OpenGov sat down with Gary Pettigrove, Chief Information Officer (CIO) at the Australian National Audit Office (ANAO). Mr. Pettigrove has been in the role for over 11 years, guiding the organisation through its digital transformation and anticipating and meeting business requirements. He talks about the current focus on cloud-based collaboration, enterprise, business apps, mobility and security.
The ANAO provides the Parliament with an independent assessment of selected areas of public administration, and assurance about public sector financial reporting, administration, and accountability. The agency conducts performance audits, financial statement audits, and assurance reviews.
What is the role being played by ICT in achieving the broader business objectives of ANAO?
We are enabling the business. The business is looking for improvements in productivity and efficiency, to do more with less. We are providing them with a playground, where they can do proof-of-concept and test new technology for the same.
It is not about big bang approaches. It’s about working hard and staying a step ahead of business. We work with the business analysts to try and understand where the business wants to go over the next 12 months and try to prepare for it.
What are the areas of focus right now?
The primary areas of focus currently are cloud-based collaboration, enterprise, business apps, mobility and security.
We have a cloud policy, aligned with the whole-of-government cloud policy. Out of our six main applications, we have already moved three applications to the cloud. We are moving our fourth application, the finance system, to the cloud next March. The first one was moved in 2010. Every two years we have moved one of them to the cloud.
The remaining two applications hold protected data. We can’t move them into the cloud, until we can find a protected data centre, certified by the Australian Signals Directorate (ASD).
By June 2018, we plan to move to infrastructure-as-a-service. Everything will be offsite and we won’t need to own any more backend equipment.
We have long term plans to move everything into the cloud. I also have a data centre in the cloud as a service. I use Canberra Data Centres (CDC) as my secondary data centre.
Can you tell us about other ICT-related projects you are working on?
We are upgrading to Exchange 2013. We are rolling out Skype for Business. We are looking at video conferencing on the cloud through Lifesize. The pilot will start in the next two weeks.
We have virtualised our remaining servers. So, we are now running 100 server instances on two physical applications servers. We used to have 40 physical servers. Now we are down to two.
We are also looking at data back-up to the cloud and remove the tapes. Again, we need secure encrypted cloud service to do that.
The other priority is mobility. Mobility is one of our biggest business drivers. Our objective with respect to mobility, is to create a protected environment, which is secure, efficient and easy to use.
Do you permit BYOD (Bring your own device) in the agency?
Every one of our 350 audit staff gets a laptop. We put a classified and guest Wi-Fi through the place this year. We use Citrix for BYOD. If you want to carry documents on your encrypted laptop you can. You can use VPN to connect securely and conduct business anywhere and anytime
Using the Citrix solution is like working behind the glass. You cannot move any documents backwards or forwards. But you can work. So, if you are in a hotel business lounge or you are a contractor, you can bring in your own computer and use Citrix to connect in and securely conduct ANAO business.
We have a Mobile Device Management policy. We are currently using Blackberry MDM and Good Technology. People can bring their own phones and we put the Blackberry MDM and Good services on it.
We always had VPN because we need to go into a range of secure locations, where you can’t have Wi-Fi or 4G connections. You download the data you need to your laptop through the VPN and our applications enable you to work offline. And when you get out of the secure location, you synchronise it back in again. Our Audit applications use a sync model. Citrix is a good alternative if you can be online.
Do you still have old data on tapes?
We have an archive requirement to keep data back-ups for ten years. I have tapes going back to 2006. I plan to let that just deteriorate over time. So, each year we destroy more old tapes and don’t create any new ones. We plan to back up the new data to the cloud.
You need to exchange large amounts of data because your staff is out in the field travelling most of the time. What channels do you use for transferring the data securely?
We audit 250 commonwealth government agencies. We bring all that audit evidence data back here and keep it as a record for 10 years.
There are several ways to get the data back. In the field, you can download it to your encrypted laptop. You can download it to your laptop in the offline storage applications and then automatically replicate it back over the secure VPN back into the application.
For large data sets we have external encrypted hard drives. We can use them to securely get the data back into the office.
For small files, up to 20 megabytes, people can just email it in over Fedlink. Fedlink is the government’s secure, protected email system.
In addition, we use a product called Sigbox, a secure file transfer protocol. You can upload up to 100 gigabytes of data securely. Then we can port it back into our systems.
Are there any plans for a system where you can transfer data directly from an agency to some centralised kind of the storage where the ANAO can access it?
Yes. We are working to identify whether we can have a direct access or direct connect solution to enable agency interoperability. We have been working with the Australian Taxation Office (ATO) to set up a secure link, so that we can get data directly from them.
Interoperability is a big issue for auditors. They have field work where they get and bring data back. They would like to be able to have interoperability and access the systems and remotely download information securely.
