Auditing Efficient and Safe Environments for Remote Work in the Public Sector in Georgia with IT Governance
Creating an effective and safe environment for remote work in the public sector requires clear policies, careful planning, technology and infrastructure, data security, performance measurement, and focus on productivity of employees, and public sector auditing organizations have a role to play in ensuring this environment.
With the digitization of the public sector, the dependence of organizations on information technologies (IT) has been growing at a rapid pace. This dependence results in the need for effective and efficient IT management, which is achieved by coordinated actions of the high and middle management. In particular, decisions made in IT processes at the strategic and operational levels should contribute to the achievement of the main goal of the organization, which is primarily the effective management of the business process and information security. Therefore, it is a prerequisite to have a predefined strategy, policies, procedures and action plans for effective IT governance.
Effective IT governance has become increasingly important since the onset of the COVID-19 pandemic, when public organizations shifted to remote working in response to social distancing requirements. This transition created an emergency situation for the agencies, and along with effective decisions on the part of the management, raised the need for the necessary material and technical work resources. According to best practices, having common rules and standard conditions for the performance of work in an emergency situation helps the organization to make optimal decisions.
The State Audit Office of Georgia (SAOG) studied administrative decisions taken by audited ministries in order to switch to the remote working mode, and the effectiveness of their implementation during the pandemic in Georgia. From the review, SAOG has found the following circumstances:
- Audited ministries had not developed business continuity and recovery plans that would have helped them respond to the pandemic in a timely manner. In addition, the audited entities did not have a remote work policy with minimum information security requirements. In particular, for telework, agencies should develop policies that define conditions and limitations related to telework. Having such a policy would help the audited entities better use assets and comply with information security principles when switching to remote working mode.
- In the process of transitioning to the remote working mode, many employees of the audited Georgian entities could not be provided with appropriate computer equipment by the agencies, and had to use their own devices for work purposes. In some cases, despite the provision of computer hardware, some employees still used personal devices due to low performance or outdated devices provided by the offices. In this direction, the following circumstances and conclusions have been noteworthy:
- Among the audited organizations, the Ministry of Economy and Sustainable Development of Georgia, and the Ministry of Environmental Protection and Agriculture of Georgia have not registered and classified information assets within the organization. At the National Agency of Public Registry, identification of assets in relation to the existing business processes and preparation of the corresponding register were just in progress;
- During the use of personal computer devices by the employees, the activities corresponding to the minimum information security requirements have not been carried out.
Consequently, audited entities were unable to assess the IT assets in their possession according to their need, and were unable to make optimal decisions regarding the allocation of equipment and to determine the appropriate level of security.
- During remote work, employees of the agencies needed to use external networks, which are not controlled by the IT services of the agencies and, therefore, are less protected. One of the best practices for solving this problem is to use a virtual private network (VPN). While the audited entities provided VPN services to their employees in a timely manner, some employees used the VPN only to access work-related services (for example, intranet), thus leaving them exposed to the risks stemming from unlimited access to the unprotected external network (see image 1).
Image 1: Prerequisites for the efficiency and security of the remote work environment
In order to improve the IT service continuity process, the three audited entities – the ministries of Economy, Agriculture and Registry – were issued two primary recommendations.
- First, the entities were advised to establish a management system identifying personnel with appropriate authority, qualification and competence who would be responsible for planning, implementing and responding to relevant activities for continuity of management process. As a point of departure, ministries were asked to take initial steps to develop service continuity plans that would support the continuity of critical business processes in the organization, and to carry out regular (at least annually) gap analysis in relation to the continuity of IT services to determine the current and desired state of the organization.
- Second, in order to address information security risks, ministries were advised to develop a policy or procedure to ensure timely licensing and updating of operating systems and software.
Apart from the key to success in providing an effective and safe remote work environment, it is important to balance the needs of the organization with awareness raising among the employees through regular communication, and to demonstrate a commitment to improvement. This audited case study shared by the SAOG demonstrates the importance of the essential elements of efficiency and security of the remote work environment, and lessons can be shared and learned through the international auditing community.
About the authors
Dr Nino Kereselidze, Head of International and Donor Relations Division, State Audit Office of Georgia
Mr Giorgi Kapanadze, Head of Performance Audit Department, State Audit Office of Georgia