Supreme Audit Institutions (SAIs) are standard bearers of transparency, accountability and public trust. As such, for the Court of Auditors of Portugal (Tribunal de Contas, TdC), keeping pace with technological advancements is both a strategic objective and a duty to citizens. The transformative potential of data and new technology-driven methodologies for conducting audits have brought about an imperative for the TdC to advance an ambitious digital transformation agenda.

This chapter explores the TdC’s digital transformation journey in a number of strategic and operational areas that are critical for the TdC’s data-driven assessments of public procurement risks. This includes a discussion about the current state and areas for improvement concerning the TdC’s 1) strategy and organisation; 2) people and culture; 3) technology and process; and 4) environment and partnerships. The following sections use these domains as a framework for assessing the TdC maturity to undertake data-driven risk assessments of public procurement. Specifically, the chapter focuses on the following issues:

• Strategy and organisation. The section provides an overview of the TdC’s Digital Strategy and the extensive efforts to develop it. It also delves into the TdC’s organisational structure for strategy implementation and highlights the need for greater coherence among the TdC’s 12 digital initiatives. The chapter also highlights the importance of monitoring and evaluating these initiatives, including suggestions for the TdC when monitoring and evaluating its data-driven risk assessments in public procurement.

• People and culture. This section underscores the necessity of a strategic approach to change management, crucial for both the broader Digital Strategy and the success of the data-driven risk assessment initiative. It examines challenges and priorities in enhancing data literacy and digital skills, particularly for assessing risks in public procurement. The chapter also emphasises the need for auditors to be knowledgeable about data ethics and privacy.

• Technology and process. This section addresses various IT, digital tool, and data integration challenges faced by the TdC. These challenges have wider implications for the TdC’s Digital Strategy and overall audit work, but the chapter highlights specific issues for the TdC to address in terms of data integration, interoperability and tools for assessing risks in public procurement.

• Environment and partnerships. This section highlights several opportunities for the TdC to enhance its digital maturity, with a specific focus on the relevance and sustainability of its initiative for data-driven risk assessments. These include the formalisation of data-sharing protocols and collaboration with data owners to improve the TdC’s training programmes.

Digitisation, digitalisation and digital transformation are concepts that are often used interchangeably. Nonetheless, the distinctions between these concepts are critical for understanding the TdC’s priorities for data-driven risk assessments, key challenges and its future priorities. Definitions of these concepts vary. For instance, many definitions of digital transformation focus on the economic and societal benefits of digitisation and digitalisation. At the institutional level, digital transformation strategy involves organisational change, innovation and addressing cross-cutting management or operational challenges concerning the use of digital technologies and data (Bumann, 2019[52]; Otia, 2022[53]). Digitisation and digitalisation have a more narrow focus, as illustrated in Figure ‎2.1.

The TdC’s initiative to strengthen its assessment of risks in public procurement through better use of data and advanced analytics is primarily an exercise in digitalisation. But as described in later sections, several parallel initiatives complement and feed into this effort, including changes to procedures and IT systems, which will have a disruptive effect on traditional approaches. This includes changes to the TdC’s data management and governance, as well as changes in work processes for auditors given the introduction of new tools. In general, the dimensions commonly seen in frameworks for understanding what drives digital transformation are similar to those for digitalisation and specifically, assessing “digital maturity” for leveraging data and advanced analytics on a project level.

This chapter does not aim to assess the TdC’s broader digital transformation strategy or its implementation. The TdC is still in the first year of its 3-year Digital Strategy, and at the time of writing it is too early to evaluate implementation challenges (and it is beyond the scope of the project). Moreover, to its credit, the TdC itself has conducted several self-assessments recently to develop the current strategy, as described below. Nonetheless, these dimensions and the key practices associated with them (see Annex II) offer a useful framework for understanding some of the opportunities and challenges for the TdC’s initiative to enhance data-driven risk assessments in public procurement as part of its broader pursuit of digital transformation.

This dimension focuses on leadership's guidance for digital transformation, emphasising the integration of technology and data into organisational strategy. It's essential to define roles and responsibilities clearly and prioritise data management policies, including privacy, quality, and consistency, as key elements of this process. This section provides an overview of the TdC’s Digital strategy and the extensive work carried out to develop it. In addition, it provides insights concerning the TdC’s organisational structure for implementing the strategy and raises the need to strengthen coherence between the TdC’s 12 digital initiatives. The section also explores the importance of monitoring and evaluating the TdC’s digital initiatives, with suggestions for its data-driven risk assessments in public procurement.

The TdC’s 2023-2025 Strategic Plan for Digital Transformation (i.e., the “Digital Strategy”) outlines its commitment to embracing the challenges posed by the accelerated pace of digital transformation. The TdC’s Digital Strategy builds on the broader Strategic Plan and encompasses the Strategic Development Plan for Information Systems (PDESI), which the TdC developed previously and aims to align information systems with the TdC’s organisational strategy. At nearly 50 pages, the Digital Strategy outlines the Court’s vision, priorities and activities, supported by in-depth analyses of challenges. It emphasises digital transformation as the goal—the adoption of new technologies and approaches that require fundamental changes to how the TdC operates. The Digital Strategy includes initiatives in the PDESI that were ongoing at the time of its development, and it focuses on the following core objectives (Tribunal de Contas, 2023[57]):

The TdC arrived at these objectives through an internal collaborative process, led by the Auditing Standards Committee and by the IT Committee with technical support from the Centre of Innovation, Technology and Methodologies (CITM) (Tribunal de Contas, 2021[58]), as well as a series of assessments. The assessments included an IT Audit Self-Assessment (ITSA), sponsored by the European Organization of Supreme Audit Institutions (EUROSAI) and involving Spain’s Court of Auditors as independent facilitators of the review. The shaping of the TdC’s Digital Strategy also relied on internal self-assessments, such as an analysis of strengths, weaknesses, opportunities, and threats (i.e., a SWOT analysis), as well as an assessment of its digital maturity using a questionnaire of a private company (i.e., Gartner’s Digital Government Urgency, Maturity and Maturity Assessment). The TdC also engaged an external consultant in 2021 to independently assess the IT architecture and infrastructures in specific Chambers of the TdC, focusing on functionalities of the document management (GDOC) and entity management (GENT) systems, detailed below.

The shaping of the TdC’s Digital Strategy also relied on an internal analysis involving TdC employees that focused on strengths, weaknesses, opportunities and threats (i.e., a SWOT analysis). The SWOT analysis is depicted in the figure below and further demonstrates the extensive diagnostic analysis that contributed to the TdC’s current Digital Strategy and was a driver of the initiative to strengthen its data-driven analysis of irregularities in public procurement.

