By Annie Subactagin-Matto, Director – Monitoring, Evaluation and Reporting, PASAI

What is well-being?

Well-being can be understood as “how people feel and how they function, both on a personal and a social level, and how they evaluate their lives as a whole.”[1]

When people are in a state of mental and physical well-being at work, they are able to be productive, build positive relationships with others, develop resilience and cope better with stress, and develop their potential more fully.

Higher employee well-being is associated with higher productivity and firm performance

The World Health Organisation’s (WHO) research indicates that work environment and work organization can have a significant impact on the health and well-being of workers [2]. Good working conditions can benefit health and well-being. Negative working conditions, or occupational risks on the other hand, can add to or exacerbate existing mental or physical health problems.

Well-being has been linked to higher levels of employee engagement and lower levels of absenteeism and turnover [5, 6, 7]. Human relations theory states that higher employee well-being is associated with higher morale, which, in turn, leads to higher productivity. Emotions theory argues that employees’ positive emotions lead to improved attitudes and motivation and hence better job outcomes and organisational citizenship [7].

Large-scale evidence-based studies confirm this relationship. In a meta-analysis of 339 independent studies originating from 230 independent organisations across 49 industries in 73 countries, London School of Economics researchers found a direct correlation between employee well-being, employee productivity and firm performance across all industries and regions. [4]

Poor mental health and well-being has a detrimental effect on a person’s cognitive, behavioural, emotional and social and relational functioning. The capacity to participate in work is impaired through a reduction in productivity and performance, and difficulty in retaining or gaining work. Through presenteeism (or lost productivity at work), absenteeism and staff turnover, workers, employers and the wider economy is affected [2].

In addition, the WHO has recently classified burn-out in the 11th Revision of the International Classification of Diseases (ICD-11) as an occupational phenomenon as is defined as  a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions: (i) feelings of energy depletion or exhaustion (ii) increased mental distance from one’s job (iii) feelings of negativism or cynicism related to one's job and (iv) reduced professional efficacy”[3]

COVID-19 and its impact on well-being

The COVID-19 pandemic has resulted in a significant shift in the way that we work. While remote work arrangements have increased work-life flexibility and balance, it has decreased opportunities for connecting with colleagues face-to-face, resulting in feelings of isolation and loneliness. Constantly being online and ‘on call’, the blurring of work/life balance and the fear of job loss has resulted in feelings of fatigue, stress and burnout amongst many people.  This is compounded by wider societal anxieties around COVID-19 and the lack of a clear endpoint of the pandemic.

As the world begins to realise that the “long tail” this emergency may go on for many months, executive leaders and middle management are beginning to respond to the challenge of ensuring the well-being of their people and managing productivity levels. This is especially relevant to SAIs and their staff, who are facing considerable pressure to step up their audit activities in response to the pandemic - to ensure they are able to monitor pandemic-related public procurement and the unprecedented levels of expenditure associated with the pandemic. This blog explores how SAI leadership and management can promote well-being, build staff resilience and maintain productivity during and after the pandemic.

How to increase well-being, engagement and productivity in your workplace

Workplace leaders are able to create work environments where people feel safe, calm, connected and engaged throughout the COVID-19 pandemic and beyond. This section contains recommendations on how to do so.

1. Communicate clearly and regularly

Business leaders must engage with their employees and communicate with empathy on a regular basis. Leadership development models must focus on care, human connection and resilience.

Managers are encouraged to maintain a consistent level of contact with their teams. Some options are setting up daily and/or weekly 30-minute (virtual or in-person) team meetings and sending weekly email updates. Setting aside a dedicated time each day to check-in with your team via online meetings, phone calls or online chat will instil a level of trust that will make staff comfortable and allow them to open up more about how they are truly feeling.

Managers are also encouraged to ask their team members ‘how they are coping’ on a regular basis using the OARS technique:

• Open-ended questions that elicit more than just yes/no/maybe responses

• Affirmations to let people know that you care about the person rather than just the work. It’s important that these are genuine and not scripted.

• Reflection - Echo back what you are hearing from your team member. This helps to clarify what you are hearing and can also help you both to come up with solutions.

• Summarise - Come back to the key points and lay them all out. From here, you can effectively problem-solve together

Leaders are also encouraged to use language that demonstrates care and support for the health and well-being of your staff. Let everyone know it is normal to feel stress, anger, sadness and anxiety. This is a new situation and we all are learning how to manage. Reframe the language you use to talk about the pandemic in your communications with staff so that it promotes care and solidarity. This also helps to mitigate feelings of panic [9].

2. Establish a safe and healthy working environment

For teams transitioning back into working in an office environment, management must work to create a safe working environment by doing the following:

• Introduce a minimum area per person within the office to decrease density

• Supply PPE and train employees on how to properly use it

• Increase the frequency of office deep cleaning

• Create visual instructions and prompts (circles around desks, lanes in corridors, standing spots in lifts etc.) to reinforce social distancing around the office.

Leaders are reminded to encourage their staff to take regular breaks to rest and look after themselves and their families. This will have a positive impact on productivity and staff engagement over time.

3. Make policy relevant and accessible

Policies can demonstrate to employees how the organisation values them and their contributions. COVID-19 means current policies or processes may no longer be fit-for-purpose and may need to be reviewed. You might want to consider reviewing and updating your Code of Conduct, leave policies (specifically sick leave policies), Health and Safety policies and Flexible Work policies. When writing or reviewing policies consider the following questions:

• Do they enable staff to work to the best of their abilities?

• Do they demonstrate fair and equitable approaches to work?

• Do they centre people or processes? [8]

4. Allow your people an element of flexibility

If you are returning to the office, give your team members the opportunity to choose whether they continue working remotely or work from the office - be balanced by educating them about the safety measures being taken in the office while also highlighting the risks to themselves and their colleagues. It is also worth outlining the benefits of getting back to work in the office as well.

Further to flexibility surrounding whether or not employees have to attend the office for work, you could also introduce an element of flexibility around working hours as well - staggered work patterns will mean that not everyone arrives or leaves at the same time, reducing the risk of unnecessary contact in lifts, lobbies or stairwells. Not only will this ease any concerns your employees may have about travelling during peak hours, but it will also protect office based workers by keeping employee density low.

Flexible hours should be extended to your remote workers as well. It may be the case that they are juggling childcare or other family commitments with work, especially if their partner is working as well. Adjusted hours whilst working from home mean that they can take shifts and swap over the family duties at some point in the day. Easing the load in this manner is a great way to improve employee well-being, engagement and productivity

5. Facilitate socialising between team members (with social distancing)

It is almost inevitable that employees will be feeling somewhat isolated from their colleagues. This is likely to continue even when a return to the office occurs because staff may be spread around the office to manage staff density within the office space. In this scenario, the responsibility falls on management to facilitate some safe socialising.

