SLOVENIA: IT audit - Managing cooperation with the users of IT service
In December 2023, the Court of Audit of the Republic of Slovenia published the report of its audit regarding the efficiency of the Ministry of Public Administration in managing cooperation with its IT service users.
Between 2015 and 2020, the Government of the Republic of Slovenia undertook a project of centralising most public sector IT services under the Ministry of Public Administration (MOPA). Although the centralization project officially concluded in 2020 with a generally positive assessment, previous audits by the Court of Audit of the Republic of Slovenia (court of audit) highlighted ongoing ambiguities in IT governance and management responsibilities.
Due to the significant risks posed by unclear delineation of responsibilities, particularly in IT security and data protection, the court of audit initiated an audit to evaluate MOPA's efficiency in managing cooperation with its IT service users. This audit comprised two primary components:
The first component aimed to assess the general conditions of IT services offered by MOPA and determine the clarity of responses to key questions:
- What services does the MOPA offer?
- Who is entitled to use them?
- Under what conditions may a particular entity utilize MOPA's services?
The audit scrutinized the regulatory framework implementing centralization of IT services, along with MOPA's documentation, such as the IT service catalogue and the general terms and conditions.
The court of audit found several significant issues with MOPA's management of its IT services. Firstly, MOPA only released a comprehensive catalogue of its IT services at the end of the audited period. Furthermore, detailed descriptions for the majority of services were lacking, leading to confusion among public sector organizations regarding service availability and the obligations of both contractual parties. It was also unclear which organizations were required to use MOPA's IT services and which organizations could opt to use them voluntarily. Additionally, the criteria for payment for MOPA's IT services were ambiguous. For the majority of its IT services, MOPA also failed to publicly disclose the manner of opting into the service, the general conditions of use and the shared responsibility for service management.
The second part of the audit focused on evaluating individualized IT service conditions to ascertain the clarity of responsibilities between the service provider (MOPA) and its clients (other public sector entities). This assessment involved a review of various contractual agreements, notably Service Level Agreements and Operational Level Agreements.
The audit found that MOPA inadequately managed contractual agreements. Among other things, it did not keep accurate and up-to-date records of contractual agreements and lacked valid versions of several contractual agreements. There were also instances of service provision without written contracts. Regarding the content of contractual agreements, the audit found that many agreements lacked specificity regarding service subjects due to inconsistencies in naming conventions across legal bases and public documents, leading to confusion as to which IT service a given agreement refers to. Additionally, the rights and obligations of the parties, particularly concerning information security and personal data protection, were often not defined. Moreover, the majority of agreements failed to establish service quality indicators.
Based on these findings, the Court of Audit of the Republic of Slovenia concluded that MOPA's management of cooperation with the users of its IT services was inefficient and proposed 37 recommendations for operational improvement.
Audit infographic is available at
https://www.rs-rs.si/fileadmin/user_upload/Datoteke/Revizije/2023/IS-MJU-SLA/ENG/MOPA-IT-services-infographic.pdf
Full report (in Slovene language)
https://www.rs-rs.si/fileadmin/user_upload/Datoteke/Revizije/2023/IS-MJU-SLA/IS_MJU_SLA_RSP_Revizijsko_P.pdf