issue 22 October 2005 Why not visit the INTOSAI website: country profile

Transcription

1 issue 22 October 2005 Why not visit the INTOSAI website: country profile

2 into 2 IT IT editorial IntoIT is the journal of the INTOSAI Standing Committee on IT Audit. The journal is normally published twice a year, and aims to provide an interesting mix of news, views and comments on the audit of ICT and its use in Supreme Audit Institutions (SAIs). Material in the journal is not copyrighted for members of INTOSAI. Articles from intoit can be copied freely for distribution within SAIs, reproduced in internal magazines and used on training courses. The Editor welcomes unsolicited articles on relevant topics, preferably accompanied by a photograph and short biography of the author, and short news items for inclusion in future issues. The views expressed by contributors to this journal are not necessarily those of the editor or publisher. editorial address Contributions should be sent to: The Editor of intoit National Audit Office, Buckingham Palace Road, London SW1W 9SP United Kingdom As I wrote the editorial for the last edition, I was looking forward to the meeting of the INTOSAI IT Audit Committee in Bhutan in April. Needless to say, it now seems a long time ago, but just thinking about it brings back many happy memories. Bhutan is a beautiful country and the people very friendly and hospitable. The Auditor General and the staff of the Royal Audit Authority really went out of their way to make the Committee s stay most enjoyable and we all felt privileged to have the opportunity to visit. The main focus of the meeting was the Committee s project on auditing e-government and this is the main theme of this edition. This phase of the work has identified risks associated with e-government projects throughout the lifecycle of those projects, and the way in which those risks can be mitigated. This information has been gleaned from experiences of Committee members and research of other published material, but even though e-government is growing rapidly, that experience is relatively limited. So, for this work to be taken further, so that the Committee can develop audit methods, we need more information! We have established a database of published material at default.asp Please help us to expand the material so that we can undertake further analysis of experiences so far and take the project to the next stage. Instructions on how to contribute to the database are included on the web page. Also in this bumper edition our country focus is on Sweden and the work of the Riksrevisionen, plus an article on the IT support there, Austria tell us about their e-card for access to medical services, Russia report on their information and telecommunications systems support for the work of the Accounts Chamber, and Australia tells about how CAATs can BYTE down south. And our old friend Ian Petticrew, now enjoying his well earned retirement, looks back to the early days of wireless (and he doesn t mean Bluetooth). And there s even more that I don t have room to mention! Enjoy! No editorial would be complete without the usual plea to keep those articles coming. Just to repeat although we publish in English, if English is not your first language we are only too happy to help with translation and editing. The theme for the next edition is Electronic Records Management (ERM), so if you are, or have been involved in implementing or auditing an ERM project, please let me know. A large number of short articles would be most welcome! Steve Doughty Editor intoit@nao.gsi.gov.uk Web site

3 contents into IT Country Focus: Sweden 2 Auditing e-government 8 E-Card 20 IT support at Riksrevisionen 22 The Information and Telecommunications System for SAI Russia Support 26 CAATs that Byte 30 Accounts Chamber of the Russian Federation: DEA approach 34 IT Audit in Nanjing 40 A look back at wireless 42

4 2 into IT Sweden Country Focus Intro country focus

5 into IT 3 Brief Facts about Sweden Official name: The Kingdom of Sweden Political system: Parliamentary democracy Area: 450,000 km 2 Population: 9 million Capital: Stockholm Language: Swedish Average life expectancy: women 82 years, men 77 years Currency: 1 krona=100 öre 1 euro = 9.30 kronor Sweden, State Audit and Riksrevisionen Politics and Laws Sweden is a constitutional monarchy, but royal power has long been limited to official and ceremonial functions. The legislature is the Swedish Parliament (the Riksdag) with 349 members. Riksrevisionen (the Swedish National Audit Office) is one of three agencies working under the auspices of Parliament. The Constitution is based on the principles of popular sovereignty, representative democracy and parliamentarianism. Executive power in Sweden rests with the Prime Minister and the Cabinet. Ministerial decisions are usually made collectively and not by individual ministers. Since 1995 Sweden has been a member of the European Union. Swedish State Audit State audit has existed in some form in Sweden since the sixteenth century. Riksrevisionen began operations on 1 July 2003 with the purpose to considerably strengthen the checks and balances provided by Parliament. The operations of the Parliamentary Auditors and the Riksrevisionsverket (RRV) were discontinued at the same time. Riksrevisionen s overall goal is to carry out independent audits of all government activities, and in this way promote cost-effective use of resources and effective administration. Riksrevisionen forms part of the powers of control of Parliament and thus plays an important role in the Swedish democracy. country focus

6 4 into IT Riksrevisionen its tasks Riksrevisionen audits all state activities, e.g. the Parliamentary Administration and bodies associated to Parliament, the Government Offices, government agencies, state-owned companies and foundations, and national subsidy transfers to households, business and government bodies as well as taxes and fees. Riksrevisionen is responsible for auditing the accounts of government agencies through fee-based financial audits, and for auditing the effectiveness and efficiency of government undertakings through performance audits. The independent status of Riksrevisionen, which is embodied in constitutional law, is also ensured by its form of governance. The three Auditors General decide on what is to be audited, how the audit is to be carried out, and which conclusions are to be drawn from each audit. Riksrevisionen also carries out certain international audit activities. Parliament and the Government are the most important recipients of the results of the work of Riksrevisionen. Every year Riksrevisionen produces performance audit reports, audit statements for about 270 agencies and 60 state-owned companies and foundations and also a consolidated annual report with the most important findings and observations. The Advisory Board for Riksrevisionen, appointed by the Riksdag, among other things puts forward proposals to Parliament resulting from the audits of Riksrevisionen. Organization Riksrevisionen has about 300 employees. The total budget for 2004 is approximately SEK 320 million. Riksrevisionen consists of twelve departments, six for financial audit and six for performance audit. Riksrevisionen also has three special divisions: the international division, the quality and methods division, and the division for the audit of public companies and special audits. The Auditors General have each taken responsibility for a certain audit area, and those are: Public safety, coordination and administration of finance Welfare and health Education and development Organization chart PERFORMANCE AUDIT Board Auditor General Auditor General Auditor General Internal Audit Human Resource division Information division Finance & Administrative division IT division PA 1 PA 2 PA 3 PA 4 Auditors General Secretariat Scientific Advisory Council FINANCIAL AUDIT FA1 FA2 FA3 FA4 The division for the audit of public companies and special audits International division Quality and methods division Legal division PA 5 PA 6 FA5 FA6 country focus

7 into IT 5 IT Audit at Riksrevisionen Organization of IT Audit There is no separate IT audit department at Riksrevisionen and the auditors at Riksrevisionen all work as general auditors, with some focused on IT auditing. As for performance audit, there is no special function for IT audits. Each department conducts its own IT-focused audits as and when required. However, one division has as its special audit area IT policy and the Government s control of IT in the State administration. Among the financial auditors there is a network of IT auditors, several of whom are qualified Certified Information Systems Auditors (CISAs). They form part of the audit teams which are each responsible for auditing a set of agencies. How specialist support should be organized in future for auditing government agencies that rely heavily on IT is currently under discussion. Within Riksrevisionen s division for public companies and special audits, sector-wide audits are conducted, in close co-operation with other audit divisions concerned. The division s audits are focused on matters that affect several agencies within a number of audit areas, and in planning its operations the division also develops proposals for such audits, including IT audits, in consultation with other divisions. A particular aim in this connection is to carry out audits where financial auditors co-operate with performance auditors. The division is also responsible for a certain development of audit models in order to develop a model for auditing IT security. The advantage of working as we do without a specialist function is, among other things, that the IT audit is incorporated into the regular audit work. This is the obvious way to go for a SAI auditing an administration probably being among the earliest computerized in the world. And Riksrevisionen will continue to devote considerable attention to the training of general financial auditors in IT audit information security being the first priority. The drawback is that it is difficult to maintain a driving, cutting-edge expertise within the area. As for the habit of using IT tools it could be mentioned though, that already in 1989 all personnel in the Swedish SAI had their own PCs linked to a common network. Results and aims of IT Audit Traditionally, the aim and direction of IT audits has differed between performance audits and financial audits: Financial auditors have examined accuracy and orderliness and audited the security of the IT systems that affect items in the annual accounts. They have also undertaken the audit of procurement of IT services. Performance auditors have audited government agencies IT management, the benefits/effects of IT investments in the operations, and the costs generated by the use of IT. In this respect, the RRV audited the IT support of major government agencies (the police, the prisons and probation service etc). Government agencies co-operation through IT-based information exchange and the management of common structures for such co-operation were targeted in some audits. During the RRV s final year, audits covered the investment process and how management in government agencies control their capital expenditure on IT. There was also an audit of adaptation of about 90 government web sites to needs and prerequisites of immigrants, the elderly and the disabled with disappointing results. The IT audits conducted by financial auditors within Riksrevisionen are always based on a risk analysis done in connection with the planning of work on various audit objects (overleaf). If there proves to be insufficiently experienced and competent staff within the assignment to carry out IT audits, this competence will be sought primarily from within Riksrevisionen itself and only secondarily will these services be outsourced. country focus

