IT-report and IT Audit Statement strengthen the governance of the digital government

By: drs. Joep Janssen RE MIM

NOREA, the professional association of IT auditors, is working on an IT Audit Statement that can assess the cyber resilience of companies. This statement may be required in the future when companies, for example, apply for credit from a bank. Our lead IT Auditor, Joep Janssen, is closely involved in this initiative. He explains that such a report and statement are also valuable for the government.

IT statement, IT audit statement, Governance, Digitalization, Government

An IT Report and an IT Audit Statement in the government

We see that the business sector and the government are rapidly digitizing. Assurance of the proper functioning of information technology is of national importance in this context. The Netherlands is one of the most digitized countries in the world, and Amsterdam holds a prominent position as an IT hub globally. It is becoming increasingly important nationally that all information technology within organizations works flawlessly and continues to function. Both within the administration and among regulators, we see a growing need to be demonstrably 'in control' of information technology. This need is expanding not only for the organization itself but also for a broad group of stakeholders and chain partners. These stakeholders attach increasing importance to assurance regarding the proper functioning of information technology. We see this in banks that must grant loans, as well as among suppliers, consumers, rating agencies, regulators, and in the broader context of society. An IT report from the management to communicate this or to inform chain partners and other stakeholders is ideally suited for this purpose.

Highberg performs many governance assignments in the public sector. Here, we observe that representatives increasingly want to be informed about the quality of digitization and the resilience of government organizations against cyberattacks. Digitization plays an essential and undeniable role in achieving societal goals.

IT incidents in government organizations often lead to a barrage of (parliamentary) questions and many ad hoc reports (often highly technical) to representatives. This has resulted in a jungle of reports, investigations, and factual records in which the big picture can no longer be seen for the trees. There is an urgent need for more transparent and standardized reporting. We are not the only ones who think this. The Netherlands Court of Audit (Algemene Rekenkamer) has also published on this matter.

In the report 'Grip op digitalisering: rode draden uit tien jaar Rekenkameronderzoek' (March 2020), the Netherlands Court of Audit states that to be able to verify whether the government is actually achieving its digital ambitions, the right information is needed first and foremost. Information about what digital systems cost, what they yield, and how (well) they function. According to the Netherlands Court of Audit, this information is often incomplete, and its quality could be improved. Due to a lack of standards in this information, comparisons between government organizations, and over time, cannot be made. This makes it difficult for the House of Representatives (lower house of States General) to control and for the government to learn from and improve its mistakes. The risk is that the same mistakes are made repeatedly.

The Netherlands Court of Audit is unequivocal in stating that the provision of information by ministries and implementing organizations to the House of Representatives concerning ICT is incomplete: information often concerns large renewal projects, while information about management and maintenance is missing. This leaves Parliament insufficiently able to make decisions based on a wide range of information. The Netherlands Court of Audit also calls for strengthening governance by working according to a growth model and a gradual harmonization, including in legislation and regulations.

In our opinion, the scope of the annual reports of government organizations, which are often strongly oriented towards external effects and finances, is too limited to form an adequate picture of IT management governance and the control of digitization projects. Not to mention that there is not enough room in a financial report, for example, for an organization to be accountable for its resilience against cyberattacks and whether digitization is prepared for the near future. A new reporting format in the form of an IT report is urgently needed to strengthen governance in the digital government.

An IT report and an IT Audit Statement offer many advantages

An IT report and an IT Audit Statement provide government organizations with an excellent opportunity to report in a structured and integrated manner on IT management and the control of digitization, on the growth phase in which the organization finds itself, and on the remaining challenges. It is imperative that the organization's management takes the lead in this. Subsequently, it is up to the auditor to confirm with a statement that the presented picture corresponds to reality. Such an integrated and structured approach prevents separate accountability having to be given for each incident, which would create an incoherent and possibly even unqualified view of digitization control.

At present, there are many specific legal accountability requirements for government organizations and administrative levels, often requiring accountability on a large number of the same subjects and control measures. Enormous efficiency and quality gains can be made by transitioning to a standardized form of reporting. However, substantial steps still need to be taken to arrive at a widely accepted standard.

Conditions for an IT report and the IT Audit Statement

Many organizations are not yet in a position to provide a comprehensive overview of all digitalization activities. Therefore, it will require a significant effort from organizations to compile an integrated IT report. This will often need to be set up as a project with the necessary internal and external experts. The involvement of an independent internal or external auditor also requires effort and incurs costs.

On the other hand, the introduction of an IT Report and an IT Audit Statement should not be too complicated in practice. In the current practice of financial audit, the IT management of financial systems is already audited by the IT auditor. The scope of the examination can be expanded by the IT auditor from merely financial aspects to the entire IT organization.

Efforts should be made to prevent chain parties that collaborate in an agreement framework from demanding accountability from each other. Accountability should be primarily directed towards representatives (horizontal accountability). Where different government levels collaborate, as in agreement frameworks, the central government may rely on the horizontal accountability of other government levels for its statutory supervision. For vertical supervisory purposes, the horizontal accountabilities and associated assurances from chain parties (public and private) can be used. This reinforces the need for, and the desirability of, standardization. We see that current legislation often still requires detailed and specific reporting. To bring more standardization to this, legislative changes will often be necessary. This is a multi-year process.

The introduction of an IT report does require a growth path, where not all strict requirements are immediately applied, but room is allowed for learning and development. It is wise to first work on a good IT Report and, when this is well-structured, provide an IT Audit Statement. This allows organizations the opportunity to learn and grow in maturity.

Efforts should be made to prevent the IT report from being used to 'hold the organization accountable' or for political purposes. 'Good governance' requires that 'political use' of the IT report and 'cherry-picking' be prevented. In our view, this can be achieved by introducing strong standardization in reporting and a standardized audit approach.

Content of the IT report

A good IT report should mention how IT management has taken place in the past year and what the organization has done to prevent the recurrence of incidents. Learning experiences and the growth path can also be included. The IT report should also indicate how IT within an organization is future-proof and what digitalization projects are currently underway or planned. This is the most relevant information for various stakeholders. The IT report should therefore cover both generic topics (such as information security and continuity) and topics that are crucial for the sector in which the organization operates. In the case of the government, it is essential for the IT report to indicate how digitization contributes to achieving the sector's policy goals.

The following topics can be included in the IT report:

  • Outlook (1-3 years)
  • IT strategy
  • Use of modern IT
  • Significant projects
  • Risk analysis related to the use of IT
  • Patching
  • Version control
  • Continuity
  • Access security
  • Incident management
  • Change management
  • Security
  • Cybersecurity
  • Outsourcing
  • Investments in IT
  • Quality of project management
  • Quality of system development
  • Dependence on third parties
  • Innovation capacity

IT Audit Statement

NOREA believes that there is a logical need for an independent and expert assessment or judgment of such an IT report. This can take the form of an assurance report. The exact details of the assessment or judgment and the criteria to be used still need to be worked out.

For questions about the IT report or the IT Audit Statement, you can contact our lead IT Auditor:

Drs. Joep GM Janssen RE MIM