In addition to the SWOT analysis, in August 2022, the TdC conducted another self-assessment using a tool developed by a private company to assess its digital maturity and maturity, and the urgency of specific needs. This tool offered further insights for the TdC to identify key areas for improvement and set priorities in relation to its digital transformation. The assessment is organised into seven key areas: vision and strategy, delivery and quality of services, the organisation, the organisation and its context, digital projects and investments, data and analytics, and the functions of the Chief Information Officer. The self-assessment includes a maturity model, which classified the TdC as a “cautious mover organisation, acting under low urgency and maturity.” The TdC scored the highest on aspects related to leadership and focusing on value, while other elements like metrics, its data ecosystem, platforms, service model and technology had lower levels of maturity.

These assessments led to the launching of twelve different initiatives, including the TdC’s project to advance data-driven risk assessments in public procurement. A key recommendation from the TdC’s internal assessments was that it could identify projects to achieve “quick wins” that demonstrate positive improvements to leadership. In this context, the TdC’s initiative to strengthen its data-driven risk assessments in public procurement is a follow-up to this recommendation and is an approach that aligns with leading practices. Overall, the TdC’s approach to developing its Digital Strategy checks the box on many of the leading practices for strategy development and aligns with guidance for SAIs that focus on this process.1 Nonetheless, it could take additional steps to ensure the coherence between these initiatives, as discussed in the following section.

The Department for Innovation, Technology and Methodologies (CITM) is a central entity the TdC established to lead the development of the Digital Strategy. Prior to the creation of the CITM, the TdC had a longstanding IT function, the Directorate of Information Systems and Technology (DSTI). Together, the CITM and DSTI are driving the TdC’s spearheading the implementation of the Digital Strategy and its initiatives, including enhancing data-driven risk assessments. The specific aim of the CITM is to “monitor, adapt, promote and support” the use of technology, methodologies and tools for auditors” (Tribunal de Contas, 2021[59]). The CITM (with the DSTI) has a formal mandate to drive technological change, which comes with responsibilities that span the aforementioned dimensions of the digital maturity framework. The DSTI is responsible for aligning IT processes with the TdC’s strategy and ensuring the integration of business areas in applications. It also maintains the global data model, reduces information redundancy, and develops, acquires and maintains integrated applications for technical and administrative functions.

The CITM is an operational unit within the Directorate General of the TdC and it has two main areas of focus, as shown in Figure ‎2.5. This model is similar to other SAIs. For instance, the Centre for Data Management and Analytics Office within the Comptroller and Auditor General of India provides guidance to field offices on analytics and pioneers research and development on future directions for using data and analytics. In some SAIs, like those in the U.S., U.K., and Norway, a combination of Innovation Labs and methodological specialists fulfils these roles.

Defining roles and responsibilities internally, including the designation of an entity to implement the Digital Strategy with an organisation-wide mandate and access to leadership, is a key practice for driving digitalisation and digital transformation. For instance, INTOSAI’s guide for SAIs on Managing Information Communications Technology (ICT) highlights both the critical importance of having an ICT function as well as the consideration for its level of visibility within the SAI and whether it has senior representation. The same could be said of other functions within an SAI that serve cross-cutting roles, such as Innovation Labs or teams that offer support in advanced analytics or statistical methodologies, such as the CITM (INTOSAI, 2015[60]). Within the TdC, this role is critical given the breadth of initiatives that fall under the Digital Strategy. These initiatives have action plans, but interviews with the TdC official demonstrated that efforts remain siloed and there is a risk of incoherence and inefficiencies when implementing the broader strategy.

Having established the CITM, and together with the DSTI, the TdC has in place the governance structure to drive greater coherence between digital initiatives. The CITM and the DSTI can continue to facilitate regular communication, decision-making and alignment of goals across the 12 digital initiatives. The sections below that emphasise monitoring and evaluation, change management and strengthening of digital skills can also serve as mechanisms for breaking down siloes across digital initiatives and ensuring that different digital initiatives do not just coexist but actively complement and enhance each other.

In 2022, EUROSAI evaluated 20 European SAIs to understand how they use technology and identify challenges. The survey results revealed a unanimous belief among SAIs that digital transformation enhances the effectiveness and efficiency of audits, and they identified the adoption of digital technologies as a crucial strategy for improving SAI performance. However, the survey also highlighted a monitoring shortfall, with only 30% of SAIs evaluating the impact of digital technologies on audit outputs (EUROSAI, 2023[61]). Continuous monitoring and evaluation of the performance of digital initiatives, based on objectives and metrics, are critical for understanding the effectiveness of activities and adapting them, as needed.

In its handbook, the Strategic Management Handbook for Supreme Audit Institutions, the INTOSAI Development Initiatives outlines key learning points for monitoring an SAI’s strategy. The points reflect many of the basics of performance monitoring, including developing a monitoring framework that not only focuses on the broader strategy, but also accounts for the operational level and specific initiatives. This involves developing a framework that has:

• Indicators: A quantitative or qualitative measure that shows the level of achievement of envisaged change, most notably at the outcome and output level and for some crucial capacities.

• Baselines: The status of the indicator at the beginning of the strategic period.

• Milestones and Targets: On what level the indicator should be, or to what extent activities should be implemented at a given time (INTOSAI Development Initiative, 2020[62]).

The TdC’s Digital Strategy has a section on the implementation and monitoring of the strategy that recognises the need for monitoring the strategy, including general references to the use of indicators for assessing digital initiatives. Future iterations of the Digital Strategy could develop the indicators further. At the onset of the project with the OECD, the TdC defined several indicators to measure the impact of the initiative. These can serve as a starting point. Table ‎2.1 explores possible indicators to build on these with a more operational context in mind, taking inspiration from indicators in the IDI’s Handbook for monitoring the performance of SAIs, the quality assurance models of the UK National Audit Office (NAO),2 the US Government Accountability Office’s (GAO) AI Accountability Framework (see Box ‎2.1), and the cost-benefit analysis methodology of the Comptroller General of Peru (CGR).

The indicators in the table reflect the TdC’s goals to move toward a more automated, AI-driven form of risk assessment. They focus on the use of such tools in the context of public procurement but could be applied to other areas as well. There are two types of indicators presented in the table. The first four focus on the effectiveness of the risk assessment tool itself, while the last four focus on data literacy and capacity more broadly. It is also important that a target value is established for each indicator to maximise their effectiveness. This table is not meant to be an exhaustive list but instead to provide a starting point for TdC to establish a framework for monitoring and evaluating its digital initiative for data-driven risk assessments in public procurement.

One challenge facing the TdC is the creation of indicators that go beyond monitoring activities and processes to monitoring outcomes. This typical measurement challenge is amplified by the inherent complexity of measuring the effectiveness and efficiency of data-driven risk assessments for irregularities. The indicators in the table above include some outcome-level indicators that can inform the TdC’s development of a more robust monitoring framework for the initiatives, which could focus not only on the impact of the risk assessment process itself but also on the use of AI and advanced analytics. GAO’s AI Accountability Framework offers some inspiration for the latter.

