Achievements at a glance
- Better allocation of social assistance benefits, improving the lives of socially vulnerable families
- Improved controls in digital public procurement processes, leading to better relationships between government and suppliers
- Leading by example in assessing needs, receiving and coordinating support
IT audits from SAI Georgia are ensuring that digitalization of the Georgian government's system effectively produces greater benefits to citizens.
The State Audit Office of Georgia (SAO) IT Audit reports on the recently developed e-government system are ensuring that services provided to citizens through digital systems are effective. The audit of the Social Security Assistance program, undertaken in 2018, had an immediate impact and response. The Social Service Agency is responsible for identifying, scoring and supporting socially vulnerable families. SAO identified weaknesses in the data that the agency uses to calculate the parameters of the score. This leads to poor allocation of benefits, and thus a misuse of public funds. Media attention put pressure on the government, and half a year later the Social Service Agency is already working to establish automatic controls for utility expense validation.
Another audit report that made an impact was the 2016 audit of the State eProcurement system, which obtained vast attention from the media and civil society. It showed a lack of effective controls to protect the confidentiality of tender data. Two years later, in 2018, the Service Development Agency started implementing public key infrastructure, and today digital signatures are used for tender documentation. Like these, there are other audits tackling areas within the e-government systems that are currently critical for the interest of the population and for the economy. In addition to e-government initiatives, SAO focuses its efforts on Critical Information Systems and reports to the parliament regarding the state of information security.
Georgia has been improving its service delivery model to citizens by incorporating advanced technological solutions during the past decade. As the government relies more on computerized systems and the use of big data, the need to ensure the security and efficiency of the IT infrastructure underpinning this work continues to grow.
Although SAO did not have IT auditors prior to 2013, its leadership did not hesitate in taking up the challenge and contributing towards the country's objectives through the delivery of high-quality IT audits.
Developing SAO’s capacity in this regard was not an easy undertaking, but thanks to the strong commitment by SAO leadership and stable, coordinated support from international donors, the institution has been able to meet the challenge and fulfil its mandate to audit and report on the government’s IT infrastructure.
The initial steps
SAO managed to establish an IT Audit Division after obtaining the necessary hardware and IT audit software as well as human capacity during the past 5 years. Initial steps entailed self-assessments to understand where the organization was in terms of IT audit capabilities, and to decide their capacity development strategy.
Having identified the gaps in their organisation, SAO began to look for external support. In January 2014 the SAI submitted a concept note to the Global Call for Proposals (GCP) programme, provided by the INTOSAI-Donor Cooperation. The GCP is a mechanism intended to empower SAIs in developing countries to put forward capacity development proposals at the country, regional and global level. After SAIs submit proposals, the GCP seeks to match them with donor and/or INTOSAI funding.
After various rounds of revision, the INTOSAI-Donor Secretariat (IDS) and SAO had ensured the proposal had the right elements and scope to give it the highest chance of receiving funding. SAO’s proposal was then circulated to donors.
Receiving and coordinating support
Soon the World Bank (WB), through the SAI Capacity Development Fund, an IDC mechanism for financing SAI initiatives, voiced its interest in supporting Georgia’s IT audit development efforts. The Norwegian Ministry of Foreign Affairs (MFA) voiced its interest as well. The IDS coordinated the initial matching, and shortly afterwards SAO and donor partners moved into direct bilateral discussions on how to support specific project components.
Current SAO IT Audit Division head David Shavgulidze was part of the team which sent in the GCP proposal and worked with the donors during the initial phases.
Donor support during this start-up period, he says, was key.
“Once the proposal had been taken up,” David recalled, “we had full assistance from the donors, such as the Norwegian MFA and the WB. We worked with them to plan and implement our activities. When we faced challenges, we had full support from the team.”
SAO split the project into two parts, each handled by one of the partners. This harmonized approach helped to ensure that there was no overlap in efforts, and that the contributions of the WB and the Norwegian MFA would complement one another throughout the project. SAO and donors together determined roles and responsibilities. The IT audit team took the lead in planning and activities, while the WB advised on procurement and project management. Key factors such as a SAI-led planning phase and coordination of support ensured the accomplishment of the development phase.
