Making A Difference In The Performance Of SAIs

First group of IS Audit Champions are set to make a significant impact

The AFROSAI-E region is set to scale greater heights in Information Systems (IS) audit following the successful completion of the Information Technology (IT) Audit Champions Programme. The programme equipped participants with knowledge and skills for auditing technical IT areas.

Most auditees within the region have embraced the use of technology in their operations. This means a host of new risks for auditors to consider. IT controls and information systems audit have become critical in ensuring the integrity of information systems and of both financial and non-financial data.

In our 2017-2019 IS audit strategic plan, we identified capacity gaps in the audit of databases, application controls, network and cyber security, operating systems, and information systems acquisition, development and implementation. To address these gaps, we collaborated with SAI Norway and implemented a 4-module Champions Programme:

  • Module 1 – Audit of MSSQL database
  • Module 2 – Audit of Oracle database and application controls
  • Module 3 – Audit of Active Directory and Basic Network Security
  • Module 4 – Audit of Cisco Firewalls and Basic Network Security

The Programme drew SAI participants from 12 countries: Botswana, Ghana, Liberia, Malawi, Namibia, Rwanda, Sudan, Tanzania, Uganda, Zambia, Zimbabwe and Kenya.

The audit of Oracle and MSSQL databases armed participants with skills in database security controls and how to audit them in line with best practices. Databases are repositories for data and information, so a compromise of database security affects data integrity and impacts the opinion given by auditors.

The application controls audit equipped participants with methods for effectively auditing an application system and for understanding the links between IS audit and financial audit.

Active Directory (AD) is meant to compensate for the weaknesses of users of information systems, e.g. by enforcing the use of a strong password. The audit of AD module imparted knowledge and skills on how to secure the AD and audit it. AD is usually a target for hackers because of the valuable information it houses.

The last module was the audit of networks and firewalls. Digital trends like e-Government, virtual education, online services, social media and mobile applications are but a few of the technologies that rely on networks. It is critical for IS auditors to have the skills to audit these complex networks. This module introduced the concept of securing a network, how to identify security vulnerabilities and how to exploit these vulnerabilities in an ethical way.

The use of virtual machines, case studies, presentations and discussions made the sessions practical, mimicking real audit environments. For each of the areas covered, the facilitators also shared best practices on configuration settings, detailed audit programmes, prepared and tested scripts, and virtual machines. In addition, the programme created a forum for IS auditors with different experiences, interests and specialisations to exchange ideas for future audits or similar programmes.

Said one participant: “The road to becoming a Champion in Information Systems audit was not easy considering the many challenges we faced. In the end, the team’s commitment, hard work and perseverance paid off.”

It is not the end but the beginning…

As the first group of champions, participants are encouraged to continuously apply the knowledge learnt and share it among themselves and with colleagues in their respective SAIs. Conducting joint audits is also an excellent way to apply the skills and knowledge. In addition, since the field of IS audit is dynamic, they are encouraged to keep up to date with changes in the profession.

Congratulations to the participants on becoming the pioneer Champions in Information Systems Audit.

A team of Champions celebrate after winning an audit of network competition