
Page 1: INFORMATION TECHNOLOGY STRATEGY OF THE NATIONAL AUDIT … · INFORMATION TECHNOLOGY STRATEGY OF THE NATIONAL AUDIT OFFICE 2015–2020 25 November 2014 ... National Audit Office approved

APPROVED by Order No. V-204 of Auditor General of the Republic of Lithuania of 25 November 2014

NATIONAL AUDIT OFFICE OF LITHUANIA

INFORMATION TECHNOLOGY STRATEGY OF THE

NATIONAL AUDIT OFFICE 2015–2020

25 November 2014

Vilnius


Contents

1. INTRODUCTION (p. 3)
2. ANALYSIS OF THE ENVIRONMENT (p. 5)
2.1. External environment (p. 5)
2.1.1. Legal environment of information technology (p. 6)
2.1.2. Development trends in information technology (p. 7)
2.2. Internal environment (p. 9)
2.2.1. Information architecture (p. 10)
2.2.2. Information technology resources (p. 12)
2.2.3. Information technology governance maturity (p. 16)
3. SWOT analysis (p. 16)
4. IT STRATEGIC GOALS AND INDICATORS (p. 19)
5. IMPLEMENTATION, MONITORING AND ASSESSMENT (p. 22)
ANNEXES (p. 23)


1. INTRODUCTION

The National Audit Office of Lithuania (NAO), as the Supreme Audit Institution, has always paid special attention to planning its activities. The NAO planning system is based on a coherent set of planning documents of varying duration (Fig. 1), the implementation of which allows the institution to increase its business efficiency and to ensure results-oriented management.

The Public Audit Strategy (PAS) is the key long-term planning document of the NAO performance, defining the vision, mission, values, and strategic objectives of the institution for five years. Implementation and monitoring of this Strategy are carried out by developing annual reports and approving annual action plans.

In addition to the most important short-term planning documents, such as the Public Audit Programme and annual departmental plans, a Business Risk Management System has been introduced at the NAO as another element of the planning system: every year the appointed key business process owners review and assess the identified risks and plan response activities for the most significant of them. The Risk Management Plan is approved by the NAO Strategic Planning and Business Risk Management Committee. The activities provided for in all planning documents are reflected in the annual plans of the relevant structural units, whose management reports on the implementation of the plan to the Council of the National Audit Office.

[Figure 1 (diagram): the planning documents shown are the Public Audit Strategy, the Annual PAS Implementation Plan, annual departmental plans, the Risk Management Plan, the Strategic Plan, the Public Audit Programme, the IT Strategy and the IT Strategy Implementation Plan, grouped into long-term planning documents (3 years and more) and short-term planning documents (up to 3 years).]


Figure 1. Cascade of the planning documents

The NAO planning documents given in Figure 1 above cover all the most important business areas and business processes of the institution. In this respect, the NAO information technology governance is no exception. However, the existing planning documents do not address the information technology (hereinafter – IT) governance aspects in a sufficiently systematic and detailed manner and are not based on best IT governance practices.

Modern information technology is one of the key instruments that ensures the efficiency and effectiveness of private and public sector organisations. However, organisations must ensure that their information technologies are properly managed and closely linked to the organisation’s objectives and needs. Therefore, a large number of successful organisations also prepare specialised information technology strategies of different duration and action plans in addition to their general business planning documents. The implementation of such strategies and action plans makes it possible to bring IT governance in the organisation to a higher level of maturity and to map business and IT goals, which enables a more efficient use of information technology resources, improvement of service quality, and enhancement of IT security and reliability.

To improve the NAO strategic planning and business risk management and to ensure the sustainable development of its information technology and its contribution to achieving the business goals of the institution, a working group (hereinafter – the Working Group) was established by Order No. V-74 of the Auditor General of 14 April 2014 for drafting the Information Technology Strategy 2015–2020 (hereinafter – the IT Strategy). The Working Group was composed of NAO officials and civil servants representing various business areas of the institution (such as strategic planning, public auditing, administration, and information technology governance).

When drafting the IT Strategy and setting IT strategic goals, the Working Group used the standardised links between enterprise business goals and information technology goals. The work was based on the Control Objectives for Information and Related Technology (hereinafter – COBIT), a methodology and set of best practices for IT governance and management published by the Information Systems Audit and Control Association (hereinafter – ISACA). The strategic goals formulated by the Working Group were arranged according to the perspectives of the balanced scorecard given in COBIT 5.


2. ANALYSIS OF THE ENVIRONMENT

2.1. External environment

The importance and application of information technologies in Lithuania have been continually increasing.

According to Statistics Lithuania¹, at the beginning of 2012, 91 per cent of public administration institutions with a staff of 10 or more employees had a website, or a web page on a website shared by institutions from various regions of the country providing specific public services.

In 2012, the proportion of services moved to the electronic environment in Lithuania stood at 82 per cent. In Lithuania, the following e-services are already provided at the highest possible maturity level: individual income declaration, job search, issue of driving licences, reporting to the police, declaration of the place of residence, declaration of social contributions for employees, declaration of profit and value added taxes, establishment of a new company, submission of customs declarations, and execution of public procurement.

At the beginning of 2012, 98 per cent of institutions were using a broadband internet connection, more than 60 per cent had fibre-optic lines, and 44 per cent were using a mobile internet connection. The share of staff using computers at work was 83 per cent, and the share using the internet was 72 per cent.

Although most of the institutions have been providing public and administrative services in a traditional manner (by mail, telephone, or accepting visitors in the institution), electronic servicing via social networks (e.g. Facebook, MySpace) is becoming more and more popular. At the beginning of 2012, 10 per cent of institutions provided information and consultancy in social networks.

At the beginning of 2012, 75 per cent of the institutions performed electronic exchange of documents with other State and municipal authorities and agencies.

Document management (preparation, registration, scanning) systems were used by 72 per cent of the institutions, enterprise resource planning (ERP) systems by 17 per cent, and customer relationship management (CRM) systems by 3 per cent of the institutions.

The employees of 57 per cent of institutions were using a secure digital signature in sent documents; 57 per cent of institutions had remote access to the institution’s e-mail system, documents or special applications.

¹ Statistics Lithuania. Information Technology in Lithuania, ISSN 2029-3615, 2012.


To reduce their costs, many institutions use open-source software. Based on the survey data, 42 per cent of institutions were using open-source operating systems, 87 per cent an open-source browser, 53 per cent open-source office software, and 36 per cent other open-source programmes on at least some of their computers.

2.1.1. Legal environment of information technology

Before the adoption of the Law on Management of State Information Resources of the Republic of Lithuania², the main requirements for the development, management and security of state information systems were approved by resolutions of the Government of the Republic of Lithuania and were applicable to all institutions and agencies subordinate to the Government.

After the adoption of the law, the legal regulation of information resources management applied to all state institutions, state agencies, state enterprises and public institutions which establish, create and/or manage state registers, departmental registers, state information systems and other information systems and which are authorised to perform public administration.

For the National Audit Office, which is accountable to the Seimas of the Republic of Lithuania, this meant new requirements for the development and security of information systems and new internal legislation which had to be drawn up and approved by the institutions concerned.

As of 31 October 2014, the following internal legal acts implementing the requirements of the Law on Management of State Information Resources had been adopted by the NAO:

– Regulations for secure handling of business planning and monitoring information in the information system of the National Audit Office, Business continuity plan for this system, and User administration rules, approved by Order No. V-15 of the Auditor General of 24 January 2014;
– amended Regulations for data security of the information system of the National Audit Office, approved by Order No. V-19 of the Auditor General of 30 January 2014;
– amended Rules for secure handling of electronic information in the information system of the National Audit Office, approved by Order No. V-88 of the Auditor General of 8 May 2014, Business continuity management plan for the information system of the National Audit Office, and amended Rules for administration of users of the information system of the National Audit Office.

A compliance evaluation of the NAO information technology security against the established requirements was carried out in 2014 to ensure the organisation and control of implementing the requirements of the security policy documents, in accordance with the Methodology for information technology security compliance assessment approved by Order No. 1V-156 of the Minister of the Interior of the Republic of Lithuania of 6 May 2004 “On the approval of the Methodology for information technology security assessment” and the Lithuanian standard LST ISO/IEC 27001:2006 (ISO/IEC 27001:2006-11) “Information technology. Security techniques. Information security management systems. Requirements”.

² Republic of Lithuania Law on Management of State Information Resources No. XI-1807 of 15 December 2011.

The requirements laid down in the Lithuanian Law on Management of State Information Resources cover not only the development, management and security of information systems, but also strategic planning of information resources, management of information technology resources, and security assessment.

In order to strengthen the links between the business processes of the entities managing state information resources and information technologies, the law defines the important function of the authorised person for data management (data owner) and their rights and duties in planning the development of information resources, supervising development, drafting budgets of the state information system or register, and supervising compliance with legal requirements. The law provides that an authorised person for data management should be appointed for every register, state information system, or subsystem: the head of the structural unit in charge of the institution’s business function or, where no such structural unit exists, the relevant employee in charge of that function.

Even before the adoption of the above law, the National Audit Office, following good practice, set the responsibilities of business units for the data and information they manage by Order No. V-60 of the Auditor General of 3 April 2007. The procedure was revised by Order No. V-172 of the Auditor General of 14 October 2014, giving the units further rights and responsibilities.

2.1.2. Development trends in information technology

Short-term global trends in information technology are continually reviewed by various international research and analysis centres and market research groups, and such analyses are also commissioned by governments worldwide, which later publish the results. Most of them, e.g. the US company CSC with 50 years of experience and 80,000 employees around the world, predict that in 2014–2020 information technology will develop rapidly in the following directions, in addition to the usual ones:

Outside-In

Until recently, innovation, information and IT value were created internally in the organisation. However, many of today’s IT technologies and techniques, including cloud³, social networks⁴ and crowdsourcing⁵, are happening outside the organisation, and this trend has been increasing. IT managers will need to re-architect their organisations’ internal networks, making them more like the Internet. And these changes will need to be made quickly.

³ Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of computing resources (e.g. networks, servers, storage, applications, and services) that can be managed with minimal service provider interaction.
⁴ Facebook, Twitter, LinkedIn, Google+, Instagram, MySpace, etc.

BYOD shifts to BYOT

The BYOD (short for “bring your own device”) trend is just the tip of a much larger iceberg. Many employees want not only to use their personal mobile devices at work, but also to use their own applications and to connect to their personal Internet services. As a result, BYOD shifts to BYOT (“bring your own technology”). Restructuring IT security in accordance with this principle will raise a lot of concerns in the fields of security, working time accounting, and work organisation.

Multi-clouds

Multiple clouds (public clouds, private clouds, and hybrid clouds) will become increasingly commonplace, and organisations will have more than one of each. Some of these clouds will be built by internal IT departments, while others will be sourced from external third parties. This will deliver new efficiencies for organisations. But it will also create new challenges, such as how to avoid losing control over information and data in such a multi-cloud landscape. Thus new cloud management platforms will emerge, as well as organisational app stores, which will help IT managers deploy IT workloads into various clouds in a quick and safe manner.

Big data gets fast

Big data will be processed more quickly: conclusions that used to take several days to develop will be drawn in a few hours thanks to faster computation. Such rapid information processing will lead to the emergence of many new applications designed to handle large amounts of data.

The Internet of things

Computers usually process information. But in future, thanks to the rapid emergence of Internet-connected sensors and things, computers will also process physical systems and devices. What has been called the Internet of Things is already transforming automobiles, personal healthcare devices, TVs, and electrical equipment. Countless other goods will be connected to the Internet, too. Manufacturers, trying to keep up with these technologies, have been connecting more and more of their production facilities and work equipment to the Internet, which opens up new opportunities to develop and use programs for controlling such equipment and/or performing an audit.

⁵ People's suggestions.


Governments as IT leaders

Government agencies and organisations often receive a bad rap as IT backwaters. In the near future, that is going to change. For the first time in decades, governments will emerge as IT leaders. Openness is the key. Government agencies and organisations are quickly moving to open systems, open innovation, and open software. All this openness enables more efficient interaction with citizens, while citizens are provided with unlimited opportunities to contribute their ideas, insights, even code to their governments. Behind this change is a shift from excellent or perfect technology to IT that is “good enough.” For the public sector, this shift will be massive.

Given the rapid development of new information technologies around the world in recent decades, it is likely that these development trends will soon be visible in Lithuania as well.

2.2. Internal environment

The information technology governance and control system of the National Audit Office is based on the examples of good practice provided in the COBIT framework developed by ISACA, the instruments it suggests, and process-oriented management models. The key principles of the IT governance and control framework are as follows:

- Primacy of the main business of the organisation over IT-related activities;
- Process-oriented management and control model;
- IT internal control is integrated into the overall internal control system;
- Assessment of the IT management and control system.

The primacy of the main business of the organisation over IT-related activities means that IT goals are set taking into account the general objectives of the NAO performance, i.e. it is ensured that the business operator (the customer) accurately determines the needs and direction, while IT (the service provider) determines what should be done and how.

This principle is enforced by the Information Technology Management Committee of the National Audit Office (hereinafter – the IT Committee) in its activities and is also invoked in the internal legislation setting the roles and responsibilities of the Information resources management coordinator and information resources (data) owners.

The activities of the National Audit Office (in relation to IT) are described following the process-oriented management and control model, which is used to appoint process managers and to set their roles and responsibilities, process inputs and outputs. This makes it possible to use and integrate other process-based management models and techniques, such as the Business Risk Management System of the National Audit Office and the Quality Management System, which is in line with the ISO 9001 standard.


The IT internal control system is based on the overall internal control system and forms an integral part of it. This ensures the primacy of the main business of the organisation over IT-related activities, so that the general internal control instruments (policies, internal procedures, organisational structures, best practices used) are designed to be consistently applied to the IT field. For example, the Business Risk Management System of the National Audit Office, one of the components of its internal control, is consistently applied to the IT field.

The IT management and control system is subject to assessment: the National Audit Office has the relevant methodology and practice in applying it, and the assessments performed are repeatable. The IT management and control system was first assessed in 2003 with the assistance of experts from the Netherlands Court of Audit; then, in 2006, an independent assessment was carried out, which identified a number of maturity gaps in IT management that were taken into account when developing the IT Management Strategy of the National Audit Office 2007–2011.

The National Audit Office has extensive experience in assessing public sector business processes and linking them to IT processes. This experience is used not only in maturity assessments of the internal IT management and control system, but also in audits of IT management and control systems (general controls, IS development control) in the public sector.

2.2.1. Information architecture

Information architecture is the main source of information about IT responsiveness to business requirements, and provides the reliable and consistent information needed for decision-making by the management and for seamless integration of applications into business processes.

Information architecture can be seen as a layer of the broader and more complex enterprise architecture⁶, which points to its importance in integrating business and technology.

In the COBIT framework, information architecture is similarly understood as part of the broader IT architecture; it is also one of the four COBIT resources (information, applications, infrastructure and people) aligning the enterprise’s business and technology (Fig. 2).

⁶ Enterprise architecture is defined as the business logic and practice that deals with the enterprise’s business using information and other resources in order to increase the maturity of the enterprise, integrating its strategy, business and technology. EABOK – Enterprise Architecture Body of Knowledge, © 2014 The MITRE Corporation. http://www2.mitre.org/public/eabok/planning_an_ea/purpose.html


Figure 2. Enterprise architecture for IT, source – COBIT 4.1, © 2007 ISACA, p. 11

Requirements for the information architecture are determined by COBIT 4.1 process PO2. Achieving the PO2 goals requires establishing and enhancing the data administration function assigned to the business, using standardised and documented methods, procedures and tools, as well as staff training.

An important aspect of aligning business and information technology, enforced in the Lithuanian Law on Management of State Information Resources, is the function of the authorised person for data management (data owner) and the duties and responsibilities the law establishes for this person.

The internal IT legislation is debated and agreed at the IT Management Committee, taking into account the requirements of the law and applicable COBIT best practices, and then approved by orders of the Auditor General.

The appropriate positioning of information architecture ensures a well-balanced use of information resources, aligning them with the business strategy in a highly flexible manner, strengthening accountability for data integrity and security, and enhancing the efficiency and control of data exchange between different systems.

In order to ensure the confidentiality, integrity and availability of the National Audit Office data and the active participation of its structural units in decision-making on NAO information management, on 3 April 2007 the Auditor General issued Order No. V-60 “On the responsibility of the units for the processing of their data and information” (as amended by Order No. V-172 of 14 October 2014), thus enhancing the role of the structural units in the information management process.

PO2 goals:

• Establish an enterprise data model
• Reduce data redundancy
• Support effective information management


To create an environment in which all information resources, without exception, are given adequate attention so that the right decisions are made on their development, design, maintenance, and security, the National Audit Office should classify all the data it manages and processes according to its importance and define data integrity and consistency principles.

2.2.2. Information technology resources

The links between the NAO business requirements, information technology processes, and information technology resources are best illustrated by the COBIT cube⁷, in which the enterprise’s IT resources are managed by IT processes to achieve IT goals consistent with the business requirements (Fig. 3).

Figure 3. COBIT cube

Information technology resources are defined as the whole of people, information, infrastructure, and applications. To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in, manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information.⁸

The importance of IT resources is also emphasised in COBIT 5, where people, information, applications, and infrastructure are defined as three of the seven enablers that have to be managed in a holistic way (i.e. taking into account their interdependence).

Applications

The applications of the National Audit Office include the components of the information systems ViPSIS and VKIS managed by the NAO, which are interconnected to varying degrees and automatically exchange their data (TeamMate, KOPA, KONTORA, STEKAS, ARAP, the Internet and intranet pages of the NAO, electronic mail), and individual specialised or standard office applications that are not interconnected into the systems. A diagram of the software components is given in Annex 1.

⁷ COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, © 2007 ISACA, Fig. 22 COBIT cube, p. 25.
⁸ COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, © 2007 ISACA, p. 10.

The main components of the NAO information systems ViPSIS and VKIS are installed in the virtual environment. All workplaces have the Microsoft Office 2007 suite of applications and the client components of the business planning and monitoring system ViPSIS. Specialised workplaces run additional software development and multimedia editing programs developed by Microsoft, Corel, Adobe, etc., which are used for various NAO information system development and modernisation tasks.

Over the last ten years, the degree of integration of the NAO information system has changed from heavily centralised and closed (VAKIS) to more flexible, consisting of separate modules connected in a semi-open way (ViPSIS and VKIS).

In view of the global trends in the development of information systems, it is proposed to maintain the openness of the NAO information system modules which are being created or upgraded, the simplicity of the links between them, and the assurance of standard interfaces. Such an approach would not only be consistent with the architecture principles applicable to information resources, but would also reduce the risk of purchasing a singular, closed and non-standard information system, the development and maintenance of which would be more expensive than that of comparable systems due to the lack of competition among service providers.

The modernisation of the information system should follow the “Buy vs. Build” principle⁹, and the acquisition of the source code should be ensured when purchasing system modules or the service of their development in the cases provided for by law.

Information

The information of the National Audit Office means the whole of the electronic and paper documents received, created, used by and stored in the institution. Paper documents are stored in workplaces and in the NAO archive. Electronic documents, depending on their type and purpose, are stored both on servers and in computerised workplaces. In workplaces, data is stored both in standard Microsoft Office formats and in specific formats typical of the various NAO subsystems. The prevailing data formats in computerised workplaces are standard ones.

The data stored on servers is copied to backup servers on a regular basis. The staff can independently copy important documents to the backup servers from their computerised workplaces.

⁹ COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, © 2012 ISACA, p. 85.


The largest share (up to 80 per cent) of all electronic data is stored in the NAO information systems VKIS and ViPSIS. The amount of net unduplicated electronic data in the National Audit Office is about 1 TB. The disk space occupied by data warehouses, servers, and workstations that is needed for handling this electronic data and storing its backups is approximately 4 TB.

Infrastructure

Infrastructure is composed of the technology and equipment within which applications run. The NAO information technology hardware encompasses servers, electronic data warehouses, computerised workplaces, and printers. A diagram of the hardware is given in Annex 2.

Servers and electronic data warehouses are built on Hewlett-Packard technology. The main servers are connected into clusters, which ensures business continuity in the event of equipment failure. The computerised workplaces of the administration are equipped with desktop computers; auditors use portable computers. For convenience, the portable computers have external keyboards and monitors. Working documents are printed by multifunction printing devices and conventional printers connected to the common computer network of the National Audit Office.

The servers run a Hyper-V virtual environment on Microsoft Windows Server 2008 R2. The electronic data warehouses are hard drive arrays built with RAID-5 technology, which protects the stored data against the failure of a single drive in the array. The servers also host IT infrastructure components such as Active Directory, print management services, shared disk areas of departments, divisions and staff members, and the control programs for the video surveillance cameras covering the premises. These components are available to authorised NAO staff from their computerised workplaces via web browsers and through specially tailored programmes.

Standard computerised workplaces use Microsoft Windows Vista and Microsoft Windows 7

operating systems. All workplaces have Microsoft Internet Explorer and Mozilla Firefox browsers.

The National Audit Office started using different information systems after abandoning technical support for the audit documentation subsystem TeamMate. This hinders the smooth operation of the information systems and creates an additional administrative burden on the Information Technology Division. The final transition to the new information system ViPSIS in 2015 will allow harmonising the operating system versions installed in the computerised workplaces. Two alternatives are to be considered: to purchase licences for separate operating systems along with the computers, as is done now, or to purchase a corporate licence with an upgrade option.

Servers and data warehouses are in good technical condition, which should remain so for another 3-4 years. As technical resources become scarcer, the use of cloud computing could be considered as an alternative to the procurement of new, expensive servers and warehouses. The situation is worse in computerised workplaces: compared with the 1-2 year old computers used in the administrative units, auditors are working with 4-5 year old devices that regularly crash and prevent the timely completion of their tasks. To manage the risk of technological failure in computerised workplaces, funds should be allocated for replacing at least one fifth of the computers with new ones.

The NAO electronic communications equipment is a set of hardware and software consisting of

wired and wireless computer network elements and applications for ensuring the interoperability

of the elements. The communications equipment diagram is given in Annex 2.

The National Audit Office uses a territorially distributed 100 Mbit/Gbit Ethernet (TCP/IP) network whose Vilnius, Kaunas, Klaipėda, and Panevėžys segments are connected into a common scheme using the secure public data network service provided by the state enterprise Infostruktūra. The territorial computer network of the Training Centre of the National Audit Office located in Giruliai uses the public network access service provided by TEO. Computerised workplaces are connected to the NAO computer network by Category 5 Ethernet cabling, using HP third-generation network switches. Where necessary, consumer-grade wireless network equipment is used for connecting the portable computers, tablets and smartphones of the NAO staff and visitors to the network.

The wired segments and network connections of the computer network in the old building of the National Audit Office are worn out, and their replacement would be very expensive. An alternative under consideration is to install a wireless computer network at the National Audit Office. When working at auditees, auditors use their portable computers to connect to the NAO computer network through the auditee's infrastructure, which carries the risk of breaching the network security requirements of the auditee or those of the National Audit Office. Another option would be to purchase a mobile Internet connection service or a virtual private network service for all or some of the auditors (audit team leaders).

People

According to data for the first half of 2014, there were 401.5 positions at the NAO, 6 of them in the Information Technology (IT) Division of the General Affairs Department. The positions at the IT Division comprise the head and five chief specialists: a system administrator, a hardware administrator, two system designers, and a specialist performing various assignments delegated to the division (such as public procurement, documentation, technical assistance and staff consulting). In addition to their main functions, all employees of the IT Division advise the NAO staff on information technology issues and, within their competence, participate in the NAO committees, commissions, and working groups.

The IT Division staff have been working at the National Audit Office for between 5 and 20 years, so the specialists are very familiar with the institution's main activities, information systems and technology development. They have completed the basic courses on the use of the software and hardware related to their daily activities and hold the relevant certificates; however, the rapid development of information technology and the scarce funding for training increase the risk that the IT staff's skills will lag behind the market average for specialists in this field, which may negatively affect all information technology-related business processes of the National Audit Office. In order to maintain current qualifications and to gain the new skills that are needed, specialised IT training should be provided for, seeking EU funding for this purpose.

2.2.3. Information technology governance maturity

Legislative requirements, although continually improved, are designed to ensure only a minimal level of information technology governance maturity. In order to achieve higher maturity levels, an analysis of the best IT governance practices is required, selecting only those parts that can be tailored to the needs of the National Audit Office in the most efficient (fastest and least expensive) way.

To reach a higher IT governance maturity level, the National Audit Office goes beyond mere compliance with legal requirements and uses the best practices recommended by COBIT together with their analysis and application methods.

Assessment of the IT management and control system is carried out using the Capability Maturity Model described in COBIT 4.1 [10] and following the self-assessment methodology prepared by the project “Information Technology Self-Assessment in Supreme Audit Institutions” managed by the EUROSAI IT Working Group [11].

The maturity assessment carried out in 2006 gave an average maturity of 1.21 for the COBIT 4.1 processes selected for the assessment [12]. A review of the same processes carried out in 2014, taking into account the maturity improvement measures implemented over the period 2007-2014, showed a better result [13] (1.50).

3. SWOT analysis

The NAO IT governance strengths and weaknesses, opportunities and threats were identified

taking into account results of the analysis given in Chapter 3 of this document. The IT governance

risks are provided in the NAO Risk Management Report 2013.

Strengths

- Skilled IT staff with many years of experience in the NAO information systems;

- Modern data processing and storage equipment – the main servers and data warehouses

were purchased two years ago;

- Secure and fast computer network based on optical communications technology and the cyber security service provided by the state enterprise Infostruktūra, which ensures modern communications with the NAO units situated in other towns as well as with other institutions;

- Mainstream IT technologies are used in the NAO servers and data warehouses, such as Microsoft Server, Microsoft SQL Server and Hyper-V virtualisation;

- Quick communication – the Intranet and Internet sites of the NAO were developed and have been maintained and continually updated by the NAO staff, and video conferencing is available with the NAO units situated in other towns as well as with other institutions;

- Modern audit data, document and audit process management system – ViPSIS is flexibly integrated with the other subsystems.

10 COBIT 4.1: Framework, Control Objectives. Management Guidelines. Maturity Models, © 2007 ISACA, p. 17-21 and 175.

11 More about the project: http://www.eurosai-it.org/documents/activities/flyer_it.pdf

12 The processes assessed in 2006: PO1, PO2, PO8, PO10, AI1, AI4, AI5, DS1, DS4, DS11, ME1.

13 COBIT 4.1: Framework, Control Objectives. Management Guidelines. Maturity Models, © 2007 ISACA, p. 10.

Weaknesses

- Failure to develop IT planning documents in a systematic and comprehensive manner;

- Lack of methodical and practical experience in IT project management;

- Outdated hardware and software in workplaces;

- Obsolete internal computer network components – cables and connectors;

- Insufficient regulation of the services – type and quality of services and feedback –

provided by the IT staff to other NAO employees;

- Lack of communication between the IT staff and the employees of the NAO structural units when addressing information technology problems;

- IT staff professional development is lagging behind the rapid technological change, there is

a lack of training;

- The computer literacy of the NAO staff should be improved.

Opportunities

- Wireless internal computer networks;

- Improving computer equipment at relatively decreasing costs;

- Cloud computing – the number of companies providing these services is going up, and their

prices are going down;

- Rental software solution with upgrades is used for the main servers and computerised

workplaces of the National Audit Office, which enables upgrading the software more often

and thus spending less working time for public procurement as well as simplifying the

budget planning for the procurement;


- Mobile encrypted Internet connection, which provides the NAO staff secure access to the

computer network of the institution from other workplaces (at auditees, on business trips,

at home);

- Decreasing software costs make it possible to ensure secure access to the NAO computer network when employees bring their own devices (BYOD procedure);

- IT staff training;

- Access to funds of the financial perspective 2014 to 2020.

Threats

- The growing number of cyber threats all over the world increases the risk of damage to the

NAO information systems – unauthorised access to, alteration and destruction of

important and/or sensitive data;

- The risk of insufficient IT financing of budgetary institutions, depending on and related to

the economic situation of the state;

- Frequent amendments of the legal requirements for government bodies, organisations and

agencies, delayed drafting of legislation;

- Brain drain of skilled IT staff;

- Potential significant enlargement of the functions of the National Audit Office that will

have an impact on IT.


4. IT STRATEGIC GOALS AND INDICATORS

In determining the IT strategic goals, the Working Group used the analysis carried out in Chapters

2 and 3 of the IT strategy and standardised links between the institution's performance goals and

information technology goals described in well-known ISACA methodologies and

recommendations.

The NAO strategic goals for information technology, expressed in terms of the balanced scorecard (BSC) [14], are listed below.

Respective indicators were used to assess the level of achievement of NAO IT strategic goals. The

current values of these indicators are given in Annex 3.

1. SUSTAINABLE DEVELOPMENT OF INFORMATION TECHNOLOGY

This strategic goal requires maximum involvement of the management of the institution, all

process managers, and IT staff, as well as coordination of actions. The goal focuses on long-term IT

development and projects with strategic or economic importance for the NAO performance (e.g.

installation of new IT systems or improvement of the existing ones, cloud technologies, computer

equipment rental services). To achieve this goal, we will seek innovative solutions and investment

based on the best cost-benefit ratio for the institution.

Indicators

All IT strategic goals of the National Audit Office are aligned with the NAO business goals laid down in

the Public Audit Strategy.

Every year the IT performance of the National Audit Office is discussed in at least four meetings of the

Information Technology Management Committee.

14 A detailed description of the method for setting NAO IT strategic goals using the COBIT goals cascade is given in Annex 4.

The average amount of funds allocated for IT resources during the last three years [15] shall not exceed 4 per cent of the NAO budget.

2. IT SERVICES THAT SATISFY CUSTOMER NEEDS

We will prioritise the IT services provided to the customers and see to it that they are provided on

time and in good quality. We will continually assess the quality of our IT services and seek to

ensure that they meet the needs of IT users. We will introduce the IT services that are relevant to

and needed by the customers, taking into account the developments in information technology

and the needs of IT users.

Indicators

95 per cent of the services are provided under fixed service level agreements (SLA, OLA).

80 per cent of the computer equipment is not older than five years.

Customer evaluation of the IT services is scored 7 (out of 10).

3. IT GOVERNANCE IN LINE WITH BEST PRACTICES

We will ensure that IT services are provided continuously and that potential interruptions are

insignificant to the NAO performance. We will ensure the confidentiality and security of electronic

information in accordance with relevant legislation, ISO 27000 requirements, and best practices

recommended by COBIT and other methodologies. In improving the IT governance and IT service

management, we will follow ISO 38500 and ISO 20000 requirements and the models and best

practices recommended in the Open Group Architecture Framework (TOGAF), COBIT, and

Information Technology Infrastructure Library (ITIL).

Indicators

The implementation of the strategy will result in the achievement of maturity level 3 (according to COBIT

CMM model) in five main (out of 11) selected processes and maturity level 2 in other six main (out of 11)

selected processes.

The annual accessibility of the information system should be at least 90 per cent during business hours on

weekdays (for third category information systems).

4. HIGH DEGREE OF EMPLOYEE EXPERTISE IN IT

With the rapid development of information technology, it is very important to ensure that the knowledge and competence of the IT staff are sufficient for the efficient management of the NAO information technology and services, and for their innovation and optimisation. Therefore, adequate resources should be allocated for specialised IT training of the IT staff. An equally important factor is training the IT skills and computer literacy of IT users. The NAO staff should be continually introduced to IT innovations.

15 IT staff salaries, expenses for purchasing IT services and assets.

Indicators

Continual improvement of the IT staff qualification, with 10 academic hours of specialised training in IT

per employee per year on average.

Continual improvement of the NAO staff qualification, with 3 academic hours of training in IT user skills

or computer literacy per employee per year on average.

Continual improvement of the qualification of the NAO staff whose activities are related to the

management of IT processes and IT resources at the National Audit Office, with 4 academic hours of

specialised training in IT per employee per year on average.


5. IMPLEMENTATION, MONITORING AND ASSESSMENT

The IT Strategy is implemented by developing and executing annual IT Strategy implementation

action plans, which establish activities for reaching desired goals, and achieving expected results,

performance measures, deadlines, and responsibilities.

Annual IT Strategy implementation action plans are developed by the IT Division and submitted to

the IT Management Committee for consideration. If approved, the plans are adopted by order of

the Auditor General.

The IT Strategy implementation is monitored using ViPSIS, and the implementation of the action plan is discussed in IT Management Committee meetings at least twice a year.

The IT Division prepares an annual report on the implementation of the IT Strategy implementation action plan, which is submitted to the IT Management Committee at the end of the year (usually the report is presented together with the plan for the next year).

The maturity assessment of the eleven most important COBIT 4.1 processes selected using the method described in Annex 4, namely PO1, PO2, PO8, PO10, AI1, AI4, AI5, DS1, DS4, DS11 and ME1 (other processes are assessed as well if needed), is carried out three times until 2020. The list of implementation measures may be revised after each assessment.

The maturity of the important COBIT processes PO1, PO2, PO8, PO10, AI1, AI4, AI5, DS1, DS4, DS11 and ME1 to be achieved by 2020 should be as follows:

- the maturity score for 5 processes (out of 11) is 3;

- the maturity score for 6 processes (out of 11) is 2.

Auditor General Giedrė Švedienė

_________________________________________

The Information Technology Strategy of the National Audit Office 2015–2020 was prepared by Deputy

Auditor General Arūnas Keraminas, Director of the Information Systems and Infrastructure Audit

Department Dainius Jakimavičius, Director of the Audit Development Department Mindaugas Macijauskas,

Director of the General Affairs Department Žydra Bartkevičienė and Deputy Director Selvina Buragaitė,

Head of the Information Technology Division Arturas Sadauskas and Chief Specialist Genovaitė Gasiūnienė.


ANNEXES

Information Technology Strategy of the National Audit Office 2015–2020 Annex 1

Structural scheme of information systems of NAOL


Information Technology Strategy of the National Audit Office 2015–2020 Annex 2

Scheme of computer network of NAOL


Information Technology Strategy of the National Audit Office 2015–2020 Annex 3

Current values of the IT strategic goals implementation indicators

Columns of the table: Goals and indicators; Current value/explanation of the indicator; First assessment; Assessment frequency; Notes.

1. Sustainable development of information technology

1.1. All IT strategic goals of the National Audit Office are aligned with the business goals set out in the Public Audit Strategy.
Current value/explanation: The indicator has not been assessed.
First assessment: 2014.
Assessment frequency: Assessment is carried out in the case of the alteration of the strategic goals of public audit.
Notes: Link with Indicator 1.2: IT strategic goals are reviewed at the Information Technology Management Committee. In case the strategic goals of public audit have been altered, new IT strategic goals have to be set within 3 months.

1.2. Every year the NAO IT performance is discussed in at least four Information Technology Management Committee meetings.
Current value/explanation: Pursuant to the Regulations of the Information Technology Management Committee, the assessment of the IT performance is supposed to be carried out at least twice a year. Over the period 2012–2014, the NAO IT performance was discussed 3–5 times a year.
First assessment: 2015.
Assessment frequency: Assessment is carried out four times a year.
Notes: The assessment of the indicator is related to the activity of the Committee and monitoring of the implementation of the IT strategic goals. Link with Indicator 1.1: The monitoring function carried out by the Information Technology Management Committee ensures the alignment of the strategic goals of public audit and IT strategic goals.

1.3. The average amount of funds allocated for IT resources during the last three years should not exceed 4 per cent of the NAO budget.
Current value/explanation: The indicator has not been assessed. The average amount of funds allocated for IT resources over the period 2011–2013 totalled 3.8 per cent of the NAO budget (the average amount of funds allocated for IT resources over three years was LTL 935,145 [EUR 270,837]).
First assessment: 2014.
Assessment frequency: Every year.
Notes: IT resources include IT staff salaries, expenses for purchasing IT services and assets, excluding the costs of training. Link with Indicator 2.2.

2. IT services that satisfy customer needs

2.1. 95 per cent of the services are provided under fixed service level agreements (SLA, OLA).
Current value/explanation: The indicator has not been assessed.
First assessment: 1st quarter 2015.
Assessment frequency: Every year.
Notes: Following the IT infrastructure management principles (ITIL), which are based on best management practices and oriented towards work optimisation and quality assurance in the field of IT, IT Process Management Rules will be developed and approved at the National Audit Office in order to regulate the IT process management, the scope and techniques of the provision of IT services to the NAO structural units, and cooperation between the IT Division of the General Affairs Department of the NAO and the structural units of the NAO in the field of IT. The Rules will include the following components of the IT process: incident and request management; problem management; configuration management; service level management; change management. The Rules will define the services to be provided by the IT Division, so it will be possible to assess this indicator and Indicator 2.3.

2.2. 80 per cent of the computer equipment is not older than five years.
Current value/explanation: In 2014, 70 per cent of the computer equipment used in the NAO was older than five years.
First assessment: 2 January 2015.
Assessment frequency: Every year.
Notes: The indicator is measured by estimating the time of use of the portable and desktop computers in all computerised workplaces of the National Audit Office. The assessment is carried out annually, when planning next year’s procurement.

2.3. Customer evaluation of the IT services is scored 7 (out of 10).
Current value/explanation: The indicator has not been assessed.
First assessment: 2nd quarter 2015.
Assessment frequency: Every year.
Notes: The indicator will be measured by conducting user surveys provided for in the IT Process Management Rules (see the explanation of Indicator 2.1 above).

3. IT governance in line with best practices

3.1. The implementation of the IT Strategy will result in the achievement of maturity level 3 (according to COBIT CMM) in five main (out of 11) selected processes and maturity level 2 in the other six main (out of 11) selected processes.
Current value/explanation: The indicator was assessed over 2003–2006. The scores given to the selected processes in 2006 were as follows: the maturity score for 1 process (out of 9) was 3; the maturity score for 2 processes (out of 9) was 2; the maturity score for 6 processes (out of 9) was 1 on average.
First assessment: 2003.
Assessment frequency: Until 2020, maturity assessment will be carried out three times, every two years.
Notes: Link with Indicator 1.2: The interim results of the process maturity assessment are discussed at the Information Technology Management Committee and used for revising the measures provided in the IT Strategy implementation action plan, including an external process maturity assessment to be conducted in March 2015 together with experts from the Swiss Federal Audit Office.

3.2. The annual accessibility of the information system should be at least 90 per cent during business hours on weekdays (for third category information systems).
Current value/explanation: The indicator has not been assessed.
First assessment: 4 January 2016.
Assessment frequency: Every year.
Notes: The electronic logbook of requests, incidents and problems filled in at the Information Technology Division of the General Affairs Department will allow identifying the downtime of the NAO information system. The information system is regarded as inaccessible when a user (or users) of the information system is not able to use at least one of the structural parts of the information system specified in Annex 1 due to technological reasons that do not depend on the computerised workplace.

4. High degree of employee expertise in IT

4.1. Continual improvement of the IT staff qualification, with 10 academic hours of specialised training in IT per employee per year on average.
Current value/explanation: The number of academic hours of specialised training in IT per one employee of the IT Division over 2011–2013 was 7 hours.
First assessment: 2014.
Assessment frequency: Every year.
Notes: Specialised training in the IT field for the IT staff.

4.2. Continual improvement of the NAO staff qualification, with 3 academic hours of training in IT user skills or computer literacy per employee per year on average.
Current value/explanation: The number of academic hours of training in IT user skills or computer literacy per one employee of the IT Division over 2012–2014 was 1 hour.
First assessment: 2014.
Assessment frequency: Every year.
Notes: All staff of the National Audit Office.

4.3. Continual improvement of the qualification of the NAO staff whose activities are related to the management of IT processes and IT resources at the National Audit Office, with 4 academic hours of specialised training in IT per employee per year on average.
Current value/explanation: The indicator has not been assessed.
First assessment: 2016.
Assessment frequency: Every year.
Notes: Link with Indicator 1.2: Specialised training is intended for IT resource managers, IT Management Committee members, and other employees whose functions are related to the management of IT processes and IT resources at the National Audit Office.
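The measurement rule of Indicator 3.2 (downtime counted only during business hours on weekdays, only for outages of a structural part of the information system caused by technological reasons independent of the workplace, with simultaneous outages counted once) can be computed directly from the electronic logbook. The following is an added example, not part of the Strategy or of the NAO's own tooling; the logbook line format, the business hours of 08:00–17:00, the component names and the cause labels are assumptions.

```python
"""Accessibility of the NAO information system computed from an incident logbook.

Added example (not the NAO's code): implements the measurement rule of
Indicator 3.2 in Annex 3. The 'start;end;component;cause' line format, the
08:00-17:00 business day and the cause labels are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

BUSINESS_START = time(8, 0)   # assumed start of the business day
BUSINESS_END = time(17, 0)    # assumed end of the business day
TARGET = 0.90                 # Indicator 3.2: at least 90 per cent accessibility


@dataclass(frozen=True)
class Incident:
    start: datetime
    end: datetime
    component: str  # structural part of the information system (Annex 1)
    cause: str      # "technological" counts as downtime; "workplace" does not


def parse_logbook(lines):
    """Parse constructed logbook lines 'start;end;component;cause' (ISO 8601)."""
    incidents = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank and comment lines
        start, end, component, cause = (f.strip() for f in line.split(";"))
        incidents.append(Incident(datetime.fromisoformat(start),
                                  datetime.fromisoformat(end), component, cause))
    return incidents


def business_seconds(start, end):
    """Seconds of weekday business time (08:00-17:00) inside [start, end)."""
    total = 0.0
    day = start.date()
    while day <= end.date():
        if day.weekday() < 5:  # Monday..Friday only; weekends never count
            lo = max(start, datetime.combine(day, BUSINESS_START))
            hi = min(end, datetime.combine(day, BUSINESS_END))
            if hi > lo:
                total += (hi - lo).total_seconds()
        day += timedelta(days=1)
    return total


def merge_intervals(intervals):
    """Merge overlapping outages so two components failing at once count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def assess_accessibility(incidents, period_start, period_end):
    """Return (accessibility fraction, downtime seconds, target met) for the period."""
    outages = [(i.start, i.end) for i in incidents if i.cause == "technological"]
    downtime = 0.0
    for start, end in merge_intervals(outages):
        lo, hi = max(start, period_start), min(end, period_end)  # clip to period
        if hi > lo:
            downtime += business_seconds(lo, hi)
    total = business_seconds(period_start, period_end)
    accessibility = 1.0 - downtime / total
    return accessibility, downtime, accessibility >= TARGET


# Constructed one-week logbook; VKIS and ViPSIS are the IS names used in the Strategy.
SAMPLE_LOGBOOK = """
# start;end;component;cause
2015-03-02T09:00:00;2015-03-02T11:00:00;ViPSIS;technological
2015-03-02T10:00:00;2015-03-02T12:00:00;VKIS;technological
2015-03-03T16:00:00;2015-03-03T19:00:00;e-mail;technological
2015-03-04T09:30:00;2015-03-04T10:30:00;ViPSIS;workplace
2015-03-05T16:30:00;2015-03-06T08:30:00;VKIS;technological
2015-03-07T10:00:00;2015-03-07T12:00:00;ViPSIS;technological
""".strip().splitlines()

PERIOD_START = datetime(2015, 3, 2)  # Monday 00:00
PERIOD_END = datetime(2015, 3, 9)    # following Monday 00:00 (45 business hours)


def run_sample():
    """Assess the constructed logbook: 5 h of qualifying downtime out of 45 h."""
    return assess_accessibility(parse_logbook(SAMPLE_LOGBOOK), PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    acc, down, ok = run_sample()
    print(f"downtime {down / 3600:.1f} h, accessibility {acc:.1%}, target met: {ok}")
```

The overlapping Monday outages merge into 3 hours, the Tuesday evening outage contributes only its one business hour, the overnight Thursday outage contributes half an hour on each side, and the workplace-caused and Saturday entries contribute nothing, giving 88.9 per cent, below the 90 per cent target.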


Information Technology Strategy of the National Audit Office 2015–2020 Annex 4

Method for setting strategic goals for the information technology of the National Audit Office

This annex contains information on how strategic goals are set for the information technology of

the National Audit Office, when the key business goals are in place.

The links between the NAO business goals, IT goals and COBIT processes were established and specified on the basis of the ISACA research of public sector business goals and information technology goals [16], the links between business goals and information technology goals provided in COBIT 4.1 [17], the links between business processes and COBIT processes identified during the project “Information Technology Self-Assessment in Supreme Audit Institutions” implemented by the EUROSAI IT Working Group [18], and the links between business processes and COBIT processes identified by the National Audit Office during IT audits in Lithuanian public sector institutions and offices.

Establishing links between business and IT goals involves not only the standard goals cascade used in COBIT 5 (17 standard business goals of the enterprise are linked to 17 standard IT-related goals), but also the more accurate links obtained from the public sector research [19]. More accurate methods than those used in the COBIT 5 goals cascade allow determining which IT goals are more important – this is achieved by measuring the strength of the links between business goals and the respective IT goals.

1. Setting standard goals for the NAO IT in line with standard business goals

The following strategic objectives are set out in the Public Audit Strategy:

- Improvement of public audit process

- Dissemination of public audit results

- Development of communication and cooperation

- Quality improvement of public audits

- Optimisation of NAO business processes

- Enhancement of professional expertise

- Development of international cooperation

16 Understanding How Business Goals Drive IT Goals. Executive Briefing, © 2008 ISACA, ITGI

17 COBIT 4.1: Framework, Control Objectives. Management Guidelines. Maturity Models, © 2007 ISACA, p. 169.

18 More about the project: http://www.eurosai-it.org/documents/activities/flyer_it.pdf

19 Understanding How Business Goals Drive IT Goals. Executive Briefing, © 2008 ISACA, ITGI


The most important standard NAO IT goals in line with the performance objectives specified in the Public Audit Strategy and defined in the four BSC (balanced scorecard) perspectives are obtained by expressing the strategic objectives (business goals) provided in the Public Audit Strategy in terms of the public sector business goals and information technology goals [20]:

BSC perspectives The most important NAO IT goals (in brackets – standard COBIT 5

IT goal) Importance

Financial perspective

1. Align the IT strategy with the business strategy (01) 24

5. Drive commitment and support of executive management (03) 12

6. Improve the IT’s cost-efficiency (05) 10

Customer perspective

2. Provide service offerings and service levels in line with business requirements (07)

21

Internal business processes

perspective 3. Make sure that IT services are reliable and secure (10) 13

Learning and growth perspective

4. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation (17)

13

7. Acquire, develop and maintain IT skills that respond to the IT strategy

10

Table 1. The most important standard NAO IT goals in line with the NAO performance objectives set out in the Public Audit Strategy

The column “Importance” shows how strongly the information technology goals are linked to the key strategic objectives (business goals) of the National Audit Office identified in the Public Audit Strategy.

2. Link between the NAO strategic objectives and standard IT goals

The correspondence of the four NAO IT goals to the standard IT goals (described in COBIT 5) is as follows:

SUSTAINABLE DEVELOPMENT OF INFORMATION TECHNOLOGY:

- Align the IT strategy with the business strategy (01)

- Drive commitment and support of executive management (03)

- Improve the IT’s cost-efficiency (05)

IT SERVICES THAT SATISFY CUSTOMER NEEDS:

- Provide service offerings and set service levels in line with business requirements (07)

IT SERVICES IN LINE WITH BEST PRACTICES:

- Make sure that IT services are reliable and secure (10)

[20] Understanding How Business Goals Drive IT Goals. Executive Briefing, © 2008 ISACA, ITGI

HIGH DEGREE OF EXPERTISE IN IT:

- Acquire knowledge and expertise in emerging technologies for business innovation and optimisation (17)

- Acquire, develop and maintain IT skills that respond to the IT strategy (COBIT 4.1 IT goal (09); although this IT goal is not present in COBIT 5, it is taken into account when identifying related IT processes)

3. Identification and maturity of COBIT 4.1 processes related to standard NAO IT goals (or strategic IT goals)

Using the standard COBIT 5 goals cascade, the identified IT goals are linked to COBIT 5 processes, followed by the selection of the key COBIT 5 processes which are rated above 15 (a primary link “P” between an IT goal and a COBIT 5 process is scored 5, a secondary link “S” is scored 2). As a result, seven COBIT 5 processes are identified:

| COBIT 5 process | EDM01 | EDM02 | APO01 | APO02 | APO07 | APO08 | BAI02 |
|---|---|---|---|---|---|---|---|
| Rating | 19 (22) | 17 (24.5) | 16 (18.5) | 17 (21.5) | 16 (18.5) | 17 (21.5) | 16 (19) |

Here, the first rating value indicates the strength of the link between the relevant COBIT 5 process and the five most important IT goals (their importance ranges from 12 to 24 in Table 1), and the second value (in brackets) shows the strength of the link with all seven IT goals, i.e. the two least important goals (their importance is scored 10 in Table 1) are additionally taken into account.

Similarly, using the table on the relation of IT goals to COBIT 4.1 processes [21], the COBIT 4.1 processes are obtained where the strength of the links with the identified IT goals scores above 7:

| COBIT 4.1 process | PO1 | PO4 | PO10 | DS1 | ME1 | PO7 | AI5 |
|---|---|---|---|---|---|---|---|
| Rating | 10 | 10 | 10 | 10 | 10 | 7.5 | 7.5 |

Table 2. The key COBIT 4.1 processes the maturity of which should be improved to achieve the NAO IT strategic goals

Mapping matrices are used to determine the links between COBIT 5 and COBIT 4.1 processes, taking into account the control objectives and/or governance/management practices. The following processes are added to these COBIT 4.1 processes (as above):

(1) key public sector COBIT 4.1 processes identified during IT audits since 2006;

(2) key COBIT 4.1 processes of the National Audit Office, identified by NAO IT auditors;

[21] COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, © 2007 ISACA, Appendix I – tables linking goals and processes, p. 169-170


(3) key COBIT 4.1 processes at the National Audit Office identified during the IT self-assessment in 2006 (Method I);

(4) key COBIT 4.1 processes at the National Audit Office identified during the IT self-assessment in 2006 (Method II).

| Source | Key COBIT 4.1 processes |
|---|---|
| Table 2 | PO1 PO4 PO7 PO10 AI5 DS1 ME1 |
| (1) | PO1 PO2 PO10 DS1 DS4 DS11 ME1 |
| (2) | PO1 PO10 DS1 DS4 ME1 |
| (3) | PO1 PO2 PO8 AI1 AI5 AI8 DS4 DS5 DS8 |
| (4) | PO1 PO3 AI1 AI2 AI4 DS1 DS7 DS11 DS13 |

Table 3. The key COBIT 4.1 processes identified under circumstances (1)–(4) above

Considering the reiteration of the relevant processes in the table, the following values are obtained in Table 4 below (the red colour shows the key COBIT processes, while the less important processes are given in blue; the number of reiterations across Table 2 and Table 3 is also provided: PO1 is repeated 5 times, PO2 2 times, etc.).

| COBIT 4.1 process | PO1 | PO10 | DS1 | DS4 | ME1 | PO2 | PO7 | PO8 | AI1 | AI5 | DS11 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Reiterations | 5 | 3 | 4 | 3 | 3 | 2 | 2 | 2 | 2 | 2 | 2 |

Table 4. The key COBIT 4.1 processes identified under the circumstances given (and reiterated) in Table 3
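The two selection steps described above, the P/S link scoring with the "rated above 15" threshold and the reiteration count behind Table 4, as an added Python example. This is not the document's own tooling: the weights 5/2 and the threshold are taken from the text, the GOAL_LINKS mapping is a constructed toy matrix (not COBIT's real mapping table), and only TABLE2 and TABLE3 repeat the process lists printed in Tables 2 and 3.

```python
"""Goals-cascade scoring and process tallying. Added example, not part of the
NAO document. The P/S weights (5, 2) and the "rated above 15" threshold are
from the text; GOAL_LINKS is a CONSTRUCTED toy mapping, not COBIT's real table.
TABLE2/TABLE3 are the process lists printed in Tables 2 and 3."""
from collections import Counter

LINK_SCORE = {"P": 5, "S": 2}  # primary / secondary link weights (from the text)

# Constructed toy mapping: IT goal -> {COBIT 5 process: link type}.
GOAL_LINKS = {
    "01": {"EDM01": "P", "APO02": "P", "APO01": "S", "BAI02": "S"},
    "03": {"EDM01": "P", "EDM02": "P", "APO01": "S"},
    "05": {"EDM02": "P", "APO01": "P", "APO02": "S", "EDM01": "S"},
    "07": {"APO08": "P", "APO02": "S", "BAI02": "P", "APO01": "S"},
    "10": {"APO01": "P", "EDM01": "P", "BAI02": "P"},
}

# Process lists as printed in Table 2 and in rows (1)-(4) of Table 3.
TABLE2 = ["PO1", "PO4", "PO7", "PO10", "AI5", "DS1", "ME1"]
TABLE3 = [
    ["PO1", "PO2", "PO10", "DS1", "DS4", "DS11", "ME1"],               # (1)
    ["PO1", "PO10", "DS1", "DS4", "ME1"],                              # (2)
    ["PO1", "PO2", "PO8", "AI1", "AI5", "AI8", "DS4", "DS5", "DS8"],    # (3)
    ["PO1", "PO3", "AI1", "AI2", "AI4", "DS1", "DS7", "DS11", "DS13"],  # (4)
]

def rate_processes(goal_links, goals):
    """Sum the P/S link scores over the chosen goals for every process."""
    rating = Counter()
    for goal in goals:
        for process, link in goal_links[goal].items():
            rating[process] += LINK_SCORE[link]
    return dict(rating)

def key_processes(rating, threshold=15):
    """Processes rated strictly above the threshold, sorted by name."""
    return sorted(p for p, score in rating.items() if score > threshold)

def tally_processes(*process_lists):
    """Count in how many lists each process occurs (Table 4's reiteration count)."""
    counts = Counter()
    for plist in process_lists:
        counts.update(set(plist))  # a list contributes at most once per process
    return dict(counts)

if __name__ == "__main__":
    rating = rate_processes(GOAL_LINKS, ["01", "03", "05", "07", "10"])
    print("key COBIT 5 processes (>15):", key_processes(rating), rating)
    print("reiterations:", tally_processes(TABLE2, *TABLE3))
```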

Considering the processes evaluated at the IT self-assessment seminar in 2006 and their maturity grades:

| COBIT 4.1 process | PO2 | PO7 | PO8 | AI1 | AI4 | AI5 | DS1 | DS4 | DS5 | DS7 | DS8 | DS11 | ME1 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Maturity grade | 1.1 | - | 0.1 | 2.0 | 0.8 | 1.7 | 0.2 | 1.0 | 1.9 | 1.4 | 1.8 | 1.0 | - |

Table 5. Processes evaluated at the self-assessment seminar in 2006 and their maturity grades

an IT process table is drawn up which includes the following:

- PO1, PO10, DS1, DS4, ME1: currently the most important IT processes (marked in red in Table 4);

- PO2, PO8, AI1, AI5, DS11: processes which are currently of secondary importance (marked in blue in Table 4), but have insufficient maturity according to the 2006 evaluation results (their maturity in Table 5 is below 2.0);


- AI4: currently not important; however, its maturity in 2006 was below 1.0.

The maturity of these 11 processes was assessed using the CMM maturity evaluation model (the assessment criteria are provided in COBIT 4.1). The evaluation of the selected processes showed the following maturity in 2006 and 2014:

| COBIT 4.1 process | PO1 | PO2 | PO8 | PO10 | AI1 | AI4 | AI5 | DS1 | DS4 | DS11 | ME1 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Maturity in 2006 | 3.00 | 1.10 | 0.10 | - | 2.00 | 0.80 | 1.70 | 0.20 | 1.00 | 1.00 | - |
| Maturity in 2014 | 2.13 | 1.85 | 1.13 | 1.24 | 1.32 | 1.35 | 1.39 | 0.08 | 2.61 | 1.54 | 1.91 |

Table 6. The NAO processes assessed in 2006 and 2014 and their maturity (higher maturity in this assessment is marked in red, lower maturity in blue; a value in black means that the maturity cannot be compared)

The most important COBIT processes that are in line with the NAO IT goals and where IT governance maturity is to be raised are as follows:

| COBIT 4.1 process | PO1 | PO2 | PO8 | PO10 | AI1 | AI4 | AI5 | DS1 | DS4 | DS11 | ME1 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Maturity in 2014 | 2.13 | 1.85 | 1.13 | 1.24 | 1.32 | 1.35 | 1.39 | 0.08 | 2.61 | 1.54 | 1.91 |

Table 7. The relevant NAO control processes and their maturity (maturity in red means that it is lower than in 2006, blue denotes maturity higher than in 2006, and a value in black means that the process was not assessed in 2006)

These processes will have to be monitored and evaluated in order to raise the maturity level of 5 of the 11 processes to 3.0 and of the other 6 to 2.0.

4. Additional information – standard goals used in COBIT 5 and their assessment criteria

Standard enterprise goals used in COBIT 5 and their sample metrics are provided in COBIT 5: Enabling Processes, Figure 6.

Standard IT goals used in COBIT 5 and their sample metrics are provided in COBIT 5: Enabling Processes, Figure 7, and in the descriptions of each of the 37 COBIT 5 processes related to these IT goals.

Standard process goals used in COBIT 5 and their sample metrics are provided in COBIT 5: Enabling Processes, in the descriptions of each of the 37 processes.

The sample metrics for IT goals and COBIT processes can be used in the preparation of the annual IT Strategy implementation action plans and in the development of criteria for assessing the implementation of the measures provided for in these plans.