8 6 into IT Riksrevisionen s competence development programme for all financial auditors includes two courses on IT auditing. The objective of these courses is to give general auditors a knowledge of general controls and application controls, and an insight into the importance of IT in analyzing risk. The aim is to enable them to carry out simple IT audits without assistance and to function as competent procurers/ purchasers of more technically advanced IT audits. Financial auditors are now working together with the division for public companies and special audits to develop an audit programme for government agencies management and control of their IT security work. The aim is for all financial auditors to be able to use this. As concerns performance audit-directed IT audits, the focus during 2003 and 2004 has been on e-government and the provision of 24-hour e-government services. Recently published audit reports shed light on various aspects of e-government. These deal with matters concerning the decisions of Parliament, Government control and reporting to Parliament, the capability of government agencies to invest in the right e-services, and the problems affecting citizens and businesses contacts with e-services. IT projects in 2004 and onwards In 2004, Riksrevisionen focused its audit operations on IT issues in two areas: Government s management and control of the 24-hour reform IT security About the 24-hour reform In spring 2004, Riksrevisionen published an audit report on the reform work done in Sweden to enable electronic government and 24-hour e-government services. Riksrevisionen found that the Government had not succeeded in creating the sufficient prerequisites, legislation, government targets etc., for the work done by government agencies to develop e-services. As a result, important e-services have either not been developed or are not functioning in the right way. Riksrevisionen drew particular attention to the problem of , which is a basic service of e-government and the most important route for citizens wishing to contact the e-government services. Citizens demand to be able to formally use s, but the agencies are not legally bound to answer them or attend to enclosures. There is a great risk for deficiencies in the electronic communication and this leads to imperfections in the agencies services concerned. Riksrevisionen found that the Government needs to appreciably improve its control of the reform work done to enable electronic government, including laying down clearer rules and guidelines for government agencies handling of . IT Security Project During 2004, Riksrevisionen initiated several IT security projects. Electronic government is opening up agencies to threats from the outside world and both performance and financial auditors have identified the need for systematic audit. country focus

9 into IT 7 These projects aim at creating prerequisites for delivering more secure opinions on: management s control and administration with respect to IT security; accuracy and orderliness in government agencies IT security work. The auditing will comprise examination of whether the important prerequisites for good security exist. The audit question will be: based on the prevailing standards, are government agencies working effectively on their IT security? In order in the longer term for this work to be taken care of by Riksrevisionen s general financial auditors, an audit program including a pre-audit web survey is also being prepared based on, inter alia, ISO and the manuals of the GAO (Government Accountability Office, USA). The work will be concluded in June Co-operation and contacts with other SAIs Riksrevisionen, like the former RRV, supports co-operation with other SAIs (Supreme Audit Institutions), either for shared competence development or in order to learn from one another. Riksrevisionen has, for example, studied the GAO s (General Accountability Office, USA) audit models and how these may be adapted to Swedish government administration. The GAO has also recently paid a visit to Riksrevisionen and shared a joint seminar with us on the theme of IT security. Under the leadership of SAI Norway, Riksrevisionen and other SAIs have developed an audit model Auditing IT Service Management within the framework of the work done by the INTOSAI IT Committee. Riksrevisionen has also had contacts with Norway regarding development of IT support and setting up of IT courses. Participation in INTOSAI and EUROSAI During the1990s, Sweden was a very active member of the INTOSAI IT Committee. The RRV hosted the two first committee seminars in 1995 and Riksrevisionen is currently taking part in a working group and a committee project on e-government. Various IT projects have been presented in earlier articles in IntoIT, including Communication Security on the Internet. Sweden has been a member of the EUROSAI IT Working Group since its establishment in Here, too, both performance and financial auditors from Riksrevisionen have taken part. Together with the United Kingdom and Russia we have assisted in producing a guide in the area of Electronic Records Management, which was presented in 2004 at the IT Working Group s meeting in Bern. Riksrevisionen is currently considering the possibilities of using a joint EUROSAI tool for IT Self Assessment. Plans for the future Riksrevisionen s aims with respect to future IT audit have not yet been decided. But the indication is that e-government will be an important audit area for at least the next few years, as the public administration s migration to e-government will take a long time. One important aspect of e-government to be audited will be the follow up of the effects of implemented e-services, but also the costs of this extensive reform. E-services can only gain acceptance among citizens and businesses if the services are secure and inspire confidence. The Government s use of IT systems in its control of public administration and for reporting back to Parliament is another possible area for audit. The issue of security to a considerable part caused by the migration to e-government will also stay in focus. Authors This article is a joint effort of colleagues in the Performance audit, Financial audit, IT, Information and International Departments of the Riksrevisionen. country focus

10 8 into IT Auditing e-government Life-cycle risks and setting up a database Biography Erna Lea is a Deputy Director General at the Office of the Auditor General of Norway (OAG). She has a degree in economics from the University of Oslo, and has been with the OAG since Her dealings has been with financial audit and questions related to the remits of the Ministry of Finance, Ministry of Labour and Social Affairs and Ministry of Education and Research. Since 2003, she has been coordinating the INTOSAI IT-Committee Task Force s work on Auditing e-government. Background At its 11th Meeting, held in New Delhi in November 2002, the INTOSAI Standing Committee on IT Audit agreed that e-government posed new risks and challenges for auditors as well as Governments, and that these should be investigated with a view to issuing guidance and sharing best practice in this area. A task force was set up with participation of the SAIs of the United Kingdom, the USA, Canada, Sweden and chaired by Norway. The first stage of the project was presented in the report Auditing e-government submitted to the Committee at its 12th Meeting in Oslo The report was based on a survey of all SAIs to establish trends and developments worldwide, the aim being to identify common issues and problems for further discussion and investigation. The report also proposed further work in the e-government area aimed at meeting the main risks and challenges identified by the SAIs in the survey: Sharing lessons, information and knowledge on e-government; Developing audit methods and audit perspectives on e-government. Training and education; Joint (concurrent/cooperative) international audits. The survey showed the need to focus on work that did not depend on a SAI s level of maturity in auditing e-government, and which would provide a sound basis for more in-depth work at a later stage. At the IT-Committee s 14th meeting last April, the task force submitted a report aimed to meet these needs. It produced a detailed look at the life cycle of e-government programmes and projects and at the risks associated with each phase. It also proposed a database of reference material on the IT-Committee s web-site where SAIs could share audit methods and perspectives on e-government. For the database to be a success, it is important for all SAIs to submit their relevant work to populate the database. By doing so, they will provide information for the Committee to take up more in-depth work later on. auditing e-government

11 into IT 9 for reference material Scope and definition The design of this work has been to cover areas that were of particular relevance to e-government, rather than to IT in general. The focus was on services, management, technical solutions, legal and audit risks that relate to the delivery of e-government services and solutions. The report Auditing e-government included a definition of e-government, a description of the levels of e-government service maturity, and an outline of the main challenges and risks they pose as they had been presented for the SAIs in the conducted survey. Given the broad perspective of an SAI s work in the public sector, the definition of e-government was selected to be: e-government is the online exchange of government information with, and the delivery of services to, citizens, businesses and other government agencies. Life-Cycle risks in e-government Introduction E-Government is said to have the potential to transform the way that governments operate. Some countries and agencies have not yet started to transform services into e-services, while others are working with their visions, demands, and capabilities to develop e-government services. Some countries and agencies have progressed quite far along the road of delivering sophisticated e-services. But the road leading to a seamless e-government is not an easy one. There are many risks involved, which if they mature will have a detrimental impact on the economy, efficiency, and effectiveness of e-government investments. In the report Auditing e-government, we identified three broad risk areas: Risks related to initiating and supporting e-government investment proposals; Risks related to implementing (developing, running, delivering, and maintaining) e-government services; Risks related to the consequences (value for money, effectiveness) of performing e-government services. It is crucial for countries and agencies to identify the risks they face in developing their e-government services, and to develop appropriate strategies for managing them. E-Government systems have different characteristics from internally focused, closed information systems. E-Government solutions are open systems and are exposed to more and different risks from traditional systems. The widespread use of technology provides new challenges to governments, organizations and auditors. Such widespread distribution increases the need to provide security, control, and privacy, and there are already many examples of failure to do so, both in the public and private sectors. Auditing e-government is in many ways similar to auditing other areas including IT-systems and projects. The practical experiences of task force members in conducting audits in e-government made it clear that rather than focusing on producing specific checklists which would include methods for use in related areas, it would be more useful to focus on issues and risks to be specifically aware of when considering the development of e-government services. It should provide guidance so that SAIs can prepare their own checklist to examine those risks specific to the project or programme they are auditing and to judge whether they are being appropriately managed. auditing e-government

12 10 into IT Life-Cycle in e-government The life cycle of e-government projects is a continuous circular chain of activities, divided into four phases: Initiation, Planning and implementing, Operations and Monitoring. Initiation This is the phase in which Governments first articulate their intention and vision which ultimately will lead to Service Transformation. If Service Transformation is the ultimate outcome of the Life Cycle Process, Initiation will be the very beginning. It is articulated in a vision statement a statement of intent of the Government to embark on this journey. It is perhaps the most important phase, as all other subsequent phases will depend largely on the clarity and realism that is incorporated in the first phase. The boundaries of e-government systems, the services to be provided, the resources necessary for planning and implementation, operations and monitoring would be defined in this phase. Planning and implementing Typically, human and financial resources are two most important factors that contribute to success. Applications must be deployed to provide the services specified, but also at the right time, so that user take-up is optimized. Change management is another important issue in this phase. Typically, again, several applications can be developed simultaneously ranging from the simple to the extremely complex. Getting rid of silos and allowing sharing of information is one of the goals of e-government, and coordination to ensure inter-operability is another concern. This and issues of technology, user friendliness, availability, scalability, ownership and pricing of services will dominate this phase. Operations The operations phase has two objectives. The first is reliable day-to-day operations and the second is the progressive integration of systems to achieve service transformation. Monitoring Monitoring relates to optimization of services. E-government projects can take a long time to permeate. Confidence of users to transact business through the impersonal machines does not come easily. It needs strong day-to-day monitoring. Building up the services, capturing and resolving customer feedback are prime concerns during the monitoring phase. Monitoring Operations e-government Project Life-Cycle Initiation Planning and implementing auditing e-government