The GAO AI Accountability Framework comprises four key pillars: governance, data, performance, and monitoring. Its aim is to guide managers on responsible AI usage and to foster accountability in government AI initiatives. It delineates key practices across its pillars, focusing on the AI system's lifecycle from design to continuous monitoring. The "Data" pillar, for instance, emphasises documenting and continually monitoring data sources and preparations for data models. The Framework not only facilitates sound AI management but also can provide the TdC with insights for monitoring its own initiatives using AI or advanced analytics. Box ‎2.1 elaborates on this framework and key practices for monitoring and evaluating the performance of AI systems. The GAO’s is not the only example. For instance, Norway’s Office of the Auditor General (OAG) has integrated the auditing of AI as part of its suite of performance audits, and its current 2018-2024 Strategic Plan notes that “problem-solving will become more automated, and the use of [AI] will gradually take over tasks in both the public administration and the OAG.”3 Similarly, at the central level, the TdC can reference Canada’s Algorithmic Impact Assessment tool4 to inform its own assessment of AI performance and risks.

Another important consideration when investing in the development of a digital tool is the return on investment. Data-driven risk assessment models may improve the TdC’s ability to identify and respond to risks in public procurement, but this is only worthwhile if these benefits outweigh the costs of creating and perfecting such a tool. The CGR of Peru developed a cost-benefit analysis (CBA) methodology for evaluating its investments in concurrent control of infrastructure that could be informative for the TdC’s own assessment of its digital initiatives.5 The methodology focuses on calculating the net potential benefit of an investment by subtracting the potential financial and non-financial costs from the potential benefits in terms of potential economic damage avoided. Employing a CBA methodology could help the TdC identify whether an investment in data-driven risk assessment is worthwhile, comparing the investment in developing and maintaining an ongoing capacity for data-driven risk assessments with the benefits derived from more targeted and efficient audits.

Organisational digital maturity hinges on employee expertise, skills, and commitment, encompassing digital literacy, advanced programming, and understanding ethical data use, along with sector-specific and legal knowledge for data privacy and security. A digital-ready culture also requires leadership and employees to align around digital goals, supported by policies promoting technological experimentation and skill-enhancement training. This section highlights the need for taking a strategic approach to change management, which has implications for both its broader Digital Strategy and the success of its data-driven risk assessment initiative. The section explores challenges and priorities for strengthening data literacy and digital skills, especially in the context of assessing risks in public procurement, as well as the need for auditors to have the knowledge and awareness of core issues concerning data ethics and privacy.

Of the key practices described in the framework above, developing and implementing a change management and continuous learning plan is one of the most critical in the TdC’s context. Interviews with TdC officials, responses to the OECD questionnaire and the TdC’s own self-assessments highlight a reoccurring theme: existing siloes between Departments and audit teams threaten the success of its Digital Strategy. Institutional siloes also pose challenges at the project level, including the TdC’s initiative to use data and advanced analytics for assessing public procurement risks.

Strengthening its strategy and approach to change management can help address these siloes and increase the chance of success of the TdC’s digital initiatives and, therefore, its broader digital transformation strategy. Change management encompasses both initiating the necessary shifts within an organisation and adeptly navigating the intricacies of change by planning, executing, and sustaining these transformations (European Court of Auditors/U.K National Audit Office/OECD SIGMA, 2007[64]). While technology and strategies are important, the people involved are the backbone of any transformation. A change management plan can act as a roadmap, guiding the TdC through the complexities and challenges that arise during its transformative journey.

To sharpen its approach to change management, the TdC can take inspiration from one of the seminal frameworks in this field: the eight Steps to Accelerate Change.6 This framework represents “steps” that are not necessarily linear and can be carried out simultaneously and iteratively, as the TdC’s own experience demonstrates. The steps include:

From the perspective of implementing its Digital Strategy, it is notable that CITM has already taken several of these steps, such as formulating a strategic vision and initiatives that can be short-term wins, which includes its data-driven risk assessment in public procurement, according to TdC officials. However, the principles within Kotter's framework can be relevant for specific projects, particularly when the impact of the project crosses teams or requires a change in behaviours and habits. The TdC’s project to strengthen its data-driven risk assessments has these characteristics. Table ‎2.2 explores these steps further with this initiative as a focus, including actions the TdC is already taking as well as additional steps it can consider.

The actions described in the table provide the foundation for a more robust change management plan, the primary objective of which would be to facilitate a transition from current processes and mindsets to new, digitally inclined ones. They aim to instil confidence within the TdC, assuring auditors that while changes are forthcoming, they are calculated, beneficial, and supported at every level of the organisation. Involving all layers of the organisation in the change management process will not only help in achieving the goals set out in the Digital Strategy but will also aid in breaking down the existing siloes between Departments and audit teams for the benefit of individual digital initiatives. While the table above focuses on accelerating change of a specific project, the same concepts can apply to bigger plans for digital transformation, helping the TdC to not simply adopt new technologies but evolve as an institution. Box ‎2.2 provides an example from the U.S. General Services Administration and its IT Change-Maturity Program: Culture Pre-Assessment Guide. It offers further support for the TdC that is more focused on technology modernisation than the 8 steps and can assist in troubleshooting key areas.

In this context, CITM faces a number of challenges to convince auditors to embrace new ways of working and promoting a data-centric culture. The TdC’s Digital Strategy recognises this challenge, highlighting the need for investments in training, development of human resources and equipping staff with knowledge and skills to operate in a digital era. Moreover, for some initiatives, the TdC has adopted a good practice of piloting and experimenting, including its initiative to strengthen data-driven risk assessments in public procurement. These are critical aspects of developing a data-centric culture, but there are ways to further formalise and enhance the TdC’s approach, going beyond the current Digital Strategy, starting with digital and data literacy.

Data literacy—the ability to read, interpret, create and communicate data as information—is a key requirement of modern auditors’ skillset, evidenced by numerous trainings, workshops and guidance for SAIs. While critical, data literacy is just one component of a broader set of digital skills. These skills reflect a range of abilities to use digital devices, applications, tools and networks to access and manage information. Specifically, auditors with digital skills are not only data literate, but they are also equipped to ask strategic questions while understanding opportunities and limitations of techniques and tools. Moreover, they are more likely to have realistic expectations about time and resources when planning the use of data and deciding on methodological trade-offs. Having more robust data skills also increases the likelihood that auditors will adopt the tools developed by the CITM and the DSTI, and in the future, facilitate and promote improvements and innovations.

