As African economies accelerate their digital transformation — from mobile banking and cloud migration to real-time payment rails and open finance — IT audit has become one of the most consequential tools available to boards and audit committees. For organisations in Kenya, East Africa, and across the continent, an IT audit is no longer a compliance formality; it is a strategic instrument for protecting assets, preserving trust, and satisfying increasingly demanding regulators.

What Is an IT Audit?

An IT audit is a systematic, independent examination of an organisation’s information technology infrastructure, policies, operations, and controls. Its purpose is to assess whether IT systems adequately protect assets, maintain data integrity, operate effectively to achieve organisational goals, and comply with applicable laws, regulations, and internal policies.

Unlike a financial audit, which focuses primarily on the accuracy of financial statements, an IT audit examines the reliability and security of the systems that produce, store, and transmit the data underlying those statements. In East Africa, where core banking platforms, mobile money systems, and cloud-based ERP environments now underpin critical operations across both the public and private sectors, the scope and strategic importance of IT audits have expanded dramatically.

The discipline spans several distinct but interrelated domains: IT general controls (ITGCs), application controls, cybersecurity controls, data governance, IT governance and strategy, third-party and vendor risk, business continuity, and regulatory compliance. A mature IT audit function addresses all of these systematically, using evidence-based methodologies and international standards.

  • 67% of African organisations report inadequate IT controls as a key audit finding — ISACA Africa Survey 2025
  • KSh 4.2B: estimated financial losses from IT-related fraud and system failures across Kenyan financial institutions in 2024
  • 72 hours: maximum breach notification window under Kenya’s Data Protection Act 2019 and CBK Cyber Risk Guidance
  • 3x higher likelihood of regulatory sanction for institutions without a structured IT audit programme — CBK supervisory data

IT General Controls Explained

IT General Controls (ITGCs) are the foundational policies, procedures, and technical safeguards that govern the overall IT environment. They are the bedrock upon which application-level and business-process controls rest. External auditors, regulators, and internal audit functions all assess ITGCs because weak general controls undermine the reliability of every system and dataset that depends on them.

For Kenyan and East African organisations operating under the Central Bank of Kenya Prudential Guidelines, the Capital Markets Authority IT Risk Framework, or ISACA’s COBIT 2019 framework, ITGCs typically fall into five core domains:

1. Access Management & Logical Security Controls

Controls governing who can access systems, data, and applications — including user provisioning and de-provisioning, privileged access management (PAM), multi-factor authentication (MFA), and periodic access reviews. Excessive or unreviewed access privileges remain the most common ITGC deficiency identified in East African financial institution audits, particularly in institutions that have grown rapidly through acquisition or digital expansion.

2. Change Management Controls

Processes for requesting, testing, approving, and documenting changes to systems, applications, and infrastructure. Unauthorised or poorly controlled changes are a primary vector for both intentional fraud and inadvertent system failures. The CBK has repeatedly cited change management weaknesses as a contributing factor in core banking system outages affecting Kenyan retail banks.

3. IT Operations & Job Scheduling Controls

Controls ensuring that batch processes, data feeds, and automated jobs execute completely, accurately, and on schedule. Failures in operational controls are a significant source of financial statement errors in organisations relying on automated processing — a near-universal condition in modern banking and insurance.

4. Backup, Recovery & Business Continuity Controls

Verification that data backups are performed, tested, and stored securely; that recovery time objectives (RTOs) and recovery point objectives (RPOs) are defined and achievable; and that business continuity plans are current and exercised. Many East African organisations maintain untested backup regimes that offer the appearance but not the substance of resilience.

5. Programme Development & Acquisition Controls

Oversight of the system development lifecycle (SDLC), including requirements, testing, security review, and deployment governance for new systems and significant enhancements. As Kenyan banks and fintechs accelerate digital product development, SDLC controls have become a critical area of regulatory scrutiny — particularly around data privacy, API security, and third-party component risk.

Regulatory Context — Kenya & East Africa

The Central Bank of Kenya’s Cyber Risk Management Guidance (2023), the Communications Authority’s Cybersecurity Regulations, and the Kenya Data Protection Act 2019 collectively mandate that regulated financial institutions maintain documented IT general controls, conduct periodic IT audits, and demonstrate to supervisors that their control environments are adequate. Institutions that cannot produce evidence of operating ITGCs face escalating supervisory interventions — including enhanced examinations, directive letters, and civil monetary penalties.

IT Audit Checklist for Financial Institutions

Financial institutions in Kenya and across East Africa operate in one of the most IT-intensive and heavily regulated environments in the economy. The following checklist reflects the core areas examined during a comprehensive IT audit of a bank, microfinance institution, SACCO, insurance company, or capital markets intermediary. It is aligned with CBK guidelines, ISACA COBIT 2019, and the international standard ISO/IEC 27001:2022.

| Audit Domain | Key Control Objectives | Priority |
|---|---|---|
| IT Governance & Strategy | IT strategy aligned with business objectives; board-level IT oversight; IT risk appetite defined; IT steering committee operational | High |
| Access & Identity Management | Least-privilege access; MFA on critical systems; quarterly access reviews; privileged account management; joiners/movers/leavers process | High |
| Change & Release Management | Formal change request process; segregation of duties in production; emergency change procedures; change advisory board (CAB) records | High |
| Core Banking & Application Controls | Input, processing, and output controls; interface reconciliation; error handling; application-level audit trails; parameter change controls | High |
| Cybersecurity Controls | Vulnerability management; patch management; network segmentation; endpoint protection; SIEM deployment; penetration testing cadence | High |
| Data Protection & Privacy | KDPA 2019 compliance; data classification; encryption in transit and at rest; retention and disposal policies; DSAR process | High |
| Third-Party & Vendor Risk | IT vendor register; due diligence on critical service providers; contractual security requirements; right-to-audit clauses; offboarding controls | Medium |
| Business Continuity & DR | BCP and DRP documented and tested; RTO/RPO defined and validated; backup integrity testing; incident escalation procedures | Medium |
| IT Asset Management | Comprehensive hardware and software inventory; end-of-life asset management; software licence compliance; cloud asset visibility | Medium |
| Audit Logging & Monitoring | Audit logs enabled on critical systems; log integrity protection; centralised log management; alert thresholds and response procedures | Medium |
| Mobile & Digital Banking | API security controls; mobile application security testing (MAST); transaction monitoring and fraud detection; customer authentication controls | High |
| Cloud & Infrastructure Security | Cloud security posture management (CSPM); shared responsibility model understanding; cloud configuration baselines; data residency compliance | Medium |

Key IT Audit Risks in Digital Banking

The rapid expansion of digital banking across Kenya and East Africa — accelerated by M-Pesa’s dominance, the proliferation of mobile lending apps, and the Central Bank of Kenya’s Digital Credit Provider (DCP) licensing framework — has introduced a new generation of IT audit risks that traditional audit methodologies were not designed to address.

API Security & Open Banking Risk

As financial institutions open their systems to fintechs, payment aggregators, and third-party developers via APIs, inadequate API security controls represent a significant and growing exposure. Weak authentication, missing rate limiting, and verbose error messages have been exploited in several East African digital banking incidents.

Mobile Application Vulnerabilities

Kenyan consumers bank almost exclusively through smartphones. Mobile applications that lack certificate pinning, store sensitive data insecurely, or fail to implement proper session management expose customers and institutions to fraud and reputational damage. The CBK now expects mobile application security testing to be part of every institution’s annual assurance programme.

Third-Party & Fintech Integration Risk

Many Kenyan banks and SACCOs rely on third-party service providers for core functions — including loan origination, KYC platforms, payment switching, and cloud hosting. Inadequate due diligence and contractual oversight of these relationships create concentration risk, data leakage exposure, and regulatory accountability gaps.

Fraud in Real-Time Payment Systems

The immediacy of platforms such as RTGS, PesaLink, and mobile money transfers means that fraudulent transactions may be irrecoverable within seconds of authorisation. IT audit must evaluate the adequacy of transaction monitoring rules, velocity controls, and fraud detection algorithms across all real-time payment channels.

Data Integrity in Core Banking Migrations

Several major East African institutions have undergone or are currently undertaking core banking system migrations. These projects carry significant data integrity risk — including incomplete data mapping, reconciliation failures, and the introduction of new control gaps during transition periods that are frequently exploited by insider fraud.

Cloud Configuration & Residency Risk

The rapid adoption of cloud infrastructure without corresponding governance frameworks has created significant audit exposure. Common issues include misconfigured storage buckets, excessive IAM permissions, and failure to comply with the CBK’s requirements around data localisation and cloud outsourcing notifications.

ISACA East Africa Chapter — 2025 Insight

ISACA’s East Africa Chapter noted in its 2025 State of IT Audit report that fewer than 30% of East African financial institutions conduct formal IT audits aligned to international standards such as COBIT 2019 or ISO 27001. The majority rely on point-in-time assessments that fail to provide the continuous assurance needed in a rapidly evolving digital risk environment. Regulators across the region have signalled that this gap will be a supervisory priority in 2026 and beyond.

IT Audit Best Practices for Organisations

Effective IT audit is not simply a matter of following a checklist. Organisations that derive the most value from their IT audit programmes share a set of characteristics: they treat IT audit as a strategic function rather than a compliance exercise, they invest in auditor competency and tooling, and they ensure that audit findings are connected to meaningful action.

Approaches & Methodologies

Risk-Based Audit Planning

Prioritise audit resources toward the systems and processes that pose the greatest risk to the organisation, rather than rotating through a fixed universe of entities on a cyclical basis. Annual IT risk assessments should drive the audit plan.

COBIT 2019 Governance Framework

Align IT audit scope and objectives to COBIT 2019’s governance and management objectives, enabling a structured, internationally recognised assessment of IT governance maturity across the enterprise.

ITAF Standards Compliance

Apply ISACA’s IT Assurance Framework (ITAF) to ensure professional standards for planning, evidence collection, reporting, and quality assurance are met. ITAF compliance is increasingly expected by regulators and external auditors across East Africa.

Integrated Audit Approach

Coordinate IT audit with financial, operational, and compliance audit streams. IT general control deficiencies directly affect financial audit reliance decisions; integration prevents duplication and improves coverage.

Continuous Control Monitoring

Move beyond annual snapshots by embedding automated control monitoring into key systems. Continuous monitoring of access logs, change records, and transaction patterns provides real-time assurance and enables faster escalation of exceptions.

Agile & Iterative Audit Delivery

In fast-moving digital environments, traditional waterfall audit cycles are too slow to provide relevant assurance. Agile IT audit methodologies — with sprint-based delivery, rolling findings, and iterative stakeholder engagement — are gaining adoption across East African internal audit functions.

Recommended Tools

IT Audit Toolset — Sentinel Assurance Partners Recommended Stack

  • ACL / Galvanize HighBond — data analytics & continuous auditing
  • TeamMate+ — audit management and workflow
  • Nessus / Qualys — vulnerability scanning
  • SolarWinds / Nagios — IT operations monitoring
  • Microsoft Entra ID / CyberArk — identity and access governance
  • ServiceNow GRC — risk and compliance management
  • Splunk / IBM QRadar — SIEM and log analytics
  • Metasploit / Burp Suite — penetration testing
  • AWS Config / Azure Policy — cloud configuration compliance
  • OWASP ZAP — web and API application security testing
  • Power BI / Tableau — audit analytics visualisation
  • ISO 27001 audit management toolkits

How to Prepare for an IT Audit

Preparation is the single most important factor in determining whether an IT audit proceeds efficiently and generates useful findings, or devolves into a time-consuming evidence-collection exercise that frustrates both the audit team and the business. For East African organisations facing regulator-mandated IT audits — whether from the CBK, the Capital Markets Authority, or the Insurance Regulatory Authority — proactive preparation also signals governance maturity to supervisors.

  • Phase 01: Scope Definition & Stakeholder Alignment
    Agree the audit scope, objectives, and methodology with key stakeholders before fieldwork begins. Identify system owners, data custodians, and subject matter experts for each in-scope domain. Clarify regulatory requirements that the audit must address.
  • Phase 02: Documentation Inventory
    Compile and organise current versions of IT policies, standards, procedures, network diagrams, data flow maps, SDLC documentation, vendor contracts, and prior audit reports. Gaps in documentation are themselves an audit finding — identifying them early allows time for remediation.
  • Phase 03: Control Self-Assessment
    Conduct an internal walkthrough of key IT controls before the audit. Many East African organisations find that this pre-audit self-assessment reveals control deficiencies that can be remediated before external scrutiny — significantly improving audit outcomes and regulatory standing.
  • Phase 04: Evidence Preparation
    Pre-populate evidence folders with access review logs, change management records, backup test results, training records, penetration test reports, and patch management evidence. Slow evidence provision during fieldwork is a primary source of audit delays and can create negative impressions with regulators.
  • Phase 05: Team Briefing & Coordination
    Brief IT operations, security, development, and compliance teams on the audit scope, timeline, and their expected contributions. Designate a single point of contact for the audit team to route requests through. Establish a secure document-sharing channel for evidence exchange.
  • Phase 06: Prior Finding Remediation Review
    Review all open findings from previous IT audits, regulatory examinations, and external reviews. Where remediation is complete, prepare closing evidence. Where it is not, prepare an honest status update and revised remediation timeline. Auditors treat unresolved prior findings as a significant risk indicator.

Questions Your Audit Committee Should Be Asking

  1. Does our IT audit plan reflect our current technology risk profile, including cloud, digital banking, and third-party dependencies?
  2. Do our IT auditors hold current professional certifications such as CISA, CRISC, or CISSP, and are they familiar with Kenyan and East African regulatory requirements?
  3. What percentage of prior IT audit findings have been remediated within agreed timelines, and what is the ageing profile of open issues?
  4. Are our IT general controls sufficiently robust for our external auditors to rely upon them in their financial statement audit?
  5. Has management provided the board with a clear view of the organisation’s IT risk exposure in terms we can act on?
  6. Are we conducting IT audits of critical third-party service providers, or accepting their assurance at face value without independent validation?

Continuous Auditing Using Data Analytics

Traditional IT audit operates on a periodic cycle — typically annual — that leaves significant gaps in assurance coverage between engagements. In a digital environment where systems change weekly, transactions flow in real time, and threat actors operate continuously, an annual audit snapshot is no longer sufficient. Continuous auditing represents the evolution of IT audit practice to match the pace and complexity of modern digital operations.

Continuous auditing uses automated data extraction, analytical routines, and exception-based monitoring to provide near-real-time assurance over key IT controls and business processes. Rather than testing a sample of transactions once a year, continuous auditing monitors the entire population of transactions and control-relevant events, flagging anomalies for human review as they occur.

Analytics Approaches in IT Audit

Access Anomaly Detection

Automated analysis of user access logs to identify accounts with unusual activity patterns — logins outside business hours, access from atypical geographic locations, bulk data downloads, or privilege escalations that were not preceded by an approved change request. These analytics are particularly valuable in identifying insider threats at Kenyan financial institutions, where privileged insider fraud is a documented and recurring risk.

Change Management Population Analysis

Continuous extraction and analysis of change records to identify changes deployed to production without an approved change request, changes that bypassed testing environments, or changes authorised by the same individual who implemented them — a segregation-of-duties violation that is difficult to detect with sample-based testing but straightforward to identify through full-population analytics.
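The two full-population tests just described (access anomaly detection and change management population analysis) can be expressed as simple analytic routines. The following is an added example written for this page, not a tool or code from Sentinel Assurance Partners; the record layouts, the 08:00-18:00 business-hours policy, the 24-hour change window, and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Policy assumptions (constructed for this example): business hours are 08:00-18:00,
# and a privilege escalation is "explained" if an approved change names the escalating
# user as implementer and was deployed within 24 hours of the escalation.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
CHANGE_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Change:
    change_id: str
    approver: str          # "" means no approved change request exists
    implementer: str
    tested: bool           # passed through the test environment before production
    deployed_at: datetime


@dataclass(frozen=True)
class AccessEvent:
    user: str
    kind: str              # "login" or "privilege_escalation"
    at: datetime


def change_exceptions(changes):
    """Change population test: every production change is examined, not a sample."""
    findings = []
    for c in changes:
        if not c.approver:
            findings.append((c.change_id, "no approved change request"))
        if not c.tested:
            findings.append((c.change_id, "bypassed test environment"))
        if c.approver and c.approver == c.implementer:
            findings.append((c.change_id, "segregation of duties: approver also implemented the change"))
    return findings


def covered_by_approved_change(event, changes):
    """True if an approved change explains this user's privilege escalation."""
    return any(
        c.approver and c.implementer == event.user
        and abs(c.deployed_at - event.at) <= CHANGE_WINDOW
        for c in changes
    )


def access_exceptions(events, changes):
    """Access anomaly test: after-hours logins and unexplained privilege escalations."""
    findings = []
    for e in events:
        if e.kind == "login" and not (BUSINESS_START <= e.at.time() <= BUSINESS_END):
            findings.append((e.user, "login outside business hours", e.at))
        elif e.kind == "privilege_escalation" and not covered_by_approved_change(e, changes):
            findings.append((e.user, "privilege escalation without approved change request", e.at))
    return findings


# Constructed sample population (not real data).
SAMPLE_CHANGES = [
    Change("CHG-1001", "bob", "carol", True, datetime(2025, 3, 3, 10, 0)),    # clean
    Change("CHG-1002", "", "dave", False, datetime(2025, 3, 4, 2, 15)),       # unapproved and untested
    Change("CHG-1003", "frank", "frank", True, datetime(2025, 3, 5, 14, 0)),  # approver == implementer
]
SAMPLE_EVENTS = [
    AccessEvent("carol", "login", datetime(2025, 3, 3, 9, 30)),
    AccessEvent("carol", "privilege_escalation", datetime(2025, 3, 3, 9, 45)),  # explained by CHG-1001
    AccessEvent("dave", "login", datetime(2025, 3, 4, 2, 10)),
    AccessEvent("dave", "privilege_escalation", datetime(2025, 3, 4, 2, 12)),   # CHG-1002 was never approved
    AccessEvent("grace", "privilege_escalation", datetime(2025, 3, 6, 11, 0)),  # no change at all
]

if __name__ == "__main__":
    for finding in change_exceptions(SAMPLE_CHANGES) + access_exceptions(SAMPLE_EVENTS, SAMPLE_CHANGES):
        print(finding)
```

In practice the same routines would run on scheduled extracts from the change-management and identity systems, with each finding routed to a reviewer rather than printed.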

Transaction Monitoring & Fraud Analytics

Pattern-based monitoring of financial transactions to identify velocity anomalies, round-number testing, dormant account activations, and unusual counterparty relationships. Machine learning models are increasingly deployed to adapt detection rules in real time as fraud patterns evolve — a capability that is being piloted by several East African commercial banks and mobile money operators.

Configuration Compliance Monitoring

Automated comparison of live system configurations against approved baselines to detect configuration drift — a common source of vulnerability and control failure in organisations with complex, multi-cloud environments. Cloud security posture management (CSPM) tools such as AWS Config and Azure Policy enable this capability at cloud scale.

Patch Management Completeness Analysis

Continuous interrogation of patch management systems to identify systems that have not received critical security patches within policy timelines. Given the high proportion of East African organisations running legacy core banking and ERP systems, patch management analytics frequently surface material vulnerabilities that periodic audit would miss.

Challenges in Implementing Continuous Auditing

While the benefits of continuous auditing are compelling, implementation across East African organisations presents real challenges. Data quality and accessibility — particularly in legacy core banking environments — often require significant preparation. IT audit teams need analytical skills that are not always present in traditional audit departments. The investment in tooling, data integration, and staff upskilling can be substantial. Sentinel Assurance Partners recommends a phased approach: begin with two or three high-value use cases where data is accessible and the risk justification is clear, demonstrate value, and build from there rather than attempting a comprehensive programme from day one.

IT Audit as a Strategic Imperative for African Organisations

As Kenya’s financial sector deepens, as East African capital markets mature, and as organisations across the continent accelerate their digital transformation journeys, the quality of IT audit practice will increasingly determine which organisations earn the trust of regulators, investors, and customers — and which do not. An IT audit is not a cost centre or a compliance burden; it is one of the most direct investments an organisation can make in the long-term resilience of its digital operations.

The organisations that will navigate the next decade of digital disruption most successfully are those that treat IT audit not as an annual obligation but as a continuous discipline — embedded in governance, powered by analytics, connected to strategy, and led by professionals who understand both technology and the regulatory landscape of the markets they operate in.

Sentinel Assurance Partners works with financial institutions, corporates, and public sector entities across East Africa to design, execute, and enhance IT audit programmes that meet both international standards and local regulatory expectations. Our team of CISA, CRISC, and CISSP-certified professionals brings deep knowledge of the Kenyan and regional regulatory environment to every engagement.