13 into IT 11 The Issues Within each phase of the life-cycle we have addressed the issues that were identified as the main challenges and risks to e-government, during the work with the last report Auditing E-Government. By doing so, we also saw a need to identify different risks depending whether they were related to a state and government level or a department level. The issues and risks are therefore sorted accordingly within the four phases of the life-cycle. Addressed issues within the four phases sorted on levels Life-cycle phase Level Issues Initiation State or government Vision Strategic objectives Political will and context Country readiness Department Vision Objectives Strategy Strategic management Horizontalization/ Justification Cross cutting Readiness of the Customer segmentation/ organizations and Identifying potential users their users Ownership Planning and State or government Visions and objectives implementation Department Planning Funding/Budget Technological Issues Requirements Process reengineering Security and privacy Interoperability Project Development Cycle User system Manage changes Clustering of services Take up Operations State or government None Department Service management Open complex systems Culture and awareness Security and privacy Risk management Data management Ownership Performance Monitoring State or government Performance measurement Follow up Department Performance measurement Auditing Assurance Assessment of internal controls auditing e-government

14 12 into IT Selected risks The Task Force has identified approximately 170 risks, based on its own experience and reports from SAIs. The risks are not presented in any priority order and the same risk may occur at different governmental levels. As more SAIs gain experience, risk factors will need updating. The full listing is too long for an article like this but is included on the website at intosaiitaudit.org/bhutan/agenda-item-4-sai- Norway.pdf. As a taster we include just the first section covering the risk factors at the State level in the Initiation phase. Initiation State and government level Issues Vision Strategic Objectives Political Will and Context Descriptions E-Government is said to have the potential to transform the way that governments operate. E-Government investments are often proposed by Cabinets and Parliament. Cabinets also give orders or directives to specialist agencies/departments to develop different kinds of e-government support mechanisms, such as standards to be used in the development of e-government. Successful management requires significant cultural and organizational change, such as strong political leadership stretching across departmental boundaries, complex governance structures, multi-level funding, and communications and relationship skills extending beyond that which a single organisation project requires. Of foremost importance is a vision statement reflecting the determination of the Government to support e-governance. A vision statement is not a political statement but underlines the political will to see through change and face the challenges including those of failure. Such a statement gains credibility when it emanates from the Head of the Government. The imperatives for implementing major e-government programmes should focus on clearly defined strategic objectives agreed by the major stakeholders. There must be appropriate levels of leadership and ownership (perhaps involving an overseeing department and ministerial responsibility). Country readiness A country s readiness considers issues such as technological infrastructure, educational level, laws and regulations and skills in implementing e-government solutions. auditing e-government

15 into IT 13 Risk Factors Vision Lack of vision, unclear vision or a vision that is not really a vision (e.g. objective). A vision statement can be a political slogan. A vision statement can be a sincere statement but not supported by other requisites like commitment of funding or other resources. Political Will and Context Political will is lacking. Even when political will is there, it may not be an informed one and hence the support that is necessary at the right time may not be forthcoming. In a situation of political flux, a vision statement, even by the Head of the Government may not carry conviction. In democracies with quick changes in the government, the political will may not represent a long-term commitment. A vision statement may not reflect the capability of the Government including bureaucracy s capacity to manage change. Political risks created by or tied to unclear demands, requirements, e-policies, and strategies from Parliament and Cabinet. Absence or inadequacy of a central body playing a strategic role at federal, central or local level bear the risk of uncoordinated planning and introduction of e-government services. If design and implementation of systems are left to individual agencies, technologies such as electronic signatures might not be implemented as such a solution might not be profitable for one agency alone, but could be profitable for the public sector as a whole. The human capital that is required to make the e-governance successful in the long term may be yet to be developed. In many countries, one of the most important technological issues can be related to the human capital one. When such projects are implemented by multi lateral donor agencies, the hardware and software may not be widely used and hence the human capital needed to support the services in the long run (e.g. hardware repair) may not be available thus jeopardizing the survival of the system. Visions can be driven by external pressures like international funding agencies, or to gain temporary political mileage in the face of a dissatisfied populace. Strategic Objectives Lack of objectives. Unclear objectives. Objectives that cannot be measured. The Government may go for major e-governance system without a proper technical infrastructure. The Information and Communication Technology (ICT) infrastructure among citizens may be too low. Internet accessibility may be too low to make any web based services useful. Services may be offered to such section of population which have the least access to or expertise in using computers (old age pension, welfare schemes for the disadvantaged). auditing e-government

16 14 into IT Database Introduction At the first meeting of the Task Force in February 2004, it was agreed to incorporate all three projects in a database made available to all SAIs through INTOSAI s web-site. Collecting e-government materials from SAIs and others in project 1 and 3 showed the need for engaging the contributors of the materials the SAIs themselves in submitting their own reports into the database. The work of the Task Force would thus be to set up the database for material retention, devise a template to ensure the database is populated consistently and formulate and agree keywords to provide a search capability. It was also decided that the database was to be set up so as to allow expansion for future use for other materials and projects in this area. As SAIs submit reports and gain more experiences in auditing e-government, the database enables us to make use of this material to develop further audit methods and perspectives. To make this a useful tool in exchanging scopes, audit criteria and experiences of SAIs and governments in developing e-government, it is essential that every SAI engage in submitting relevant material. The database The database is at default.asp The user can see a full list of the reports on the database. Filters allow the list to be viewed by SAI, Author, Category or Keyword. Each report in the database may have only one SAI sponsor, only one Category but any number of keywords. The SAI, Author, Category and Keywords are assigned as the report is entered onto the system. Keywords can also be amended subsequently. auditing e-government

17 into IT 15 auditing e-government

18 16 into IT Keywords When submitting a report or document for inclusion in the database the sponsoring SAI must provide a summary of the report by using a fixed set of keywords (currently 106). Based on the risks in Section 2 above, these keywords facilitate searching the database. Keywords that apply to the document need to entered at the time the document is submitted to NAO for entry into the database, but they can also be assigned subsequently. auditing e-government

19 into IT 17 List of keywords Acceptance Justification Diagnostic Service Cluster Assessment Laws and Regulations E-forms Service Transformation Assurance Legacy Systems E-Government Skills Auditing Legal Issues E-learning Stakeholders Awareness Legal Risks Strategic Management Benefits Life Cycle Equitable Strategy Capacity Manage Changes Functionality Streamline Competencies Managing Data Gateway Success Factors Confidential Data Measurable Targets Government On-Line Take Up Configuration Management Measurement Information highway Target Reach Credit Card Monitoring Integrated Training Cross Cutting Objectives Interactive Users Culture Operations Intrusion detection Vision E-governance Ownership Links Vision Statement Electronic Services Performance On-line Web-enabled E-Policies Planning On-line payment Wireless Experience Political Will On-line service Feasibility Study Privacy On-line text Follow Up Process Paths Framework Process Re-engineering Personal Digital Assistants Funding Project Development Personal information Horizontal Integration Quality Criteria Points of access Human Capital Readiness Portal Implementation Accessibility Resistance Infrastructure Authentication service Resources Initiation Citizen-centred Risk Assessment Internal Controls Client satisfaction Risk Management Internet Accessibility Client-centred Roadmap Interoperability Common look and feel Secure Channel Consent Security Cross-reference auditing e-government

20 18 into IT auditing e-government

21 into IT 19 Submission template When submitting a report or document for inclusion in the database, the sponsoring SAI must fill out a template with the required information on: which SAI is submitting category of paper publication date contact number and of person submitting document address publication summary file reference keywords Challenges ahead Work on establishing the life-cycle risks and devising the database, shows that whilst there is a wealth of information about e-government there is relatively little SAI experience in auditing e-government, or that information has not been available to the task force. The established database will allow SAIs to submit reports for inclusion in the database and thus enable the IT Committee to make use of this material to develop further audit methods. The identified and selected list of risks related to the life-cycle of e-government, will be in need of updating as more experience is gained. The task is assigned to a member of the task force. Setting up the database has been the responsibility of the Task Force, with the SAI of UK handling the technical solution and the database administration and maintenance. The database is designed to be expanded to incorporate other projects in the area as the IT-Committee takes them up. To make this database a useful tool in exchanging scopes, audit criteria and experiences of SAIs, it is essential that all SAIs in the next phase contribute to populate and make use of the database. A letter of invitation to do so was forwarded to all SAIs from the Chair of the IT Committee, the SAI of India, in June this year. The contributions will in addition to be of use to all SAIs, and give the IT Committee information to do more in-depth work in this area. auditing e-government

22 20 into IT Health Insurance card in Austria E-CARD The electronic health insurance card (dubbed e-card ) is an electronic ID for using medical services from health insurance in Austria; on the reverse side, it incorporates a printed image of the European Health Insurance form. As an additional feature, the e-card may be also used as a Citizen Card after a no-charge certification process. The Austrian Health Insurance Card As of January 2006, the e-card will replace the paper-based health-insurance voucher ( Krankenschein ) in Austria. The card holder s personal data are both printed on the card and stored electronically. Upon presentation to an established doctor or a hospital, information on the insurance status of a patient is retrieved from the Central Association of Austrian Health Insurance Providers. A check performed whether the patient has insurance cover and with health insurance fund. This entitlement check performed when reading the e-card also serves as a control for the subsequent invoicing of medical services. The card holder data is stored and adminstered centrally in two parallel computing centres and made available online depending on the application and the access rights. Data is transmitted after encryption and signature; the signature is activated without a PIN code when the e-card is inserted in the card reader. Authors Bruno Walter and Johann Vilanek Rechnungshof, Austrian Court of Audit E-card

