understandable and interesting for countries at different e-Government maturity-levels,
and in overcoming language-barriers. Other challenges include:
• Making the material instructional and of a high standard;
• Gaining commitment from each SAI regarding budget (can be a “high-cost
project” when implementing e-Learning software);
• Obtaining material from other projects on which training materials can be based.
4.4.3 Main activities
There are several different kinds of training and education activities. Each activity can be
a stand-alone activity, but can also be a part of a wider training and education project.
Project 9: development of courses and educational material on e-Government,
to cover e-learning, training within SAIs, and the possible use of e-Government
“taskforces”.
• E-Learning, which is becoming more widely used by companies and
government agencies, can be a cost-effective means of providing SAIs with
knowledge on e-Government themes. The training material would need to be
easily adapted to different maturity levels. An e-Learning programme might
be CD-ROM or web-based, but even if cost-effective, some forms of e-Learning can be expensive to develop due mainly to the need to develop a
technical platform.
• e-Government Taskforce is a group of auditors who are experienced in e-Government and who deliver training locally at SAIs. Such a taskforce should
be linked closely with IDI.
4.4.4 Recommendations and priority
We recommend that this project is deferred until the projects covering Information
Sharing and Knowledge Sharing and Development of audit methods/checklists are
complete, to enable their outputs to feed into development of the education project.
4.5 Joint international audits
4.5.1 Introduction
The survey response revealed that approximately half of the SAIs would consider
participating in a joint or concurrent audit, and that interest in financial and performance
auditing was about the same. Undertaking joint/concurrent audits will perhaps be the best
learning process for most SAIs.
The objectives of projects in this area involve:
• Increasing the quality of audits performed through pooling resources, such as
knowledge/experience and specialists (that also can be jointly financed) and
creating a broader foundation for criteria and suggestions through benchmarking;
• Developing networking for future audits and knowledge sharing.
4.5.2 Challenges
The main challenges when carrying out international or concurrent audits within the e-Government area are:
• Gaining commitment from each SAI on focus and budget (can be a “high-cost
project” because of travelling expenses);
• Gaining access to confidential documents necessary for the audit;
• Defining a common scope and approach to the audit;
• Overcoming the language-barriers.
These challenges can be mitigated/controlled by lowering the level of “concurrency”, and
by avoiding the need for “foreign” auditors to make direct contact with domestic
agencies.
4.5.3 Main activities
Project 10: Concurrent/cooperative audits¹ are defined (in this case) as a
project where several SAIs carry out audits within the same area and based on the
same comparable audit objectives, criteria, and methods (survey questions,
statistical methods etc). Audits are executed by each SAI within its own
jurisdiction, but with the audits being coordinated in the above-mentioned
respects.
¹ Concurrent audit means some auditors performing nearly identical audits (which can make it
difficult to adjust for organisational or cultural differences in the participating countries and SAIs)
where auditors from other countries also take part in the local execution of each audit (which
usually creates problems when the participating SAIs and auditees do not share the same
language).
This method of organising an audit offers the possibility to secure high quality audit by
pooling the knowledge of methods, analytical skills, and judgement of experienced
auditors from two or more countries. The objective is to provide SAIs with a base of
knowledge (audit evidence, findings, conclusions, and best practice) to suggest important
improvements in the development of e-Government. The definitions of best practice and
audit criteria can be based on a much broader knowledge base in order to make them
more acceptable to auditees.
Examples of interesting themes for a concurrent audit are:
• Audit of the governance (on government and/or agency level) of e-Government
transformation;
• Audits of the effects of e-Government transformation;
• Audits of e-Government accounting systems;
• Auditing changes in applications and security in an e-Government environment.
4.5.4 Recommendations and priority
We recommend that SAIs interested in undertaking cooperative audits hold initial
discussions about e-Government audit themes, time-span, and other practicalities
(requirements, mandate) during the Committee meeting in Oslo. A short report from this
meeting can be added to the minutes in order to widen the number of participating SAIs.
4.6 Organisation of new projects
The recommended projects are a step towards meeting SAIs’ uncovered needs within the
four main activities above. They cover both financial and performance audit, are of
different duration and, hopefully, are of interest for many SAIs.
The survey results showed that training and education is an important challenge for SAIs,
and that acquiring audit skills and knowledge is of particular importance when auditing e-Government. The Task Force emphasises that success will depend on addressing the
special challenges posed by these types of international projects, and on the need for the
participants to commit the necessary time and resources to them.
The Task Force therefore recommends that the future conduct of sub-projects by
interested SAIs within these areas is organised on task force lines, with one SAI acting as
Project Coordinator.
5. Summary of recommendations
The table summarises the projects proposed.
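| Activity | Proposed project | Recommended priority* | Resources needed | Finalised | SAI Project leader | Participating SAIs |
|---|---|---|---|---|---|---|
| Information and knowledge sharing: Information Sharing | 1. Collect and distribute e-Government audit reports etc | 1 | Low | 2004 | | |
| Information and knowledge sharing: Information Sharing | 2. Collect and distribute SAIs’ e-Government experiences | 1 | Low | 2005 | | |
| Information and knowledge sharing: Information Sharing | 3. Collect and distribute e-Government material | 1 | Low | 2004 | | |
| Information and knowledge sharing: Knowledge Sharing | 4. Summarize audit work | 2 | Medium | 2005 | | |
| Information and knowledge sharing: Knowledge Sharing | 5. Analyse e-Government audit methods | 2 | Medium | 2005 | | |
| Information and knowledge sharing: Knowledge Sharing | 6. Summarize e-Government concepts | 1 | Medium/high | 2005 | | |
| Developing audit methods and audit perspectives | 7. Develop best practices in e-Government | 1 | Low/medium | 2004 | | |
| Developing audit methods and audit perspectives | 8. Adapt existing audit models to e-Government | 3 | Medium/high | 2006 | | |
| Training and education | 9. Development of e-Government auditing courses | 3 | High | To be decided later on | | |
| Joint international audits | 10. Concurrent or cooperative audits | 1 | Medium/high | Running from autumn 2003 | | |

* 1 = highest, 3 = lowest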
Annex A: Some e-Government Case Studies
1 – Ireland: Reachservices (http://www.reachservices.ie/)
Reachservices provides quick, secure access to public sector information and interactive
services. It also features a wide range of application forms for services delivered by
government departments and agencies, local authorities and the health sector. The
Repository of application forms allows the citizen to print any of the forms featured,
complete them manually and submit the completed application via traditional means.
Alternatively, by registering with Reachservices, the citizen can submit an online
application for many of the services featured on the site. Personal details are stored
securely so that when an available online service is applied for through Reachservices,
the application form automatically displays relevant details provided by the citizen when
registering thus reducing ‘form filling’.
2 - Korea: plans for m-government
In addition to Internet service delivery, the South Korean Government is about to launch
a series of "m-government" initiatives to access services and information via mobile
technology. The government is keen to decentralise administration and sees “mobile
government” as an important part of a wider effort to boost mobile phone services and
take existing e-Government initiatives a stage further. Their intention is to allow citizens
to access administrative documents and public services through mobile handsets, PDAs
(personal digital assistants) and other wireless devices. In two years’ time citizens will
have online access to around 180 transactional procedures.
3 - Egypt: Egyptian Government Gateway (http://www.alhokoma.gov.eg/index.asp)
The Egyptian Government in conjunction with Microsoft has launched a secure hub for
electronic transactions based on the UK’s Government Gateway
(http://www.gateway.gov.uk). Egypt’s Gateway provides registration and authentication
for e-Government services offering citizens access with a password, but as development
proceeds, more secure access is planned with citizens using digital certificates. The first
services to be offered will be for vehicle registration, payment of parking fines, tax and
customs, with at least 10 services being planned by the end of 2003.
4 - UK: on-line fishing licenses (http://www.environmentagency.gov.uk/subjects/fish/)
A UK private company’s first attempt to provide an e-Government service failed in the
face of competition from a central government department. Visitors to
fishinglicence.co.uk, set up in August 2000 by Impower to offer Environment Agency
fishing licences, received the message: "Gone Fishing..." It continued "When Impower
launched the online fishing licence service in August 2000, it was one of the first online
interactive "e-Government" services. We hoped to develop the site in conjunction with
the Environment Agency, but the Agency decided instead to develop its own online
service, which it launched early in 2001. Unfortunately this has undermined the viability
of our own service which reluctantly we have had to withdraw." Both services accepted
online orders for fishing licences, which were then posted to the angler. Impower
charged a £1.50 convenience fee to cover the cost of processing credit card payments,
whereas the Agency's fee was 25p.
5 - Hong Kong: e-Government Strategy Yields Big Operational Savings.
According to Hong Kong’s Legislative Council their e-Government strategy saved
£49.6m in the 2001/02 financial year. Some £32.7m was saved through redeployment
and cuts in civil service posts made possible through computerisation, and the remainder
through voluntary retirement and savings in operating expenditure. The government lost
a total of 1,656 civil posts during the year, but without resorting to involuntary
redundancy. The e-Government strategy, issued in May 2001, set out how the
administration could “use e-business solutions to modernise government operations,
enhance efficiency and optimise the use of limited resources.” It set an overall e-Government target to provide 90% of public services amenable to electronic delivery by
the end of 2003. 81% were available by the end of 2002, among which were searches
for cases of bankruptcy and compulsory winding up of companies, and submission of
applications for civil service posts. A territory-wide identity card replacement exercise will
start in July 2003 in which citizens will be able to book appointments online to replace
their current identity card with a smart identity card.
6 – Singapore: e-Citizen Portal (http://www.ecitizen.gov.sg/)
The e-Citizen Portal provides a one-stop shop for public services, with two out of three
citizens claiming to have used it. The site was recognised as the best e-Government site
by the Stockholm Challenge Awards, a non-profit initiative that seeks to recognise
projects that aim to bridge the digital divide. The site offers a comprehensive guide to
public services, with almost 80% of services being online, such as transport, education
and libraries; for example, citizens can find out which library books they are holding, or
which have been reserved and are available to pick up, and can receive reminders on their
mobile phone if they have an overdue book. However, approximately 60% of homes in
Singapore have computers, with more than 50% online, and three out of four citizens
own a phone. Singapore is looking at e-voting; currently citizens can only find
information about where they have to go to vote.
7 – Canada: NETFILE (http://www.netfile.gc.ca/)
The Government of Canada is committed to developing electronic options to
better serve Canadians. Rolled out to all Canadians in 2001, NETFILE is one of
the Canada Customs & Revenue Agency’s electronic tax-filing options. This
service allows individuals to file their income tax returns over the Internet in a
fast, easy-to-use, and secure way. NETFILE streamlines the tax-filing process
and offers the following benefits: security and confidentiality; faster refunds
(within two weeks, as opposed to six or eight weeks); greater accuracy; paper-free, no form or receipts to send in; immediate confirmation of receipt.
In 2002, approximately 38% of the tax filing population or 8.9 million people filed
electronically, with 2.3 million using NETFILE. In 2003, it is expected that 50% of
tax filers will use electronic means to file their income tax returns.
Annex B: The survey questionnaire
QUESTIONNAIRE
Name of SAI:
Name and mail address of person to contact:
1. Has the SAI done any analysis of challenges, risks, and potential lines of
audit enquiry related to the e-Government area?
If analysis work or audit survey work has been done in this area in your SAI,
please give a short written description of the conclusions concerning:
a) Challenges
b) Risks
c) Potential lines of audit enquiry
2. Is auditing e-Government one of the current audit priorities of your SAI?
Please provide a short explanation.
3. In general which three special risks/areas does the SAI see as most
important in auditing e-Government from a financial or performance audit
aspect?
Please choose from the list below and/or add other areas to the list
Yes / No
a) Strategic planning
b) Vision and priorities
c) Governance
d) Funding and costs
e) Privacy and security
f) Legal
g) Project management
h) Performance measurement
i) Take-up
j) Ease of use
k) Social exclusion
l) Benefits
m) Sustainability
n) Technology
o) Business transformation
p) Others
Please provide a brief description as to why this is a potential risk area at
the present or in the future
4. Has the SAI done, or does it plan to perform, financial or performance audits
(including IT-audits) in the e-Government area?
If audit work has been done in this area in your SAI, please give a short
written description of:
4.1 Financial audit:
a) The area audited
b) The scope
c) Audit objectives
d) High level audit criteria used in the audit
e) Audit methods
f) The findings and conclusions
g) Web reference to the report if applicable
4.2 Performance audit:
a) The area audited
b) The scope
c) Audit objectives
d) High level audit criteria used in the audit
e) Audit methods
f) The findings and conclusions
g) Web reference to the report if applicable
5. Are there any audit reports concerning e-Government that you would like to
mention (from any relevant aspect) and, if so, what aspects make them
worthwhile to mention? Please provide a short description.
5.1 Financial audit:
1. Timing of results
2. Impact on auditee
3. Audit perspective and audit questions
4. Audit methodology
5. Observations/recommendations
6. Others
5.2 Performance audit:
1. Timing of results
2. Impact on auditee
3. Audit perspective and audit questions
4. Audit methodology
5. Observations/recommendations
6. Others
6. Does the SAI use or plan to use internally developed (or also imported and
adjusted) audit methodology for auditing the e-Government area or do you
use or plan to use external sources and methods?
6.1 If internal methods are being used by the SAI in auditing e-Government,
please give a short written description:
a) Is the method based on International standards (please specify the
name of the standard)
b) What areas/themes does it cover (e.g. business processes, application,
infrastructure, others)
c) Strengths (what themes or areas does it cover well)
d) Weaknesses (what themes or areas does it not cover well)
e) Type of audits the methodology is used for (financial/performance)
f) Would you be willing to share your methodology with other SAIs (via the
web site)
6.2 If you use an external standard/methodology, please specify the name and
give a short description of the components used, its
a) Please specify the names of the standards used
b) What areas/themes of the standards/methods are used in your work?
c) Strengths (what themes or areas does it cover well)
d) Weaknesses (what themes or areas does it not cover well)
e) Type of audit standards used for financial/performance audits
f) Are there any copyright restrictions that would prevent you from sharing this
methodology with other SAIs?
7. Which special challenges and risks do you foresee in auditing e-Government for your SAI?
a) Unclear audit mandate
b) Finding relevant matters of potential significance
c) Need for special audit skills and knowledge
d) Need for special audit approaches and methods for selecting audit
objectives and criteria
e) Gathering data/information
f) Analyzing data/information
g) Others
8. Would you consider taking part in a concurrent audit?
Here we mean an audit that is made roughly at the same time in several
SAIs, using common methods and frames of reference with the possibility
to organize mutual support during execution – in one of the areas pointed
out as particularly important in the report from this project’s first phase?
9. If your answer to the question above is yes, please state if the audit most likely will be
performed in a division mainly performing:
a) Financial audit
b) Performance audit
10. In which areas and in what ways do you think the INTOSAI IT-Committee
best can contribute to the SAIs’ work regarding e-Government?
Please rank the items listed
Areas / Ranking:
Audit/concurrent audits
Development of audit perspectives
Methodology development
Sharing audit methods
Sharing lessons learned
Training/education
Information gathering
Building a network of e-Gov auditors
Create a homepage for e-Gov auditing
Others
11. Would your SAI be interested in producing a paper on your experience in
auditing e-Government?
Please return the questionnaire electronically to riksrevisjonen@riksrevisjonen.no
or by fax ++47 22 24 10 01 to the SAI of Norway by May 26nd 2003.
If you have any questions, please contact: erna.lea@riksrevisjonen.no
Thank you for participating!