In a remote work setting, managers are encouraged to arrange daily virtual coffee catch ups over Zoom or Google Hangout, and will be a welcome break from the working day for your teams. That way, both groups of remotely based and office based employees can communicate in a more social and less work-related setting.

These strategies will help to increase staff well-being, and will contribute to an engaged, resilient and productive workforce. How does your SAI build staff well-being and resilience?

What’s next?

Stay tuned to read more about the following topics upcoming in our blog series:

• SAI Independence

• Data governance and data management.

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

References

[1] New Economics Foundation (2012) Measuring Wellbeing: A guide for practitioners, London: New Economics Foundation.

[2] World Health Organisation. Mental Health and Work.
https://www.who.int/publications/i/item/9789240053052

[3] World Health Organisation. Burnout an “occupational phenomenon”: International Classification of Diseases https://www.who.int/news/item/28-05-2019-burn-out-an-occupational-phenomenon-international-classification-of-diseases

[4] Krekel, C.,Ward, G. and DeNeve, J. (2019). Happy employees and their impact on firm performance. https://blogs.lse.ac.uk/businessreview/2019/07/15/happy-employees-and-their-impact-on-firm-performance/

[5] Haddon, J. (2018). The impact of employees’ well-being on performance in the workplace. Strategic HR Review volume 17, pp. 72-75. https://doi.org/10.1108/SHR-01-2018-0009

[6] McKinsey (2018). The overlooked essentials of employee well-being. https://www.mckinsey.com/business-functions/organization/our-insights/the-overlooked-essentials-of-employee-well-being

[7] Isham, A., Mair, S. and Jackson, T. (2020). Wellbeing and productivity: a review of the literature. Report of the Economic and Social Research Council. https://www.researchgate.net/publication/338899227_Wellbeing_and_productivity_a_review_of_the_literature/link/5e31b252458515072d6e0123/download

[8] COVID-19 Workplace Resource. (2020). Mental Health Foundation of New Zealand. https://www.mentalhealth.org.nz/get-help/getting-through-together/workplace-wellbeing/

 ------------------------------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19. 

For more information about PASAI refer www.pasai.org

By Nicole Ayo von Thun, Senior Advisor, International Engagement; and Matt Chan, Director, Data and Analytics, Office of the Auditor-General in New Zealand

Supreme Audit Institutions (SAIs) are operating in an increasingly digital environment. COVID-19 has sped up the adoption of digital technologies by several years and it is expected that these changes are here to stay. Keeping up-to-date with the digital transformation of the workforce is important for SAIs to continue to add value and remain relevant.

Throughout the year PASAI has shared blogs on the topics of online collaboration, building digital resilience and cyber security. Adding to this digital theme, this blog looks at the benefits for a SAI in building digital literacy. Digital literacy is the knowledge and ability to use computers and related technology efficiently and effectively. In the past, digital literacy may not have been apriority for your SAI, however COVID-19 has increased the urgency for all SAIs to focus more on this issue. COVID-19 has prompted many SAIs to reconsider their competencies and make some strategic shifts to the way they work. Has your SAI assessed its current strengths and weaknesses in digital competency and literacy?

Digital literacy is not about investing in massive technological platforms or even becoming technology experts. It is about equipping auditors with the digital skills, tools and key competencies required to audit in an environment that is increasingly reliant on technology and where large amounts of data are generated. Auditors need to understand how to harness the power of Data Analytics, Big Data, and Artificial Intelligence to audit more efficiently and effectively – using them as tools to capture, verify and track transactions using large data sets, with lower cost (in some instances) and limited human intervention.

An understanding of data governance and management is also required and is key to effectively manage data as one of our most valuable assets. This area includes the development of a data governance framework, policies and procedures, and will be covered in greater detail in a forthcoming blog.

A recent INTOSAI Capacity Building Committee Occasional Paper on The future-relevant and value-adding auditor[1] outlines competencies that auditors require to build digital literacy. The Paper recommends that to build digital literacy SAIs must embrace new technologies to remain ‘future-relevant and value-adding’, even if these new technologies seem daunting. Increasing digital literacy can be achieved by both the SAI as a whole and their individual staff members by working towards some critical competencies. The CBC paper sets out seven competencies and these are presented below:

More information on the recent INTOSAI Capacity Building Committee Occasional Paper on The future-relevant and value-adding auditor can be found here. The Paper provides more detail on 3 other competency areas that SAIs need to focus on in order to remain future-relevant and value-adding: https://www.intosaicbc.org/wp-content/uploads/2020/11/20201106-The-Future-Relevant-Value-Adding-Auditor_CBC_Nov-2020.pdf

What’s next

Stay tuned to read more about the following topics upcoming in our blog series:

• SAI Independence

• Managing staff productivity and well-being.

• Data governance and data management.

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

[1] INTOSAI Capacity Building Committee (2020, November 6). Occasional paper on the future-relevant value-adding auditor. https://www.intosaicbc.org/wp-content/uploads/2020/11/20201106-The-Future-Relevant-Value-Adding-Auditor_CBC_Nov-2020.pdf.

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19. 

For more information about PASAI refer www.pasai.org

By Annie Subactagin-Matto, Director – Monitoring, Evaluation and Reporting, PASAI

The COVID-19 pandemic and resulting travel restrictions presented the world with a significant challenge. We have responded by pivoting and turning this challenge into an opportunity by accelerating our digital transformation program - which includes an investment in educational technology and the adoption of blended learning (online and face-to-face delivery) as a more efficient and sustainable delivery model.

Due to current border and travel restrictions, our short-term focus is on delivering our capability development programmes online using our Learning Management System (LMS). The PASAI LMS was launched by Mr. Ajay Nand (Auditor-General of Fiji and current Chairperson of the PASAI Governing Board) on 26 November 2020, during our 24th Governing Board meeting.

Our Moodle-based LMS is a centralized repository of our capability development material. It provides us with a platform to host our online courses and supplementary material, including an integration of multimedia content such as templates, guides, checklists, videos and articles. It also allows for an interactive element to be built into programme delivery – such as discussion forums, chat groups and online communities of practice.

Our programmes are evaluated to ensure that they are effective and to build in a continuous improvement loop in our programme design and development process. We will use our LMS to monitor and report on our learners’ progress and the effectiveness of our programmes using quizzes, self and peer assessments and in-built analytics and reporting features. Over time, we will be able to program our LMS to track participant progress and align it to a Capability Development Framework. We celebrate learner achievement and progress by issuing certificates and badges to learners through our LMS.

Our short-term focus on online learning increases accessibility to our e-learning material and enables us to widen the scale and reach of our capability development programmes during the response and recovery periods of the COVID-19 pandemic. We are able to re-shape the learning experience of public auditors in the Pacific region by combining formal and informal learning strategies, and providing learners with the option of self-directed learning – accessible any time, any place and at their own pace.