23 into IT 21 The e-card system was designed as an online system and can be expanded for future uses, such as for electronic prescriptions, or patients electronic case histories. European Health Insurance Card The reverse side of the e-card shows a printed optical image of the European Health Insurance Card. It replaces the existing paper forms used to prove health insurance entitlement when travelling within the European Union, the EEA, and Switzerland. Citizen Card Apart from replacing the health-care voucher, the e-card can also be used in e-government as a Citizen Card with a safe electronic signature. The certificate and the record linking identity data with source PIN ( Personenbindung ) is installed on the e-card as part of the required no-cost registration procedure. Rollout of the e-card The rollout of the e-card was started on 30 May 2005 and will be completed by early December At that time, more than 8 million persons will have received an e-card and some 12,000 contracting partners (general practitioners, hospitals) will have been equipped with the technical infrastructure for the e-card system. The average number of entitlement checks per day is expected to reach 300,000. Audit of the e-card project by the Austrian Court of Audit In this project which had been launched in 1997, the Austrian Court of Audit examined the legal framework, the awarding of contracts, organisation and technical implementation. In particular, the Court looked into the use of external consultants contracted for this type of project. Its findings have been published in the activity reports 2004/4 and 2005/8. E-card

24 22 into IT SWEDISH STYLE IT Support at Riksrevisionen The auditors at Riksrevisionen are supported by an IT-infrastructure which amongst other things encompasses: Portable computers with internal modems and mobile telephones for all financial auditors A shared local area network, with shared utilities like network drivers, printers etc Intranet, with support information for the auditors Office automation package in the form of Windows Office XP, including , word-processing and spreadsheet functionality Access to the Internet, enabling the retrieval of information on government issues and data regarding auditees. Financial Audit and the Tool For financial audits, Riksrevisionen has developed an IT-application, named Verktyget (direct translation the Tool ). It is based on the audit methodology decided upon by Riksrevisionen. The Tool supports all phases of the audit process, i.e. analysis, strategy and planning, documentation of performed audits, conclusions and reporting. The emphasis of the development and thereafter lies in: Automation wherever possible in the process, enabling the auditor to focus his/her attention on more analytical work. Enabling Riksrevisionen to manage quality and uniformity. Central Server.NET client objects User interfaces.net server objects Sync Functional Forms Business logic Business logic Data base access Data base access GUI Sync Local client - portable PC SQL Server it support at riksrevisionen

25 into IT 23 Supporting the auditors needs for availability and portability regardless of physical place. Supporting the continuing process of improving the efficiency of operations. The Tool is an in-house computer system owned by Riksrevisionen. It has been developed in close co-operation between employees and outside IT consultants. Early on it was decided to base the Tool on the standard applications already in use at Riksrevisionen: implementing GUIs that had a high level of look-alike in comparison to Microsoft Windows XP; actually using, first and foremost, the standard applications of Microsoft Word and Excel. The Tool is a Microsoft.NET application using standard SQLservers. By using the existing platform the development costs were decreased considerably. Functional forms were developed with VBA to support the work process. The demand for portability was solved by using a replicating system between a central joint database and individual databases on each personal computer, enabling work without connection to Riksrevisionen s computer network. Replication is performed via xml web services, so that the auditor can replicate whenever a connection to the Internet is available. All communication is secured by encryption. Acceptance by the users has been measured and confirmed to be high. The Tool is now used by all audit teams and for all financial audits of the government agencies. it support at riksrevisionen

26 24 into IT Performance Audit and IT support For performance audit the IT support could involve the following: Services rendered by the common network such as shared network folders for documentation in audit projects. Programs for statistical analysis: MS Excel, MS Access and SAS. Internet for web-based questionnaires and of course for general published information. A self-developed application called Metodminnet (the institutional memory system). This application permits electronic filing of significant information about audits that have been carried out. The system primarily contains information about the experiences of methods used in the audit projects, but also information about the area of audit (ministries and agencies), the problems and questions analyzed, key concepts and general reflections on the project. The system also contains an electronic library with short descriptions of the 25 most common methods used in performance audit. The IT Infrastructure of Riksrevisionen Vital statistics 300 PC workstations, of which 170 are portable PCs Operating system, Windows XP Office automation, Windows Office XP with Outlook for based on Microsoft Exchange 2000 VPN service through Citrix Metaframe it support at riksrevisionen

27 into IT 25 Overview Domain controller 1 Domain controller 2 Citrix DNA phone admin Call manager system SAN Management Appliance Server IIS server for web applications Video conference Agresso business administration Ethernet Veritas Cluster server Failover Print / file / IIS / SQL / Exchange SANswitch SANswitch PIXFW Enterprise Virtual Array DMZ MSL5030Bandrobot Nfuse/Antivirus mailscan Outlook webaccess/ Secure gateway Authors SNAOs website Audit tool application syncserver This article is a joint effort of colleagues in the Performance audit, Financial audit, IT, Information and International Departments of the Riksrevisionen. it support at riksrevisionen

28 26 into IT State Financial Control in Russia The Information and Telecommunications System for SAI Russia Support The history of state financial control development in Russia 1656 is considered to be the date when state financial control began in Russia. In the reign of Alexei Mikhailovich, the Accounts Department (Prikaz), or the Department for Accounting Affairs, was established, aimed at increasing efficiency of financial management. In 1720, the Emperor Peter I established a special controlling authority for managing finances called Revision Collegium. In 1810, Emperor Alexander I established the Supreme Administration for Revision of State Accounts headed by State Comptroller Baron Baltazar Kampenhausen. In 1892, the first Law on State Control in Russian history was adopted. The turn of the 19th and 20th centuries was the time of search for more efficient forms of financial control applicable for Russian conditions, taking into account the incipient separation of powers into legislative and executive ones. During the Soviet period, the state financial control system was constantly changing. In 1994, the State Duma of the Federal Assembly of Russian Federation adopted the Federal Law On the Accounts Chamber of the Russian Federation. In 1995, the first session of the Collegium of Accounts Chamber took place. Russian State Control The powers and responsibilities of the Accounts Chamber of the Russian Federation According to the Federal Law On the Accounts Chamber of the Russian Federation : The Accounts Chamber is a standing body of state financial control The Accounts Chamber exercises control over the fulfilment of the federal budget based on the principles of legality, objectivity, independence, and openness The Collegium of the Accounts Chamber consists of the Chairman of the Accounts Chamber, the Deputy Chairman of the Accounts Chamber and auditors of the Accounts Chamber. The term of office of the Chairman of the Accounts Chamber, the Deputy Chairman of the Accounts Chamber and auditors is six years. The Chairman of the Accounts Chamber and a half of the auditors are appointed and released from their duties by the State Duma of the Federal Assembly of the Russian Federation, while the Deputy Chairman of the Accounts Chamber and the other half of the auditors are appointed and dismissed by the Federation Council of the Federal Assembly of the Russian Federation. In April, 2000, Sergey Vadimovich Stepashin became Chairman of the Accounts Chamber of the Russian Federation, and in January, 2005, he was re-appointed to that office. The Accounts Chamber carries out annual and current planning of its activities. The plan of work of the Accounts Chamber is a combination of control measures, as well as expert, analytical, and other kinds of work. Once the draft annual plan is considered and adopted by the Collegium of the Accounts Chamber, it becomes mandatory for all authorities and state officials. The Accounts Chamber informs the Federal Assembly on the outcomes of inspections and audits carried out, in particular, on the loss to the state and on the legal violations identified. Based on the results of the control measures, the Accounts Chamber writes to the public authorities of the Russian Federation and heads of audited bodies to take steps to eliminate the violations found, to compensate for the damage inflicted on the state and to call to account officials guilty of violation of the legislation of the Russian Federation and economic mismanagement. When violations are found, the Accounts Chamber may give mandatory instructions to the administration of the enterprises, institutions and organizations audited. In case of repeated failure to fulfil the instructions or in case of improper execution thereof, the Collegium of the Accounts Chamber may, as agreed

29 into IT 27 Order of Formation of the Accounts Chamber of the Russian Federation The State Duma of the Federal Assembly of the Russian Federation The Federation Council of the Federal Assembly of the Russian Federation Chairman of the Accounts Chamber of the Russian Federation 6 auditors 6 auditors Deputy Chairman of the Accounts Chamber of the Russian Federation with the State Duma, decide to suspend all kinds of financial, payment and clearing transactions concerning the accounts of the audit body. When an embezzlement of state cash or tangible assets or other dishonesty are found in the course of an audit or inspection, the Accounts Chamber immediately sends the control documentation to the law enforcement authorities. During the period from 1997 to 2004, the Accounts Chamber recovered more than 66.7 billion Roubles for the treasury. A unified federal budget control system has been developed by the Accounts Chamber. It involves continuous three-year control cycles over the administration of budget for each fiscal year in several stages such as: preliminary control of the draft budget for the current year; current control during the fulfilment of budget for the current year; comprehensive documentary inspection of the budget already fulfilled. In the preliminary control stage, the draft budget parameters are compared with live data on the fulfilment of budget for the current year, information on the social and economic situation in the country as a whole and in individual regions and industries. Current control is carried out during the whole year; it is a combination of control, expert and analytical measures. After the fiscal year is over, the Accounts Chamber starts comprehensive documentary inspection of the budget fulfilled. Therefore, the trinity of preliminary control, current control and comprehensive documentary inspection forms a base of the unified system of the Accounts Chamber for control over the fulfilment of budget. This is supplemented with the results of audit measures carried out both under instructions of the Federal Assembly chambers and by initiatives from the Accounts Chamber itself. The Accounts Chamber is making increasing use of performance audit to help improve the national economy. Performance audit demonstrates the result of using state funds while proving not only the legality and designated purpose but also the efficiency of solutions to nationwide problems. The Accounts Chamber is increasing the efficiency of audit measures through its increasing emphasis on determining the efficiency and expediency of budget spending and use of federal property. Beside the control function, performance audit ensures transparency of regulatory bodies activity and gives the general public precise and comprehensive information on the outcomes of the activity of such bodies. By introducing performance audit into the working practices of the Accounts Chamber, the existing forms and methods of financial control are being reformed, and appropriate amendments are made to legislation. The priority for IT is the support and monitoring of audit, examinations, expert and analytical activities. The Accounts Chamber plans to establish and develop sophisticated information technologies for use during the whole financial control process. Russian State Control

