dc.description.abstract | Given the increasing reliance on Information Communication Technology (ICT) systems for
managing business processes, as well as driving business strategy, ICT auditing has become a
requirement of international standards on auditing. In Kenya, the Central Bank stipulates that
commercial banks undertake ICT audits as a measure of disaster recovery and business
continuity plans, among other key ICT controls. With increased use of computer-based information
systems, commercial banks have become more exposed to risks that could result
in gross financial losses. This has resulted in increased demand for assurance to the
management and other stakeholders that the business's ICT systems are operating as
intended.
In Kenya, commercial banks have implemented different levels of ICT auditing. The extent
of ICT auditing on the specific aspects and challenges faced in ICT auditing was a major
concern and needed to be known. It was in view of this that this study was conducted with the
following objectives: to determine the extent of ICT auditing in banks in Kenya and to
establish the challenges faced in the effort to achieve successful ICT auditing in banks in Kenya. The
study was an exploratory survey targeting all commercial banks with operations in Nairobi.
The design was appropriate considering that not much was known to make it possible to do a
more advanced research. Data collection was done through a questionnaire. Of the 46
commercial banks targeted for the study, there were 38 fully completed questionnaires which
represented an 82.6% response. Data collected from the respondents was analyzed using
various statistical tools and findings were found adequate to make inferences and
generalization of the state of ICT auditing in commercial banks in Kenya.
Findings of the study indicated that most of the commercial banks in Kenya had awareness
about and conducted ICT audits regularly. ICT auditing was being undertaken by either the
internal audit departments or by external auditors. Most international and foreign owned
banks exhibited thorough and in-depth ICT audit practices mainly being done by their
company group audit teams with high level of specialization and sophistication as compared
to the locally owned and the privately owned banks. All banks interviewed showed evidence
of ICT auditing processes that focused on confidentiality, integrity and availability aspects of
their ICT-based systems. There was consensus among the respondents on frequency of ICT
audits and on ICT audits around aspects relating to the overall business continuity planning.
The study found that ICT auditing among Kenya's commercial banks faced numerous
challenges. Poor assessment of threats and vulnerabilities was found to be the most
challenging factor as well as the lack of awareness about ICT auditing by senior managers.
Other major challenges were related to the complexity of ICT infrastructure and poorly
defined compliance framework for Kenya. The concept of ICT auditing was hence found to
be a newly emerging phenomenon, and the existing gaps and lack of a standard ICT audit
framework/guidelines were found to be a challenge, especially among the smaller banks. In
addition, given the complexity of the ICT auditing exercise, coupled with ICT being a highly technical
field, ICT auditors required specialized skills which in most cases were not readily available
among the conventional audit teams.
In view of the above and in summary, this study gave a general view of the state of ICT
auditing in commercial banks in Kenya and outlined the extent of ICT auditing as well as the
major challenges that banks face in their effort to achieve successful ICT auditing. The greatest
beneficiary of this study was the society which would enjoy greater confidence in
information systems if commercial banks undertook successful ICT audits. There were a few
limitations encountered while undertaking this study. Firstly, some respondents, mainly
from the privately owned banks, were reluctant to disclose information relating to the topic
and as a result the number of completed questionnaires was reduced. Secondly, the target
respondents were IT managers and some could not provide information regarding the size
in terms of staffing and number of accounts which were necessary to determine the size of the
bank. Further research should be undertaken on the topic through a case study on ICT
auditing specific to any of the main commercial banks: Standard Chartered, Barclays Bank or
Kenya Commercial Bank in order to get an in-depth understanding of the topic. | en |