We are in the process of converting our learning material into an e-format to offer through our LMS. We have delivered webinar-style training programmes ‘packaged’ with interactive discussion, supplementary material (such as templates, guides, articles, videos) to translate learning into action. We are following up our online workshops with 1:1 SAI-level coaching sessions to track progress and fully embed learning.

The Secretariat acknowledges the support of our Governing Board and development partners, and extend special thanks to our colleagues in the INTOSAI Development Initiative (IDI) and the AFROSAI-E Secretariat for their support in the initial scoping and development of this project.

What’s next

Stay tuned to read more about the following topics upcoming in our blog series:

• How to effectively collect and monitor data at your SAI.

• SAI Independence.

• Managing staff productivity and well-being in a remote working environment.

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific. It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards. Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19.

For more information about PASAI refer www.pasai.org

By Jonathan Keate, Senior Solicitor Sector Manager, Office of the Auditor-General in New Zealand

This blog post provides public auditors with a brief history of environmental audit in PASAI and encourages future environmental audit work. The blog post also highlights helpful guidance and training activities from the INTOSAI Working Group on Environmental Auditing (WGEA) and the ACAG PASAI Regional WGEA (RWGEA).

Background

PASAI members have had a strong interest in environmental audit for many years, reflecting the importance of the environment and good environmental management to people in our region. Significant milestones include:

• The establishment of a RWGEA for the region 20 years ago, with the SAI of New Zealand as chair and co-ordinator (PASAI congress, Sydney 2000).

• Agreement to focus on environmental topics for the first series of co-operative performance audits (CPA) under PASAI’s CPA programme [1].

• 10 RWGEA meetings between 2001 and 2018, from the first meeting in Melbourne in 2001 to the 10th meeting in Brisbane in 2018 (The 11th RWGEA meeting was to be held in May 2020 in Sydney, but was postponed due to COVID).

• From 2009, seventy-six staff from 16 PASAI audit offices have taken part in CPAs on the topics of solid waste management, access to safe drinking water, sustainable tuna fisheries management and climate change adaptation and disaster risk recovery. This was a significant investment in building capacity in environmental audit for the region.

A survey of PASAI members for the 2018 RWGEA meeting showed a substantial appetite for further environmental audit work in PASAI (100% of survey respondents). PASAI members asked for an environmental auditing training programme for the region to build capacity in this area. PASAI’s strong participation over the last couple of years in online environmental auditing training courses, including the courses known as MOOCs, is further evidence of the interest in environmental auditing in the region.

Opportunities continue even if face-to-face meetings are not possible

The RWGEA will consider next steps for 2021, either by reconvening the postponed 2020 meeting if travel within the region is possible, or moving to online events. The RWGEA will likely continue with the planned strong focus on environmental audit training, by looking at some of the sustainable development goals (SDGs) from an environmental perspective (using plastic waste and climate action to illustrate). Plastic waste and climate action (specifically climate finance) are part of the INTOSAI WGEA 2020-2022 work programme. Climate finance is funding from developed countries to developing countries to help them adapt to climate change impacts.

Plastic waste and climate finance are highly relevant for the PASAI region, and could be suitable topics for future co-operative audits in the region.

The SAI of Finland, the WGEA chair, is organising the next WGEA assembly meeting for 19-21 January 2021 as a virtual event. The meeting will focus on the concept of ‘circular economy’. In the context of waste management, this involves eliminating waste from the system, for example, by eliminating packaging and ensuring products are re-used or recycled, so that they keep ‘circulating’ in the economy rather than becoming waste. The first day of the Assembly will be dedicated to familiarising participants with the circular economy concept and exploring how auditors could make use of the concept in their work.

It should be possible for interested SAIs to attend the first day of the Assembly, even if they are not WGEA members. The second and third days of the Assembly will be more focused on the WGEA work programme topics, to discuss progress with the work programme and with the chance to share their relevant audit experiences as well as suggest ideas and input to the further work of the projects.

The WGEA also has a new award for Inspiration in Environmental Auditing. The topic for the first award, to be awarded at the January 2021 Assembly meeting, is for “Best visualisation in an environmental audit”. The topic comes from a research paper Visibility of Environmental Auditing, which the WGEA published in 2019. By choosing visualisation as a first topic for the award, the WGEA Group wishes to make the SAI community aware of the importance of using material such as infographics and other visual representations of information to summarize audit findings. The SAI of New Zealand was involved in the Visibility of Environmental Auditing project, and will be on the judging panel for the new award.

How can we do more environmental audits in PASAI?

Findings from the 2018 RWGEA environmental audit stocktake and survey included:

• A small number of PASAI members have separate environmental audit teams or do environmental audits as part of their performance audit mandate, but several do not.

• The PASAI members that have done environmental audits have largely done so only through PASAI’s CPA programme.

• PASAI members saw scope to undertake follow up audits in the CPA topic areas, as a way of re-starting environmental audit activity.

• Several ACAG and PASAI members were planning to do environmental audits during the next few years. Potential topics included climate change adaptation, waste disposal, renewable energy, fisheries, and environmental impact assessment.

• There was interest in the region in doing CPAs on environmental topics in the future, including on the environmentally focused SDGs.

• Barriers or challenges to undertaking environmental audits included report writing, availability of subject-matter experts, constrained resources, lack of current mandate, basic awareness and understanding of environmental issues, technical capacity in the office, and high staff turnover.

Despite the challenges, Pacific Island offices were keen to take up the challenge of environmental audit.

SAIs with experience in environmental auditing continue to face similar issues and challenges, including:

• choosing good topics;

• getting to grips with complex subjects;

• obtaining reliable environmental data, and data analysis;

• making the best use of experts;

• focusing on root causes, results, and outcomes, as well as compliance and processes.

Pacific region SAIs can examine environmental issues to determine the degree of government compliance with environmental commitments, including the implementation of national legislation, policy, and action plans. As with any audit, auditors are able to make recommendations that lead to improvements in the design, implementation, and outcomes of government policy and programmes, which contribute to better environmental outcomes. Ideally, audits would also focus on progress in improving environmental outcomes, as well as compliance and implementation of policies and plans.

Key considerations for planning and undertaking performance audits on environmental topics

The following tips include key considerations for planning and undertaking performance audits on environmental topics:

• For those SAIs that took part in the CPA programme, consider undertaking a follow up audit on one of the CPA topics – solid waste, drinking water, sustainable fisheries, or climate change adaptation - to assess progress, and as an easy way of re-starting environmental audit activity.

• Choose a topic where there is guidance and training material available. Note that there is considerable guidance available from the WGEA on different environmental topics. See the WGEA’s visual representation of the 50 guidance and training products – https://wgea.org/publication/studies-guidelines/

• Use the WGEA website and guidance and other resources such as the WGEA newsletter Greenlines to look at how other SAIs have audited the environmental topic of interest.

