
About State Audit Bureau of Kuwait

SAI-Kuwait Different Procedures of IT Audit. The 23rd Meeting of the INTOSAI Working Group on IT Audit, February 2014. Prepared by State Audit Bureau of Kuwait.


Presentation Transcript


  1. SAI-Kuwait Different Procedures of IT Audit. The 23rd Meeting of the INTOSAI Working Group on IT Audit, February 2014. Prepared by State Audit Bureau of Kuwait

  2. Establishment: The Constitution of the State of Kuwait, which was issued on November 11, 1962, clearly provided for the establishment of a commission for financial control in which its independence shall be safe-guarded by the law. Believing that public funds, that form the State's nerve and its corner-stone for prosperity, should be safe-guarded to ensure full collection of revenues, avoid any loss, or negligence and expend these revenues for the welfare of the society without extravagance or unreasonable economizing. About State Audit Bureau of Kuwait

  3. Objective: The main objective of SAB is to maintain an effective control over the public funds to safeguard them, prevent any misuse, and verify their proper utilization for the purposes they have been allocated for. Through performance of its control activity, SAB has concentrated on the creation of a full conviction over the audited bodies. That is, SAB is not looking for errors or deviations; instead, it aims primarily at the maintenance of public interests by safeguarding public funds and efficiently utilizing them for the aspects they have been allocated for. SAB has been able, through its constant cooperation and understanding and through communication with other authorities, to organize their financial and accounting transactions and devise the suitable solutions in order to reach the exemplary objective. About State Audit Bureau of Kuwait

  4. Authorities subject to Audit: • The ministries, departments, and public agencies that constitute the administrative system of the State. • The municipalities and all other local bodies that have a public legal entity. • Public commissions, establishments, and organizations attached to the State, or the municipalities or the local bodies that have a public legal entity. • Companies and establishments in which the State or any other legal entity holds a share of no less than 50% of their capital or guarantees them a minimum profit. • Companies licensed to utilize or manage one of the State public utilities or granted a concession to utilize any of the natural resources in the State. About State Audit Bureau of Kuwait

  5. Specialization: • Revenues. • Expenditures. • Personnel affairs. • Tenders, practiced-tenders, contracts, and commitments. • Imprests, public stores, and warehouses, the branches and the likes. • Settlement accounts of imprests, safekeeping, current accounts, and regular accounts. About State Audit Bureau of Kuwait

  6. Specialization: • Advances and loans granted by the State or one of the establishments or agencies having a public legal entity or granted in their interest. • The ways in which the State funds are invested. • The final accounts of the financial year ended for each of the State, the public bodies and establishments whose budgets are regulated by laws. • All accounts, or any other work entrusted by the National Assembly or the Council of Ministers for examination and checking. • Administrative, financial, and accounting by-laws. About State Audit Bureau of Kuwait

  7. Audit Procedures: In order for SAB to actualize its objectives, two different Audit procedures were developed to serve as safeguard mechanisms which are practically deployed around two phases of a commitment. One is practiced before a commitment (Pre-Audit) and another after a commitment (Post-Audit). A third type has also been developed in order to serve as an empowerment and a support tool (Performance Audit): • Pre-Audit • Post-Audit • Performance Audit In SAB, IT Audit is adapted using the previously explained procedures and appropriately named IT Pre-Audit, IT Post-Audit and IT Performance Audit. About State Audit Bureau of Kuwait

  8. IT Pre-Audit: • The law obliges the concerned entities not to engage in any commitment or conclude any contract until they get the approval of SAB regarding financial commitments on the State or any other public legal entity if the value of a single tender, commitment, agreement, or contract is more than 100,000.000 K.D. ($354,108.00). • In this case, SAB will not give its approval until it investigates technically the subject tender, commitment, agreement, or contract and verifies that the allocations of the funds in the budget allow for engagement or conclusion, and that all procedures required have been taken into account in compliance with the established financial regulations and rules. IT Pre-Audit

  9. IT Pre-Audit: • Pre-Audit ensures that the disqualified vendors have been disqualified fairly and according to the Terms of the tender. • Ensures that the winning vendor has met the government entity’s requirements. • Verifies that the allocated funds in the budget are technically related to the engagement. • Verifies the adherence of the contract to governmental policies and procedures. • Reviews the contract for adequate protection of the government entity’s rights. • An ongoing routine procedure. IT Pre-Audit

  10. IT Post-Audits: • Post-Audits are performed after signing of a contract and usually after the contractual period. • They are characterized by being a sort of investigative work, and therefore it must be noted that they are not concerned with providing recommendations and/or measuring performance. • Specialized in performing contract-compliance audits related to vendor and beneficiary sides by auditing the execution of IT tender projects. • Emphasize finding and reporting direct financial implications of system(s) and the surrounding operations. • Other goals can be investigating fraud or misuse claims on specific systems. • Usually initiated by request of other departments that specialize in financial-audit and sometimes as a special assignment by the upper management, National Assembly or the Council of Ministers. IT Post-Audit

  11. IT Performance Audit: • Performance audits are performed irrespective of contractual engagements. They are more oriented towards studying areas of the IT universe, management, control and governance. Unlike post-audits, performance audits are not concerned with the specifics of financial implications/findings. • It may be described as an independent auditing process aimed at evaluating the measures instituted by management, or the lack of these measures; ensuring that resources have been acquired economically and are utilized efficiently and effectively. • Such audits are specialized in benchmarking against international IT standards and guidelines. Thus, performance audit reports are fashioned in a way to provide guidance to the auditee on how to improve on the area under review. • Initiated by request of the Performance Audit Department. IT Performance Audit

  12. IT Pre-Audit Case Studies

  13. Organization Type: Ministry • Contract Period: 12 Months • Contract Subject: The ministry would like to update and enhance its Kuwait Integrated Maintenance Management System. The required changes and enhancements were requested through a tender that was conducted by the Consultants Selection Committee. IT Pre-Audit Case Study (1)

  14. IT Pre-Audit Study Details: A review of the RFP, the proposal of the winning consultant and the previous contracts was performed. Meetings were conducted with the ministry where discussions about the history of the system and the current state took place; and the following was identified: • The Maintenance Management System was commissioned in 1997 and since then it has been severely underused. While it should have been a system that would monitor the state of the country’s infrastructure and provide guidance on maintenance schedules, it was merely used as a maintenance request issuing system. IT Pre-Audit Case Study (1)

  15. IT Pre-Audit Study Details: • It was evident that the Ministry is unaware of the significance of the requested changes/enhancements as the Ministry was targeting to put to use the real benefits of the system while the RFP contains only enhancements of UI and application forms. The Ministry was also unaware of the real problem which was identified as the lack of input data on the readings related to the conditions of the country’s infrastructure. The lack of such data renders the system useless as its main functionality depends on it. IT Pre-Audit Case Study (1)

  16. IT Pre-Audit Study Details: • The ministry had no preconception on the outcome of the requested consultancy services as there was no thorough study of the reasons behind the current inactivity of the system. • It was found that the current consultant is requiring the original Source Code of the application in order to implement changes while it was identified that the Ministry has no possession of the Source Code which can hinder the progress of the requested consultancy. IT Pre-Audit Case Study (1)

  17. IT Pre-Audit Study Details: • The Ministry did not make a comparison study between: • Proceeding with the current change/enhancement request, which includes fees of the consultant for research/analysis of the current situation and for supervising the implementation of changes/enhancements, in addition to fees that will go to software development companies to carry out the actual implementation work. IT Pre-Audit Case Study (1)

  18. IT Pre-Audit Study Details: • The Ministry did not make a comparison study between: • Investigating the possibility of replacing the current aging system with a more recent technology that could be more cost efficient/effective and provide better functionalities. • IT Pre-Audit Study Result: Approval was denied due to the previously discussed findings. IT Pre-Audit Case Study (1)

  19. Organization Type: Central Committee • Contract Period: 60 Months • Contract Subject: The Central Committee would like to sign a consultancy contract to design, implement and maintain an information system to manage the national program of environmental rehabilitation. IT Pre-Audit Case Study (2)

  20. IT Pre-Audit Study Details: Due to the unique nature of this subject as it is the starting point to carry out the national environmental rehabilitation projects based on compensations provided through the United Nations after the 1990 invasion, it was given a special attention by the Bureau to make sure that the committee has been thorough in its consultancy requirements and preparation to start this important endeavor. IT Pre-Audit Case Study (2)

  21. IT Pre-Audit Study Details: The system is essentially a focal point for the affected countries and it will be used as a central supervision workplace for the United Nations to oversee the progress of the rehabilitation projects as compensations are provided accordingly. IT Pre-Audit Case Study (2)

  22. IT Pre-Audit Study Details: The bureau’s study included going over all related documents of the consultancy agreement and meetings with the committee where the following was covered: • Previous or current projects that specialize in environmental data which were used to put together the requirements for the current intended consultancy. • The methodology of the committee to ensure the comprehensiveness of the current requirements to cater for all aspects of the rehabilitation programs and to guarantee success. IT Pre-Audit Case Study (2)

  23. IT Pre-Audit Study Details: • The role of the other environment-related governmental organizations and the degree of coordination and involvement considered since the committee will be in charge of some responsibilities that might overlap with such organizations. • The role of the Central Agency for Information Technology and the coordination to facilitate the use of Kuwait Information Network and other related resources for the project. IT Pre-Audit Case Study (2)

  24. IT Pre-Audit Study Details: • The coordination with other governmental bodies that will be in charge of parts of the environmental rehabilitation projects starting after the completion of the intended consultancy. • Future plans and subsequent stages to the project. • IT Pre-Audit Study Result: Approval granted. IT Pre-Audit Case Study (2)

  25. Organization Type: Ministry • Contract Period: 36 Months • Contract Subject: The ministry would like the approval for a tender contract in order to start the project of developing a portal with electronic content to support e-learning. Additionally, the contract includes outsourcing technical consultants to support the developed solution and its users. IT Pre-Audit Case Study (3)

  26. IT Pre-Audit Study Details: After reviewing the tender documents, it was noticed that the development period of the portal and electronic content is 8 months, followed by another 12-month period of warranty, support and maintenance that ensures the ministry continuous trouble-free operation of the solution. The technical support consultants, requested to be offered in the same contract, were identified to be starting from the initial sign-up of the contract and will be providing support to the developed solution and its users. IT Pre-Audit Case Study (3)

  27. IT Pre-Audit Study Details: For the consultants to start their duties from the beginning of the contract is found to be pointless since the initial 8 months are dedicated for development purposes and there will be nothing for them to support until the solution is formally accepted by the ministry. IT Pre-Audit Case Study (3)

  28. IT Pre-Audit Study Result: Approval was granted partially, only to the development phase while the ministry requested to postpone the part containing the technical consultants as it will be resubmitted for approval after the completion of the initial development phase. IT Pre-Audit Case Study (3)

  29. Organization Type: Ministry • Contract Period: 3 years • Contract Subject: Electronic Payment Services Agreement IT Pre-Audit Case Study (4)

  30. IT Pre-Audit Study Details: The ministry would like to sign a non-tender contract with the sole e-payment company in the country to provide e-payment services to governmental organizations in order for them to utilize in collecting governmental income. The cost is on a per transaction rate that varies based on transaction volume. It is also agreed that there will be sub contracts or for each benefiting organization in order to govern the provided services. IT Pre-Audit Case Study (4)

  31. IT Pre-Audit Study Details: The bureau approached this subject with special attention because of the fact that e-payment is a new concept for the government to implement. The bureau is targeting to assure the maximum benefit from this contract to the government. One of the major areas of focus during the audit was making sure that the offered rates are reasonable. Additionally, the bureau discussed with the ministry’s officials the procedures in place in order to facilitate the proper execution of the contract by coordinating with the rest of the government organizations. IT Pre-Audit Case Study (4)

  32. IT Pre-Audit Study Result: Approval was granted along with conditions/recommendations as per the following: • That all sub-contracts belonging to each governmental organization must be presented to the bureau for approval. • For the ministry to coordinate with all governmental organizations in order to accelerate the implementation of the e-payment services in accordance with an agreed schedule in order to benefit from lower rates as soon as possible. IT Pre-Audit Case Study (4)

  33. IT Pre-Audit Study Result: Approval was granted along with conditions/recommendations as per the following: • For the ministry to revisit and review the offered rates after actual use of the services and before renewing the contract with the company. • For the ministry to seek alternatives among competing e-payment service providers in order to find the best services and prices. IT Pre-Audit Case Study (4)

  34. IT Post-Audit Case Studies

  35. Organization Type: Ministry • Subject: Auditing the National Rationing System • IT Post-Audit Study Details: The case required the audit of a Rationing system developed by the IT department of the Ministry to automate and optimize the delivery of essential subsidized commodities to eligible beneficiaries. The Ration Department is in charge of setting the rationing regulations and laws by setting eligibility criteria and determining quotas and prices. IT Post-Audit Case Study (1)

  36. IT Post-Audit Study Details: The IT department of the ministry is in charge of the Rationing System to: • Issue, renew and amend the ration card data for beneficiaries using the Ration Card sub-system. • Distribute the goods to consumers branches of Co-operative wholesale societies using the Ration Distribution sub-system. IT Post-Audit Case Study (1)

  37. IT Post-Audit Study Details: As reported by the Ration Department, the system is expected to deliver the following benefits: • Provide the information on beneficiaries, ration cards and transactional data in an electronic format for easier accessibility and accuracy. • Non-issuance of duplicate ration cards per beneficiary. • Avoid the current manual issuance and indexing of ration cards. • Link the branches to the main system at the ministry to automate exchange of data. IT Post-Audit Case Study (1)

  38. IT Post-Audit Study Details: As reported by the Ration Department, the system is expected to deliver the following benefits: • Issue/print the new ration cards. • Better management of inventory and governing of transactions. • Provide accurate statistical reports in a timely fashion with ease. IT Post-Audit Case Study (1)

  39. IT Post-Audit Study Details: The goal of the audit is to: Investigate the data quality, validity and reliability of both sub-systems (Ration Card, Ration Distribution) in comparison to the rules and regulations set forth by the Ration Department in order to make an assessment of the soundness of the Ration system and its related operations. IT Post-Audit Case Study (1)

  40. IT Post-Audit Study Key Finding (1): It was found through data analysis that the Ration Card sub-system allows the registration of beneficiaries without a verification mechanism for their legal eligibility. The users working on the system can register/add non-eligible beneficiaries to the system without any restrictions. Additionally, the system also allows the addition of any number of non-eligible beneficiaries as dependents on another eligible or non-eligible parent beneficiary, making up a family without a verification mechanism for the type of relationship. This lack of control or verification against governing laws can lead to fraudulent transactions of consumables. IT Post-Audit Case Study (1)

  41. IT Post-Audit Study Key Finding (2): It was found that the system lacks input controls and data entry verification methods. Cases of registered beneficiaries with erroneous national ID numbers, very short names or no name at all were found. It was also found that some of these beneficiaries have received some ration, which means they are active beneficiaries. It was also found that the aforementioned beneficiaries were registered over a period of three months, which means that there isn’t any auditing or cleanup process or that it is not frequent enough to mitigate fraudulent transactions. IT Post-Audit Case Study (1)

  42. IT Post-Audit Study Key Finding (3): The Ration System assigns a quota of consumables depending on the number of beneficiaries within a family. The quota is reset each month. It was found that if dependents were removed from a parent beneficiary and reassigned, it will automatically reset the quota on the spot and during any day of the month. This can be abused by illegally increasing the quota of a beneficiary. Additionally, this can be done multiple times within one month. IT Post-Audit Case Study (1)

  43. IT Post-Audit Study Key Finding (4): As per the business requirements, the system should issue one ration card per household, usually to the head of the family. The rest of the family members are linked as dependents. It was found from the data analysis of the ration card sub-system that there are ration card holders that are not defined in the system as head of a household. Additionally, these same ration card holders are linked as dependents on another head of a family. IT Post-Audit Case Study (1)

  44. IT Post-Audit Study Key Finding (4): This means that such beneficiaries can have duplicate ration quotas; once as a card holder and once as a dependent. Further data analysis of transactions found the aforementioned beneficiaries have actually received ration which concludes that the finding is not only a database discrepancy. IT Post-Audit Case Study (1)

  45. IT Post-Audit Study Key Finding (5): The system uses a process to deactivate beneficiaries and ration cards based on multiple business reasons. Regardless of the reason, any deactivated beneficiary or ration card is archived in a historical database to keep track of them. It was found through data analysis of ration transactions and comparing to the historical databases that there are active ration cards (receiving rations as seen in the transactions) that belong to deactivated beneficiaries or belonging to a non-existent beneficiary. IT Post-Audit Case Study (1)

  46. IT Post-Audit Study Key Finding (5): This is an indicator of a weakness and lack of processing controls on the system. Additionally, it is not known whether the system users are aware of this issue and if it is being abused or not. IT Post-Audit Case Study (1)

  47. IT Post-Audit Study Key Finding (6): The system allows the grouping of ration quotas under one household where a number of dependents are added to one ration card holder. This also means that all household members must have the same street address, while it was found during the data analysis that there were some ration card holders who had dependents having different street addresses. Such additional lack of input controls and verifications adds more risk to the possibility of adding fake beneficiaries to the system. IT Post-Audit Case Study (1)

  48. IT Post-Audit Study Key Finding (7): The system holds a definition database containing all subsidized commodities. Additionally, the daily sales transaction database shows what has been sold for the day using the common definition codes. It was found that the daily sales transaction database contains transactions for unidentified commodities on the system. IT Post-Audit Case Study (1)

  49. IT Post-Audit Study Key Finding (7): The existence of such transactions for unidentified commodities obviously does not reflect the actual sales and quantities, and it makes it very difficult to generate trustworthy statistical reports with real information regarding sales and transactions. Additionally, the existence of unidentified commodities could be a sign of some kind of fraud. IT Post-Audit Case Study (1)

  50. IT Post-Audit Study Key Finding (8): The system holds a pricing database containing all subsidized commodities and the prices per sale unit. It was found that there are transactions for commodities with prices different than the ones defined in the pricing database. Additionally, some of these transactions had unrealistically small prices or amounts. IT Post-Audit Case Study (1)
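
The data-analysis tests behind Key Findings (4), (5), (7) and (8) can be written as exception queries over the card, beneficiary, commodity and sales data. The following is an added example, not part of the SAB presentation or the audited system: the table and column names, the in-memory SQLite database and every row are constructed for illustration.

```python
import sqlite3

# Hypothetical schema and constructed rows; prices are integer fils (1 KD = 1000 fils).
SAMPLE = """
CREATE TABLE beneficiaries (id INTEGER PRIMARY KEY, name TEXT, head_id INTEGER);
CREATE TABLE archived (id INTEGER PRIMARY KEY);  -- deactivated beneficiaries
CREATE TABLE cards (card_no TEXT PRIMARY KEY, holder_id INTEGER);
CREATE TABLE commodities (code TEXT PRIMARY KEY, price_fils INTEGER);
CREATE TABLE sales (txn_id INTEGER PRIMARY KEY, card_no TEXT, code TEXT, price_fils INTEGER);
INSERT INTO beneficiaries VALUES (1,'Head A',NULL),(2,'Member of A',1),(3,'Head B',NULL);
INSERT INTO archived VALUES (4);
INSERT INTO cards VALUES ('C1',1),('C2',2),('C3',3),('C4',4),('C9',99);
INSERT INTO commodities VALUES ('RICE',500),('SUGAR',300);
INSERT INTO sales VALUES
  (101,'C1','RICE',500),   -- clean transaction
  (102,'C2','SUGAR',300),  -- card held by someone who is also a dependent (finding 4)
  (103,'C4','RICE',500),   -- card holder is in the archive (finding 5)
  (104,'C9','RICE',500),   -- card holder does not exist (finding 5)
  (105,'C3','X17',1000),   -- commodity code not in the definition table (finding 7)
  (106,'C3','SUGAR',1);    -- price differs from the pricing table (finding 8)
"""

# One exception query per finding; each returns only the rows an auditor must follow up.
CHECKS = {
    # Finding 4: card holders linked as dependents, with the number of rations drawn.
    "cardholder_is_dependent": """
        SELECT c.card_no, b.id, b.head_id, COUNT(s.txn_id)
        FROM cards c JOIN beneficiaries b ON b.id = c.holder_id
        LEFT JOIN sales s ON s.card_no = c.card_no
        WHERE b.head_id IS NOT NULL
        GROUP BY c.card_no, b.id, b.head_id ORDER BY c.card_no""",
    # Finding 5: rations drawn on cards whose holder is deactivated or unknown.
    "ration_on_invalid_holder": """
        SELECT s.txn_id, s.card_no,
               CASE WHEN a.id IS NOT NULL THEN 'deactivated' ELSE 'non-existent' END
        FROM sales s JOIN cards c ON c.card_no = s.card_no
        LEFT JOIN beneficiaries b ON b.id = c.holder_id
        LEFT JOIN archived a ON a.id = c.holder_id
        WHERE a.id IS NOT NULL OR b.id IS NULL ORDER BY s.txn_id""",
    # Finding 7: sales rows whose commodity code has no definition.
    "undefined_commodity": """
        SELECT s.txn_id, s.code FROM sales s
        LEFT JOIN commodities m ON m.code = s.code
        WHERE m.code IS NULL ORDER BY s.txn_id""",
    # Finding 8: sales rows whose unit price differs from the defined price.
    "price_mismatch": """
        SELECT s.txn_id, s.code, s.price_fils, m.price_fils FROM sales s
        JOIN commodities m ON m.code = s.code
        WHERE s.price_fils <> m.price_fils ORDER BY s.txn_id""",
}

def load_sample():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

def run_checks(conn):
    """Run every exception query and return {check name: list of offending rows}."""
    return {name: conn.execute(sql).fetchall() for name, sql in CHECKS.items()}

if __name__ == "__main__":
    for name, rows in run_checks(load_sample()).items():
        print(f"{name}: {len(rows)} exception(s)")
        for row in rows:
            print("   ", row)
```

Run periodically, the same queries also serve as the recurring cleanup control whose absence Key Finding (2) notes.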