30 28 into IT IT support During the decade of the Accounts Chamber activity, the Information and Telecommunication System of the Accounts Chamber (ITCS) has developed from equipping departments with personal computers through to the establishment of a corporate local network with modern hardware and advanced application software. ITCS development is included in the medium term (3-year) programme specified in annual working plans. ITCS enables: data exchange between the participants of the budget procedure, planning, control and analysis of audit measures, information and analysis for all stages of control over the fulfilment of the federal budget and the budgets of state extrabudgetary funds. ITCS underpinning strategy is to move gradually towards paperless technologies for activity information support. There is a unified database, integrating: current collection and processing of primary payment documents relating to the administration of the federal budget, accounting data embracing about 250 subjects of budget process, and indices of social and economic development of the country. Much information is still coming on paper because of general unwillingness to work with modern electronic technologies. The greater part of the information coming on paper is scanned and placed on the Accounts Chamber database, where it becomes available to all users. ITCS has also given its users direct access to public databases through the Internet and to corporate databases such as the Federal Agency of State Statistics. The amount of information resources available for ITCS users has tripled over the last four years. Maintenance The ITCS technical architecture is based on Cabletron and Cisco communication equipment, Hewlett- Packard servers and INTEL work stations, both foreign and Russian made. The basic ITCS infrastructure is a local network covering all users in all departments of the Accounts Chamber. Over 30 servers and 1,000 workstations are on this network. The users workstations are mostly connected to the network at 10 Mbps. The trunk lines run at 100 Mbps. The internal trunks are constructed from multi-pair copper cables and multimode fibre cables. At the core of the data storage subsystem is a fail-safe, scalable, high-end HP StorageWorks XP128 RAID box with a maximum capacity of 5 TB. This consolidates the Accounts Chamber s data storage. The servers are connected via 16-port 2 Gbps Fiber Channel Brocade switches to the Storage Area Network (SAN) dedicated network. A 4/40-capacity 4Tb HP StorageWorks tape library with a throughput of 216 Gbph is used to back up the data. The administrators use Hewlett- Packard (HP) OpenView Operations/ Performance software. This software integrates the management of numerous controls products over all ITCS components into a unified system. The network administrators are provided with up to 20 different services. Software Generally, the Accounts Chamber employs HP UX 11i, Linux and Microsoft Windows NT/2000/2003/ XP operating systems. As a DBMS corporate platform, it uses Oracle 9i Database Enterprise Edition, while several applications use Microsoft SQL Server. The application software is aimed both at providing basic activity and automating the activities of support departments (financial and accountancy system, personnel management system, record keeping automation, etc.). The Accounts Chamber has commissioned special application software from a Russian software house. This software maintains information used by all types of control activities conducted by the Accounts Chamber, i.e. preliminary, current and follow-up controls. For preliminary controls, the software provides a financial commentary on draft federal budgetary laws for the next fiscal year. It models and forecasts yield income from the federal and consolidated budgets. It monitors and forecasts macroeconomic indices reflecting the formation and execution of the federal budget. The current control includes evaluation of the legality of current federal budget execution and approved summary list of incomes, expenses and sources of federal budget deficit financing, as well as control of the Russian Federation state internal and external debts, and monitoring and analysis of budget execution in the subjects of the Russian Federation based on live data. For follow-up control, the system allows the inspector to: input and analyse data on the federal budget execution from the audits; analyse all the accumulated information on the federal budget execution; Russian State Control

31 into IT 29 Strategy of the use of information technologies in the activities of state federal bodies till 2010 The major objectives of this IT Strategy are: to improve access to open information on the activities of state federal bodies for citizens and organizations, including Internet access; to develop a unified protected telecommunications infrastructure for public needs, authentication centre systems in the area of electronic digital signature and electronic interaction environment, in order to provide an efficient intersectoral exchange of information; to set up a unified system for the monitoring and performance audit of information technologies used by state federal bodies; to update the legislative and other regulatory and legal frameworks in order to improve the efficiency of information technology applications by state federal bodies, taking international practice into account. analyse revealed divergences and violations and work out remedy proposals; and analyse federal budget interrelations with the budgets of subjects of the Russian Federation, carry out performance audit of accountability, public property privatization and management. The auditing application software provides activity planning and control of plans execution, automation of technological processes and operations when an inspector carries out a specific auditing procedure. Currently, five applications supporting basic activities of inspectors (auditors) have been introduced as well as four applications for automating support activities, and three inquiry systems. The citizens can view the activities of the Accounts Chamber through its web-site ( where news on the Accounts Chamber and the Accounts Chamber bulletins with auditing reviews are regularly published. Future developments Within the framework of unified Concept of the use of information technologies in the activity of federal authorities till 2010, the Accounts Chamber is introducing an internal Intranet portal aimed at integrating the existing information resources of the Accounts Chamber into a unified Web access system and organizing one-window access to applications. A gradual transition is under way from paper record keeping to electronic document management. To support the decision-making process of the administration of the Accounts Chamber, the Situation Center system is being introduced. The implementation of Situation Center will provide situation analysis in macroeconomic, monetary, taxation, investment, structural, and foreign economic policy of the state. It will allow simulation modelling of the budget process in order to provide different scenarios of situation development; and this will also provide the administration of the Accounts Chamber with up-to-date aggregated financial, economic, political and other information to inform their decision making process. An important long-run objective is the establishment of a unified information network of control and accounts bodies of the Russian Federation. The purpose of the network is to exercise centralized control over data storage and processing resources. The network of data processing centres of control and accounts bodies will have a 4-level hierarchic structure, the data centre of the Accounts Chamber being its top level. Information interaction will be carried through communication channels available to departments of control and accounts bodies in a given region. The introduction of a unified information network of control and accounts bodies of the Russian Federation will provide telecommunication interaction between these bodies; enable joint use of databases and knowledge and unification of software tools. Electronic Russia Objectives: Creation of conditions for development of democracy, and An increase of efficiency of the economy, government management and local self-government Through the introduction and large-scale distribution of information and communication technologies. Stages: Stage Stage Stage Preconditions The establishment of an up-to-date infrastructure of state information systems ensuring effective information interaction between authorities and citizens; Establishment of an information infrastructure supporting effective state management processes; Reform of national regulation of the information technology market; Formation of a large-scale communications infrastructure. Russian State Control

32 30 into IT CAATs that Byte Amy Fox is a Senior IT Auditor at the Australian National Audit Office (ANAO) in Canberra, Australia. Amy is a Certified Information Systems Auditor, and a Chartered Accountant. amy.fox@anao.gov.au caats that byte

33 into IT 31 CAATs that Byte The office of the Auditor General was established in 1901 under the authority of the Audit Act 1901, the fourth act to be passed by the first assembly of the Commonwealth Parliament in Australia. In 1997, the Auditor-General Act 1997 replaced the Audit Act, and was enacted on the 1 January Under this Act the independence and mandate of the Australian National Audit Office (ANAO) was further strengthened, as the Auditor-General had become an Officer of the Parliament. The Information Technology Audit section (IT Audit) is part of the Assurance Audit Services Group (AASG) of the ANAO and exists to provide an integrated audit support service to all business units within the organisation. The IT Audit team has the responsibility for the management and delivery of IT audit activities to two separate groups, being AASG and the Performance Audit Services Group (PASG). The primary objective of the IT Audit section is to provide independent information technology (IT) assurance through the detection and evaluation of risks faced by Australian Government entities in their adoption and use of existing and emerging technologies. There are currently seventeen members of IT Audit, each with a range of educational and workplace skills and experiences. The variety of technical, accounting, auditing and graduate backgrounds provides the ANAO with a diverse team capable of successfully undertaking many of the challenges with which it is faced. One of the key services offered by IT Audit is the provision of Computer Aided Audit Techniques (CAATs) to analyse and interrogate client data. The Australian Auditing Guidance Statement (AGS) 1060 Computer Aided Audit Techniques issued by the Auditing and Assurance Standards Board of the Australian Accounting Research Foundation defines CAATs as computer programs and data the auditor uses as a part of the audit procedures to process data of audit significance contained in an entity s information systems. CAATs Development Over the past two years, the ANAO has committed and invested considerable time and resources into the development of an integrated and standardised approach to the use of CAATs within our organisation. Top-level commitment, including the individual commitment of Audit Managers to refining their audit methods, has been essential in developing this approach. Various initiatives and activities have been required to enable CAATs to be used effectively within our organisation: The rollout and support of local and network versions of IDEA software; Provision of in-house, IT Audit developed training on the use and application of IDEA software; Staff attendance at externally provided training, including MS Access and SQL; Purchase and implementation of SAP Assure audit software, including the Assure Integrity SAP Analysis module; Externally provided staff training in the configuration and use of SAP Assure software; Purchase and implementation of BindView IT Security and Configuration software; Externally provided staff training in the configuration and use of BindView software; Purchase of a dedicated, high performance, high capacity server; Purchase of portable data storage devices; Assignment of resources to complete projects for standardised CAATs suites; Alterations to our audit methodology have been made; and Increased liaison and integration with financial statement auditors. caats that byte

