Julia Bastian
Advisor
Sector Programme Good Financial Governance
Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH

The Covid-19 pandemic has highlighted the relevance of information technology (IT) for all spheres of society and government. Though the extend depends on the country context, Covid-19 has exposed gaps in technology adaptation in the public and private sector everywhere. In cases where businesses and services that depend on physical access and interaction have no digital work-around, the continuity of operations is threatened.

Supreme Audit Institutions (SAIs) as crucial actors to ensure government accountability on the funds used to address the pandemic’s effects have been affected by Covid-19, too. As organisations that “classically” send auditors to “go undertake an audit” contact restrictions and travel limitations have posed a threat to continue business as usual. For example, in the survey on theme I “Information Technology for the Development of Public Administration” of the 2019 International Congress of SAIs (INCOSAI) 83 percent (53 out of 64 respondents) stated that they are doing data analysis at the audit site. In some cases, limited IT infrastructure has complicated remote working for auditors, especially in the beginning of the pandemic.

The good news is that the SAI community has sprung into action to discuss the gaps and ways to address them. The Policy, Finance, and Administration Committee (PFAC) of the International Organisation of Supreme Audit Institutions (INTOSAI) fostered exchange and knowledge management on the role of SAIs during the Covid-19 pandemic, for example, through a dedicated website. A grant for “SAI continuity during Covid-19” was launched. Regional SAI organisations have been active to promote peer learning putting focus on the potential of the digital transformation of SAIs (for example, virtual seminars of EUROSAI ITWG and OLACEFS or this blog).

Covid-19 definitely pushed the topic of digital transformation of SAIs and technology in the audit process to the top of the agenda. The technologies discussed include distributed ledger technology (DLT), data analytics, robotic process automation (RPA), drones technology, artificial intelligence (AI) and machine learning (ML), natural language processing (NLP), deep learning (DL), smart contracts and cloud solutions. Calls for an “auditor of the future” or the “future-proof auditors” that adapt flexibly to emerging technology are growing (Cf. Suffield/ECA Journal 1/2020). OLACEFS, the Latin American and Caribbean Organization of Supreme Audit Institutions, and its members are already taking on a variety of these technologies. To better address the potential of the use of geotechnology, the regional Capacity Building Committee (CCC, led by SAI Brazil) created a dedicated taskforce (led by SAI Colombia).

The not so good news is that the debate of how to make audit future-proof points to the difficulties experienced in stemming these organisational change processes in SAIs. Looking carefully, the debate on the digital transformation of SAIs has been ongoing for a while. The 2019 XXIII INCOSAI Theme I – in preparation since 2017 – discussed the potential for SAIs extensively. Though the digita transformation of SAIs is higher on the agenda, we can expect that many of the obstacles identified before the pandemic remain relevant. The aforementioned INCOSAI survey identified as main problems for IT audit:

• lack of corresponding professionals;
• technical challenges (e.g. stemming from diverse technological environment);
• insufficient budget and investment in IT;
• lack of top-level design for IT audit, or poor implementation of IT audit plans.

INCOSAI discussions highlighted the need of awareness and leadership by SAIs’ top management as well as the need to speak the same language within the organisation. This shows that in order to address these obstacles change processes need to be set up as whole-of-organisation processes to enable digital transformation that has the buy-in of the top management as well as the staff.

• “How to ensure that SAIs keep up with continuous technological development?”,
• “How to bring digital transformation from digital enthusiasts to the whole organisation and what needs to be prioritised?”,
• “How to bridge the potential gap between experts on technology and auditors/users?”, and
• “How to cater for country-specific factors?”

These were the questions that from mid-2019 guided the reflection and development process that resulted in the Supreme Audit Institutions Information Technology Maturity Assessment (SAI ITMA). Based on the revision of existing assessment tools (e.g. SAI-PMF, IT and IT-Audit self-assessments by the EUROSAI ITWG) and case studies of selected SAIs, the idea was to create guidance for SAIs but also their stakeholders, e.g. development partners that accompany digital transformation, on how to improve the use of technology when fulfilling their mandate. This guidance was then moulded into the SAI ITMA maturity model to assess SAIs’ maturity in the use of information technology in a way that brings together different perspectives and knowledge held in the organisation. While all pilot application shave been undertaken virtually with external facilitation through consultants, SAI ITMA could also be applied through a self-assessment and in a workshop setting.

