Financial Gazette (Harare)

Zimbabwe: The Changing Face of Auditing

Rosemary Chamunorwa

9 August 2007


Harare — TODAY in most large and medium-sized organisations there are few business processes that are not driven by information technology (IT).

IT is especially common in financial institutions, and a number of historical events in this industry still serve to remind us how much of an impact IT has on daily business.

The IT auditing world has progressively become more exciting in the recent past as a result of the scandals in the financial services industry and the increased regulation thereof. Of note is the requirement by the central bank for all banks to get an annual certification on the soundness of their IT risk management practices.

The financial services sector, through the efforts of the Reserve Bank of Zimbabwe, has taken the lead in terms of structuring IT audits and IT certifications. In assessing a financial institution on the soundness of risk management processes, there are areas that have been found to be critical in terms of effectiveness. The central bank requirements for banking institutions are focused on seven broad areas.

These seven areas (shown in bold below) all assist in ensuring that information retains its integrity, is kept confidential and IT systems are always available to ensure continuity of processing for the banking public and other stakeholders. Adequate Board and Management Oversight must be demonstrated through the review of strategic plans, policies and procedures.

The Board should also take responsibility for ultimate approval of IT budgets, as the presence or absence of finances directly affects the quality of an IT environment. Change management is another area that, if uncontrolled, can lead to serious risk, for example, where a new system is being implemented. Discussions on such major issues should be held at board level, as evidenced by minutes, to show how seriously IT is taken within the structure of the organisation. Gone are the days when 'techies' just do their own thing without a strategic focus.

IT Hardware and Software of financial institutions must be very stable and reliable. This includes computer hardware and networks, software and applications that support financial information processing. The Computer Operations review shows what controls are in place to safeguard changes to important master file customer information like addresses, due dates of loans and interest rates. In addition, computer operations should ensure that the accuracy of processing during input and output of data is preserved at all times to ensure data integrity. Given that all data revolves around the database, the Database Management Systems Review should ensure data independence and security, transaction processing efficiency, data consistency, accuracy and completeness.

Information Security Management means information security controls are designed to maintain confidentiality, restrict physical access and provide environmental protection against damage or destruction of information, among other objectives. Network Infrastructure Security looks at the control and security of transmitted data and controls to reduce malicious attacks. The quality of Business Continuity arrangements is very critical in terms of ensuring that a bank continues as a going concern, given that technology is the lifeblood of such organisations. Having assessed all these areas, a rating is used to peg the soundness of an organisation's IT systems on a scale of 1 to 5; 5 being a critical stage of clear and present danger (to the bank and its depositors) and 1 evidencing a strong IT system. Where IT systems break down in a financial institution, it may as well be closed, as the risk of loss to customers increases phenomenally in terms of services such as ATMs/RTGS transfers being unavailable or being prone to material errors and fraud.

Traditionally, the audit profession has audited around the computer but events have not only heightened the need for more reliable, accurate and secure systems but have brought on much needed focus to the importance of IT auditing. The strategic focus on IT has meant a change or revision in the audit methodologies of the prominent accounting firms. Performing an audit without using IT is hardly an option now. When all or most of the information needed for doing this is on computer systems, how can one carry out the audit without assessing the information technology?

When cases of fraud come to light, the work of the auditor comes under the spotlight in search of why indications of such an occurrence were not picked up. During an audit, the IT auditor's role is not just to cause alarm but also to recommend corrective action, provide concrete assurances and proof of errors where possible. The general initial approach is to first conduct an analysis of "What could go wrong?", and then to evaluate controls associated with the situation to mitigate risks, i.e., "What could prevent it from going wrong?" Evaluation of controls is necessary to determine whether they exist other than on pieces of paper, whether they are designed well and understood, and whether they operate effectively and are being complied with by operators. This sets a foundation for any further tests on specific risks.

The advances in technology have continuously changed the way information is stored, retrieved and controlled, leading to a rise in using audit analysis software, tools and techniques to perform analytical tests that include verifying account balances, determining trends and querying data for customised results. Another emerging trend is continuous monitoring/auditing, which is an ongoing and online process of acquiring, analysing and reporting on business data to identify and respond to operational business risk. The main driver for this approach in some financial organisations is the increasing volumes of transactions in systems and the related challenges of retrieving data for audit purposes.

With the increase in our reliance on information technology comes the need for expertise in carrying out the IT audit of the business systems. Audit software has been developed over the years to allow auditors to do the analysis themselves. Many such packages can carry out audit-specific routines such as stratification and grouping, are independent of the systems being audited and provide documentation of tests performed which can be used as working papers. Auditors now realise the need to have IT specialists examine the systems being audited in their methodology, and fully fledged IT audit departments are being set up, a major shift from the traditional way of grooming auditors who have an interest in IT. There is no silver bullet in the development of such expertise for audit staff, leading some firms to mix auditors and IT specialists to reduce the learning curve needed for full development of these essential skills.

Assurance on IT systems is being sought by progressive management teams and boards that are IT savvy. Auditing around the computer, as opposed to within the computer, is progressively becoming a luxury and in some instances is neither affordable nor feasible. Auditors need to provide total assurance and clearly point out errors, greatly increasing the credibility and value of the audit function. Although this trend continues to suffer from environmental challenges in the economy, IT auditing will continue to grow with a great force and those who adopt it now will be spared from the pressures of being forced to catch on later and the embarrassment of missing critical financial information.

Disclaimer: This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgement. Neither Ernst & Young Zimbabwe nor any other member of the global Ernst & Young organisation can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication.


Copyright © 2007 Financial Gazette. All rights reserved. Distributed by AllAfrica Global Media (allAfrica.com).