34 32 into IT The Challenges and the Benefits The benefits of adopting CAATs within our audit methodology have not been immediate, as our organisation has had many challenges to overcome. A high degree of commitment has been required from all levels of the ANAO, from those designated with decision making responsibilities to those assigned project and field work tasks. Modifications to existing and accepted work practices have had to be made that have required change management approaches to overcome resistance and obstacles. Challenges faced before some of the tangible benefits of CAATs have been realised have included: Setup costs; Training costs; Time required to initially develop a data analysis approach; Understanding the differing data structures between applications and entities; Ability to retrieve data from environments with a nondownloading security policy; Data privacy requirements; Data security classifications; Data processing and technology constraints; and Data storage restrictions. These challenges have provided our staff with the opportunity to apply and develop their management, technical, and problem solving skills. As a result, our organisation has a staff profile that is increasingly skilled and competent in the use of various data analysis applications and techniques. The continuing ability of our organisation to adapt to a changing audit environment has been demonstrated by its commitment to the adoption of new audit technologies such as CAATs. The application of CAATs within the audits undertaken by the ANAO is dynamic, and the use of data analysis techniques is expected to provide the ANAO with ongoing benefits. The benefits and efficiencies realised by the ANAO in the development, adoption and implementation of CAATs have included: Time and resource savings; Capacity to analyse larger quantities of audit related data; Financial efficiencies; Broader testing coverage; and Improved knowledge and understanding of data structures and audit environments. Analysis Undertaken CAATs are used by the ANAO IT Audit team to provide assurance in both Financial Statement and Performance audits. Various types of data analysis are undertaken, and the suite of tools used and the capacity of the team is continuously expanding. Examples of the CAATs undertaken by the IT Audit team include: Reasonability checks; Comparisons against business rules; Cross matching; Gap and duplicate detection; Exception reporting; Recalculations; Identification of data anomalies; Verification of segregation of duties; IT Security benchmark and gap analysis; Transaction authorisation and delegation checks; Population analysis; and Audit sampling. caats that byte

35 into IT 33 The Outlook for CAATs within the ANAO Although the use of data analysis techniques by auditors is not a new concept, the implementation of a developed CAATs approach by the ANAO is a relatively recent initiative. Whilst the benefits of the implementation of CAATs have not always been realised immediately, with the continued support and commitment from all areas of our organisation, and the ongoing support of our audit clients, the adoption of CAATs across the ANAO service groups is becoming increasingly prevalent. It is anticipated that through the continued use of enabling technologies and products such as IDEA and SAP Assure that the suite of CAATs able to be provided by the IT Audit team will continue to rapidly develop. The use of CAATs and similar audit techniques by the IT Audit team and other areas of the ANAO makes it apparent that CAATs are rapidly becoming firmly ingrained in the current and emerging audit methodologies used by the ANAO. caats that byte

36 34 into IT The experience of the Accounts Chamber of the by A.A. Piskunov, V.A. Shirobokova Introduction Our country is in the process of re-orientating the whole budget system towards achieving maximum economic and social efficiency. As a result, the Accounts Chamber is faced with new, more complicated problems as compared to financial audit. Efficiency or performance audit is becoming the top priority, not so much at the stage of assessing the results of activities, but rather the stage of forming state development programmes for activities or regions. Therefore, the development and application of software for non-financial audit is one of the priority tasks for the IT department of the Accounts Chamber. The Accounts Chamber has long used CAATs to improve the quality of our audit and in turn the operational quality of the controlled objects (CO) themselves. However until recently, we could not create adequate analytical tools for evaluating efficiency. The reason for this failure lay in the extreme complexity of functioning processes of economic systems taking place in a multi-dimensional parameter space, with these parameters being heterogeneous in their nature and interconnected in complicated relationships. When evaluating the efficiency of controlled objects as an economic relations system, we have to make a complex assessment of the efficiency of bodies, objects and management processes as a single cybernetic system (Figure 1). Data Envelopment Analysis (DEA) methodology has been used by the Accounts Chamber of the Russian Federation to make a socio-economic diagnosis of several regions of Russia. This methodology is the outcome of interdisciplinary research conducted in the last two decades in the field of economics, system analysis and operations research. It also uses the fundamental provisions of mathematical economics, production theory and Pareto principles of optimality. American scientists A. Charnes and W. Cooper are the founders of this approach [1, 2]. Currently, over 1,000 works related to these subjects have been published and approved in dozens of companies, banks etc in many regions and countries of the world. Two large international conferences were held in 2004 in Toronto in June (NAPW2004) and in England in September (DEA2004). The essence of the DEA approach is to study the production objects with multiple input and output parameters and to analyze their activities. In terms of mathematics, use of the DEA can be described as solving and analyzing a large family of optimization problems. The advantage of this approach is the possibility of system correlation of heterogeneous factors affecting management decision-making, with consequent improvement in the evaluation of its performance. In Russia, this line of investigation has been successfully developed by a research group under the guidance of V. E. Krivonozhko, Doctor of physical and mathematical sciences. Russian IT Support

37 into IT 35 Russian Federation in the use of DEA approach Russian specialists have obtained a number of important results providing for a broad approach to the analysis of complex economic and social systems. They have created novel algorithms for visualizing a multi-dimensional economic space by generating 2D and 3D sections. They have also created a computer system «EffiVision» (Efficiency Vision) with interesting performance capabilities. It implements a new class of software models, novel in their approach and directed towards modern economic analysis [3-5]. A brief description of the DEA approach The DEA methodology and «EffiVision» software package enable us, after quantifying measures of efficiency, to visualize the performance dynamics and trends of the controlled objects. At the same time, the controlled objects per se are considered to be a set of Production Objects (PO) processing their inputs (resources) into outputs, constituting, on the whole, the vectors of the input (the results of financial audit) and output (performance indices) parameters (Figure 1). The actual economic objects function in a multi-dimensional economic space. There is only one way of visualizing and studying this multi-dimensional space, and to do that it is essential to generate various sections of a production possibility set and through various objects. Figure 2 shows two sections of the set of production possibility in a 3D space. The «EffiVision» software can build any sections in a multi-dimensional economic space. In particular, the sections built may be generalizations of such well known economic functions as the production function, isocost, isoquant, etc. Figure 3 shows the section of a production function in a model with one input index and one output index. Russian IT Support

38 36 into IT The production possibility set of controlled objects shown on Figure 3 is very informative, as it gives us an idea of the comparative efficiency of objects. This efficiency, i.e. the terms better or worse, for the transformation of inputs into outputs, X Y, in the given functioning environment, is determined by the position of the point characterizing the controlled object under consideration with coordinates (X,Y) as opposed to the boundary of this set: if the point is located at the efficient boundary, e.g. the points (X1,Y1), (X2,Y2), (X3,Y3), (X4,Y4) in the Figure, the object works with a 100% efficiency; if the point is located within the set, e.g., the point (X5,Y5) in Figure 3, its distance from the efficient boundary will measure the efficiency score the larger the distance is, the worse the efficiency of the object with coordinates (X5,Y5) will be. The DEA approach allows us: to determine the quantitative measure of the object efficiency, i.e. the distance from the efficient boundary; to determine the reference set for each inefficient object, i.e. the efficient objects whose structure is the closest to it (objects (X2,Y2) and (X3,Y3) for the object (X5,Y5) in the Figure); to find the optimal directions of efficiency improvement. to determine the stability zones of an object, i.e. the areas of parameters (X,Y), where the regarded object does not change its status (either efficient or not). In Figure 3, the stability zone for object 5 will be the sphere with the centre at point (X5,Y5) tangent to the efficiency boundary; to monitor the dynamics and reveal the trends in the object development. Finally, the DEA approach allows us to design the optimal development strategies with better substantiation, both for structure units and for the Controlled Objects as a whole. In the scientific literature on DEA, the boundary set is often called the frontier. It turns out that the frontier coincides with the set of weakly Pareto-efficient points of the production possibility set, see, for example, [3]. According to the determination, a production object is weakly Pareto-efficient if it is not possible to improve all inputs and outputs simultaneously, see [4]. The use of the DEA approach for the purposes of the Accounts Chamber of the Russian Federation The Accounts Chamber has used the DEA approach to analyze the budget functioning efficiency of the Russian regions. DEA model. This model studies the level of revenues collected subject to the level of population income, commodity circulation, industry, agriculture and transport. Inputs: the volume of the industrial output plus the volume of the agricultural production plus the volume of the construction work in the region, all in million rubles per capita; the retail turnover plus the services to the population plus the wholesale turnover, all in million rubles per capita; the income of the population per capita; the transport turnover of goods in the region per capita. Outputs: revenue collected in the region, in rubles (1000s) per capita. The production volumes of key industries as well as the monetary income of the population have been chosen as the primary factors affecting the tax potential of the regions. The latter index has been used, for it is a substantial tax-forming factor in the above-mentioned regions. The resulting index was the gross income collected in the regions. All indices were used per capita, since these regions differ greatly in their size. The research covered We used data from the Federal Service of State Statistics and the Federal Tax Service accumulated in the databases of the Accounts Chamber. The statistical bases for modelling are data on Russian southern regions plus data on the Southern District as a region, in total 11 regions, each over a period of four years, the same region for different years being considered as a separate production unit. The model density is increased by this method as it allows us to use considerably more production units in constructing the frontier. In addition the data on the regions across time enable us to construct a development trajectory of each region in a multi-dimensional social and economic space. Russian IT Support

39 into IT 37 Figure 4 shows an intersection of the frontier in five-dimensional space with the two-dimensional plane for the Volgograd Region for 2000 with respect to the DEA model. In the figure, the horizontal line is determined by input vector X0 of the Volgograd Region for 2000, and the vertical line corresponds to output. The scale is such that point (X0,Y0)=(1,1) corresponds to the Volgograd Region for Line 1 is a trace of the frontier on the two-dimensional plane. Line 2 is an intersection of the frontier with the two-dimensional plane that goes through the Volgograd Region for Dots on line 3 are projections of points, associated with the Volgograd Region for the years 2000, 2001, 2002 and 2003, onto the two-dimensional plane. Line 4 is determined by dots that are projections of points associated with the Southern Federal District for the years 2001, 2002 and Lines 3-4 are trajectories of development of the above-mentioned regions. Naturally, in the course of our investigation we constructed crosssections through every production object (region). But in order to compare dynamic behaviour of different regions we projected several regional trajectories onto the same two-dimensional plane. In a similar way we compared trajectories of development in accordance with the DEA model for the Kabardino-Balkarian Republic. Figure 5 represents an intersection of the frontier in five-dimensional space with a two-dimensional plane for the Kabardino-Balkarian Republic. Lines 1 and 2 are traces of the frontier on the two-dimensional planes going through this regions for 2000 and 2001 respectively. Dots on line 3 are projections of points, associated with the Kabardino-Balkarian Republic for the years 2000, 2001, 2002 and 2003 onto the two-dimensional plane. Lines 3 and 4 are trajectories of development of this republic and the Southern Federal District, respectively. Russian IT Support

