Feature story from Finland: Increasing IT auditing capacity – Experiences of SAI Finland
Finland is one of the leading countries in the digitalized public services. One indication of that is the European Commission's annual Digital Economy and Society Index (DESI) (https://digital-strategy.ec.europa.eu/en/library/digital-economy-and-society-index-desi-2022), which regularly monitors and tracks EU member states' progress in digitalization. Finland has been on the top of the DESI index in recent years, ranking first 2022, 2020 and 2019 and second in 2021.
Because of the digitalization, the audit environment of SAI Finland has changed considerably over the last two decades, and nowadays the Finnish government administration and public service processes are mainly digital. The standardization and digitalization of service processes have enabled the centralization of services to service centers and larger administrative units and the deployment of shared IT systems. At a consequence of the digitalization, the financial and IT audit areas have intertwined. And because the risks and controls in the digital world are not similar than in the world of paper and manual-based processes, knowledge of common and relevant IT risks and controls has become the essential skill for financial auditors.
One reason for the digitalization progress in Finland has been the fast aging of the population. Finland’s old-age dependency ratio (population aged 65 and over as a proportion of the population aged 20-64) is projected to increase from 25% in 2000 to 43% in 2025 compared with an OECD average of 22% in 2000 and 33% in 2025 (https://www.oecd.org/finland/oecdrecommendsfinlandtodomoretohelpolderpeoplestayinwork.htm). Amid a shrinking working-age population and rising levels of vacancies, it is more challenging for employers to hire employees who have sufficient skills for vacancies. Eg. when we are talking about IT audit, the prerequisite is the good understanding of the audit methods, operational environment and information technology, which usually takes several years of work experience.
One of the actions to ensure the audit is comprehensive and relevant also in the digital environment, SAI Finland launched the ICT audit training program for financial auditors in 2016. The aim of the program was to enable financial auditors to audit better IT related issues. The focus of the program were access controls and user rights, application controls and interfaces of the stand-alone financial information systems in the government agencies, eg. grant administration systems. In addition to the training program, SAI Finland has produced the compact manual of IT-related audit issues. One of the tools we have utilized in training and developing manual has been WGITA – IDI Handbook on IT audit.
Finland has been one of the first countries which have faced the digital revolution with all its benefits and challenges. One lesson we have learned in increasing IT audit capacity is the learning from others’ experiences and the need of co-operation both in the SAI and internationally.
One of the most significant challenges in increasing IT audit capacity is the complexity and continuous evolution of the information technology. It is not easy task to hire (IT) auditors or to develop trainings or manuals which are sufficient for audit but not too overwhelming for auditors. So, it is always a compromise. However, it is good to point out that trainings and manuals are just the first step. The more important is to learn by doing and make improvements to cope with the ever-evolving information technology.