1 Business continuity process not implemented
Risk of interrupting the organization's activities
In a significant number of the institutions audited, the continuity of IT services is not managed. It was found that 54% of the audited institutions had not implemented a process to provide IT service continuity. The process of managing continuity of IT services seeks to prevent IT services from interrupting the organization's activities and to keep the most critical information available according to the level of service required.
2 Lack of staff responsible for IT security
In 51% of the audited institutions, there was no responsible person or unit designated to carry out information security management. Due to the broad, varied range of activities related to managing information security, it is mandatory to formally designate people or units to perform these tasks.
3 Acquisition results not monitored
Return on investment remains unknown
The formalization of the acquisition process for IT solutions was observed at the majority of the audited institutions. Nevertheless, it was found that this process and the subsequent process of managing IT contracts were not monitored. In addition to implementing processes to contract IT, it is necessary to constantly monitor the results achieved to enhance the process itself and also to minimize deviations and waste.
This monitoring was not done in 39% of the institutions audited. The allocation and optimization of resources must be controlled according to the established goals and priorities using the agreed upon goals and metrics.
Following this, return on investment must be compared to the goals, the causes of any deviations must be analyzed, and corrective measures to resolve the underlying causes must be initiated.
4 Lack of objectives for improving IT governance
Process for continuous improvement absent or ineffective
Many agencies lacked a process for continuous improvement of IT governance. No actions were identified that aimed at diagnosing the level of IT governance maturity or at defining governmental objectives for the next years. Another very common deficiency observed was the lack of a formal personnel structure to allocate personnel to improve IT governance.
In other institutions, despite having approved IT Director Plans (ITDP), there is no formalized comprehensive system of objectives related to improving IT governance, performance indicators for each goal, objectives for each indicator and mechanisms to routinely monitor these indicators. IT governance goals were not defined or formalized in the ITDP based on governance parameters, business needs, and important risks, nor were there indicators to monitor and evaluate the fulfillment of these objectives.
5 Lack of strategic planning
Lower level of preparedness for change and resource-related risks
A significant percentage of the audited institutions (39%) do not have a functioning IT process in place. This means that these institutions, although they might have some IT plan, do not have the culture of strategically planning their actions and, in the majority of situations, can only react to demands and changes that occur in their area of activity, making it difficult to plan IT activities.
The incorporation of an IT planning process minimizes the possibility of inadequate allocation of resources. Further, this process avoids organizational dependence on specific persons. Moreover, even if a significant number of professionals leave, the IT area could continue to follow the planned direction, concluding ongoing processes and continuing to function adequately.
Background
Governance of information technology (IT) has a special place due to its natural importance and to the growing dependence of public institutions on new technologies developed and put at everyone's disposal.
Although data processing equipment has been used since the beginning of the last century, the use of information technology experienced exponential acceleration beginning in the 1970s. With the development of microcomputers and their popularization, the IT market and users have witnessed a real revolution.
Presently, there is a deep dependence on IT that is revolutionizing the way public administration conducts its business. Maximum use of IT is essential for the public sector to achieve its goals and fulfill its institutional mission.
Undertaking coordinated audits facilitates sharing knowledge and experience among the supreme audit institutions (SAIs) in the chosen themes. The coordinated audit on IT governance is in line with strategic goal 3 (Knowledge Management) in the OLACEFS 2011-2015 Strategic Plan. The SAIs involved in the coordinated audits can share costs derived from recruiting consultants, developing preliminary studies, and realizing reference panels and seminars. The international norms and best practices can also be publicized more effectively to each auditor through the coordinated audit strategy. Moreover, the existence of internationally accepted norms for IT governance facilitates sharing and exchanging experiences among the audit teams from different countries.
Objectives
The main objective of this coordinated audit is to assess the situation of IT governance in the OLACEFS member countries, based on audits carried out in institutions representing various areas of public administration in each country. A total of 41 audits in public institutions of 11 different participating countries used the same planning matrix.
In order to define the areas of IT governance to be audited and to organize the work, four large areas were selected to focus the field audit: IT Structure and Governance, IT Planning, IT Contracting and Information Security.