• See if there is interest from fellow SAIs in cooperating on an environmental topic and sharing experiences and methodologies – this is a good way to share knowledge and expertise, and enhance the impact of environmental audit findings.

• Use twinning arrangements in place to seek help from twinning partners that might have more environmental audit experience. They might also be able to help with methodology and finding subject matter experts.

• Environmental topics are often of high public interest. SAIs should be able to make use of this interest to help get impact and engagement, and to increase visibility and relevance on environmental issues.

• Many environmental audits rely heavily on data and science, and audit credibility can be enhanced through use of data analytics, data dashboards, and subject-matter experts. Several offices have data analysts to support audit teams.

• Data analytics has great potential but needs to be approached in a strategic way. It is important to establish the relevant data early on and assess any issues with its integrity and quality, with expert assistance if required, rather than ask for more data than is needed and waste time.

• Focus on environmental outcomes and results - impact is greater when audits focus on the achievement of environmental outcomes or on the root causes for a lack of achievement, as well as whether policies and plans have been properly implemented (often they haven’t).

PASAI and the RWGEA would be pleased to help PASAI members who wish to begin or resume environmental audits, including by linking members to the WGEA resources and providing training in 2021 in the WGEA focus areas for 2020-22 – plastic waste, and climate action (focusing on climate finance).

For further information about the WGEA see https://www.environmental-auditing.org/

If you have any questions or comments about the RWGEA please contact the RWGEA coordinator: jonathan.keate@oag.parliament.nz

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

[1] The CPA programme began as part of the Pacific Regional Audit Initiative, a capacity building programme for the region, with support from PASAI, the Asian Development Bank, the INTOSAI Development Initiative, the Australian and New Zealand governments, and the RWGEA.

---------------------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific. It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards. Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19.

For more information about PASAI refer www.pasai.org

Following on from our May blog on Cybersecurity: Building Digital Resilience in a Virtual World this blog will look in more depth at phishing scams. In an increasingly online work environment due to Covid-19, phishing scams are becoming more common and anyone can be targeted. As with many risks, prevention is the best approach. This is why PASAI is encouraging all member SAIs to increase your cyber resilience to phishing scams so that you are less vulnerable to phishing scams.

What is a phishing scam?

A phishing scam is a cybercrime that tricks people into giving confidential personal or organisational information. People hand over this information because they trust the source of the request and believe that the party is acting with the best intentions.

In a phishing email, cybercriminals will typically ask for your:

• Date of birth

• National ID numbers

• Phone numbers

• Credit card details

• Home address

• Password information (or what they need to reset your password)

This information is then used by cybercriminals to impersonate the victim and apply for credit cards or loans, open bank accounts, and other fraudulent activity.

Protecting yourself and your SAI against phishing scams

Cybercriminals and scammers can produce phishing emails that look very legitimate. There are some key things to look for to determine if a text message or email is a phishing scam:

• The email is poorly written: Read the message carefully, look for anything that isn’t quite right, such as tracking numbers, names, attachment names, sender, message subject and URLs.

• It contains unsolicited attachments: typically, authentic institutions don’t randomly send emails with attachments, especially when there is no previous relationship involved. If in doubt, contact the legitimate company by searching for their website.

• It requests sensitive information: Emails that ask you to send sensitive information, such as banking details or login credentials, are likely a phishing email. Do not provide personal information to unverified sources. Remember that reputable organisations locally and overseas - including banks, government departments, Amazon, PayPal, Google, Apple and Facebook - will not call or email to verify or update your personal information.

• There’s urgency involved: Some scammers use urgency in their emails – often with threats of account expiration, fines or even prize giveaways – to encourage people to make quick decisions without proper thought.

• It sounds too good to be true: Scammers often include ‘limited’ and unmissable’ prize giveaways in their phishing emails in an attempt to lure people in.

• It doesn’t address you by name: many phishing scams are sent to multiple people, with no (or limited) personalisation involved. Before opening an email, consider who is sending it to you and what they’re asking you to do. If you are unsure, call the organisation you suspect the suspicious message is from, using contact details from a verified website or other trusted source.

• The email address looks altered: Scammers can make their email address look legitimate by including the company name within the structure of their email. Hover over links to make sure they don’t look altered.

• Check that URLs are legitimate: On a PC or laptop, hover your mouse over links to see if the embedded URL is legitimate, but don't click. Do not open attachments or click on links in unsolicited emails or messages.

• Check if others have received similar messages: Google information such as the sender address or subject line to see if others have reported it as malicious.

Examples of an email phishing campaign

Compromised Credit Card

The cybercriminal knows the victim made a recent purchase at an online store, and sends an email disguised to look like it is from the online stores customer support. The email tells the victim that their credit card information might have been compromised and to confirm their credit card details to protect their account.

Transfer Funds

An urgent email arrives from a SAI staff member who is currently traveling. The email asks the recipient to help out the staff member by transferring funds to a foreign partner. This phishing email tells the victim that the fund request is urgent and necessary to secure the new partnership. The victim doesn’t hesitate to transfer the funds, believing they are helping both the SAI and the staff member.

Social Media Request

A Facebook friend request arrives from someone who has the same Facebook friends as you. You don’t immediately recognise the person but assume the request is legitimate because of the common friends. This new friend then sends you a Facebook message with a link to a video which when clicked installs malware on your computer and potentially the wider SAI network.

Fake Google Docs Login

A cybercriminal creates a fake Google Docs login page and then sends a phishing email hoping to trick someone into logging into the faked website. The email might read “We’ve updated our login credential policy, please confirm your account by logging into Google Docs.” The sender’s email is a faked Google email address, for example accountupdate@google.org.com.

What’s next

• Stay tuned to read more about the following topics upcoming in our blog series:

• The upcoming work of the Working Group on Environmental Auditing and how your SAI can get involved.

• How to effectively collect data at your SAI.

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

-----------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19. 

For more information about PASAI refer www.pasai.org

By Sarah Markley, Deputy Secretary-General; and Nicole Ayo von Thun, Senior Advisor, International Engagement, Office of the Auditor-General in New Zealand

Following on from our last blog on Gender Equality and Inclusion: A Strategic Priority for SAIs this blog post provides public auditors with high-level guidance and best practice recommendations on how to conduct performance audits on gender equality policies and programmes.

Pacific region SAIs can examine gender equality through a performance audit to determine the degree of government compliance with national and international commitments to gender equality, including the implementation of national legislation, policy, and action plans. This approach enables auditors to identify and examine the gender-specific impacts of government programmes. As with any audit, auditors are able to make recommendations that lead to improvements in the design, implementation, and outcomes of government policy and programmes, which contribute to better gender equality outcomes. The resulting published audit reports on gender quality help to raise awareness within and outside of Pacific regional governments of gender equality issues and their impact on the lives of citizens.

