Coordinated Audit on Information Technology Governance - Executive Summary
Report ID: 225

IT governance is the part of corporate governance that seeks to ensure that the use of IT adds value to the business with acceptable risks. To that end, IT governance seeks to avoid or mitigate deficiencies in an institution's management, such as inadequate planning processes, IT projects without results and IT procurements that fail to achieve their objectives, which result in a loss of quality and efficiency.

The Coordinated Audit on IT Governance was carried out within the framework of the activities foreseen under strategic goal 3 (Knowledge Management) of the OLACEFS Strategic Plan 2011-2015. The audit had the participation of the SAIs of Bolivia, Brazil (Coordinator), Chile, Costa Rica, Peru, Ecuador, El Salvador, Guatemala, Honduras, Panama and Paraguay, and financing from the IDB.

The objective of the audit was to assess the state of information technology (IT) governance in the OLACEFS member countries, based on audits carried out in institutions representative of various segments of the public administration of each participating country.

The audit sought to obtain information that would allow the development of strategies to raise the maturity level of IT governance and the dissemination of the knowledge and techniques used in the field work carried out.

As audit criteria, in addition to the applicable legislation of each country, the audit adopted the controls set out in ISO/IEC 27002:2013, a code of good practice for information security management; in ISO/IEC 27005:2008, which deals with information security risk management; and in ISO/IEC 38500:2008 and ISACA's COBIT 5, which provide models of good practice for information technology governance.



International Coordinated Parallel Audit of Public Debt Management Information Systems
Report ID: 254

During 2013-2014 the Supreme Audit Institutions of Brazil, Bulgaria, Fiji, Georgia, Moldova, Romania, Ukraine, Yemen, and Zambia carried out the International Coordinated Parallel Audit of Public Debt Management Information Systems under the current Strategic Plan of the INTOSAI Working Group on Public Debt (WGPD). The SAIs of China, Egypt, Mexico and the Russian Federation took part in the project as observers.

The audit was conducted on the basis of the Common Parallel Audit Programme 1, elaborated in 2012 by the Accounting Chamber of Ukraine (as parallel audit coordinator), according to the International Standards for Supreme Audit Institutions (ISSAI) and best national practices. Summaries of national audit reports, developed by the participating SAIs within the framework of the parallel audit, complement the Joint Parallel Audit Report.

The parallel audit focused on assessing how efficiently Public Debt Management Information Systems (PDMIS) function in the jurisdictions of the participating SAIs. The primary objective of the audit was to ascertain:

  • whether the management and control processes of national Public Debt Management Information Systems were in place, and
  • whether the reviewed information systems were equipped with adequate general and application controls and whether these were properly implemented.

EUROSAI IT Working Group Parallel Audit on Biometric Passports
Report ID: 261

At the 8th Meeting of the EUROSAI IT Working Group (ITWG), held in Paris, France, in 2013, the SAIs of Switzerland (Audit coordinator), Portugal, Belgium, Latvia, Lithuania and Norway decided to carry out a Parallel Audit on Biometric Passports.

The objective of the audit was to assess whether adequate management and control processes are in place relating to the biometric passport production process. Within the primary objective, auditors were expected to ascertain whether the process to obtain a reliable and secure biometric passport is well defined and properly implemented.

The main goal of this audit was to validate the following areas with regard to the production process, including the risk mitigation aspect: benefit realisation, security, and effectiveness and efficiency.

The evaluation of the reported results showed that the overall passport process is generally under control, while a couple of high-risk findings were identified in the non-process-specific assessments. In the non-process-specific assessments, most of the countries found deficiencies and weaknesses related to the IS/IT system and the IT management. Medium risks were identified in the area of laws and regulations, cost-benefit realisation and transparency, as well as in security regulations relating to internal and external personnel.


Coordinated Audit on Information Technologies Governance – Executive Summary
Report ID: 316

IT governance is the part of corporate governance that seeks to ensure that the use of IT adds value to the business with acceptable risk. To that end, IT governance seeks to avoid or mitigate deficiencies in the management of an institution, such as inadequate planning processes, the presence of IT projects without results and IT contracts that do not achieve their objectives, which result in a loss of quality and efficiency.

The Coordinated Audit on IT Governance was carried out in the framework of the activities foreseen in strategic goal 3 (Knowledge Management) of OLACEFS' Strategic Plan 2011-2015. This audit was carried out with the participation of the SAIs of Bolivia, Brazil (Coordinator), Chile, Costa Rica, Peru, Ecuador, El Salvador, Guatemala, Honduras, Panama and Paraguay; and with financing from the IDB.

The objective of the audit was to assess the situation of information technology (IT) governance in the OLACEFS member countries, based on the audits carried out in representative institutions of various segments of the public administration of each participating country. The audit sought to obtain information that would allow the development of strategies to raise the level of maturity of IT governance and the dissemination of the knowledge and techniques used in the field work carried out.

As audit criteria, in addition to the applicable legislation of each country, the audit adopted the controls provided for in the ISO/IEC 27002:2013 standard, a code of good practice for information security management; in the ISO/IEC 27005:2008 standard, which deals with information security risk management; and in the ISO/IEC 38500:2008 standard and ISACA's COBIT 5, which provide models of good practice for information technology governance.


Auditing the resilience of critical information systems and digital infrastructures to cyber attacks
Report ID: 419

Digitalisation and the growing use of information technology in all aspects of our daily lives are opening up a new world of opportunities. In turn, the risks to individuals, businesses and public authorities of falling victim to cybercrime or a cyber attack have increased, and so has their societal and economic impact. In the EU, cybersecurity is a prerogative of the Member States. The EU has a role to play in creating a common regulatory framework within the EU’s single market and creating the conditions for Member States to work together in mutual trust.