1. Introduction
Executives are tasked by government, boards and in some cases by law to exercise the necessary controls over the organization, be it public, private or not for profit. While traditionally the Audit Committee has oversight over the controls that are in place to mitigate risk (particularly in Finance) , often, those controls over ICT are loose and misunderstood. The aim of this chapter is to provide a broad non- technical framework that will enable the Audit Committee and Public Service Executives, specifically tasked with the oversight of risk, to ask the right questions, and not necessarily to be experts in the technology involved.
2. Technology and Organisational Complexity
The use of technology in organisations vary. Consider the difference between a financial services organisation, a not for profit organisation and a manufacturing concern.
It is to be expected that the financial services organisation will operate in a highly regulated environment. Access to its systems and security issues would be high priority. Audit trails of data changes would be mandatory. Perhaps real time business continuity and disaster management would be high on the agenda. The spend on ICT would form a larger part of turnover. Systems are complex and varied. The ICT management team is skilled and specialised.
A medium size, not for profit organisation may have a more simple environment involving donor management and disbursements. A simple accounting infrastructure may be present with perhaps some contact management software for fund raising initiatives. Access and security ,while important, are perhaps less important than that of the financial services organisation. Verification of controls would also be less complex. It may have a small ICT support staff or perhaps be outsourced.
A manufacturer on the other hand could use very complex enterprise resource planning software to plan and manage the organisations supply chain. These may have many modules including a financial transaction layer, procurement, sales, inventory and manufacturing planning and control. Often support here is a combination of highly skilled internal ICT staff and external applications support.
The public service is understandably one of the more complex environments, as it contains elements of a service organisation, procurement, project and contract management, treasury and finance, with a large footprint in both delivery to its constituency, as well as performance management within its own organisation, notwithstanding the political complexities within it operates.
It can be seen from the above that depending on the type of organisation, the complexity of its ICT environment, and its reliance on these systems for survival and daily operation, Audit Committees have different questions to ask. They may also need to have external assistance when verifying that risk is mitigated.
3. The Governance role of the Public Service Executive
We are concerned here with Governance as opposed to Political Governing, which in the case of a public service professional, may be a juggling act. A recommended approach would be to equate the governance role in the same light as the duties commonly ascribed to directors of private and public companies, broadly:
-Take the necessary steps to practice due care in the management of the department , organisation or ministry
-Verify that the steps taken are adequate to achieve the delivery and service objectives, inline with policy, legislation and cost
-The actions taken, when measured against a reasonable man, should stand up in the light of public scrutiny
-Implement continual processes in due diligence, accountability and responsibility
-Implement the appropriate activities to monitor protection mechanisms
-And finally, maintaining the mechanisms put in place
Delivery in public service is often the largest area of concern, with public service professionals almost in a state of paralysis or limbo, waiting for decision to be taken by the government of the day. Alternatively, public servants might hold too much power in the opinion of politicians, thus delaying the implementation of policy if it is in conflict with the public servant’s political affiliations.
A non partisan public service is in truth probably not a reality, but, if the same principals of good governance in company law and responsibilities of directors is applied, by inference, the “right” actions will be taken. One must recognise the symbiotic relationship between the politician and public service staff, and to a large degree the unequal power sharing arrangement in place i.e. the politician should by democratic rights hold more power.
However, there is little reason not to create and implement the optimum mechanisms for delivery to streamline the implementation process, while waiting for decisions to be reached. Politicians come and go, but governments need to have a sense of permanence.
Practical examples of this could be:
-A defined tender and request for quote process that does not need to be redeveloped every time a project is agreed upon.
-A pre qualification process for major projects
-Processes and procedures in place to ensure that delivery is expedited
-Financial governance and control
-Health and pensions systems
The point here is that there is always a framework, business process, pre design, broad scoping exercise, information gathering, some or other pro-active activity etc that can be done while awaiting a government decision (good management needs to take place). Also, there is existing policy that will guide a proactive executive. Waiting and inactivity increases the chance of poor delivery.