The following four steps will give you a number of key considerations and best practice recommendations to help your SAI bring a gender focus to your performance audits:

Step 1: Audit topic selection and definition

The first step in the performance audit process is to select and define a topic. While planning processes and criteria used to select and define audit topics vary widely across the Pacific region, identifying gender equality as a strategic focus can be done as part of a SAIs long-term or strategic planning process. If gender equality has been confirmed as a strategic focus it enables this lens to be considered when selecting and defining each audit topic. You can do this by:

• Assessing individual organisations and programmes as well as government-wide initiatives to determine whether gender equality is a relevant and significant issue in their context.

• Selecting an organisation that is well-suited for a gender equality audit, by looking at whether the audit scope may include a gender-based assessment of policy and programme objectives by focusing on the impact to clients and beneficiaries. Or alternatively the audit could focus on the programme structure and related internal processes.

• Assessing the level of emphasis placed on gender equality in an organisation or programme of interest.

If your SAI has identified gender equality as a strategic theme to be examined in its long-term or strategic planning process, you could consider auditing the compliance of government agencies with legislation or policy directives on gender equality, such as gender representation in the workforces. Another alternative is to look into programmes that aim to enhance gender equality in specific sectors, such as issues related to primary and secondary education including girls’ enrolment and completion rates.

Step 2: Planning

Once the audit topic has been selected and defined, your SAI can begin the detailed planning of the audit. A crucial decision during the planning stage is determining whether gender equality issues should be included in the scope of an audit. Auditors may consider the following gender equality matters that SAI auditors may consider during the audit planning phase, such as:

• Evaluate the information collected in the knowledge acquisition or scoping phase from a gender equality perspective.

• Consider whether audit team members possess sufficient knowledge of gender equality to conduct the audit.

• Consider whether the audit team will need the support of an expert to plan and conduct the audit.

• Consider the types of findings likely to result from the audit, and ways to increase the impact of the audit report.

Examples of issues to focus on during the audit planning process include:

• Programme activities with differential impacts on women and men.

• Programme outcomes benefit men and women equally.

• Women and men participate in programme implementation.

• Programme design takes gender equality into account.

• Gender-specific targeting is supported by clear rationale.

• Women are remunerated on a different scale than men.

• Women are not visible in management positions.

During the planning phase, it is useful for auditors to discuss with the auditee the significance of gender equality in relation to the programme being audited. This could include discussing management’s attempts to achieve gender equality and plans for future improvements in order to better understand gender issues from a management perspective.

Step 3: Examination

While audits of gender equality will include evidence collection and analysis techniques common to all performance audits, the selection of audit procedures will also require some special considerations. The audit team may need to build capability in the following data collection and analysis techniques, such as:

• Gender-based analysis.

• Benchmarking.

• Surveys.

• Statistical analysis.

• Root cause analysis.

Step 4: Reporting

While the format and writing style for performance audits will be specific to your SAI, there are a number of techniques that can be used to increase the impact of audit reports. These apply in all cases including the audit of gender equality issues. Some key considerations include:

• Managing the reporting risks by validating findings and assumptions with subject matter experts.

• Clear messaging in audit reports and media communications is required to indicate if a higher degree of gender equality should be achieved with the same resources or whether improvements would require programme modifications.

• Data visualisation techniques (tables, charts, and graphs) and explanatory text may be used to convey audit findings in a concise and impactful manner.

• Rigorous quality control and peer review is applied to ensure evidence is robust and reporting standards are maintained.

If this blog post has sparked your interest in conducting a gender-focused performance audit, we recommend you refer to the Practice Guide on Auditing Gender Equality developed by the Canadian Audit and Accountability Foundation. In the Practice Guide you will find the complete audit methodology to sit along these key considerations and best practice guidelines. The full report can be found here: https://www.caaf-fcar.ca/images/pdfs/practice-guides/Practice-Guide-to-Auditing-Gender-Equality.pdf

What’s next?

Stay tuned to read more about the following topics forthcoming in our blog series:

• Environmental audit.

• Building resilience: managing productivity and staff wellbeing in a remote working environment.

• Upskilling for the future: what capabilities do auditors need in an era of AI and digitisation?

We welcome your feedback and look forward to hearing about other priority topic areas of interest. Please email: secretariat@pasai.org

  ------------------------------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19. 

For more information about PASAI refer www.pasai.org

By Annie Subactagin-Matto, Director – Monitoring, Evaluation and Reporting, PASAI

Gender equality and inclusion is key to achieving positive economic and social outcomes for nations and communities. In recent years progress has been made to reduce the gender gap and create equal employment opportunities and outcomes for women and men, in line with the United Nations Sustainable Development Goal 5: ‘Achieve Gender Equality’ in the 2030 Agenda for Sustainable Development.

In the Pacific region, the Pacific Leaders Gender Equality Declaration 2012 underlines collective national and regional leadership commitment to lift the status of women in the Pacific and empower them to participate fully in economic, political and social life. Other notable regional commitments to implement gender equality include the Convention for the Elimination of All Forms of Discrimination against Women (CEDAW), the Millennium Development Goals (MDGs), the Revised Pacific Platform for Action on Advancement of Women and Gender Equality (2005 to 2015), the Pacific Plan, and the 42nd Pacific Island Forum commitment to increase the representation of women in legislatures and decision making.

The COVID-19 pandemic has exacerbated gender inequalities with negative economic, health and social impacts on women, girls and other marginalized populations. To ensure that momentum towards achieving greater gender equality is maintained, public and private sector entities are encouraged to adopt a strategic approach to mitigate this risk and achieve a thriving and inclusive society.

Supreme Audit Institutions (SAIs) play a critical role in promoting gender equality in the public sector by role modelling relevant strategies, policies and practices, and by creating an awareness of the importance of gender equality through their audit work and recommendations. SAIs can create and promote a diverse, gender-balanced and inclusive workplace by identifying gender equality as a strategic priority and building inclusive internal practices that lead to gender equality in an organisation.

In addition to aligning strategic planning and priorities with overarching whole-of-government gender policy,  SAIs may consider the following action points to promote gender equality and inclusiveness in their organisation by applying a gender lens to the following aspects of ongoing management practice:

1. Strategic planning

• Identify gender as a key strategic theme in the SAI’s long-term strategic plan. This will have a positive flow-on impact on SAI internal governance policies and practices, and will influence the identification and selection of audit topics with a focus on gender equality.

• Develop a gender strategy to promote a fair, inclusive and merit-based work environment. An effective gender strategy can be based on a root-and-branch survey of a SAI’s current gender metrics - including existing diversity, the potential for women and men to receive training and progress to senior and leadership positions, the inclusiveness of the working environment and retention rates filtered by gender.