Building IT Audit Capacity
Infrastructure is a critical component in IT auditing. Before taking on the task of carrying out large-scale IT audits, the SAO team had serious technical issues to contend with. The team needed a specialized system to securely manage massive amounts of sensitive data from the government. High-performance servers and new software were all brought in and set up by the team.
Once the physical infrastructure was in place, the IT Audit team needed to build the office’s human capacity to conduct the job. Auditing IT systems presents unique challenges and requires a distinct skillset not always available in traditional auditing. After a trial-and-error approach in bringing in more human resources from other parts of SAO, the IT Audit team decided to shift their hiring practices.
“In the end, we found it was easier to train IT specialists in audit than it was to train auditors in IT,” says David. “…so we decided to start hiring computer science professionals and train them in audit instead of trying to bring existing staff into the IT Audit department.”
The team focused on building up their professional qualifications; nowadays 4 out of 6 auditors are Certified Information Systems Auditors (CISA).
SAO received extensive support from the US Government Accountability Office’s Center for Audit Excellence (CAE) in this area. During 2016-2018 the CAE delivered a training course on Information Security Audit and later assisted SAO in conducting 2 pilot IT audits. The pilots used criteria and audit guidelines based on ISSAIs, INTOSAI guidelines, ISO Standards, best practices and ISACA frameworks. SAO led the process while CAE assisted with the planning, fieldwork and reporting stages of the audit. Cooperation with US GAO CAE was successfully completed with quality assurance services for the IT audit of the Education Management Information System, in 2018.
The good practices of development initiatives, from supply-driven support to demand-driven
The encouraging results on IT audits have also been a consequence of strong and sustained partnerships over time, which have allowed SAO first to strengthen basic areas of auditing and subsequently to build capacity in new types of audit, such as IT.
It started with the modernization of accountability arrangements in Georgia, which was initially driven by the EU as part of their Neighbourhood Policy. The SAI's leadership (appointed in 2010) committed to bringing SAO in line with INTOSAI standards.
SAO has long worked closely with two development partners, GIZ and the Swedish National Audit Office (SNAO). Both partners have supported SAO when threats to its independence have appeared. The provision of support to SAO was initially ‘supply driven’ – both GIZ and SNAO approached SAO and offered assistance. The process is now ‘demand driven’. SAO runs detailed needs assessments, based on a ‘gap analysis’, SWOT analysis, and SAI PMF assessment, that feed the SAI’s Strategic Plan. This results in a list of development activities for which SAO needs external financial and technical support.
All support is coordinated by the Strategic Planning Department, which maintains a detailed project mapping matrix. GIZ and SNAO have generally supported different functions within SAO. Support provided by other donors (WB, EU, the Norwegian MFA and USAID) has been built around the core support provided by GIZ and SNAO. There is a quarterly newsletter explaining each capacity development project. One of the keys to SAO’s obtaining support has been to know exactly what it wants and which donor might be interested. Having identified the need for a public communications strategy, SAO approached the WB, since one of the WB's development objectives in Georgia is citizen engagement.
SAO has not participated actively in country level PFM policy dialogue. However, the Ministry of Finance established a PFM Council that includes SAO and other PFM institutions. Donors also attend. The PFM Council's annual meetings give SAO the opportunity to set out its achievements and present its current development needs. The PFM Council is regarded as an effective mechanism for sharing experience and coordinating support.
Moving to the Future
SAO still has a long way to go in building on its good work with IT Audit in the coming years. They have also engaged with Parliament to update relevant audit laws.
The development of SAO's IT Audit work is an example of how SAI-led plans with coordinated donor support, harmonized around the SAI's strategy, can scale up and strengthen development efforts and lead to sustainable results. These are the MoU principles of the INTOSAI-Donor Cooperation. Initiatives such as the Global Call for Proposals are one way that the INTOSAI-Donor Cooperation promotes this approach and streamlines the entire process.
“I think the GCP played a huge role in receiving support,” David said, when asked about the role of the GCP in helping their project come to fruition. “In the GCP, we elaborated one project which was distributed to 20 or more donors, and we then had the opportunity to address all the donors all together. In other cases, you have to approach one donor, and then another one, and so on. It’s a long process and it’s not very efficient. I think with the GCP we had better coordination and faster results.”