Post on 02-Jan-2016
1
Into-
2
What is IntoSAINT?
Intosai Self Assessment INTegrity
vulnerabilities Integrity controls
3
Two day workshop
With cross section of employees
4
Utilises knowledge and experience of employees
Promotes integrity awareness
!
5
Quick results
Practical and applicable recommendations
6
Ownership
Integrity
7
SAI leads by example
Integrity in public sector
9
Mini-workshop
10
Assessment methodology
Object definition- organisation
- processes
Assessment vulnerabilities
Assessment Maturity level
Integrity Control System
Gap analysis
Recommendations - Reducing vulnerability - Strengthening controls
11
Vulnerabilities
• Vulnerable processes exist in all government organisations
• Some activities and processes are inherently more vulnerable than others
• Some factors can make processes more vulnerable
12
Inherent vulnerabilitiesElements Vulnerable areas /activities /actions
Relationship of the entity with its environment
Contracting procurement, tenders, orders, assignments, awards
Payment subsidies, benefits, allowances, grants, sponsoring
Granting / Issuance
permits, licenses, identity cards, authorizations, certificates
Regulating conditions of permits, setting standards / criteria
Inspection / audit
supervision, oversight, control, inspection, audit
Enforcement prosecution, justice, sanctioning, punishment
Managing public property
Information national security, confidential information, documents, dossiers, copyright
Money treasury, financial instruments, portfolio management, cash/bank, premiums, expenses, bonuses, allowances, etc.
Goods handling, management and consumption (stocks, computers)
Real estate buying / selling
I nherent vulnerabilities
0,00
0,50
1,00
1,50
2,00
2,50
3,00
Contr
act
ing
Paym
ent
Gra
nti
ng /
issu
ance
Regula
ting
Insp
ect
ion /
audit
Enfo
rcem
ent
Info
rmati
on
Money
Goods
Real Est
ate
1 2 3 4 5 6 7 8 9 10
Sco
re AverageStDev
I nherent vulnerabilities
0,00
0,50
1,00
1,50
2,00
2,50
3,00
Contr
act
ing
Paym
ent
Gra
nti
ng /
issu
ance
Regula
ting
Insp
ect
ion /
audit
Enfo
rcem
ent
Info
rmati
on
Money
Goods
Real Est
ate
1 2 3 4 5 6 7 8 9 10
Sco
re AverageStDev
I nherent vulnerabilities
0,00
0,50
1,00
1,50
2,00
2,50
3,00
Contr
act
ing
Paym
ent
Gra
nti
ng /
issu
ance
Regula
ting
Insp
ect
ion /
audit
Enfo
rcem
ent
Info
rmati
on
Money
Goods
Real Est
ate
1 2 3 4 5 6 7 8 9 10
Sco
re AverageStDev
MR Average
14
Vulnerability enhancing factors
1. Complexity
2. Change / dynamics
3. Management
4. Personnel
5. Problem history
Vulnerability enhancing factors
0,000,200,400,600,801,001,201,401,601,802,00
Com
ple
xit
y
Ch
an
ge/d
yn
am
ics
Man
ag
em
en
t
Pers
on
nel
Pro
ble
m h
isto
ry
1 2 3 4 5
Score Average
StDev
Vulnerability enhancing factors
0,00
0,50
1,00
1,50
2,00
2,50
3,00
Com
ple
xity
Change/d
ynam
ics
Managem
ent
Pers
onnel
Pro
ble
m h
isto
ry
1 2 3 4 5
Sco
re AverageStDev
Vulnerability enhancing factors
0,00
0,50
1,00
1,50
2,00
2,50
3,00
Com
ple
xity
Change/d
ynam
ics
Managem
ent
Pers
onnel
Pro
ble
m h
isto
ry
1 2 3 4 5
Sco
re AverageStDev
16
Assessment maturity level Integrity Control System
What is the maturity level of the integrity control system?• Existence of controls• Operation of controls• Effectiveness of controls
Object definition
- organisation
- processes
Assessment
vulnerabilities
Assessment
Maturity level Integrity Control System
Gap analysis
Recommendations
- Reducing vulnerability - Strengthening controls
17
Integrity Control System General controls
1. Integrity policy framework Hard controls 2. Vulnerability / risk analysis Soft controls
3. Responsibilities 8. Values and standards
4. SAI legal framework 13. Recruitment and selection 9. Professional SAI standards
5. Integrity legislation and regulations
10. Integrity awareness
6. Administrative organisation / internal
control
14. Response to integrity violations
11. Management attitude
7. Security 12. Organisational culture
15. Accountability and transparency
16. Audit and monitoring
18
Maturity levelsLevel Criteria
0 - The measure does not exist
1 - The measure exists
- The measure is not implemented / observed
2 - The measure exists
- The measure is implemented / observed
- The measure is not effective
3 - The measure exists
- The measure is implemented / observed
- The measure is effective
19
IntoSAINT webpage
http://www.courtofaudit.nl/IntoSAINT