40 38 into IT In Figure 6, the horizontal line is an isocost (a line where the sum of inputs is constant) and the vertical axis corresponds to the output in the DEA model. Lines 1 and 2 are intersections of the frontier with twodimensional planes that go through the isocosts and the Volgograd Region for 2000 and 2003, respectively. Isocosts for construction are chosen in parallel in order to compare these two sections of the frontier explicitly. The scale of the isocosts is such that point (0,1) corresponds to the Volgograd Region for Line 3 is a projection of the trajectory of the Volgograd Region development onto the two-dimensional plane. The positive direction of the horizontal line corresponds to the increase of population income and the decrease of the sum of other inputs. In a similar way, we constructed the trajectory of development of the Kabardino-Balkarian Republic in the multidimensional space, Figure 7. Russian IT Support

41 into IT 39 The Pareto efficiency surface in this study reflected the actual obtainable level of the revenues collected in this group of regions with the existing development indices of the key industries and the level of the monetary income of the population. The Volgograd Region has shown a significant growth of the main development parameters during the period, as well the growth of the efficiency of the use of tax potential, as compared to the other regions of the group in question. Kabardino-Balkaria, on the contrary, along with the factual stagnation of the main production factors, has decreased the efficiency of the use of tax potential almost by one third. The growth of revenues collected in the South Federal District is quite obvious. At the same time, in contrast to the Volgograd Region where we can see a high efficiency level retention (proximity to the Pareto efficiency surface) and an essential growth of fiscal revenues, the Kabardino- Balkarian Republic is characterized by a low increase in budget system revenues, with a drop in efficiency (remoteness from the Pareto efficiency surface). To summarise we now have new tools which enable us to obtain quantitative assessments of the efficiency parameters, to visualize the outcome and to facilitate the elaboration of standards for assessing efficiency of each branch of industry. The results of this research have been submitted to the President of the Russian Federation as part of analytical documents characterizing the social and economic condition of the subjects of the Southern Federal District. Success with DEA depends on certain critical decisions, including choosing the right objects of analysis and input parameters as well as correctly interpreting the results. However, our experience proves that proper statistics can help to solve the problem of identification of the sections of efficiency functions, including the proposals on efficiency audit standards aimed at certain types of control. References 1. Banker R.D., Charnes A. and Cooper W.W. (1984). Some models for estimating technical and scale efficiency in data envelopment analysis. Mngt Sci 30: Cooper W.W., Seiford L.M. and Tone K. (2000). Data Envelopment Analysis. Kluwer Academic Publishers: Boston. 3. Krivonozhko V.E., Utkin O.B., Volodin A.V., Sablin I.A. and Patrin M.V. (2004). Construction of economic functions and calculations of marginal rates in DEA using parametric optimization methods. Journal of the Operational Research Society, Volume 55, pp Dvorkovich A.V., Krivonozhko V.E. and Utkin O.B. (2004). Modeling of Large-Scale Systems Development. Encyclopedia of Life Support Systems, 5. Krivonozhko V.E., Utkin O.B., Volodin A.V. and Sablin I.A. (2002). Interpretation of Modelling Results in Data Envelopment Analysis. Managerial Finance, Volume 28, Number 9, pp Russian IT Support

42 40 into IT CNAO hosted the 2nd International Seminar on ITAudit in Nanjing IT Audit in Nanjing

43 into IT 41 The 2nd International Seminar on IT audit sponsored by China National Audit Office was held in Nanjing from 1 to 4 September participants from 18 countries and regions attended the Seminar including Bhutan, Brazil, Canada, China, Germany, Hungary, India, Japan, Netherlands, Norway, Pakistan, Poland, Romania, Russian Federation, Sweden and UK, of which many are from the INTOSAI Standing Committee on IT Audit. Mr. Li Jinhua, Auditor General of the CNAO made a warm welcome speech at the opening ceremony and Mr.Liu Jiayi, Deputy Auditor General of the CNAO delivered his presentation named IT Audit in China: the present and prospect. The two themes of this seminar were Online Audit and Formulations of IT Audit Standards. Based on these two themes 22 country papers were presented at this Seminar covering topics on legal and regulatory requirements of online audit, data collection techniques in online audit, integrity and security of data transmission in online audit, application of data collected in online audit, operational system security audit standards, telecommunication security audit standards and access security audit standards. Seminar Participants shared the view that there is still much place in the field of IT audit where SAIs can make further research, cooperation and exchanges. During the seminar, participants also visited the Nanjing Resident Audit Office of the CNAO and Jiangsu Provincial Audit Office and they were very much impressed by what these offices have achieved in the field of IT audit. After seminar discussion participants also visited Yangzhou, a city famous for its famous cultural and historical sites. Mr. Li Jinhua gives a welcome speech IT Audit in Nanjing

44 42 into IT Wi-Fi is all the rage and wireless, a term that lay dormant for decades, has re-entered common use. But linking up computers using wireless is a rather different application to that conceived by its developer, Guglielmo Marconi. Ian Petticrew looks back to the early days of wireless and to the event that, more than any other, brought it to public attention. No man will be a sailor who has contrivance enough to get himself into jail; for being in a ship is being in a jail, with the chance of being drowned. Doctor Johnson s sagacious observation flashed through my mind as I watched the panicstricken steerage passengers portrayed in the 20th Century Fox blockbuster, Titanic, locked below decks as the great liner slowly sank. I trained for a career in the British Merchant Navy. Considering the demise that once great fleet was to suffer, it was perhaps fortunate that things didn t run quite according to plan. Nevertheless, I have retained an interest in matters nautical, so on coming in from a spot of gardening to find the family engrossed in James Cameron s epic, I naturally shed the muddy boots, and with a reviving whisky and soda in hand sat down to compare Hollywood s analysis of events with those of my former mentors. Despite the unfortunate myths that the movie perpetuates, Cameron s direction and Horner s score between them do an excellent job imparting the sense of awesome catastrophe that must have befallen Titanic s passengers and crew in the early hours of the 15th April, Although the tragic tale is well recorded, it s worth recounting the salient details. Built for the White Star line s North Atlantic service, at 46,328 tons and 882 feet overall length, Titanic was at the time the world s largest ocean liner. On 10th April 1912, she set out from Southampton on her maiden voyage to New York with 2,300 on board. Four days later, in disregard of ice warnings, the great liner was steaming at a reckless pace for the prevailing conditions and with an inadequately equipped lookout. Shortly before midnight an iceberg was sighted a short distance ahead. Despite the watch officer promptly ordering the helm hard over and the engines to be reversed, Titanic struck the berg a glancing blow sustaining grievous underwater damage to her for ard end. Her pumps and watertight compartments proved incapable of holding the sea at bay, and almost three hours later she went down, claiming some 1,500 lives. By good fortune the sea was calm and those who succeeded in getting away in the liner s woefully inadequate complement of lifeboats mainly women and children were rescued by the Cunard liner Carpathia who arrived on the scene not long afterwards. Two inquiries one American, one British failed to attribute blame were it rightly lay; there were reputations to protect, not least of which was that of British shipping. Until the dawn of this century ships great and small sailed for distant ports and, once they had passed over the horizon, were lost to the world until weeks or months later when they were again sighted on shore. Once out of sight of land those who went down to the sea in ships belonged to another world a world of stark loneliness and utter silence. Ships burned or foundered in storms with not so much as a whisper reaching land to tell their fate. The crew of a sinking or burning ship fought their battle for life, silently and alone. Wireless telegraphy with its magic powers was to wrest from the sea its ancient terror of silence and to give speech to ships which had been mute since the dawn of navigation. Karl Baarslag, SOS to the Rescue, 1935 Titanic

45 into IT 43 Guglielmo Marconi, then in his teens, read an account of the experiment. Unlike Hertz, who regarded the phenomenon as a scientific curiosity, Marconi saw the spark transmitter s commercial potential. Using his family s considerable wealth and substantial business contacts, plus his undeniable talent for scientific investigation and improvisation, Marconi set about exploiting communication without wires ( wireless ) commercially, mainly to provide something never before possible, a means of communicating with ships beyond the horizon. In 1900, Marconi formed the Marconi International Marine Communication Company to install and operate services between ships and land stations. Twelve years later his company would become inextricably linked with the Titanic. For me, one fact stands out. But for wireless, then in its infancy, all the hapless participants in this disaster might easily have perished in the North Atlantic s freezing wastes in circumstances that would remain a mystery. Indeed, the drama surrounding Titanic s distress calls, telegraphed on her primitive spark transmitter; of Carpathia s frantic dash through the ice fields in response; and of the Californian lying stationary nearby, her watch officers oblivious to the true nature of the events they were witnessing, must surely account for much of the continuing fascination and controversy surrounding this among all maritime tragedies. Wireless and the spark transmitter Everyone has heard the crackle caused by switching a light on or off near to a radio. A spark, caused by unquenched switch contacts, propagates electromagnetic radiation that the radio detects. With the addition of a modicum of tuning and an aerial (fig. 1 overleaf), the spark transmitter (fig. 2 overleaf) exploits this phenomenon. The German physicist, Heinrich Hertz, first demonstrated the existence of radio waves in He charged up a capacitor linked to a pair of metal rods placed end to end, but separated by a small air gap. When the rods received sufficiently high opposing charges to cause a spark to jump the air gap, the resulting current oscillated back and forth generating radio waves that he was able to detect over a short distance using similar circuitry. As for Hertz, he died in 1894 at the age of 36, before wireless had come of age, but his name lives on in the unit of frequency (i.e. waves per second) as hertz (Hz), kilohertz (KHz), megahertz (MHz), etc. The diode and the triode Radio s next significant development came in 1904 with the invention of the thermionic valve (fig. 3 on page 46), so called because when heated, the input electrode (cathode) gives off electrons that can be attracted to a positively charged output electrode (anode). In this condition, current flows from cathode to anode, but not in the reverse direction. This important property enabled the diode to address a difficult problem, that of detection. Radio waves captured by an aerial need to be converted from alternating to direct current in order to drive an electromechanical output device, such as a printer, headphones, or speaker. Detection had been carried out using crude electromagnetic devices that were neither particularly sensitive nor reliable. The diode offered a much-improved electronic solution. The two-electrode diode was followed in 1906 by the three-electrode triode, which would eventually lead to major strides in the development of radio and, later, digital computing. The triode was in effect a diode with the addition of a fine mesh or grid between cathode and anode to provide a means of controlling the current flowing through the valve. In principle, the grid performs the same function as a mechanical valve used to control a high-pressure flow of water through a pipe; tightening the valve restricts or stops the flow of water while loosening it has the opposite effect. In the same way, extremely faint radio waves picked up by an aerial, when fed to a triode s Titanic

