A survey of ICT audit in commercial banks in Kenya
Nzuki, Charles K
Given the increasing reliance on Information Communication Technology (ICT) systems for managing business processes, as well as driving business strategy, ICT auditing has become a requirement of international standards on auditing. In Kenya, the Central Bank stipulates that commercial banks undertake ICT audits as a measure of disaster recovery and business continuity plans, among other key ICT controls. With increased use of computer-based information systems, commercial banks have become more exposed to risks that could result in gross financial losses. This has resulted in increased demand for assurance to management and other stakeholders that the business's ICT systems are operating as intended. In Kenya, commercial banks have implemented different levels of ICT auditing. The extent of ICT auditing on specific aspects, and the challenges faced in ICT auditing, were a major concern and needed to be known. It was in view of this that this study was conducted with the following objectives: to determine the extent of ICT auditing in banks in Kenya and to establish the challenges faced in the effort to achieve successful ICT auditing in banks in Kenya. The study was an exploratory survey targeting all commercial banks with operations in Nairobi. The design was appropriate because too little was known about the topic to support more advanced research. Data collection was done through a questionnaire. Of the 46 commercial banks targeted for the study, 38 returned fully completed questionnaires, which represented an 82.6% response. Data collected from the respondents was analyzed using various statistical tools, and the findings were found adequate to make inferences and generalizations about the state of ICT auditing in commercial banks in Kenya. Findings of the study indicated that most of the commercial banks in Kenya were aware of ICT audits and conducted them regularly. ICT auditing was being undertaken either by the internal audit departments or by external auditors.
Most international and foreign-owned banks exhibited thorough and in-depth ICT audit practices, mainly carried out by their company group audit teams with a high level of specialization and sophistication compared to the locally owned and the privately owned banks. All banks interviewed showed evidence of ICT auditing processes that focused on the confidentiality, integrity and availability aspects of their ICT-based systems. There was consensus among the respondents on the frequency of ICT audits and on ICT audits around aspects relating to overall business continuity planning. The study found that ICT auditing among Kenya's commercial banks faced numerous challenges. Poor assessment of threats and vulnerabilities was found to be the most challenging factor, as well as the lack of awareness about ICT auditing among senior managers. Other major challenges were related to the complexity of ICT infrastructure and a poorly defined compliance framework for Kenya. ICT auditing was therefore found to be a newly emerging phenomenon, and the existing gaps and the lack of a standard ICT audit framework or guidelines were found to be a challenge, especially among the smaller banks. In addition, given the complexity of the ICT auditing exercise and the highly technical nature of ICT, ICT auditors required specialized skills that in most cases were not readily available among conventional audit teams. In view of the above and in summary, this study gave a general view of the state of ICT auditing in commercial banks in Kenya and outlined the extent of ICT auditing as well as the major challenges that banks face in their effort to achieve successful ICT auditing. The greatest beneficiary of this study was society, which would enjoy greater confidence in information systems if commercial banks undertook successful ICT audits. There were a few limitations encountered while undertaking this study.
Firstly, some respondents, mainly from the privately owned banks, were reluctant to disclose information relating to the topic, and as a result the number of completed questionnaires was reduced. Secondly, the target respondents were IT managers, and some could not provide information on staffing and number of accounts, which was necessary to determine the size of the bank. Further research should be undertaken on the topic through a case study on ICT auditing specific to any of the main commercial banks (Standard Chartered, Barclays Bank or Kenya Commercial Bank) in order to get an in-depth understanding of the topic.
Sponsorship: University of Nairobi
University of Nairobi, School of Business, College of Humanities and Social Sciences