Within the TdC, digital skills are largely consolidated in the CITM and the DSTI. These are small teams with a cross-organisational mandate, as described above. At the time of writing, CITM employed five individuals, including a data scientist, and DSTI’s team included 22 IT technicians, among several other roles, with responsibility for ensuring the IT and data needs of the TdC’s 9 audit departments are met. According to TdC officials, outside of these teams, auditors’ skills with data and tools typically involves Excel-based data processing and analysis.

The TdC carries out an annual diagnosis of training needs, with its current iteration likely to lead to a three-year training plan that envisions a component on data management and analysis. Courses taught in the past and that will be repeated include: “Challenges of digital transformation for auditing”, Power BI and Advanced Power BI, Digital Transformation and Data Science, and the Application of Artificial Intelligence in Auditing. In previous years, the TdC also carried out trainings on specific methodologies, including financial auditing standards and planning, identifying, and assessing risks when conducting financial audits.

In the context of this project, which envisions a data-driven risk model for public procurement that is used across audit teams, there are specific digital skills and areas of expertise that the TdC could cover in its training plan. These are focused on this specific activity given the objective of the project with the OECD, but the technological and quantitative skills are applicable for other purposes. For instance, the TdC could develop further its course offering concerning data-driven risk assessments, with a focus on building auditors’ skills in quantifying risks, structuring data and ways to monitor the performance of the risks model. In addition, the TdC could consider adding courses to its current offerings on data visualisation, which include the use of Power BI and Microsoft Excel, but that focus more on visualisation of large-scale datasets. The use of AI or advanced analytics for assessing public procurement risks typically relies on the ability to handle large-scale datasets (i.e., 100 thousand or million observations) and implement advanced statistical methods like binary logistic regressions, matching, or principal component analysis. Presenting user-friendly results makes it easier to interpret and respond to risks, and it is helpful for those responsible for creating and using dashboards to have advanced knowledge of data visualisation principles and software (e.g., R Shiny package or Tableau).

In the context of assessing risks in public procurement, cross-functional teams and a domain expert with intimate knowledge of public procurement processes and risks are critical. Auditors may only be periodically exposed to public procurement issues and risks, as their responsibilities and audit engagements constantly change. Therefore, having a domain expert in public procurement ensures the effective design, implementation and updating of a data-driven risk model. In the early stages of its initiative, TdC officials involved experts in public procurement as part of its exercise in identifying risks, a practice that can be formalised in the future. Figure ‎2.8 below elaborates further on the specific contributions of different roles for using advanced analytics to assess public procurement risks, and it is broadly applicable to other digital initiatives. Some roles may be combined, but it offers the TdC a conceptual description of roles to aid future planning and engagement of cross-cutting teams in its digital initiatives.

The European Union’s Digital Competence Framework (DigComp) offers further information for the TdC to ensure its trainings to build digital skills are fit-for-purpose. Box ‎2.3 below explains DigComp and includes additional competencies from the OECD’s own analysis that can help the TdC to set goals and metrics for each training programmes that draws from a well-defined list of competencies. For the TdC, these competencies are shared across teams, including management, CITM and audit teams working with data. As such, trainings can target the entire organisation, while tailoring modules to specific roles and responsibilities concerning the TdC’s Digital Strategy.

CITM has identified the importance of adopting and utilising technology to shift auditing from a reactive and retrospective exercise to a proactive, predictive, and future-oriented practice. This transformation presents an opportunity to produce audits of higher quality, but it also necessitates a sustained commitment and investment in bridging current capacity gaps. While having a robust training plan is critical, not all skill development and capacity building needs to be formal. One way to be able to keep a consistent pulse on the needs of auditors, while promoting the sharing of practices and knowledge, would be to develop an informal community of practice. This could focus on specific initiatives or themes that are relevant across TdC audit teams. For instance, multiple audit teams will ultimately use the data-driven risk assessment that the TdC is developing, which could be a focal point for a community of practice to aid adoption and collective addressing of challenges.

Other SAIs have developed such communities and resources with a dedicated focus of developing digital competencies, such as the Austrian Court of Audit’s (ACA) “R-Community.” This community of auditors with skills in data analysis exchange about methodologies and uses of the open-source statistical software “R.” The goal of the community is not to make all of the ACA’s auditors experts in using R, but rather to generate sufficient knowledge about what data analysis can do and for what purposes it can be used (Mayrbaeur, 2023[68]). In Belgium, the Supreme Audit Institution created a discussion group called “DataLab” to help integrate analytics across the organisation through monthly meetings, trainings and expert advice from data scientists.7 The TdC may also find numerous resources online to bolster data literacy internally without reinventing the wheel, such as the online data and analytics course provided by the Netherlands Court of Audit.8

In the context of accessing and processing public procurement data for purposes of financial inspection, SAIs are obliged to have unrestricted access to pertinent data for conducting their audits, as per INTOSAI auditing principles and standards. This includes data protected by specific regulations or control protocols, such as those commonly applied in the commercial, banking, medical and national security domains. In Portugal, auditors’ use of external data sources is aligned with the stipulations in the RGPD and the TdC Regulation, as well as principles found within the TdC’s Audit Manual.

In relation to data use and its ensuing disclosure in the TdC’s reports and decisions, there are several noteworthy points. As per Article 13 of the TdC’s Regulations, the TdC must devise a "communication strategy, suitable for the fulfilment of its mandate, in compliance with the principles of transparency, accountability and protection of personal data, namely through the dissemination of results in a timely manner." Moreover, the TdC follows the LOPTC, the TdC Regulation, and, in a secondary capacity, the Code of Civil Procedure (CPC), maintaining that data processing is the purview of the presiding judge within the TdC. This principle dictates that case information should be made public, unless it is covered by personal data or secret protection provisions.9

Current legislation permits the release of information in circumstances where the public interest outweighs the interests safeguarded by the protection rules. However, this is subject to the principle of minimisation and assessed on a case-by-case basis by the responsible judge. Guidelines in Resolution No. 3/2018-PG provide a roadmap to ensure the TdC does not disclose more personal information than required. For instance, "the publication of judgments, audit reports and other acts of the Court should only contain the personal data that are indispensable for informing society about the use of public financial resources and guaranteeing the accountability of the managers of these resources and those responsible for finances." In cases of ambiguity regarding personal data that may be included in published court acts, the Court's Data Protection Officer should be consulted.

The legal and regulatory framework for the TdC’s data protection, as well as its inclusion in internal audit manuals, demonstrates the TdC’s adherence and commitment to the protection of privacy and ethical use of data. Nonetheless, the introduction of new tools, particularly a risk model that heavily relies on external data source and possibly additional personally identifiable information, creates incentives for the TdC to revisit existing policies, guidelines and trainings for auditors regarding who may use these tools. The aforementioned trainings could include a module on topics of data ethics and privacy. Going beyond this, even though it is not legally required, the TdC can also consider how it would promote transparency of its activities that involves the use of data for its digital initiatives, particularly those that could be considered sensitive. For instance, the TdC could periodically review (and publish) its code of conduct to ensure it keeps pace with its use of data and AI as its digital initiatives evolve. While a national initiative, the TdC could take inspiration from the United Kingdom’s National Fraud Initiative (NFI) Code of Data Matching Practice, which promotes transparency and ethical use of data, while laying out principles and practices for protecting citizens’ right to privacy (see Box ‎2.4).

