A broader view of internal audit for NSIs

Post on 17-Jan-2016


1

Q2008 Conference, Rome, 11 July 2008

A broader view of internal audit for NSIs

- application in Ireland and issues to consider

Keith McSweeney,

Central Statistics Office (CSO),

Ireland


2


Introduction - context for presentation

• Internal Audit - useful for NSIs

• Gap in IT controls and End-User Computing?

[Diagram: user confidence in data quality - SOX for public corporations, ESS Code of Practice for NSIs]

3


Modern IA - what is it?

• IA development

• TOTALITY OF RISKS that an organisation faces in the achievement of its objectives

• Risk-based auditing

• Reputational risk (particularly important for NSIs)

[Diagram: IA development from financial risks only to all risks]

4


CSO - our IA/Quality structure

• Risk-based auditing (Corporate Risk Register)

• Q: What other developments are out there in the IA world and what are the implications for NSIs?

[Diagram: Quality & Audit function covering strategic, reputational, operational and financial risks and data quality; private sector / civil service]

5


SOX (Sarbanes-Oxley)

• Why SOX? - User confidence (ENRON, WORLDCOM)

[Diagram: SOX provisions - auditor independence, corporate responsibility, internal controls, fraud accountability, white-collar crime penalties. Internal controls cover accounting policies, anti-fraud programmes, IT controls and the overall control environment. IT controls cover the IT control environment, programme development & change by end-users, computer operations, and access to systems & data.]

6


End-User Computing (EUC) - what risks to NSIs?

• The IT issues to manage are common to all types of systems. More prevalent with EUC? Question to ponder.

• Testing / peer review before ‘go live’?

• Documentation?

• Change & version control?

• Access control?

• System development done to standard?

• Staff trained to set up and maintain systems?

7


Implications for NSIs of End-User Computing

Questions NSIs should answer:

• Scale of EUC issue - what and where

• What controls are in place to manage EUC?

• Testing of systems before ‘go live’?

• Code written to standard?

• Systems documented?

• EUC - may be necessary in some cases but it is still a RISK that needs careful management

8


Implications for ESS Code of Practice

• 2 main inputs to produce results - staff (Principle 7- Sound Methodology) & IT (where explicitly?)

• No explicit mention that our IT systems need to be to standard

• P12 (Accuracy) “Data…outputs are assessed and validated”

• How can results be validated without reference to the systems used to produce them?

9


Conclusion

• IT systems - critical input for our work

• IT systems need to be to standard

• Can we use the Code of Practice to help drive improvements in this area?

• Need to make explicit what standard we expect our IT systems to be at - implications for any future self-assessment/peer review exercise

10


Where is your organisation regarding IT systems & controls?

[Diagram: EUC vs central IT - positive side: flexibility (EUC), standards (central IT); negative side: standards (EUC), flexibility (central IT). Controls in place?]

11


What do you think? Is it an issue?

12


Thank you

• Thank you for your attention

• Any questions or comments?

• Email: keith.mcsweeney@cso.ie