46 44 into IT Figure 1: The aerial, resonance and tuning All wireless whether transmitting or receiving requires some sort of aerial (or antenna), which is an arrangement of electrical conductors optimised for wireless use. When acting as a transmitter, a wireless frequency alternating current (in Titanic s case, from a spark gap oscillator) is applied to the aerial causing it to radiate an electromagnetic field. Conversely, when placed into an electromagnetic field, the reverse applies, and the aerial produces a wireless frequency alternating current in response. In both cases the aerial s performance is optimised to a particular frequency using a property that physicists call resonance. Aerials come in all shapes and sizes depending on the frequency range in which they are to work. They range from long wires at the low frequency end of the spectrum, through whip aerials to satellite dishes for handling very high frequencies. Titanic used long wires, being fitted with a "T" type aerial comprising four vertical risers, connected at one end to the transmitter room and at the other to four horizontal wires (held apart by spreaders at each end) strung between the ship s two masts, some 200 feet above sea level. All systems have certain normal modes of vibration. Applying a periodic force will cause a system to vibrate or oscillate with a frequency proportional to the force. This type of vibration is known as forced oscillation. Normally forced oscillation is of small amplitude, but this grows very quickly as the system approaches its resonant frequency. At resonance, the amplitude of oscillations would in theory approach infinity were they not limited by friction in mechanical, and by resistance in electrical, systems. In an electrical circuit, resonance occurs at the frequency at which the circuit s inductive and capacitive components are of equal magnitude. This causes electrical energy to oscillate between the magnetic field of the inductor and the electric field of the capacitor. In a wireless receiver, this property is exploited in the aerial circuitry by tuning it to resonate at the broadcast frequency of the selected transmitter, thus separating the required signal from thousands of other unwanted signals. This is can be achieved by varying the tuning circuit s capacitance or inductance. grid, can control a strong current passing through the valve. The amplified output signal - a facsimile of the weak aerial signal fed to the grid - can then be channelled to the detector, thereby making intelligible much weaker signals than had previously been possible. Likewise, a further triode can be used to amplify the detector s output to provide an audio signal capable of driving speakers rather than headphones (fig. 4 on page 46). Of equal significance to power amplification was the discovery that by feeding back part of a triode s output signal into its grid, a technique called positive feedback, the circuit became self-regenerating. In other words, the triode became a radio frequency oscillator (i.e. a generator of radio frequency waves) 1. Hertzian spark gap oscillators of the type used in marine wireless of the Titanic era were notorious for their dirty, broadband radio frequency outputs. Like the emanations from a badly suppressed electric drill, they were rich in harmonics that wiped out large areas of the radio spectrum. The triode was to supersede the spark gap oscillator and dispense with the heavy iron-cored induction coils needed for powerful spark generation, thus making radio transmitters far more portable. Furthermore, unlike the spark gap, the triode could generate continuous clean waves at a single frequency, thus permitting communications over a single narrow channel. As we shall see, had these applications of the triode valve been exploited in the marine wireless of the time, the role of the Californian in the Titanic disaster might have been different. Alas, the means to produce a good vacuum on a commercial scale were not available in 1912, resulting in the thermionic valves of the time being short-lived, unreliable, expensive to manufacture and little used. 1 Hold a microphone near to an audio speaker and a deafening whistle will result. Such audio oscillations are caused by the microphone detecting noise from the speakers, feeding it back into the amplifier causing the noise to increase still further, and so on this is positive feedback. Titanic

47 into IT 45 Figure 2: The Spark Gap Transmitter The simplest wireless transmitter consists of a power supply and a wireless frequency oscillator. Before the valve oscillator, wireless frequency waves were generated using a spark gap. The Rhumkorff coil, used by Marconi, combined the necessary circuitry primary coil, spark coil, interrupter, and spark gap into a single unit. spark struck, causing insulation break down; to high temperatures and hence to cooling difficulties; and to wear on the electrodes. All would be a nightmare for today s health and safety inspectors! Unsurprisingly, their use is now prohibited in many countries In a Rhumkorff coil, the interrupter s contacts were wired in series with the battery and primary coil. Closing the Morse key applied power to the primary coil and the resulting magnetic field pulled the interrupter contacts apart, breaking the circuit and causing the magnetic field to collapse. The collapsing field released the contacts, which then closed, causing the entire cycle to repeat. In effect, the Morse key operated a giant electric buzzer. The interrupter s rapidly opening and closing contacts caused an equally rapid rising and falling magnetic field in the primary coil. Acting as a step-up transformer, the primary induced a sufficiently high voltage in the induction coil (i.e. the secondary coil) to cause arcing across the spark gap, which in turn generated a wireless frequency alternating current in the aerial circuit. The operator controlled the transmitter s output by turning it on and off (in Morse code) using a special telegraph key fitted with large contacts to carry the heavy current. Although spark transmitters were simple, they blotted out large areas of the radio frequency spectrum. They also gave rise to technical problems due to the very large induced voltages when the Modern warfare is noted for its technical spin-offs. Shortly before the outbreak of WW1, the French acquired a practicable means for producing an excellent vacuum and their military scientists quickly employed the technique to produce a reliable and efficient triode valve for use in military communications. Only when the war ended did large numbers of cheap and reliable valves appear on the surplus market, thus making possible the development of highly selective and sensitive radio transmitters and receivers. By the 1920 s, engineers had learned to modulate the amplitude of wireless waves, thereby allowing the transmission, not only of the on/ off Morse code used in wireless telegraphy, but of voice and music. And so entered the golden age of radio broadcasting. Keep out! Shut up, shut up! I am busy Although primitive by modern standards, Titanic s wireless equipment was the best then available. Built by the Marconi Company, her spark transmitter guaranteed a range of 250 miles under any weather conditions but could usually maintain communications over at least 400 miles. It was operated and maintained by two Marconi Company operators 2 assigned to Titanic for the voyage, their primary task being to handle the lucrative telegram traffic generated by the many wealthy and highly influential passengers on board. 2 Spark gap transmitters are the reason why wireless operators came to be nicknamed sparks. Titanic

48 46 into IT Figure 3: the diode and the triode The electrodes are enclosed in evacuated glass tubes, hence in some countries what the Brits call valves, or thermionic valves, are referred to as vacuum tubes. 21:00 (approx), 14 April Californian to Titanic: "Say, old man, we are stopped and surrounded by ice". 21:10 (approx), 14 April Titanic to Californian: Keep out! Shut up, shut up! I am busy, I am working Cape Race. 21:15 (approx), 14 April Titanic to Cape Race, Newfoundland: "Sorry, please repeat. Jammed". Figure 4: the wireless receiver The basic wireless receiver can be separated into five components: The aerial increases the surface area of conducting material available to the transmitter s electromagnetic waves to interact with. The tuner separates the required signal from the thousands that interact with the aerial. The tuner s output is then passed to the detector, where the alternating current signal is converted to direct current suitable for operating the speaker of headphones. The detector s output is then amplified in strength before being passed to a speaker or headphones. The speaker or headphones convert the amplified direct current signal into audible mechanical energy. In 1912, valve amplifiers were uncommon outside of the telephone business where they were used to amplify traffic on long-distance circuits, and would not have been used in the crude wireless equipment of the ships that communicated with Titanic. Indeed, it is on record that Titanic s two Marconi operators struggled to hear the barely perceptible unamplified signals from other ships over the fierce roar of escaping steam from her boilers (released to prevent explosions as the cold sea water rose around them). Prior to the iceberg collision, Titanic had received several wireless messages warning of ice ahead. They were not acted on. Among them was a message from the Californian, which was in Titanic s vicinity. Her sole Marconi operator had been transmitting ice warnings since the previous afternoon, and that evening had tried to warn Titanic that the Californian was stopped, surrounded by ice. But Titanic s duty operator had told the Californian to keep out as he was exchanging passenger traffic with the Marconi station at Cape Race, Newfoundland. Californian s transmission was jamming Titanic s signals. In an age before thermionic valves were widely used in marine wireless, the spark transmitter s dirty signal, coupled with the insensitivity of the magnetic detectors and crystal receivers then in use, meant that brute force power was necessary to ensure that a signal reached its intended recipient. Bandwidth as a specification for transmitters and selectivity for receivers had yet to become established design criteria. The result was that whoever hit the air first occupied most of the spectrum, thereby denying stations within close distance the ability to communicate with others. Whatever the frequency Titanic