Digital maturity relies on technology, like IT systems and software, but it shouldn't be the sole focus. Instead, the broader vision for digital transformation should drive technology choices, tailored to specific needs. Considering the varied complexity and functionality of digital services and tools, a pragmatic approach involving cost-benefit analysis is vital for responsible technological investments. This section explores several challenges the TdC faces from the perspective of IT, digital tools and data integration. Some of these challenges have broader implications for the TdC’s Digital Strategy and audit work in general. Where appropriate, this section offers a more narrow discussion on issues concerning data-driven risk assessment in public procurement.

As noted, in 2021, the TdC conducted an IT Audit Self-Assessment (ITSA) with the Court of Auditors of Spain facilitating the process. The primary goal of the ITSA was to examine the functionality and performance of the TdC’s existing IT systems and conduct a gap analysis of the TdC’s maturity in relation to key COBIT processes that impact TdC's operations.10 The ITSA demonstrated that although the TdC had a level of IT maturity that was in line with similar institutions in the European Union (i.e., Level 3—documented communicated processes), key gaps remained. In response to the results of the ITSA, the TdC implemented the following improvements:

• Improved communication methods with those being audited, accomplished through the implementation of an “eAccounts” portal.

• Developed a project for electronic audit management, which culminated in the creation of the “ModInAudit” application.

• Established and updated training programmes for auditors on an annual basis (Court of Auditors of Portugal, 2023[70]).

Since the TdC’s ITSA, advancements in technology necessitated further assessments and refinements that would ultimately lead to the TdC’s current Digital Strategy. To further advance its digital maturity, the TdC engaged an external consultant in 2021 to independently assess the IT architecture and infrastructures in specific Chambers of the TdC, focusing on functionalities of the document management (GDOC) and entity management (GENT) systems.11

Findings from this assessment offer some insights into the evolution of these systems that play a critical role in the TdC’s digital transformation initiatives, including carrying out data-driven risk assessment and the IT challenges the TdC faces. According to TdC officials and questionnaire responses, some of these challenges are still ongoing as of December 2023. For instance, the user/system interface of the GDOC and GENT applications could be improved to cater better to specific user tasks and needs. Moreover, there is a need to further improve and define processes concerning various applications, and address challenges related to both information systems and technological infrastructure, including (but not limited to) the following:

• Development of the "portal of external services" to facilitate information exchange with external entities.

• Implementation of the "TdC in real-time" project to achieve interoperability with other public administration organisations. This depends on the interoperability between the TdC's information system and the information systems of public administration organisations where data on entities under control and jurisdiction reside.

• Creation of an internal services portal to provide TdC employees with easy access to information systems.

• Execution of the eContas project for prior inspection and implementation of responsibilities, integrating different stakeholders and aligning functional profiles with relevant information and tasks.

• Automation of procedures for internal verification of accounts and issuance of reports.

Several of these issues are directly relevant for the TdC’s initiative to enhance its data-driven risk assessment in public procurement.

Within TdC, all database management systems have a relational nature, meaning that, in theory, they share the same structures and types of data. The consistency in using relational databases provides for a unified approach to data management, which is particularly helpful for the TdC to query complex datasets and structured data. In some cases, there is the possibility of functional and semantic interoperability, in which certain fields in a system depend on fields in another system, enabling the integration activities. Achieving this interoperability is complex, given the need to maintain data integrity and synchronise data across different systems. The integration of functional and procedural activities across various systems poses additional challenges, particularly for real-time data processing and maintaining transactional consistency.

Ensuring the accuracy of results in any data-driven approach hinges on two fundamental aspects: the volume and the integrity of the data. Additionally, effectively integrating data from various sources plays a pivotal role in this process. This integration requires parsing, correcting, standardising, matching and consolidating to ensure data usability. For purposes of the TdC’s initiative to assess public procurement risks, there are three high-priority databases, shown in the table below along with a matching variable.

Analytical indicators can be obtained at different levels of aggregation and require additional fields to enable integration of various data sources, which can present several challenges. For instance, requirements for firm-level indicators might benefit from combining multiple databases that would naturally be matched using the tax numbers (e.g., one containing information about procurement activities and another concerning firm tax information). See Chapter 3 for further discussion on the data sources and variables that are relevant for the TdC’s risk assessment methodology.

Despite the relevance of the data sources of the entities in the table below, data integration and interoperability present challenges. One of the main issues is the diversity of systems and formats used to store and manage data. Institutions typically have their own systems, databases, and software, all of which can make it difficult to establish interoperability. Moreover, data governance and security measures can vary across institutions, including concerns about data privacy and sharing protocols. In Finland, the National Audit Office was forced to develop its Risk Detector Tool for public procurement using open data due to data protection regulations and controls the prohibited more direct access to the data (see Box ‎2.5).

The lack of standardised data schemas and protocols, primarily amongst data owners, further hampers integration efforts. Data quality standards and inconsistent data-entry practices can introduce errors and inconsistencies that reduce the accuracy and reliability of integrated data. Concerning the data for assessing risks in public procurement, many of these challenges reside with IMPIC. The TdC’s initiative represents the first time in which it is directly accessing IMPIC’s datasets in high volumes. To facilitate this data exchange, the TdC made several adjustments to its IT infrastructure. Nonetheless, challenges concerning data quality (e.g., high levels of duplicates) remain at the time of writing this report. Overcoming these challenges will require ongoing collaboration between the TdC and IMPIC, as well as other data owners to the extent needed, to ensure standardised frameworks and robust data management strategies underpin improvements to data integration and interoperability.

Robotic Process Automation (RPA) is described as the next frontier for SAIs, after data analytics (Otia, 2022[53]). The TdC’s Digital Strategy emphasises the need to advance the automation of processes as one of its key initiatives to maximise efficiencies and the value-for-money of audits (Tribunal de Contas, 2023[57]), allowing auditors to reallocate their time to critical-thinking tasks, like data analysis and developing findings. By minimising manual data processing, automation also has the potential to reduce errors. For instance, risk dashboards that offer automated alerts could help auditors in conducting more targeted, co-ordinated audit selection.