SAI ITMA assesses IT maturity integrating IT auditing, data analysis as well as IT use for more administrative processes within a SAI in order to facilitate a broad perspective on how to improve the SAI’s overall performance through technology. The assessment targets, among others, the SAI’s mandate, the whole audit process from risk-based planning to quality assurance as well as other functions that are relevant for the digital transformation, such as recruiting and training. The currently excel-based assessment is structured in five pillars; in each of which a SAI can reach a maturity level from 0 to 5 by rating different requirements as “achieved” or “not-achieved”. Requirements draw upon international standards and good practices wherever possible, such as those already included in the INTOSAI Framework for Professional Pronouncements or ISO. As the requirements are formulated openly, the SAI ITMA should be able to capture new technological developments, if repeatedly applied.

Figure 1: Screenshot from a previous SAI ITMA version

SAI ITMA allows for contextualisation to the country context and facilitates strategic discussion at SAI level. The SAI ITMA incorporates the country’s results in the E-Government Development Index as a point of reference as well as some general open questions to better consider the context. SAI ITMA is designed to be completed by a group of professionals from different backgrounds permitting discussion and collection of “proof/documentation” before a decision on the rating is made. In case a requirement is not achieved, root cause analysis is required to explain why this has not been achieved yet. Both steps facilitate a common understanding within the group of participants and the setting of priorities for future action in the assessment report. The presentation of the objectives and the draft assessment report at the kick-off and conclusion of a SAI ITMA is an opportunity to ensure buy-in of the top management. The repetitive use of SAI ITMA can be a way to keep track of developments and ensure they are taken up by the SAI.

The OLACEFS region has taken important steps towards the improvement and application of the SAI ITMA, supported by a coordinated effort of German development cooperation. While originally conceptualised by the Sector Programme Good Financial Governance, implemented by the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH on behalf of the German Federal Ministry for Economic Cooperation and Development (BMZ), the further refinement and piloting was coordinated by the CCC Taskforce on Geotechnology. After pilot-testing the first version in SAI Colombia, the instrument was revised to incorporate this first experience and better capture geotechnology aspects in the instrument. Further virtual applications in SAI Chile and SAI Guatemala allowed for further improvement of the tool. For this review process, the support of the Regional Programme on strengthening external audit in the environmental field was crucial as was the collaboration with the Agenda 2030 programme for the roll-out in Guatemala. Accompanying materials for roll-out, training, and application of the SAI ITMA are currently being prepared.

Currently, further steps are being taken to highlight the need for digital transformation of SAIs and upscale the use of SAI ITMA in the OLACEFS region. A first virtual regional training session introducing the SAI ITMA is scheduled for next week, December 7-10, 2020. This workshop brings together participants with different profiles from the SAIs of Costa Rica, Ecuador, Dominican Republic, Peru and Paraguay. It is a first step to create a pool of knowledgeable experts and change agents as well as to promote the SAI ITMA in the region. It will generate insights for the region and provide a basis for activities in the next year. Given this outlook, 2021 promises to be a very exciting year for the digital transformation of SAIs.

On the author:

Julia Bastian works for German development cooperation (GIZ) since 2014. She spent almost five years supporting the regional programme Good Financial Governance in Africa, three of which as a technical advisor supporting the General Secretariat of the African Organisation of Supreme Audit Institutions (AFROSAI) in Yaounde, Cameroon. Currently she is part of the Sector Programme Good Financial Governance in Bonn, Germany and provides sectoral advisory services to the German Federal Ministry for Economic Cooperation and Development (BMZ) with a focus on accountability and public procurement. Before joining GIZ, she held other positions working on Public Financial Management and Development, as a consultant, among others. She holds a Master’s Degree in International Relations and Development Policy.
Julia Bastian | LinkedIn

Presenting the first SAI ITMA version at a meeting of the OLACEFS Taskforce on Geotechnology in November 2019 in Bogotá, Colombia. (Copyrights SAI Colombia):