We have interoperability with Department of Defence now. Using their Dreams (Defence Remote Electronic Access and Mobility Services), we can get the information directly from defence network.
Eventually we can see that we will be doing it more. The national shared services model used to be a part of education and employment. Department of Finance have just taken it over in September. If IT shared services becomes operational with a bigger platform and a bigger cohort, we will be able to link into that.
What are you doing to improve the outward facing services you offer?
The only outward facing service we offer is our ANAO audit reports on the website. Our website has recently moved to the whole-of-government service (GovCMS). It is currently located at https://www.anao.gov.au/. We have revamped the whole website.
Citizens and public servants have the ability to contribute evidence to the audits. You can search through published reports by agency, date or themes including agriculture, border, social services and tax. You can also track the status of in-progress reports and subscribe for updates.
We were the eighth agency to move to Gov CMS (Content Management System). It’s a clean, easy to navigate website. We don’t have to manage it anymore. We just manage the content.
Collaboration on documents and social media is the other big area we are innovating in. Some people might be ahead of us because their security requirements are not as stringent. But we are working towards it.
Also, at the moment each audit group has different systems. We are integrating them. We are doing a lot of work to ensure that we can have an enterprise view of assurance audit, which is the financial statement one and the performance audit. We are doing a pilot performance audit to make sure. The pilot goes on till next June and then we will release it.
How are you dealing with data storage? Are you using any big data analytics tools?
Big data is our next big issue. How do we get data from other agencies, store and analyse it. And then remove the data at the end of the audit, so that we can release that storage and not pay anymore. Currently I have 100 terabytes of big data storage in 20 terabytes NAS (Network Area Storage) systems all over the place. I am trying to shift it all to the cloud.
We are doing a lot of big data analysis. We are setting up a proof-of-concept to put big data on the cloud in a secure environment. We can upload terabytes of data and then analyse it using virtual resources, rather than buying new services and storage. We did a test on that recently.
Big data has changed the way audits are done. In the past we used sampling. For example, to check for duplicate Medicare keys 7 or 8 years ago, we would use a sample and then extrapolate. The confidence level might have been 20 or 30%. Now we can take the whole population. With big data analytics we can analyse the entire data set and have 100% confidence level.
Could you share your experience with legacy architecture?
When I first got here we had legacy architecture. We had Lotus notes and 2500 lotus database. I don’t have any legacy applications now. Occasionally I have to go back to the old Lotus Notes database. I keep one laptop just for that. But other than that, I have migrated everything to Sharepoint and keep my (COTS) applications current.
We spent several million dollars every year to upgrade the HR system earlier. So, we moved to a cloud based system. The vendor upgrades it on a monthly basis and keeps it patched. We just use it. We don’t need separate database administration, application servers, licenses or the costly annual upgrades.
We plan to significantly reduce our capital expenditure. in 2019 capital budgets will be nearly zero. The shift to operating expenditure has delivered around 20% cost savings to the business.
Have you faced cultural resistance in the process of digital transformation?
Culture is the biggest issue everywhere. To support the changes we are making, we have implemented the Future Ready Change Program. The Program supported through the Corporate Plan, outlines the strategic shifts we will make in coming years to sustainably deliver value-adding audit services into the future. A key priority on the Future Ready Program is ICT strategies and systems that will support this environment and way of working.
Our view here is that we entice the business units to move something new, we entice people to use it. We don’t force them off the previous way of working. We encourage them and put champions in place to facilitate change. We work closely with the business and assess their needs and we do proof of concepts and trails to enable them to move when they are ready. When they get there, they have the requisite tools and functionality.
The audit office has a steady staff turnover. We do have people who have been here for 30-40 years but most of our employees are young and technology savvy We have 30 graduates coming in every year. They are looking for new tools, social media, and collaboration. We offer tools, mobility and applications to maximise their productivity.
Our audit office has an extensive personal development training program. Every auditor is required to undertake 60 hours of official personal and technical development a year to keep their CA or CPA. The audit office has this whole training program to assist them keep them up to date.
So, culture is addressed on a regular basis. We do a lot of cultural support to get people over the change hurdles. Do we still have problems? Yes. Do we still have people who don’t want to move? Yes. They might love the old systems. Or they might be too busy with their auditing to fit in change.
But with a supportive executive above them, saying this is part of your work and performance evaluation, the need to reduce the audit duration and improve the impact. Pressure is applied from both sides, from IT and from business. And the people realise the business benefits and efficiencies.
I have a sign here up on the wall that says, “If you want success, figure out the price and then pay it.” If success means changing the culture, then you work out what the cost and effort of that culture change is and then pay it. I live by that motto.