While the TdC recognises the value of automation in its Digital Strategy, many of its core processes rely on manual methods and traditional tools, highlighting a gap between strategy and practice. Automation, especially in public procurement, could transform mundane tasks like risk identification and data management, allowing auditors to spot irregularities in a more efficient and co-ordinated manner. Bridging the gap between strategy and practice requires not only automation, but also equipping auditors with the necessary tools. The use of applications like Microsoft Excel and Caseware IDEA dominate the TdC’s current practices. Some audit departments reported using Power BI and R software in responses to the OECD’s questionnaire. Questionnaire respondents from multiple audit departments did not identify specific needs or gaps in software or tools available when asked. This suggests that within the TdC there is either general satisfaction with current tools or a lack of awareness of the benefits of other technologies. As the TdC develops its digital initiatives and integrates new approaches in its audit practices, including its data-driven risk assessment methodology, the TdC could consider conducting a deeper evaluation of current tools to ensure alignment between strategy, practices and the modern auditing needs of TdC’s auditors.

Concerning data-driven risk assessments for public procurement, the “tool” or mechanism to collect, disseminate and potentially visualise the results of the assessment is equally as critical as the underlying methodology. An effective dashboard, for instance, centrally developed and managed by CITM or DSTI, can promote a co-ordinated approach that avoids duplication between audit departments and creates a horizontal feedback loop. Chapter 1 presents ALICE, an RPA tool used by Office of the Comptroller General (CGU) and the Federal Court of Accounts of Brazil (TCU). ALICE utilises an algorithm to asses unstructured data, in particular, to extract monetary values from non-uniform text in PDF bidding notices. It then organises this data using a Random Forest classification method to analyse the "materiality factor," an estimated risk value associated with these bids. ALICE effectively uses data and analytics to identify irregularities and improve auditors' efficiency in procurement, even amongst auditors without expertise in machine-learning or AI. Its success hinges on two factors:

• Senior management support was crucial in identifying irregularities in public procurement. This backing, seen as vital for fostering a culture of integrity, led to innovative auditing practices. For example, TCU Counsellors agreed to sign an ordinance validating a new workflow, enabling auditors to make use of the AI-based technology and act efficiently to address the risks of irregularities.

• To manage data overload and human limitations in data processing, the CGU and TCU implemented two strategies to aid auditors. Firstly, ALICE sends daily emails summarising key bid information and alerts, helping auditors focus their analysis. Secondly, they developed a specialised dashboard that offers various filters to streamline their search and access detailed bid analyses and irregularities identified by ALICE (OECD, 2022[73]).

TdC’s development of its own data-driven risk assessment in public procurement could benefit from these findings about its institutional context and Brazil’s example by keeping in mind opportunities for automation, auditors' current digital literacy, and the need for a risk dashboard to support non-technical users. Brazil's experience with ALICE, particularly in analysing unstructured data to address financial irregularities, underscores the potential of advanced analytics in this domain. However, the scope of effective methodologies in public procurement is not limited to financial aspects alone.

TdC's commitment to assessing a wide range of irregularities and risks, including both financial and non-financial risks that can affect the efficiency of public procurement, points to the need to consider a diverse set of tools and approaches. Text mining techniques, as demonstrated in the academic context of Morocco's green public procurement initiative, can provide inspiration. The box below explores the use of text mining for scrutinising unstructured data in procurement documents and it highlights the potential for analysing the extent to which environmental considerations are integrated into tendering processes. For an organisation like TdC, aiming to encompass both financial and non-financial risks, as well as analyse both structured and unstructured data, Morocco's approach provides valuable insights and highlights the possibilities for its own risk assessments.

Similarly, researchers in Belgium conducted a longitudinal study and used text-mining analysis to identify patterns in sustainable public procurement practices (SPP) over time. They used a concept of SPP that targeted seven categories: 1) environmentally friendly procurement, 2) circular economy, 3) social return on investment, 4) ethical trade, 5) local and/or SME-oriented procurement, 6) Innovation-oriented procurement and 7) the use of sustainability labels. Among other findings, they found that public authorities implemented SPP in more than 70% of the notices reviewed, which was a higher rate than what had been self-reported previously. Nonetheless, they also found a gradual decrease in the implementation of SPP during the years studied (2014-2016). Overall, the researchers demonstrated the value of text-mining as a tool for assessing unstructured data and the implementation of SPP in public procurement notices to identifying patterns, which would not have been possible with other methodologies, such as conducting surveys or interviews (J. (Jolien) Grandia, 2020[75]).

The TdC’s risk assessment methodology could ultimately integrate both structured and unstructured data. As a starting point, TdC could first concentrate on developing a risk assessment methodology that incorporates structured data as an initial proof-of-concept, and then build on this in the future with additions to the methodology that incorporate unstructured data and text analysis, as illustrated in the examples of this above. For instance, as discussed in Chapter 1, the TdC’s entity management system (GENT) includes unstructured data based on information in the Official Government Gazette of the Portuguese Republic that could be leveraged for refining future risk assessments. This phased and iterative approach would allow the TdC to prioritise its resources and first demonstrate the value of its risk assessment methodology internally, using structured data that capitalises on the progress made with integrating IMPIC’s data, before turning to other types of risk assessment techniques.

National laws and directives play a pivotal role in institutional digital transformation, shaping the digital governance and data management framework. This legal backdrop can either limit or advance technology adoption, impacting digital project success. In addition, fostering collaborative relationships between entities is crucial for digital maturity. This section highlights several opportunities for the TdC to enhance its digital maturity with specific consideration for the relevance and sustainability of its digital initiative for data-driven risk assessments. They include the formalisation of data-sharing protocols and collaboration with data owners to enhance the TdC’s own training.

INTOSAI’s Working Group on Big Data conducted a survey that revealed 45% of SAIs lack data-sharing mechanisms and regulations for big data use, 41% have limited international co-operation on big data, and 32% face challenges in inter-departmental data exchange (INTOSAI Working Group on Big Data, 2022[76]). These survey results suggest a gap in establishing effective data sharing and co-operation mechanisms, despite intentions and examples of SAI collaboration on big data audits.

Timely access to data is crucial for the effective implementation of the TdC's new risk assessment methodology. The primary users of this methodology, the real-time and ex post audit teams, rely heavily on the availability and accessibility of relevant data to conduct audits on ongoing and completed activities, contracts, and projects. As is often the case for SAIs, data access poses one of the greatest risks and bottlenecks for the TdC’s digital initiatives, in particular, its goals to enhance its assessment of risks in public procurement. The initial access to IMPIC’s database, Portal BASE, and the collaboration established during the project for data sharing marks a significant step forward. However, challenges remain in accessing other databases, as elaborated in Chapter 3 (e.g., IRN’s database of beneficial owners). Future iterations of the risk model for assessing public procurement risks could be enhanced by addressing these challenges, thereby broadening the data sources available for the risk model and improving risk coverage.