• Update existing HR strategy to include equal employment opportunities for recruitment, training, progression and leadership opportunities.

2. Operational planning and management

• Develop an operational plan that includes activities to promote gender equality.

• Review current operational practices to identify existing barriers to the equal participation and advancement of women within the SAI.

• Design an action plan to address barriers to equality and inclusion in the workplace and in the community.

• Review and update existing policies to promote gender equality.

• Develop a gender-responsive budget by allocating adequate resources towards internal projects and interventions designed to promote and increase gender equality and inclusion.

3. Monitoring, evaluation and reporting

• Collect disaggregated gender data and use gender-based analysis (GBA) to monitor, evaluate and improve the effectiveness of SAI policies and initiatives aimed at reducing gender inequality.

• Ensure top-down management commitment and establish mentors and champions to model and promote gender equality and inclusiveness, and to ensure that the established gender strategy is being operationalised and implemented.

• Develop appropriate internal and external communications and messaging to promote an inclusive and supportive work environment

• Report on gender issues and indicators in the SAI Annual Report to Parliament.

Impactful SAI policies and practices can result in gender equality at all levels within the SAI (including senior management), increased productivity and the recruitment and retention of top talent.

Auditing Gender Issues

Once gender equality has been established as a long-term strategic theme, SAIs can include gender as part of its audit program and progress with assessing gender issues as a part of performance audits in different sectors. SAIs may also consider adopting a gender lens in financial and compliance audits – such as auditing budget allocation towards programs and initiatives promoting gender equality (e.g. programs promoting women’s participation in business, education and community development).  

 The decision to undertake gender performance audits may present the need to balance and manage existing audit priorities and SAI capability. This may be especially relevant for SAIs with a small staff size and limited capability. During the audit selection and planning process, due consideration must be given to whether audit team members have sufficient subject matter expertise to conduct the audit, in the absence of which an expert may be engaged to plan and conduct the audit.

 Our next blog will focus on key considerations and best practice to conduct a gender-focused Performance Audit. In the interim we would like to draw your attention to a recent Performance Audit by SAI Fiji focusing on the effectiveness of the implementation of the Women’s Plan of Action. A special focus has been placed on the thematic area of ‘Elimination of Violence against Women’ to assess progress towards the commitment made by the Fiji Ministry of Women, Children & Poverty Alleviation to reduce violence against women – available here: http://www.oag.gov.fj/reports-to-parliament/

What’s next?

• Stay tuned to read more about the following topics forthcoming in our blog series:

• Gender performance audit: key considerations and best practice.

• Environmental audit.

• Building resilience: managing productivity and staff wellbeing in a remote working environment.

• Upskilling for the future: what capabilities do auditors need in an era of AI and digitisation?

We welcome your feedback and look forward to hearing about other priority topic areas of interest. Please email: secretariat@pasai.org

  ---------------------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19. 

For more information about PASAI refer www.pasai.org

By Annie Subactagin-Matto, Director – Monitoring, Evaluation and Reporting, PASAI

Effective procurement policies, procedures and practices are essential for public entities to ensure value-for-money, accountability and public confidence. This blog contains a series of questions auditors can use to assess the effectiveness of public entity procurement processes and procedures, and to identify gaps and areas for improvement to further strengthen them. These questions apply to both developed and developing countries in which our PASAI member SAIs operate.

Good governance for procurement

• Does your organisation have appropriate governance arrangements in place for procurement?

• Do these arrangements support effective accountability of management and relevant staff?

• Are there effective delegations to allow procurement to be managed effectively?

• Are there effective means for informing and engaging with relevant staff about procurements so they can make informed decisions when required?

Appropriate procurement staff delegations, reporting systems and a clear distinction between management and the governing body enable good procurement practice. While managers carry out day-to-day operations, the governing body ensures that appropriate systems and processes are in place, including setting the organisation’s procurement strategy and holding management to account. Overlaps of management and governance responsibility (such as when governing board members sit on tender evaluation panels) are not good practice and should be avoided.

Planning for significant capital projects

• How confident are you about your organisation’s capital expenditure forecasting and that enough resources are available to achieve current forecasts?

• How has your organisation engaged with suppliers to determine their capacity and levels of interest?

• Public entities must be encouraged to plan and monitor their future capital programmes pipeline and related procurement to achieve allocated budgets and deliver to the community. Early interactions with suppliers about upcoming work can increase supplier engagement and reduce barriers to supplier participation.

Conflicts of interest

• Does your organisation have adequate policies and processes in place for staff to:

o   declare and manage risks from conflicts of interest?

o   record gifts and hospitality from suppliers and potential suppliers?

• Conflicts of interest can have legal and ethical dimensions. Public entities can mitigate this risk by maintaining a register to declare conflicts of interest and their management, and the treatment of gifts, hospitality and other incentives from suppliers.

• In the context of ‘Small Island Developing States’ (SIDS) with close knit communities, this is normally a challenge. Hence it is vital to define and refine criteria or parameters to manage conflict of interest situations. 

Emergency procurement

• Does your organisation have guidance for staff about:

o   what constitutes an emergency

o   the procedures that should be followed for an emergency procurement.

• How does your organisation ensure that anyone making an emergency procurement can be appropriately held to account for their decisions and actions?

Public entities may need to quickly procure goods and services to respond to unforeseen and urgent circumstances – for instance procuring Personal Protective Equipment (PPE) to respond to the COVID-19 pandemic. While there can be some procurement flexibility in an emergency, public entities need to maintain accountability through full and timely documentation, including of decisions made. Conflicts of interest and other procurement risks need to be actively managed through clear procedures and guidelines for staff and procurement plans.

Procurement capability and capacity

• Does your organisation have enough staff capable of leading procurement practice?

• Are all relevant staff receiving appropriate procurement training, development, and support?

Public entities must ensure that relevant staff have the required skills and that policies and processes are kept up-to-date. If the entity has only one staff member responsible for procurement, it is recommended that they connect with staff from other organisations, regional working groups and communities of practice to share experience and expertise and to provide back up arrangements when needed.

Procurement policies and training

• Are procurement policies up-to-date to address new and emerging risks relative to national and international events affecting government priorities?

• What assurance is there that staff are complying with procurement policy and processes?

Regular training on current procurement best practice is essential. Supporting staff to gain professional procurement qualifications where the extent of procurement activity warrants it is also important. Undertaking regular internal audits of procurement activity, provides confidence to governance that policies have been implemented effectively and any issues arising are addressed. Good training and regular monitoring will promote good procurement practice.

Contract management

• Does your organisation know which suppliers it is contracting with and what its obligations are?

