Developing IT Audit Champions in the AFROSAI-E region

By Afrosai-e | 20th July 2018

The first IT Audit Champions Programme concluded in July with the 3rd module workshop, held in Kigali, Rwanda.

Governments within the AFROSAI-E region have embraced technology by digitising their existing processes and services. Some have gone the extra mile to use digital technologies to fundamentally re-design and transform their business models. This rapid change and sophistication of technology has however come at a cost. There are many cases of fraud being committed using information technology hence, the need to equip the IT auditors with skills to audit the ever-evolving IT environment.

To address this need, AFROSAI-E developed a three-year (2017-2019) IT Audit Strategic Plan for the region. The strategy grouped SAIs in the region in 3 levels:

  • Level 1 – SAIs that need general basic training in IT Audit
  • Level 2 – SAIs that need advanced training programmes (Champions Programme)
  • Level 3 – SAIs that have established IT Audit capacity and can support others.

The IT Audit Champions Programme was developed to address technical gaps in the following areas:

  • Databases security
  • Applications controls security
  • Network and cyber security
  • Operating Systems
  • Information Systems acquisition, development, and implementation

The Champions Programme was designed to be delivered in three modules, aimed at training regional auditors to be experts in specific IT technical areas. This Programme and the IT Audit Strategic Plan in general is being implemented with the support of experts from the Auditor General of Norway (OAGN).

IT Auditors from the SAIs of Botswana, Ghana, Liberia, Malawi, Namibia, Rwanda, Sudan, Tanzania, Uganda, Zambia and Zimbabwe took part in the first Champions Programme. The SAI of Kenya contributed to the facilitation team. We now expect that these Champions will in turn train other auditors in the region.

The focus of the three modules were on:

  • Database audits: This involves assessing the safeguards put in place to protect the database by ensuring that adequate safeguards for its access, version and patches, services, password policy, audit and logging and other security parameters, have been correctly configured and do not compromise the confidentiality, integrity and availability of data.
  • Audit of application controls: This entailed equipping the participants with audit methodology that can be used to give assurance on the completeness and accuracy of the records and the validity of the entries made using an application system.
  • Audit of Active Directory (AD) and Network security: Active directory is used to facilitate working with interconnected, complex and different network resources in a unified manner. This however exposes the organization to more security issues. Participants were given the tools and techniques to effectively conduct an Active Directory and Windows audit. The training focused on active directory/network access control and who has access to manage and control access to network resources in a windows environment, password settings and other security settings regarding AD and Domain Controller (DC). The audit of network security training focused on discovering network vulnerabilities, how hackers can discover network vulnerabilities and how to do penetration testing.

The workshops were very practical and provided participants with tools and techniques to effectively conduct IT audits based on security good practices. In addition, participants needed to perform at least two pilot audits per module. The results of the pilot audits were reviewed by peers and the facilitators to support the teams with any challenges they experienced.

It is expected that this Champions Programme will develop experts in these key technical areas of IT audit, thereby building the capacity of the IT audit professions in the AFROSAI-E region. We expect that the next IT Audit Champions programme will start in 2019 and that Champions from the first roll-out will play a key role in mentoring and supporting the new participants.

We are grateful to the OAGN, SAI Kenya, SAI Rwanda and the participating SAIs for making the Champions Programme the success it was.

John King'ara

Article by John King’ara, SAI Kenya

“We appreciate AFROSAI-E and the facilitators for providing such an intensive training. As a result, SAI Liberia is now prepared to do an audit of 

database, active directory and network – Yamah L. Bowah, SAI- Liberia

 

 

With the IT Audit Champions Programme I have been able to create a web of networks to share inter-country experiences and lessons learnt in as far as IT audit is concerned. My thanks to AFROSAI-E.- Chikondi, SAI-Malawi

 

It has been a transformative experience for me to be part of the IT Audit Champions Programme and the most exciting learning experience of my life. The Programme included modules that are useful and have enhanced my IT auditing skills and gave more scope on IT audits which we did not consider before. – Mercy Esau, SAI Malawi

Posted in News