According to TdC officials, challenges for accessing data reflect inter-institutional dynamics as much, if not more, than any legal or regulatory provisions that restrict the TdC’s access to data for audit purposes. Engaging with legal and policy frameworks to foster a conducive environment for data sharing is crucial. Continuous dialogue with policymakers and stakeholders to advocate for supportive laws and regulations may also help beyond the scope of this project. CITM and DSTI are critical drivers of this effort. To keep the momentum after the project, the TdC could establish a broader dedicated task force to oversee the development and implementation of data-sharing protocols, providing a more focused and collective approach to overcoming the identified challenges. This task force could also serve as a liaison between, or even include, the TdC and data owners that are relevant for the TdC’s audit work, promoting a more harmonised approach to data sharing that ensures alignment with the goals of TdC’s digital transformation journey.

Looking across government at the various owners of databases the TdC uses, opportunities exist to strengthen a co-ordinated and collaborative approach to enhancing data literacy and knowledge-sharing. As detailed in Chapter 3, the TdC relies on many external databases for its current and future auditing and risk assessments in public procurement. In concert with these stakeholders, the TdC could facilitate the development of more structured trainings to gain a deeper understanding of how the data can be used in its work and the nuances in terms of data structure, reliability and other technical issues.

Currently, the IGFEJ focuses on providing training in public procurement exclusively to its employees. IMPIC takes a comprehensive approach by preparing and disseminating good practice manuals, technical guidelines, FAQs, webinars, videos, videocasts, and providing training programmes, often in collaboration with other entities. The IRN conducts frequent training sessions for various entities and participates in conferences and colloquia. The AT does not provide external training, but it ensures that protocols for data sharing contain confidentiality rules and obligations. Collaboration with these entities could help the TdC to strengthen its current training plan by tapping into existing resources or creating modules that are specific to such databases that auditors commonly use or cite.

Enhancing collaboration could also involve strengthening the feedback loop with data owners to drive improvements in data quality, which in turn would enhance future risk models. The TdC is well-positioned to drive improvements in gaps in data and enhance the quality of public procurement data, as the TdC deepens its reuse of this data for analysing risks. Currently, feedback loops with data owners, such as IMPIC and AT, occurs on an ad hoc basis (or not at all). As its digital initiatives evolve, the TdC could establish a more consistent and systematic mechanism for exchanging insights and feedback with data owners, outside of audit engagements and within the scope of its data use. The feedback could inform not only improvements to the data, but also trainings and guidance on using specific databases. For instance, the aforementioned NFI in the United Kingdom produces guidance that sets out data specifications in terms of how data should be formatted, and the types of data checks entities can conduct.

The TdC has made significant strides in its digital transformation journey, which is crucial for upholding its role as a standard-bearer of transparency, accountability, and public trust. This transformation is particularly vital in enhancing the TdC's capabilities for data-driven risk assessments in public procurement. The digital strategy of the TdC, as discussed in this chapter, necessitates a comprehensive approach encompassing strategy and organisation, people and culture, technology and process, and environment and partnerships. Each of these domains presents its unique challenges and opportunities.

The TdC’s Digital Strategy, while ambitious, requires greater coherence among its initiatives and a robust mechanism for monitoring and evaluation. This strategic alignment is essential for effective implementation and for achieving desired outcomes in risk assessment and transparency. In terms of people and culture, there is a pressing need for change management, data literacy, and digital skills enhancement, particularly in the context of public procurement risk assessments. Ensuring that auditors are well-versed in data ethics and privacy is also paramount.

Technologically, the TdC faces challenges in IT integration, digital tool efficacy, and data interoperability. Addressing these issues is critical for the success of the Digital Strategy and for improving the TdC’s overall audit efficacy, especially in assessing risks in public procurement. Finally, the TdC's environment and partnerships are key to its digital maturity. By formalising data-sharing protocols and collaborating with data owners, the TdC can strengthen its training programmes and enhance its capacity for effective, data-driven risk assessments.

Overall, the TdC's commitment to digital transformation is a positive step towards more efficient and effective auditing processes. However, for the full potential of this transformation to be realised, a balanced focus on strategy, people, technology, and partnerships is necessary. This will not only improve the TdC’s internal processes but will also reinforce public trust and accountability in the area of public procurement.

The dimensions and key practices below are based on reviews of academic literature, discussions with subject matter experts in government, industry and non-governmental institutions, insights from the OECD’s technical support for governments to strengthen their digital strategies and data-driven risk assessments, as well as OECD Recommendations.12 Numerous self-assessment tools for digital or technology maturity that are relevant or made for integrity actors at an institutional level, such as the Supreme Audit Institutions (SAI) Information Technology Maturity Assessment, also provided inspiration. These practices consider digital maturity and transformation from an organisational perspective, but many are applicable for designing and implementing digital projects.

This dimension encompasses leadership’s vision and strategy for digital transformation, including its goals for strengthening the use of digital technologies and data. A digital transformation strategy can stand alone or be integrated with existing organisational strategies. Either way, the aim is to ensure alignment of the digital strategy with other organisational priorities, audit processes and IT strategies (Bumann, 2019[52]). Clear delineation of roles and charting out responsibilities is imperative. This can include establishing an entity internally with an organisation-wide mandate to implement and co-ordinate digital initiatives. Data management and data governance are also key aspects of this dimension. They involve the policies, procedures, standards and controls that ensure data privacy, quality, consistency and security. Relative to project-based improvements, digital transformation by nature has a disruptive effect on an organisation’s traditional approaches to data management and data governance.

Key practices in this dimension include:

• Align the Digital Strategy with the goals and objectives of other institutional strategies, such as the Strategic Plan and IT Strategy.

• Conduct assessments and establish a baseline for digital maturity, capabilities, IT infrastructure and architecture, and possible gaps.

• Identify key opportunities and challenges concerning data management and data governance, including priorities for ensuring data security and quality.

• Define roles and responsibilities internally, including the designation of an entity to implement the Digital Strategy that has an organisation-wide mandate and access to leadership.

• Engage with key stakeholders in the design of the Digital Strategy, including leadership, management and users of new tools, to understand digital maturity and priorities.

• Establish a plan and key performance indicators to monitor the implementation of the Digital Strategy.

The expertise, skills and commitment of individual employees within an organisation are central to digital maturity on any level, whether the goal is transformation or introducing a new tool for using data. Core competencies often revolve around digital and data literacy, sometimes extending to advanced programming skills. Alongside these technical proficiencies, it is critical that employees understand the policies, processes and behaviours that promote the ethical use of data (OECD, 2020[55]). Furthermore, sector-specific knowledge and specialised expertise are also critical competencies, such as having sector-specific knowledge to understand the data landscape for risk analyses. Legal expertise is also valuable for navigating the legalities of data access, privacy, storage, and security. A digital-ready culture is not only about having the right set of skills and experiences available, but it demonstrates tangible ways that leadership and employees rally around digital goals. This can manifest in different ways, such as having policies that allow for the experimentation of new technologies or providing training for employees to improve their digital skills (OECD, 2022[56]).

