
SAI-Kuwait
Different Procedures of IT Audit
The 23rd Meeting of the INTOSAI Working Group on IT Audit, February 2014
Prepared by State Audit Bureau of Kuwait

About State Audit Bureau of Kuwait

Establishment: The Constitution of the State of Kuwait, which was issued on November 11, 1962, clearly provided for the establishment of a commission for financial control whose independence shall be safeguarded by the law. The underlying belief is that public funds, which form the State's nerve and its cornerstone for prosperity, should be safeguarded to ensure full collection of revenues, avoid any loss or negligence, and expend these revenues for the welfare of society without extravagance or unreasonable economizing.

Objective: The main objective of SAB is to maintain an effective control over the public funds to safeguard them, prevent any misuse, and verify their proper utilization for the purposes they have been allocated for. Through performance of its control activity, SAB has concentrated on the creation of a full conviction over the audited bodies. That is, SAB is not looking for errors or deviations; instead, it aims primarily at the maintenance of public interests by safeguarding public funds and efficiently utilizing them for the aspects they have been allocated for. SAB has been able, through its constant cooperation and understanding and through communication with other authorities, to organize their financial and accounting transactions and devise the suitable solutions in order to reach the exemplary objective.

Authorities subject to Audit:
• The ministries, departments, and public agencies that constitute the administrative system of the State.
• The municipalities and all other local bodies that have a public legal entity.
• Public commissions, establishments, and organizations attached to the State, or the municipalities or the local bodies that have a public legal entity.
• Companies and establishments in which the State or any other legal entity holds a share of no less than 50% of their capital or guarantees them a minimum profit.
• Companies licensed to utilize or manage one of the State public utilities or granted a concession to utilize any of the natural resources in the State.

Specialization:
• Revenues.
• Expenditures.
• Personnel affairs.
• Tenders, practiced-tenders, contracts, and commitments.
• Imprests, public stores, and warehouses, the branches and the like.
• Settlement accounts of imprests, safekeeping, current accounts, and regular accounts.
• Advances and loans granted by the State or one of the establishments or agencies having a public legal entity or granted in their interest.
• The ways in which the State funds are invested.
• The final accounts of the financial year ended for each of the State, the public bodies and establishments whose budgets are regulated by laws.
• All accounts, or any other work entrusted by the National Assembly or the Council of Ministers for examination and checking.
• Administrative, financial, and accounting by-laws.

Audit Procedures: In order for SAB to actualize its objectives, two different audit procedures were developed to serve as safeguard mechanisms, deployed around the two phases of a commitment. One is practiced before a commitment (Pre-Audit) and another after a commitment (Post-Audit). A third type has also been developed to serve as an empowerment and support tool (Performance Audit):
• Pre-Audit
• Post-Audit
• Performance Audit

In SAB, IT Audit is adapted using the previously explained procedures, appropriately named IT Pre-Audit, IT Post-Audit and IT Performance Audit.

IT Pre-Audit:
• The law obliges the concerned entities not to engage in any commitment or conclude any contract until they get the approval of SAB regarding financial commitments on the State or any other public legal entity if the value of a single tender, commitment, agreement, or contract is more than 100,000 K.D. ($354,108.00).
• In this case, SAB will not give its approval until it investigates technically the subject tender, commitment, agreement, or contract and verifies that the allocations of the funds in the budget allow for engagement or conclusion, and that all procedures required have been taken into account in compliance with the established financial regulations and rules.
• Pre-Audit ensures that the disqualified vendors have been disqualified fairly and according to the terms of the tender.
• Ensures that the winning vendor has met the government entity’s requirements.
• Verifies that the allocated funds in the budget are technically related to the engagement.
• Verifies the adherence of the contract to governmental policies and procedures.
• Reviews the contract for adequate protection of the government entity’s rights.
• An ongoing routine procedure.

IT Post-Audits:
• Post-Audits are performed after the signing of a contract and usually after the contractual period.
• They are characterized by being a sort of investigative work, and therefore it must be noted that they are not concerned with providing recommendations and/or measuring performance.
• Specialized in performing contract-compliance audits related to vendor and beneficiary sides by auditing the execution of IT tender projects.
• Emphasize finding and reporting direct financial implications of system(s) and the surrounding operations.
• Other goals can be investigating fraud or misuse claims on specific systems.
• Usually initiated by request of other departments that specialize in financial audit and sometimes as a special assignment by the upper management, National Assembly or the Council of Ministers.

IT Performance Audit:
• Performance audits are performed irrespective of contractual engagements. They are more oriented towards studying areas of the IT universe, management, control and governance. Unlike post-audits, performance audits are not concerned with the specifics of financial implications/findings.
• It may be described as an independent auditing process aimed at evaluating the measures instituted by management, or the lack of these measures; ensuring that resources have been acquired economically and are utilized efficiently and effectively.
• Such audits are specialized in benchmarking against international IT standards and guidelines. Thus, performance audit reports are fashioned in a way to provide guidance to the auditee on how to improve on the area under review.
• Initiated by request of the Performance Audit Department.

IT Pre-Audit Case Studies

IT Pre-Audit Case Study (1)

• Organization Type: Ministry
• Contract Period: 12 Months
• Contract Subject: The ministry would like to update and enhance its Kuwait Integrated Maintenance Management System. The required changes and enhancements were requested through a tender that was conducted by the Consultants Selection Committee.

• IT Pre-Audit Study Details: A review of the RFP, the proposal of the winning consultant and the previous contracts was performed. Meetings were conducted with the ministry where discussions about the history of the system and the current state took place, and the following was identified:
1. The Maintenance Management System was commissioned in 1997 and since then it has been severely underused. While it should have been a system that would monitor the state of the country’s infrastructure and provide guidance on maintenance schedules, it was merely used as a maintenance request issuing system.
2. It was evident that the Ministry is unaware of the significance of the requested changes/enhancements, as the Ministry was targeting to put to use the real benefits of the system while the RFP contains only enhancements of UI and application forms. The Ministry was also unaware of the real problem, which was identified as the lack of input data on the readings related to the conditions of the country’s infrastructure. The lack of such data renders the system useless as its main functionality depends on it.
3. The ministry had no preconception of the outcome of the requested consultancy services, as there was no thorough study of the reasons behind the current inactivity of the system.
4. It was found that the current consultant requires the original source code of the application in order to implement changes, while it was identified that the Ministry has no possession of the source code, which can hinder the progress of the requested consultancy.
5. The Ministry did not make a comparison study between:
   a. Proceeding with the current change/enhancement request, which includes the consultant's fees for research/analysis of the current situation and for supervising the implementation of changes/enhancements, in addition to fees that will go to software development companies for the actual implementation work.
   b. Investigating the possibility of replacing the current aging system with a more recent technology that could be more cost efficient/effective and provide better functionalities.

• IT Pre-Audit Study Result: Approval was denied due to the previously discussed findings.

IT Pre-Audit Case Study (2)

• Organization Type: Central Committee
• Contract Period: 60 Months
• Contract Subject: The Central Committee would like to sign a consultancy contract to design, implement and maintain an information system to manage the national program of environmental rehabilitation.

• IT Pre-Audit Study Details: Due to the unique nature of this subject, as it is the starting point to carry out the national environmental rehabilitation projects based on compensations provided through the United Nations after the 1990 invasion, it was given special attention by the Bureau to make sure that the committee has been thorough in its consultancy requirements and preparation to start this important endeavor.

The system is essentially a focal point for the affected countries and it will be used as a central supervision workplace for the United Nations to oversee the progress of the rehabilitation projects as compensations are provided accordingly.

The bureau’s study included going over all related documents of the consultancy agreement and meetings with the committee where the following was covered:
1. Previous or current projects that specialize in environmental data which were used to put together the requirements for the current intended consultancy.
2. The methodology of the committee to ensure the comprehensiveness of the current requirements to cater for all aspects of the rehabilitation programs and to guarantee success.
3. The role of the other environment-related governmental organizations and the degree of coordination and involvement considered, since the committee will be in charge of some responsibilities that might overlap with such organizations.
4. The role of the Central Agency for Information Technology and the coordination to facilitate the use of Kuwait Information Network and other related resources for the project.
5. The coordination with other governmental bodies that will be in charge of parts of the environmental rehabilitation projects starting after the completion of the intended consultancy.
6. Future plans and subsequent stages to the project.

• IT Pre-Audit Study Result: Approval granted.

IT Pre-Audit Case Study (3)

• Organization Type: Ministry
• Contract Period: 36 Months
• Contract Subject: The ministry would like approval for a tender contract in order to start the project of developing a portal with electronic content to support e-learning. Additionally, the contract includes outsourcing technical consultants to support the developed solution and its users.

• IT Pre-Audit Study Details: After reviewing the tender documents, it was noticed that the development period of the portal and electronic content is 8 months, followed by another 12-month period of warranty, support and maintenance that ensures the ministry continuous trouble-free operation of the solution. The technical support consultants, requested to be offered in the same contract, were identified to be starting from the initial signing of the contract and will be providing support to the developed solution and its users.

For the consultants to start their duties from the beginning of the contract was found to be pointless, since the initial 8 months are dedicated to development and there will be nothing for them to support until the solution is formally accepted by the ministry.

• IT Pre-Audit Study Result: Approval was granted partially, only to the development phase while the ministry requested to postpone the part containing the technical consultants as it will be resubmitted for approval after the completion of the initial development phase.

IT Pre-Audit Case Study (4)

• Organization Type: Ministry
• Contract Period: 3 years
• Contract Subject: Electronic Payment Services Agreement

• IT Pre-Audit Study Details: The ministry would like to sign a non-tender contract with the sole e-payment company in the country to provide e-payment services to governmental organizations for use in collecting governmental income. The cost is a per-transaction rate that varies based on transaction volume. It is also agreed that there will be sub-contracts for each benefiting organization in order to govern the provided services.

The bureau approached this subject with special attention because e-payment is a new concept for the government to implement. The bureau is targeting to assure the maximum benefit from this contract to the government. One of the major areas of focus during the audit was making sure that the offered rates are reasonable. Additionally, the bureau discussed with the ministry’s officials the procedures in place to facilitate the proper execution of the contract by coordinating with the rest of the government organizations.

• IT Pre-Audit Study Result: Approval was granted along with conditions/recommendations as per the following:
1. That all sub-contracts belonging to each governmental organization must be presented to the bureau for approval.
2. For the ministry to coordinate with all governmental organizations in order to accelerate the implementation of the e-payment services in accordance with an agreed schedule in order to benefit from lower rates as soon as possible.
3. For the ministry to revisit and review the offered rates after actual use of the services and before renewing the contract with the company.
4. For the ministry to seek alternatives among competing e-payment service providers in order to find the best services and prices.

IT Post-Audit Case Studies

IT Post-Audit Case Study (1)

• Organization Type: Ministry
• Subject: Auditing the National Rationing System

• IT Post-Audit Study Details: The case required the audit of a Rationing system developed by the IT department of the Ministry to automate and optimize the delivery of essential subsidized commodities to eligible beneficiaries. The Ration Department is in charge of setting the rationing regulations and laws by setting eligibility criteria and determining quotas and prices.

The IT department of the ministry is in charge of the Rationing System to:
1. Issue, renew and amend the ration card data for beneficiaries using the Ration Card sub-system.
2. Distribute the goods to consumer branches of Cooperative wholesale societies using the Ration Distribution sub-system.

As reported by the Ration Department, the system is expected to deliver the following benefits:
1. Provide the information on beneficiaries, ration cards and transactional data in an electronic format for easier accessibility and accuracy.
2. Non-issuance of duplicate ration cards per beneficiary.
3. Avoid the current manual issuance and indexing of ration cards.
4. Link the branches to the main system at the ministry to automate exchange of data.
5. Issue/print the new ration cards.
6. Better management of inventory and governing of transactions.
7. Provide accurate statistical reports in a timely fashion with ease.

The goal of the audit is to investigate the data quality, validity and reliability of both sub-systems (Ration Card, Ration Distribution) in comparison to the rules and regulations set forth by the Ration Department, in order to make an assessment of the soundness of the Ration system and its related operations.

• IT Post-Audit Study Key Finding (1): It was found through data analysis that the Ration Card sub-system allows the registration of beneficiaries without a verification mechanism for their legal eligibility. The users working on the system can register/add non-eligible beneficiaries to the system without any restrictions. Additionally, the system also allows the addition of any number of non-eligible beneficiaries as dependents on another eligible or non-eligible parent beneficiary, making up a family without a verification mechanism for the type of relationship. This lack of control or verification against governing laws can lead to fraudulent transactions of consumables.

• IT Post-Audit Study Key Finding (2): It was found that the system lacks input controls and data entry verification methods. Cases of registered beneficiaries with erroneous national ID numbers, very short names or no name at all were found. It was also found that some of these beneficiaries have received some ration, which means they are active beneficiaries. It was also found that the aforementioned beneficiaries were registered over a period of three months, which means that there isn’t any auditing or cleanup process or that it is not frequent enough to mitigate fraudulent transactions.

• IT Post-Audit Study Key Finding (3): The Ration System assigns a quota of consumables depending on the number of beneficiaries within a family. The quota is reset each month. It was found that if dependents were removed from a parent beneficiary and reassigned, it will automatically reset the quota on the spot and during any day of the month. This can be abused by illegally increasing the quota of a beneficiary. Additionally, this can be done multiple times within one month.

• IT Post-Audit Study Key Finding (4): As per the business requirements, the system should issue one ration card per household, usually to the head of the family. The rest of the family members are linked as dependents. It was found from the data analysis of the Ration Card sub-system that there are ration card holders that are not defined in the system as head of a household. Additionally, these same ration card holders are linked as dependents on another head of a family.

This means that such beneficiaries can have duplicate ration quotas: once as a card holder and once as a dependent. Further data analysis of transactions found that the aforementioned beneficiaries have actually received ration, which concludes that the finding is not only a database discrepancy.

• IT Post-Audit Study Key Finding (5): The system uses a process to deactivate beneficiaries and ration cards based on multiple business reasons. Regardless of the reason, any deactivated beneficiary or ration card is archived in a historical database to keep track of them. It was found through data analysis of ration transactions and comparison to the historical databases that there are active ration cards (receiving rations as seen in the transactions) that belong to deactivated beneficiaries or to a non-existent beneficiary.

This is an indicator of a weakness and lack of processing controls on the system. Additionally, it is not known whether the system users are aware of this issue and if it is being abused or not.

• IT Post-Audit Study Key Finding (6): The system allows the grouping of ration quotas under one household, where a number of dependents are added to one ration card holder. This also means that all household members must have the same street address, while it was found during the data analysis that there were some ration card holders who had dependents with different street addresses. Such additional lack of input controls and verifications adds more risk to the possibility of adding fake beneficiaries to the system.

• IT Post-Audit Study Key Finding (7): The system holds a definition database containing all subsidized commodities. Additionally, the daily sales transaction database shows what has been sold for the day using the common definition codes. It was found that the daily sales transaction database contains transactions for unidentified commodities on the system.

The existence of such transactions for unidentified commodities obviously does not reflect the actual sales and quantities, and it makes it very difficult to generate trustworthy statistical reports with real information regarding sales and transactions. Additionally, the existence of unidentified commodities could be a sign of some kind of fraud.

• IT Post-Audit Study Key Finding (8): The system holds a pricing database containing all subsidized commodities and the prices per sale unit. It was found that there are transactions for commodities with prices different from the ones defined in the pricing database. Additionally, some of these transactions had unrealistically small prices or amounts.

Such a finding is a dangerous indicator of a price calculation problem with the system, which leads to incorrect amounts being collected from the beneficiaries. Additionally, the discrepancies in pricing could be an indicator of some kind of fraud in the process of sales and collection.

• IT Post-Audit Study Key Finding (9): It was found from analyzing the transactional databases that there are some transactions that occurred during non-regular working days. Additionally, the norm is that each transaction record indicates the distribution center where it originated, while it was found that some of the aforementioned transactions happened in an unidentified distribution center.
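The data-analysis tests behind Key Findings (2), (4), (5), (7), (8) and (9) can be written as reconciliation queries over an extract of the two sub-systems. The following is an added example, not SAB's audit scripts or the ministry's schema: the table and column names, the 12-digit ID rule, the three-character name threshold and the Friday/Saturday weekend are assumptions, and every row is constructed.

```python
import sqlite3

# Hypothetical schema, not the ministry's. Amounts are integer fils.
SCHEMA = """
CREATE TABLE beneficiaries (id INTEGER PRIMARY KEY, national_id TEXT, name TEXT,
                            is_head INTEGER, parent_id INTEGER);
CREATE TABLE beneficiaries_archive (id INTEGER PRIMARY KEY);  -- deactivated
CREATE TABLE cards (card_id INTEGER PRIMARY KEY, holder_id INTEGER);
CREATE TABLE commodities (code TEXT PRIMARY KEY, unit_price INTEGER);
CREATE TABLE centers (center_id TEXT PRIMARY KEY);
CREATE TABLE transactions (tx_id INTEGER PRIMARY KEY, card_id INTEGER, code TEXT,
                           qty INTEGER, amount INTEGER, tx_date TEXT, center_id TEXT);
"""

# Constructed sample rows with one planted anomaly per finding.
ROWS = {
    "beneficiaries": [
        (1, "280010112345", "Head One", 1, None),
        (2, "290020212345", "Dependent A", 0, 1),
        (3, "12AB", "", 0, None),                        # bad ID, no name
        (4, "285030312345", "Holder And Dependent", 0, 1),
    ],
    "beneficiaries_archive": [(5,)],
    "cards": [(100, 1), (101, 4), (102, 5), (103, 99)],
    "commodities": [("RICE", 500), ("SUGAR", 300)],
    "centers": [("C01",)],
    "transactions": [
        (1, 100, "RICE", 2, 1000, "2013-03-04", "C01"),  # clean
        (2, 101, "SUGAR", 1, 300, "2013-03-05", "C01"),  # card held by a dependent
        (3, 102, "RICE", 1, 500, "2013-03-06", "C01"),   # archived holder
        (4, 103, "X99", 1, 100, "2013-03-06", "C01"),    # no holder, unknown code
        (5, 100, "RICE", 2, 10, "2013-03-07", "C01"),    # amount != qty * price
        (6, 100, "SUGAR", 1, 300, "2013-03-08", "C77"),  # Friday, unknown center
    ],
}

# One query per finding; each returns the keys an auditor would follow up on.
CHECKS = {
    "finding2_bad_identity": """
        SELECT id FROM beneficiaries
        WHERE length(COALESCE(national_id, '')) != 12
           OR national_id GLOB '*[^0-9]*'
           OR length(trim(COALESCE(name, ''))) < 3
        ORDER BY id""",
    "finding4_holder_is_dependent": """
        SELECT c.card_id FROM cards c JOIN beneficiaries b ON b.id = c.holder_id
        WHERE b.is_head = 0 AND b.parent_id IS NOT NULL
          AND EXISTS (SELECT 1 FROM transactions t WHERE t.card_id = c.card_id)
        ORDER BY c.card_id""",
    "finding5_card_without_live_holder": """
        SELECT DISTINCT t.card_id,
               CASE WHEN a.id IS NULL THEN 'nonexistent' ELSE 'deactivated' END
        FROM transactions t JOIN cards c ON c.card_id = t.card_id
        LEFT JOIN beneficiaries b ON b.id = c.holder_id
        LEFT JOIN beneficiaries_archive a ON a.id = c.holder_id
        WHERE b.id IS NULL ORDER BY t.card_id""",
    "finding7_unknown_commodity": """
        SELECT tx_id FROM transactions
        WHERE code NOT IN (SELECT code FROM commodities) ORDER BY tx_id""",
    "finding8_price_mismatch": """
        SELECT t.tx_id FROM transactions t JOIN commodities m ON m.code = t.code
        WHERE t.amount != t.qty * m.unit_price ORDER BY t.tx_id""",
    "finding9_off_day_or_unknown_center": """
        SELECT tx_id FROM transactions
        WHERE strftime('%w', tx_date) IN ('5', '6')  -- Friday, Saturday (assumed)
           OR center_id NOT IN (SELECT center_id FROM centers)
        ORDER BY tx_id""",
}


def build_db():
    """Load the constructed extract into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def run_checks(conn):
    """Run every reconciliation query and return its exception rows."""
    return {name: conn.execute(sql).fetchall() for name, sql in CHECKS.items()}


if __name__ == "__main__":
    for name, hits in run_checks(build_db()).items():
        print(f"{name}: {hits}")
```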

IT Post-Audit Case Study (2)

• Organization Type: Committee
• Subject: Public Sector Salaries Transfer Mechanism Contract with the National Banking

• IT Post-Audit Study Details: The Committee signed a tendering contract to purchase hardware for the current environment used to transfer the monthly salaries of the public sector employees from the Central Bank of Kuwait to their respective bank accounts.

The current situation is that the servers reside in the IT environment of each Bank concerned in the agreement. According to the Committee, the current servers are old and are not sufficient to carry out their job, and the new servers are meant as a replacement.

The bureau covered the following in the audit:
• The extent of implementation of the contract scope of work.
• Verification of the purchased hardware servers being in use.
• Verification of the hardware servers being used for their true intention.
• Evaluate the true necessity for acquiring the new servers and the retiring procedures of the old equipment.
• Conformity and adherence to the contractual agreement between the Committee and the local Banks.

• IT Post-Audit Study Key Finding (1): When studying the agreement between the Committee and the local banks, it was found that it is the liability of the local banks to acquire the hardware servers that will reside in any of the concerned banks' premises in order to facilitate the technical integration according to the methodologies imposed by the Committee and its information exchange service providers.

It was evident from the audited contract and discussions with the Committee that the new replacement servers are paid for by the Committee instead of the banks, which violates the agreement. In addition to that, the Committee is taking on the responsibility by hosting the servers instead of installing them in the banks' premises.

• IT Post-Audit Study Key Finding (2): The audit was concluded by February 2012, whereas the servers were acquired and installed by the supplier back in July 2011. When examining the servers, it was found that they contained no software and were sitting idle in a computer room. In other words, the servers haven’t been serving any useful purpose for the past 7 months. Further investigation revealed that the Committee hasn’t made the software ready to be moved to the new servers. The servers were acquired so far ahead of time that 7 months have been wasted from the contract’s support period.

In the ideal situation, the Committee should have planned the project better in order to make a fast migration and better use of the time and support period.

IT Performance Audit Case Studies

 • Organization Type: Ministry • Subject: Audit of the Traffic Ticketing information system • Organization Type: Ministry • Subject: Audit of the Traffic Ticketing information system • IT Performance Audit Study Details: The Traffic Ticketing information system is a specialized system for the input, processing, management and payment collection of the traffic tickets. There are three types of traffic tickets issued by the ministry; direct tickets, indirect tickets and traffic enforcement camera tickets. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Details: To audit the system, the IS Auditors followed the standards and procedures of the General Audit Guide of the Bureau in addition to the COBIT framework and the Audit Guide of the ASOSAI. The audit had two areas of focus: the environment surrounding the system and the internal environment of the system, which together guarantee the quality of the system's performance and safety. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Finding (1) “Workflow, processes and procedures external and internal to the system”: a) There is no documentation for the system in relation to the traffic laws that need to be applied. This kind of documentation is considered high-level yet very important, and the lack of such documentation is an indicator of possible mistakes in implementing the proper processes and procedures for all types of traffic tickets. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Finding (1) “Workflow, processes and procedures external and internal to the system”: b) It was also found that there is no documentation of the process for entering traffic tickets into the system. This means that the data entry employees working on the system have no documented guidance for carrying out their duties in the correct way. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Finding (1) “Workflow, processes and procedures external and internal to the system”: c) It was found that the system is not very restrictive in terms of different access levels and allowed permissions, which is considered a weakness due to the lack of proper internal controls, audit and review. Such a situation makes it easy for users to abuse the system without consequences. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Finding (1) “Workflow, processes and procedures external and internal to the system”: d) The system does not allow the entry of tickets issued to vehicles with non-Kuwaiti registration. This raises the question as to how such tickets are being managed and collected. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Findings (2) “Business Continuity and Disaster Recovery”: a) The documented business continuity plan is known to only one IT unit within the ministry. The rest of the units have only been informed of the plan verbally. Even IT Operations, the unit most concerned with the plan, does not have it in a documented format. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Findings (2) “Business Continuity and Disaster Recovery”: b) The ministry does not own a disaster recovery site to assure business continuity if the primary site is down. c) The business continuity plan has not been tested in order to verify its effectiveness. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Findings (3) “System Security”: a) There are no policies that govern user permissions. Any user is able to request any kind of permission on the system regardless of whether that access level is relevant to the job description. b) In one ministry branch, the following was found: i. Three employees had the permissions and access rights of a supervisor. ii. There is no audit function to review system reports. One employee with an auditor job title was in charge of entering traffic ticket information in the system, modifying records and distributing ticket booklets to officers, while an auditor function ought to be reviewing reports. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Findings (3) “System Security”: c) There is no limit on the number of users who can hold any kind of permission. Any kind of permission can be requested for any number of employees and it is usually granted without question. d) There is no periodic review of the user access list in order to identify inactive users. e) There is no security policy for information transfer and firewall rules. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Findings (3) “System Security”: f) There is no periodic review or audit of the system reports that cover security incidents or misuse. It was found that the reports are generated irregularly and less frequently than desired, which delays taking timely action against offending users. IT Performance Audit Case Study (1)
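The periodic user access review that Findings (3) report as missing can be run as a simple exception report over an export of the user list. The following is an added example, not part of the original presentation; the user records, job titles, permission names, allowed-permission policy, segregation-of-duties pairs and 90-day inactivity threshold are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample of a user access list export; all names, titles and
# permission labels are assumptions made for this example.
USERS = [
    {"user": "u01", "title": "supervisor", "perms": {"approve", "modify", "report"}, "last_login": date(2013, 12, 20)},
    {"user": "u02", "title": "data entry", "perms": {"enter", "approve", "modify"}, "last_login": date(2014, 1, 5)},
    {"user": "u03", "title": "auditor", "perms": {"enter", "modify", "issue_booklets"}, "last_login": date(2014, 1, 9)},
    {"user": "u04", "title": "data entry", "perms": {"enter"}, "last_login": date(2013, 6, 1)},
    {"user": "u05", "title": "data entry", "perms": {"enter"}, "last_login": date(2014, 1, 10)},
]

# Assumed policy: the permissions each job title may hold.
ALLOWED = {
    "supervisor": {"approve", "modify", "report"},
    "data entry": {"enter"},
    "auditor": {"report"},
}
# Assumed segregation-of-duties rule: pairs one user must not combine.
SOD_CONFLICTS = [("enter", "approve"), ("enter", "report"), ("issue_booklets", "enter")]
INACTIVE_DAYS = 90  # assumed threshold for an inactive account


def review_access(users, today):
    """Return a sorted list of (user, issue, detail) exceptions."""
    findings = []
    for u in users:
        # Permissions beyond what the job title justifies (findings a, b.i).
        excess = u["perms"] - ALLOWED.get(u["title"], set())
        if excess:
            findings.append((u["user"], "excess_permission", ",".join(sorted(excess))))
        # Conflicting duties held by the same person (finding b.ii).
        for a, b in SOD_CONFLICTS:
            if a in u["perms"] and b in u["perms"]:
                findings.append((u["user"], "sod_conflict", f"{a}+{b}"))
        # An auditor who cannot read reports cannot perform the review role.
        if u["title"] == "auditor" and "report" not in u["perms"]:
            findings.append((u["user"], "auditor_cannot_review", "report"))
        # Accounts unused for longer than the threshold (finding d).
        idle = (today - u["last_login"]).days
        if idle > INACTIVE_DAYS:
            findings.append((u["user"], "inactive", f"{idle} days"))
    return sorted(findings)


if __name__ == "__main__":
    for row in review_access(USERS, date(2014, 1, 15)):
        print(*row, sep="\t")
```
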

 • IT Performance Audit Study Key Findings: Findings (4) “Information Management”: a. There are no clear and documented procedures to govern the data entry process. Tickets are entered into the system as-is with no review/audit function in place. b. There are no reports that show the number and type of mistakes made by the data entry users in order to implement more input controls. c. The system allows the modification of multiple data fields of traffic ticket information, which creates the opportunity to intentionally manipulate data in the absence of a periodic review/audit. IT Performance Audit Case Study (1)

 • IT Performance Audit Study Key Findings: Findings (4) “Information Management”: d. When waiving/cancelling a ticket in the system there is a data field called “reason for cancellation” that should be filled. Nonetheless, the field is not mandatory and this hinders the function of review/audit on cancelled traffic tickets. e. The traffic enforcement cameras in use are old and require manual processing of images and entry into the system, which could result in evidence damage or human errors. The market now offers digital cameras that do not require such manual intervention. IT Performance Audit Case Study (1)
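Findings (4) b, c and d describe reports that do not exist: cancellations without a reason, tickets with many fields modified, and exceptions per data entry user. The following is an added example of such a report, not part of the original presentation; the change-log layout, ticket ids, user ids, field names and the threshold of two modified fields are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed change-log rows: (ticket_id, user, action, field, reason).
LOG = [
    ("T100", "u02", "modify", "plate_no", ""),
    ("T100", "u02", "modify", "violation_code", ""),
    ("T100", "u02", "modify", "amount", ""),
    ("T101", "u05", "modify", "plate_no", ""),
    ("T102", "u02", "cancel", "", ""),
    ("T103", "u05", "cancel", "", "duplicate entry"),
    ("T104", "u02", "cancel", "", "   "),  # whitespace only counts as empty
]
MAX_FIELDS_CHANGED = 2  # assumed review threshold per ticket


def exception_report(log):
    """Summarise cancellations lacking a reason and heavily edited tickets."""
    fields = defaultdict(set)   # ticket -> distinct fields modified
    editors = defaultdict(set)  # ticket -> users who modified it
    no_reason = []
    per_user = Counter()
    for ticket, user, action, field, reason in log:
        if action == "cancel" and not reason.strip():
            # The optional "reason for cancellation" field was left blank.
            no_reason.append(ticket)
            per_user[user] += 1
        elif action == "modify":
            fields[ticket].add(field)
            editors[ticket].add(user)
    # Tickets where more distinct fields were changed than the threshold.
    heavy = {t: sorted(f) for t, f in fields.items() if len(f) > MAX_FIELDS_CHANGED}
    for t in heavy:
        for user in editors[t]:
            per_user[user] += 1
    return {
        "cancel_without_reason": sorted(no_reason),
        "multi_field_edits": heavy,
        "exceptions_per_user": dict(per_user),
    }


if __name__ == "__main__":
    for section, rows in exception_report(LOG).items():
        print(section, rows)
```
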

 • Organization Type: Ministry • Subject: Performance Audit for the E-Government Readiness • IT Performance Audit Study Details: The ministry has been audited previously for its performance in preparing for e-government. It previously received recommendations that are now due for a follow-up. The follow-up consists of benchmarking the performance of the ministry against several parts of COBIT 4.0. Additionally, the ministry's service automation project was highlighted during the audit and will be mentioned in some findings as “the project”. IT Performance Audit Case Study (2)

 • IT Performance Audit Study Key Finding (1): It was found that the IT Department has no strategic plan. There was also an absence of tactical plans to support its general strategy and the strategy of the ministry as a whole. Additionally, the ministry is not aware of the importance of IT strategic planning that should reflect the general strategy of the ministry. Also, the absence of a strategic plan is a direct cause of the absence of yearly work programs and related follow-up reports, which was evident in the ministry's case. IT Performance Audit Case Study (2)

 • IT Performance Audit Study Key Finding (2): It was found that there is no documentation for the IT processes and procedures related to the management, operation and maintenance of systems. The ministry is focused more on documenting processes and procedures of the users and beneficiaries while neglecting the importance of the internal IT processes and procedures. This means that such processes are not being carried out based on clear procedures approved by the ministry; instead, they depend on the skills and abilities of specific employees. Such practice does not support information safety and is considered an indicator that the infrastructure is not well prepared to face errors and failures. IT Performance Audit Case Study (2)

 • IT Performance Audit Study Key Finding (3): Even though the ministry has enough human resources, it has still depended on third parties to plan, execute and operate its most important project, which basically automates most of the ministry's services offered to the public. It was evident that the IT personnel of the ministry were not involved during any of the stages of such an important and big project. This can result in difficulties when it is time for the handover at a later stage. A handover to inexperienced personnel might result in poor operation of the project and in continued dependence on third parties. IT Performance Audit Case Study (2)

 • IT Performance Audit Study Key Finding (4): It was evident during the audit that the ministry is not aware of the importance and significance of implementing “change management” processes. The ministry simply implemented changes after reviewing them from a business point of view without considering the technical implications. This can lead to an increased frequency of errors and risks that might affect the systems and the information integrity. Additionally, not documenting performed changes will lead to difficulties in maintaining the systems and complicate the process of further changes or development. All of this will ultimately increase running costs of the system. IT Performance Audit Case Study (2)

 • IT Performance Audit Study Key Finding (5): The ministry focuses only on measuring the productivity of a system user, neglecting other important areas of performance measurement like information systems, hardware and human resources. This lack of proper performance measurement and the absence of measurement tools make it difficult for the ministry to predict future loads on IT resources. This usually leads to a reactive IT department that caters for immediate needs rather than organized future planning. IT Performance Audit Case Study (2)

 • IT Performance Audit Study Key Finding (6): It was found during the audit that the ministry is not aware of the possibility of implementing policies to govern access rights. The absence of access rights policies for IT systems leads to loose control over any type of transaction going through the system. This in turn compromises the safety, security and privacy of data, in addition to complications when dealing with incidents of error, neglect or deliberate sabotage due to loss of responsibility. IT Performance Audit Case Study (2)

 • IT Performance Audit Study Key Finding (7): It was found that the ministry has no information on security management of the system, which is due to the reliance on a third party to run everything. It was also found that the ministry did not even specify any security standards and procedures for the third party to follow. IT Performance Audit Case Study (2)

 • IT Performance Audit Study Key Finding (8): The ministry does not maintain records of incidents that occurred on the system. There is not even a mechanism to follow up on incidents or trouble tickets issued by the users. The absence of incident and trouble ticket management makes it difficult to run the system efficiently. It also stands in the way of identifying the weak points of the system. IT Performance Audit Case Study (2)

Thank You