We need to audit our IT systems

Rwanda has made a name for itself as a regional rising star in Information Technology. Across business and government, IT is changing operations: revolutionising banking and financial services to suit mobile and internet demand; e-Government services to citizens and businesses; and redefining instruction and learningthrough e-Learning.However exciting our rapid pace of adoption of IT solutions, one cannot help but note the gaps that continue to dent this adoption.In our budding information society it is imperative that as much as we recognise that IT is, and will be, responsible for the design, implementation and maintenance of various operations within various organisations, we must couple this adoption with appropriate IT auditing mechanisms. IT auditing is an IT governance tool that puts in place controls, facilitates resource management, enables performance evaluation of IT systems, and evaluates the capacity of organisations to define what and how to successfully integrate IT into their structure; auditing ensures that users maximize efficiency and profitability from their IT investments, and spot opportunities for newer solutions.Audits can range from technical standardised IT audits to self-evaluations (that may lead to the decision to carry out an actual audit); strategic planning and innovation management audits that provide frameworks for action plans such as staff training; or benchmarking and analysis based on industry leaders (I am doubtful of substantial data being readily available in Rwanda).The recent (2012) case of fraud at an incumbent telecom provider in Uganda demonstrates the vital role of putting in place audit systems: staff at this Mobile operator managed to manipulate a Mobile money account and siphon funds for personal use for over a year before it was finally uncovered. Naturally this case brings to light gaps in regulation, but also highlights the importance of regular auditing mechanisms. In Rwanda banks, insurance companies and telecom operators probably undertake this activity regularly. To increase adoption of IT auditing, the private sector and auditing professional bodies have a pivotal role to play by educating employees and aggressively adopting auditing mechanisms; the government should also put in place laws and policies that require and advocate for IT audits (in line with various directives under review to safeguard against proliferation of cybercrime). No one is under the illusion that it will be a bed of roses. The lack of trained human capital, the absence of IT audit tracks in education (and R&D) institutions, and more importantly, lack of awareness of the importance of putting in place IT audits stick out like sore thumbs. Also, like all IT trends, the tools for IT auditing are constantly changing – the cost of keeping up with updated tools and systems may pose a challenge. To conclude: much as IT streamlines a number of workflows and working processes, in certain instances it makes it more difficult for staff to keep track of resources thus introducing loopholes for fraud. As Rwandan organisations invest heavily in IT, we should consider putting in place mechanisms for IT audits in order to be better placed to carry out business with less risk. When executed according to global best practices IT audits cover risks associated with integrity and confidentiality of information, as well the efficiency and reliability of IT infrastructure.

Opinions

We need to audit our IT systems