Key practices in this dimension include:

• Ensure that leadership visibly endorses and partakes in digital initiatives, embodying a top-down commitment to the organisation's digital aspirations.

• Develop and implement a change management and continuous learning plan that focuses on enhancing digital and data literacy, as well as sector-specific knowledge.

• Introduce and encourage training programmes targeting technical proficiencies like advanced programming and data ethics.

• Institute clear policies that favour experimentation with new digital tools and technologies to foster innovation and a “trial-and-error” mentality.

• Establish guidelines on the ethical use of data, ensuring that staff understands and adheres to them.

• Prioritise and establish mechanisms for internal knowledge sharing, facilitating the dissemination of sector-specific, technical and legal expertise.

• Promote a culture of collaboration and digital empowerment, where employees at all levels feel engaged and invested in digital transformation objectives.

• Collaborate with legal experts to navigate the intricacies of data laws, ensuring the organisation remains compliant while maximising its digital potential.

• Implement feedback loops to understand employee challenges and needs in the digital landscape, adjusting strategies based on this feedback.

• Regularly evaluate the digital skills gap within the organisation and adjust training programmes accordingly.

While technology, including IT systems, tools, and software, and the processes encompassing them are vital components of digital maturity, they should not be perceived as the primary objectives. The broader vision for digital transformation or the intent of any given project should inform technological advancements rather than being led by them. This underscores the importance of tailoring technology to specific needs. The term "state-of-the-art" is contextual, acknowledging that digital services, IT mechanisms, and tools differ in their complexity, resource needs, functionality, and alignment with various organisational goals. Given the rapid evolution of technology, expending resources without a lucid objective can lead to a waste of resources. Thus, a pragmatic approach involving cost-benefit analysis can guide judicious decision making about technological investments. This analysis can consider collaborative investments or leveraging open-source technologies that may offer additional public benefits, such as the promotion of systemic transparency and collective technological development. Moreover, it is critical that considerations about adopting new technologies include assessments of their impacts on society, human rights and privacy, among other issues, to avoid exacerbating risks of discrimination and digital exclusion.

Key practices in this dimension include:

• Ensure any technology adoption aligns with the strategic objectives or specific goals of the organisation.

• Understand current capabilities, identify gaps, and ensure alignment with the organisation's digital maturity and objectives.

• Before investing in any new technology, gauge its potential return on investment and long-term sustainability.

• Start with a minimum viable product or proof-of-concept to test and validate new technologies or digital tools.

• Given the fast-paced nature of technological evolution, adapt and update tools and systems based on changing needs and feedback.

• Regularly research and explore new technological advancements that could replace legacy systems and enhance organisational effectiveness and efficiency.

• When selecting technologies, consider how easily they can be scaled or adapted to changing organisational needs or goals.

• Ensure that technologies are user-friendly, meet the needs of the organisation, and are accessible to all relevant stakeholders.

• Ensure that any new technology or process integrates robust cybersecurity protocols to safeguard organisational data.

• Define roles, responsibilities, and decision-making processes related to technology adoption and usage.

• Facilitate channels for sharing best practices, lessons learned, and feedback regarding technology tools and processes.

• Establish mechanisms to assess the social, human and ethical impact of adopting new technologies and mitigate associated risks, including those concerning data privacy, discrimination and digital exclusion.

National frameworks, ranging from laws to directives, can considerably shape the trajectory of institutional digital transformation. For instance, a country's legal and policy framework can lay the foundation for managing digital governance, data stewardship and the sharing of data. These external parameters can influence the effectiveness of a digital transformation project, either limiting or propelling the adoption of digital technologies. Within an organisation, while robust data governance streamlines the sharing and accessibility of data, the true essence of data sharing transcends just infrastructure or processes. Cultivating collaborative relationships between entities, including industry, academia and civil society organisations, is an indispensable cornerstone for advancing digital maturity and ensuring that necessary safeguards are in place.

Key practices in this dimension include:

• Stay abreast of updates to knowledge of laws, policies, and guidance related to digital governance, data management, and sharing.

• Engage with policymakers to advocate for supportive laws, regulations and policies that bolster the goals of digital initiatives.

• Establish data-sharing protocols that align with both internal goals and external legal requirements, allowing for efficient and timely exchange of information.

• Define institutional roles, responsibilities and expectations for all digital initiatives that involve collaboration with external stakeholders.

• Ensure that partnerships are mutually beneficial, fostering a sense of shared ownership and collective achievement.

• Establish channels to gather feedback from partners, ensuring continuous improvement in collaborative endeavours.

• Encourage an organisational mindset that values partnerships as a key enabler of digital growth.

• Establish relationships with other organisations, both within and outside the government (e.g. industry, academia, civil society), to promote collaborative digital initiatives, share best practices, and ensure ethical use.

The International Organization of Supreme Audit Institutions (INTOSAI) develops and promotes principles, standards and guidance for SAIs. Some of these focus explicitly on technical requirements for SAIs when conducting specific types of audits, highlighting the importance of having subject matter expertise related to technology, data and analytics. For instance, the Compliance Audit Standard (ISSAI 4000) highlights the potential for auditors to use analytics as part of risk analysis or evidence collection. It also highlights the possibility, depending on the type of engagement, for audit teams to have data collection and analysis as critical skills within the team (INTOSAI, 2019[77]).

In the context of public procurement, INTOSAI guidance (GUID 5280) also promotes the use of technology and data as fundamental aspects of auditing this sector. It notes that SAIs can use data, analytics and artificial intelligence (AI) to analyse contract data and assess patterns, trends and risks. The guidance also recognises the challenges SAIs may face in doing this from the perspective of recruitment, training and access to data (INTOSAI, 2022[78]). Other INTOSAI guidance, such as the Guidelines for the Audit of Corruption Prevention (GUID 5270), imply a need for auditors to have a sufficient understanding of technology to effectively audit anti-corruption systems and entities (INTOSAI, 2019[79]). For instance, it emphasises the importance of information and communications technology (ICT) systems and procedures, as well as safeguards to ensure data privacy, as critical areas that auditors may wish to consider during an engagement.

Beyond standards and guidance, the SAI community has long recognised the need to keep pace with technological advancements. One example of this is the 2019 Moscow Declaration (named after the location where the XXIII INTOSAI Congress (INCOSAI) took place that year). According to the Declaration, rapid data accumulation and evolving technology present both opportunities and challenges for SAIs. It calls on SAIs to respond effectively to technological advancements, including promoting the availability and openness of data, source code, and algorithms, as well as making better use of data analytics in audits (INTOSAI, 2019[80]). Annex Box ‎2.B.1 provides a summary of relevant standards and guidance that support technological advancement in SAIs.