50 !

into IT

auditing IT service management

risk assessment
favourable experiences with
a new tool for auditing IT
service manement
"IT service management" is the overall methodology for linking the various management
processes necessary to ensure a consistent supply of quality IT services.

In 1999, the Office of the Auditor General of Norway1 began a collaborative project with
the SAIs of the UK, Sweden, Japan, Russia and Canada to develop a guide on auditing IT
Service Management. Project co-ordinator Bernt Nordmark and Anne Grete Bangsund
describe the outcome.

management within or across several

Background
"Auditing IT Service Management - Risk
Assessment" was prepared for use by
auditors with little experience of auditing
IT Service Management. The completed
draft was presented at the INTOSAI IT
Audit Committee meeting held in
Slovenia in 2001, where Norway was
invited to incorporate feedback on the
Guide from the Committee's 26
member countries. The Committee also
decided to post the completed Guide on
their website2.
At last November's Committee meeting
in Delhi, Norway reported on the
project's implementation and on the final
product.
The Guide's structure and
content: a tool for
agencies
Auditing IT Service Management can be
used to review individual IT service
management activities or the overall
picture.
The Guide follows a model comprising
six sub-areas: policies and strategies;
operation; support; external drivers;
user interaction; and impacts on the
external environment. It can thus be
used in the areas of financial and
performance auditing to support
comparative evaluations of service
agencies. A key point is that the Guide
might also be used by agencies
themselves.
The Guide provides a systematic pres-
entation. It begins with a review of the
risk factors connected with senior
management's roles and responsibilities,
gives examples of the risk factors
associated with service management
activities, and provides practical and
useful examples of potential risk factors
and the impacts they might inflict.
Typical risk reduction strategies are also
described.
 into IT ! 51

The annexes describe overall IT service
management, systems development and
IT service management processes.
There are also explanations of risk
management, auditing the management
of IT infrastructure risks and examples
of audits of unsatisfactory IT projects.
Finally, there is a glossary of terms.
Auditing experience
To ensure user-friendliness we tested
the Guide both in Norway and in other
countries. We have used it at both an
overarching level and in connection with
reviewing major components of IT
service management within Statistics
Norway, the Norwegian Directorate of
Customs and Excise, the Norwegian
Directorate of Taxes, and in our audit of
the International Organization of
Migration (IOM) in Geneva. We have
also found the Guide useful in our
advisory activities.
When planning the IOM audit
programme in 2001, we decided that IT
service management was an important
The Guide has now been introduced Mastering the Guide might pose a
into the drive to improve IT service challenge, and adequate knowledge of
management and security solutions in how an organisation use and manage
public sector agencies elsewhere in their IT systems is really necessary to
Scandinavia. In this connection, project obtain the best results. One of our
coordinator Bernt Nordmark presented auditors remarked that "I am quite
it during a security seminar for major pleased with this tool, and we have
Scandinavian public sector agencies held profited from using it in our work.
in Frankfurt last November, and it was However, getting into it probably takes
also presented at a Nordic audit seminar some effort, and some background
in Helsinki in autumn 2001. The Guide knowledge about risk assessment and IT
has also been taught at a seminar for is required".
auditors held in northern Norway last
autumn.
Conclusion
Overall, we have received favourable
feedback from auditors on the Guide's
usefulness, while both our clients'
management and IT departments have
shown great interest in it. We have also
initiated a dialogue on improving our
clients' standards of IT service
management.

1
area to audit. We therefore focused on Strategies
potential risk factors, together with their and policies
attendant faults and problems, and on
possible risk reduction strategies. The
Guide proved a very useful tool both in

4 2 5 6
preparing the audit programme and in External User
conducting the audit. Drivers In Operation Internation Consequences
We used the Guide in the Directorate of
Customs and Excise, and Directorate of
Taxes audits (in both 2001 and 2002) to
uncover the risks inherent in their
operational and strategic IT service
management. The auditors looked for
3 Support

links between their IT and their agency

strategies. The tool uncovered risk
exposures and has also provided the The model followed by the guide
directorates with an improved basis for
continued work in this area. We have
taken these risks into account in our
future audit.

1 The Office of the Auditor General of Norway…. http://www.riksrevisjonen.no/

2 The Guide, which is in three parts, may be downloaded from… http://www.intosaiitaudit.org/pubindex4.html