4. Role of the Audit Committee in the Public Service
Traditionally Audit Committees remit is focussed around the evaluation of Risk. The question is however whether this will be appropriate in the future or whether the scope needs to be expanded. For example, if the strategic focus is around the effectiveness of services delivery, then the Audit function must be geared to ask the right questions, understand what the outcomes should be, understand the value drivers and make recommendations to improve delivery where it is lacking.
Another area which is often overlooked is non financial audit for example, effective provisioning of the military, effectiveness of government ministers, how good is the public service performance management system, or are public records secure from identity theft?
Often the dilemma is faced whether to play an active or passive role in audit. If the objective is to improve value delivery, drive effectiveness of government, improve performance of public servants, then being a passive reporter is totally inadequate. The future role of the public service audit function as an active participant in public service governance, responsible for playing a value added role in is self evident. The Chairman of the Audit Committee should not lose the opportunity to influence and contribute to the success of the organisation and of government. It may well be that the status of the Chairman of the Audit Committee be elevated to one of the highest and most influential political or public appointments in government. The skills here are in the areas of commercial, financial, program management and corporate governance acumen. Its not a legalistic approach if the intention is to get value delivery.
While it might not always be appropriate to drive standardisation of business processes, the Audit Committee needs to understand the value of a solid baseline of delivery. It’s all about alignment to achieve the objectives. An example of this would be a single, agreed upon, transparent and auditable process for procurement. All public service departments buy, why should it be different?
The role and responsibility of the Audit Committee in the Public Service needs to be redesigned if it is to drive and enable change.
5. Understanding ICT
It is not necessary to have to specialise or be an expert in the detail of the organisations deployed technology in order to ask some sensible questions. Ask any Managing Director of a company with diverse operations if this is true. However, it does make sense that the more complex the environment, the more assistance will be required. Also, the larger the organisation, the more chance there is that you have a Chief Information Officer, Chief Technology Officer , Chief of IT Governance or a combination of the above to provide the necessary ICT input.
What is important is that there is a framework in place to guide the Audit committee to ask the right questions. It may be feasible to develop a tool from scratch, or use one or a combination of the many frameworks or tools for ICT governance that are available to guide the process. It is never a decision about which one is used, although they have different areas of focus which you would need to be aware of, but more about how the tool is used, and what are the objectives being pursued. Remember that ICT is a changing environment, and therefore the tools need to be dynamic as well.
Fortunately, there are many well developed tools that are available, with good support to ensure that the tools are updated and reflect changing trends in ICT. The figure below seeks to position the toolsets /frameworks in an understandable way.
6. COBIT Example
Control Objectives for Information and related Technology (COBIT)[1] is a set of best practices (framework) for information technology (IT) management. Because of its pragmatic framework, it may be used to address Governance, process improvement and most importantly of all, service delivery. Even if public servants just manage each area mentioned below at a high level, i.e. ask the right questions, ensure that mechanisms are in place to rectify shortcomings, and measure results, there may be an immediate improvement in service delivery.
7. Information Systems are part of the solution
Historically when new governments or individuals are placed in power, the knee jerk reaction is to throw out the old and in with the new.
A policy change or new political appointment is not an excuse for doing away with good practice. As an example, a new individual heads up Finance. Nothing changes in the principles of good accounting practice, GAAP, IFRS etc remain the same. Financial prudence and control of risk, fiduciary duty remains the same.
Lets expand this to ICT. What makes ICT good is the existence of sound business practice, well identified business processes, solid measurement and remedial action of outcomes, and most importantly of all, the political and managerial gravitas to enforce compliance and discipline. Here politics must be separated from the responsibility of employees in public service to actually be held accountable for performance.
ICT alone cannot make up for or be the elixir to the absence of good governance.
8. Steps to Excellent Service Delivery
-Don’t get rid of useful things when discarding inessential things (Knee Jerk)
-Complex is not always the answer
-Know what is the most important public requirement and build your outcomes around this.
-Remember that there is balance between a wish list and practical reality
-If it cannot be articulated on paper, and I mean down to the last detail, it cannot be translated into technology, not ever.
-ICT fails because of this “we need a system to do “this”, but what “this” is we’re not sure”
-Kick butt and expect excellent results
[1] Toolsets and frameworks referred to may be trademarks of their respective owners.
No comments:
Post a Comment