• What assurance is there that:

o   your organisation is fulfilling its own contractual obligations

o   suppliers are meeting contracted performance requirements, and that actions are taken when performance falls below contracted levels?

• Does your organisation monitor contracts throughout their life cycle to ensure that they deliver the intended value for money?

Public entities need to monitor, manage and evaluate supplier performance to assess value for money. Having trained staff and systems and processes for recording contracts, tracking supplier progress and managing supplier non-performance are essential to ensure output quality and value for money.

Achieving broader outcomes through procurement

• Is your organisation clear about its role in promoting the holistic (social, economic, environmental) well-being of citizens by reducing inequality and increasing inclusiveness of disadvantaged and marginalised population?

• Does your organisation understand how procurement can contribute to those outcomes?

• How have those outcomes been incorporated into your organisation’s procurement policy and processes?

Public entities must be encouraged to consider appropriate broader outcomes when purchasing goods, services or works. These outcomes or ‘secondary benefits’ can include environmental, social, economic and cultural benefits to create greater equality and a more inclusive society.

Source: https://oag.parliament.nz/2020/local-govt-procurement/docs/local-govt-procurement.pdf

What’s next?

Stay tuned to read more about the following topics forthcoming in our blog series:

• A focus on gender equality and inclusiveness in audit practice.

• Staying productive in a remote working environment.

• Ensuring staff wellbeing in an online setting.

• Upskilling for the future: what capabilities do auditors need in an era of AI and digitisation?

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

  ------------------------------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19.  

For more information about PASAI refer www.pasai.org

By Annie Subactagin-Matto, Director – Monitoring, Evaluation and Reporting, PASAI

The COVID-19 pandemic has changed the way we work. Social distancing requirements in full and partial lockdowns have led to the swift adoption of remote access technology. This rapid digital transition brings with it cyber security risks associated with sharing, transmiting and storing information securely.

Organisations worldwide face an increase in cyber threats[1] in a changing virtual landscape. A McKinsey global expert survey indicated 75% of management executives considered cybersecurity to be a top priority – but only 16% were well prepared to manage cyber risks[2]. This is a concern, especially given a reported increased in malicious cyber activity – e.g. 181.5 million ransomware attacks were reported in the first six months of 2018 - a 229% increase from 2017[3].

Organisations now have to move quickly to build their IT capability to mitigate emerging cyber risks. By accessing and corrupting data, devices and systems cyber criminals compromise the integrity of an organisation’s IT infrastructure and data, and have an impact on business continuity.     

The security of SAIs IT systems is always critical but as SAIs work to monitor the unprecedented public expenditure related to COVID-19 response and recovery effort, their IT systems, data, and other information must be kept secure. This blog explores how SAIs can mitigate cybersecurity risks to ensure that they can operate effectively in a remote working environment. 

How do cyber attacks take place?

Cybercriminals use a variety of methods to compromise systems and access confidential information. The most common methods are listed below:

1. Social engineering - Cybercriminals leverage their understanding of human psychology to  manipulate people into divulging confidential information[4]. For example, an email with an urgent payment instruction send on Friday at 5pm, or an email from a trusted source with links to fake e-Christmas or e-birthday cards - with an aim to install malware on computers and retrieve banking credentials.

2. Malicious software or ‘malware’ involves tricking individuals into opening infected files to introduce viruses, spyware and trojans[5] to access and corrupt data, devices and systems.

3. Phishing – malicious emails from a trusted source containing fake information or a link from an authentic looking website are used to obtain confidential information (user names, passwords, credit card details). This activity is also used to download malware into a device or system. Phishing attempts can be easy to spot because the malicious email address or website URL will usually be different from the original email address or URL. Phishing emails generally try to get recipients to do something – e.g. click a link, send an email, provide information.

4. Ransomware – a type of malware that threatens to lock systems and block data access until a ransom is paid. Such an attack is typically carried out using a Trojan.

5. System vulnerabilities – Unchanged root passwords and systems that do not regularly patch system security upgrades are easy pathways to access IT systems. Cybercriminals are adept at gathering information about a company’s IT infrastructure to target its vulnerabilities until a patch is applied.

Solutions to protect your systems and information

The first step for SAIs is to develop an understanding of the cybersecurity legislative framework and national policies that may exist in their respective juridsdictions.  In addition, there are a number of safeguards which can be used to reduce the risk of cyber attacks:

1. Policies and procedures - A strong information security policy provides staff with clarity around risks. Well defined business continuity and incident response plans and protocols are critical internal governance documents to establish how your SAI would function in the event of an emergency.

2. Regular updates of network security controls and software including laptops and phones prevent hackers from identifying and infiltrating vulnerable systems. Remember to disable user profiles and access of staff who are no longer employed by the SAI.

3. Use the right defences to protect your IT system – such as encryption, firewalls, anti-virus software, SPAM filters and website penetration testing. With remote working arrangements becoming the new norm it is important to ensure the same security controls for remote access as with your onsite computer network – multi-factor authentication and Virtual Private Networks (VPNs) can be used to achieve this.

4. Ensure password safety by ensuring staff regularly change their passwords and use a combination of upper and lower case letters and symbols %@*$ to create complex passwords that are difficult to replicate.

5. Implement dual verification for financial payments to safeguard from phishing schemes and invoice fraud.

6. Maintain regular backups to protect data loss or corruption in case of a hack.

7. Monitor latest trends and update new best practices to respond to evolving methods and tools by cybercriminals.

8. Build staff awareness about how to identify and respond to cyber attacks through upskilling. Use clear communication focusing on what to do (rather than what not to do). Continuous education will empower SAI staff to identify and challenge the unusual and follow response protocols.

 Responding to cyber threats: a recent example

A phishing email was recently sent to several staff of the Office of the Auditor-General New Zealand asking for assistance to purchase gift cards for friends. This email was supposedly sent by John Ryan (Auditor-General).

Once OAG staff reported the email to the IT Operations team, the team escalated this incident to their anti-SPAM provider to block future emails of this particular strain. The team also sent out an email to all staff to create awareness of this email, including tell-tale signs that staff can use to identify the malicious nature of this email.

These tell-tale signs include the use of:

·       an external/unofficial email address - officialdirectmail@gmail.com

·       an unusual tone and writing style– clearly different from John Ryan’s other emails

·       a request of an unusual nature – asking for a favour to purchase a gift card/product for John’s friends at the hospital

·       incorrect spelling and grammar – in this case US English instead of UK/NZ

·       non-standard signature to sign off.

A strategic approach to cybersecurity

Cybersecurity issues need to be considered when developing a digital strategy and action plan as part of the SAI internal governance and planning process. An effective cybersecurity strategy has four components (i) a business risk assessment (ii) the capabilities required to manage this risk (iii) a target state (iv) initiatives to achieve the target state[6].

