FINLAND: ICT and digitalization as performance audit targets

In addition to conventional IT audits, the National Audit Office of Finland (NAOF) also conducts performance audits targeted at ICT and digitalization. In their present form, performance audits with the ICT and digitalization perspective date back to 2006, when the NAOF recruited the first performance auditor specialized in audits of this field. Before this, the NAOF had carried out a few performance audits targeted at IT projects.

The number of personnel at the NAOF has equalled approximately 150 person-years. The maximum number of performance auditors focused on ICT and digitalization-related topics that have been simultaneously employed by the NAOF has been five. Both an applicable doctor's degree and certifications in auditing (e.g. CISA) have been considered assets in the recruitments.

However, instead of formal qualifications, the NAOF has emphasized the auditor's practical experience in ICT and digitalization and interest in developing their own and the entire agency's competence in audits related to these topics. The NAOF has succeeded quite well in recruiting top experts, but the employee turnover has been higher than usual among auditors in this field. This is, nevertheless, also typical with other professions in ICT and digitalization.

The topics of ICT and digitalization-related performance audits have been varied. Audits have been targeted at both central government and regional development projects. Typical topics have included procurement of IT systems by government agencies and centralization of central government ICT services. In this millennium, central government ICT services have been organized in increasingly large entities. During the years, the NAOF has conducted several audits where the functionality of the service centre model has been assessed from several perspectives.

Certain “eternal themes” have come up in the performance audits conducted in recent years – regardless of the topic. They include at least 

• problems with the strategic steering of digitalization
• insufficient interoperability and overall architecture of information systems
• prolonged initial difficulties of the service centre model
• defects in the assessment of the total costs of purchases and the lifecycle of systems
• cyber security.

Audits related to ICT and digitalization have encouraged the public administration to take action. Legislative amendments have been made, for example, to enhance the interoperability of general government information systems and the smoothness of electronic transactions by both citizens and enterprises.

Society and general government do not operate without information systems. The fast technological development keeps offering new opportunities to increase the efficiency of public administration and improve the digital services it provides. At the same time, the problems and risks related to the digitalization of services and the utilization of ICT are becoming more diverse and more difficult to solve.

The challenge that Supreme Audit Institutions will be facing in the next few years is how to integrate the ICT and digitalization perspective more often with performance audits. Although any performance audit, in practice, could nowadays include parts related to information systems and electronic services, it is still very usual to exclude information systems and their operations from them. Performance audits could try to meet this challenge, for instance, by utilizing standard-form audit questions related to the purchase of information systems and the quality of cost estimates, for example. Even if we managed to provide a larger group of auditors with basic ICT and digitalization competence, we will still continue to need special experts in this field. To be able to retain these top experts at the NAOF, we will have to keep coming up with ideas of new and more challenging audit topics. In the future, it would be important to always identify the significance of ICT and digitalization for the audit topic and take it into account in the planning of performance audits.