In the Pacific region, Fiji, PNG, Solomon Islands, Tonga and Vanuatu participated in the Cyber Security Regional Standardisation Enhancement Program designed to strengthen cyber security in the region. The report[7] published in January 2020 outlines the way forward for the project, with the aim to ensure governments and citizens in the Pacific are protected from ever increasing cyber security threats.

SAIs need to be aware of ongoing regional programs and developments to adequately plan for and build a secure and resilient IT infrastructure. The resulting business continuity will ensure that SAIs continue to provide an independent voice to achieve good governance and accountability in the Pacific region.

What’s next?

Stay tuned to read more about the following topics forthcoming in our blog series:

·       Strengthening public procurement practice: key questions for auditors.

·       Staying productive in a remote working environment.

·       Ensuring staff wellbeing in an online setting.

·       Upskilling for the future: what capabilities do auditors need in an era of AI and digitisation?

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

  ------------------------------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19.  

For more information about PASAI refer www.pasai.org

References

[1] https://www.cyber.gov.au/threats/threat-update-covid-19-

malicious-cyber-activity

[2] https://www.mckinsey.com/featured-insights/internet-of-things/our-insights/six-ways-ceos-can-promote-cybersecurity-in-the-iot-age

[3] https://www.helpnetsecurity.com/2018/07/11/2018-sonicwall-cyber-threat-report/

[4] https://en.wikipedia.org/wiki/Social_engineering_(security)

[5] Trojan – a type of malicious code of software that looks legitimate but can take control of your computer and/or network once downloaded

[6] https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/digital-blog/at-the-core-of-your-cybersecurity-strategy-knowing-your-capabilities

[7] https://www.standards.org.au/getmedia/952ea009-ffc2-490a-905f-8f731fa84a52/Pacific-Islands-Cyber-Security-Standards-Cooperation-Agenda.pdf.aspx

By Annie Subactagin-Matto, Director – Monitoring, Evaluation and Reporting, PASAI

The global COVID-19 pandemic has disrupted our traditional way of working. With an increased need to monitor the unprecedented public expenditure and procurement related to COVID-19 response and recovery efforts, it is critical that SAIs continue to operate effectively in a remote working environment to detect fraud and ensure accountability of public funds.

In a national or regional lockdown situation, the necessity to work remotely provides us with both a challenge and an opportunity to leverage digital technology to re-shape the way we work – as individuals and collaboratively across teams. This blog explores how we can use technology solutions and tools to operate effectively and thrive in an environment of constant change.

Creating a collaborative online platform: core digital technologies and tools  

There is a pressing need for SAIs to establish and maintain a base of core digital technologies and online tools (a “tech stack”) that enable audit teams to work collaboratively and productively while operating from different locations. Given the varying IT capability and capacity across Pacific SAIs, there are a range of tools that may be considered by SAIs to plug existing gaps and enhance online collaboration.

The following user-friendly tools are examples of solutions that you may be able to integrate into your existing SAI software without the need for complex or expensive system changes. These tools can be used by SAI staff to:

· work collaboratively as a team - share files, manage projects and workflow, host and record audio and video meetings. The tool we suggest is Microsoft (MS) Teams as it allows this functionality and enables users to create separate channels for each team or stream of work. Users can also direct message individuals to facilitate specific (and group) conversations. MS Teams is easy to install and integrates well with the Office 365 suite of software. It also works well with weak to moderate internet coverage.

· host a video conference by using a dedicated URL. Zoom is an audio/video conferencing platform that also allows users to call in by phone and provides options for recording and transcribing conversations. Users can share their screens with other meeting attendees enabling them all to view the document being discussed. It is also an effective tool to deliver online training sessions and workshops. Zoom allows free use for meetings up to 40 minutes, and requires a business subscription for longer meetings. Zoom may not perform well with a weak internet connection.

· enable simultaneous update of a document by multiple users while working from different locations - without having to email different versions of the same document to your team. For example, Microsoft SharePoint allows multiple users to access and edit a single document at the same time, allowing for efficient version control and editing. MS SharePoint works well with the Office 365 suite of software and can be accessed without an upgrade to the SAI IT system. This tool works well with a weak to moderate internet coverage.

· manage, access and transfer files. The tool we suggest is Dropbox. It can be used as a secure knowledge management system, in which security settings can be actively managed to ensure secure access and editing rights are provided to staff who require it. Dropbox operates well in environments with varying internet coverage.

· store and easily access large amounts of data - cloud file storage solutions are useful option to make your data more accessible, and works well with varying internet coverage . Two examples of cloud storage platforms are Google Drive and Dropbox. Although Dropbox is also feature-rich, Google Drive offers more storage space (15 GB versus only 2GB on Dropbox) on the free version. Caution is advised to manage data security – covered in an upcoming blog on managing cyber risk.

· scan and share documents using a smartphone or tablet. Scannable (by Evernote) is a tool that captures high quality images that can be saved and shared via email and Google Drive. Easy to use, reduces the need for access to equipment that you might not be able to easily access in the Office during lockdown or restricted access periods and works well with varying internet coverage.

Developing a digital strategy: a phased approach to building ICT capacity and capability

Given the varied SAI IT capability and resources available across the Pacific region, SAIs may want to consider a phased approach to gradually build their “tech stack” and staff capability to use these tools effectively.

A digital strategy and action plan are useful internal governance and planning documents to map this transition and to identify infrastructural and IT assets required (such as a more robust internet connection and a VPN to enable remote access to a secure intranet storing work folders) and the need to build IT capability within SAIs - including expertise and IT solutions to mitigate cyber security risks.

Planning for and building a scalable and resilient IT infrastructure will ensure SAI business continuity enabling effective operations in a changing environment requiring remote work. This will ensure that SAIs continue to provide a credible voice and ensure good governance and accountability in the Pacific region.

 What’s next?

Stay tuned to read more about the following ICT-related topics forthcoming in our blog series:

·       Managing cyber risk

·       Staying productive in a remote working environment

·       Ensuring staff wellbeing in an online setting.

We welcome your feedback and look forward to hearing about other priority topic areas of interest to you. Please email: secretariat@pasai.org

  ------------------------------------------------------------------------------------------------------------------------------------

The Pacific Association of Supreme Audit Institutions (PASAI) is the official association of supreme audit institutions (SAIs) in the Pacific region, and a regional organisation of INTOSAI and promotes transparent, accountable, effective and efficient use of public sector resources in the Pacific.  It contributes to that goal by helping its member SAIs improve the quality of public sector auditing in the Pacific to recognised high standards.  Due to the global coronavirus pandemic (COVID19), this has restricted PASAI’s delivery of our programs to our Pacific members and in lieu of this PASAI will be providing a series of blogs on various topics that may help auditors think about some implications to service delivery as a result of COVID19.  

For more information about PASAI refer www.pasai.org