SASRA IT Compliance Bundle for SACCOs 2026 | Sentinel Assurance Partners Ltd
SASRA Compliance Bundle — Risk Register · Audit Program · Reports · Dashboards

SASRA IT Compliance Bundle for SACCOs

The complete SASRA IT compliance toolkit purpose-built for Kenya’s DT-SACCOs — Risk Register with 190 Controls, 190+ Audit Procedures, 6 Management Dashboards, IT Audit findings log, Evidence request log, and Board-ready Report templates. Walk into your SASRA examination with every document ready.

190 Controls in Register
190+ Audit procedures
6 Built-in dashboards
SASRA IT examinations are active and SACCOs without documented IT controls risk qualification findings.
SASRA MIS Regulations
ODPC Data Protection Act 2019
CBK BCBS and BS-SOC Guidelines
NIST CSF Aligned Standards
ISO 27001:2022 Aligned

New SASRA and CBK regulations have raised the bar — is your SACCO examination-ready?

The SASRA and CBK regulations state the mandatory requirements for all regulated SACCOs, including those offering digital financial services. Non-compliance is no longer a management letter observation — it is an examination finding that attracts directed remediation, financial penalties, and in serious cases, licence conditions.

Digital channel scrutiny is at an all-time high

SASRA examiners are specifically testing ATM, mobile money, and internet banking controls. SACCOs without documented, tested procedures are failing examinations they were passing 12 months ago.

Third-party risk is now a primary examination focus

The directive explicitly requires documented oversight of technology vendors and system integrators. Undocumented vendor relationships and missing contractual controls are the most common new findings.

Generic audit templates are not enough

Generic IT audit programs do not reference SASRA’s specific regulatory instruments, do not cover SACCO-specific digital channels, and do not align to the requirements. Examiners notice.

Time pressure is real

Building a SASRA-aligned audit program from scratch takes experienced IT auditors weeks of research and drafting time. The examination cycle does not wait for internal capacity to catch up.


190 audit controls across 14 domains — including a full Risk Register and Overall Audit Program

A complete SASRA compliance bundle — Risk Register (190 controls), Overall Audit Program (190+ audit procedures), 6 Dashboards, IT Audit findings log, Evidence request log, and 5 Board-ready report templates. Every document a DT-SACCO needs for SASRA examination readiness. Ready to deploy.

MG / Domain 01
Governance & Policy Framework
5 audit procedures
  • Board-approved IT and cybersecurity policy review
  • IT governance function and CISO accountability
  • Digital channel risk assessment (within 12 months)
  • IT strategy alignment to business plan
  • Policy coverage of digital channel security obligations
🏹
AO / Domain 02
ATM Operations & Security
7 audit procedures
  • ATM asset inventory and network connectivity
  • Logical access and MFA for ATM management systems
  • Physical security, CCTV, and anti-skimming controls
  • Firmware patch management and version currency
  • Real-time transaction monitoring and alert thresholds
  • Network encryption and certificate management
📱
MM / Domain 03
Mobile Money Platform Controls
7 audit procedures
  • Mobile money integration inventory and contracts
  • API security — authentication, rate limiting, input validation
  • Transaction limits, velocity controls, and risk appetite alignment
  • Mobile money reconciliation frequency and exception handling
  • Member authentication and step-up for high-value transactions
  • Encryption in transit and at rest (TLS 1.2+ minimum)
  • SIM-swap detection and fraud prevention procedures
💻
IB / Domain 04
Internet Banking Controls
8 audit procedures
  • Platform architecture and hosting arrangement review
  • Multi-factor authentication — members and administrators
  • Session management, timeout, and re-authentication
  • Web application penetration test and OWASP Top 10
  • Maker/checker workflows and transaction signing
  • Audit logging — tamper-resistance and retention
  • Web Application Firewall (WAF) implementation
  • DDoS mitigation capabilities
👥
VM / Domain 05
Third-Party Vendor Risk
8 audit procedures
  • Complete vendor inventory with criticality classification
  • Pre-engagement security due diligence procedures
  • Contract review — DPA, right-to-audit, SLA, exit clauses
  • Vendor access management — time-bounded and logged
  • Ongoing monitoring — SOC 2, ISO 27001, annual reviews
  • Vendor incident escalation and notification timelines
  • Concentration risk analysis and contingency planning
  • System integrator change control and security testing
🔒
DP / Domain 06
Data Protection & Privacy
5 audit procedures
  • ODPC registration and DPO appointment verification
  • Data classification and handling for member data
  • Privacy notices and consent mechanisms
  • Data retention schedules and deletion evidence
  • Data subject request handling procedures
🚨
IR / Domain 07
Incident Response & BCP
6 audit procedures
  • Incident Response Plan covering all digital channel scenarios
  • SIEM and alert detection capability assessment
  • SASRA 24-hour and ODPC 72-hour reporting procedures
  • Documented and Tested BCP/DRP with defined RTOs and RPOs
  • Cybersecurity awareness training, coverage and completion
  • Tabletop exercise results and action item tracking
📊
MG & MA / Domains 08–09
MIS Governance & MIS Adequacy
13 audit controls
  • Board IT strategy, steering committee oversight
  • IT policies, standards and procedures — all key domains
  • Independent IT assurance and audit committee
  • IT risk register, risk appetite and KRI metrics
  • SASRA statutory return generation (Forms 1A–4B)
  • GL-to-MIS reconciliation, maker-checker SoD
🖥
IA / IT Infrastructure
IT Infrastructure & Network Security
15 audit controls
  • IT asset inventory and lifecycle management
  • Server build standards, hardening and patch currency
  • Database security, access control and activity monitoring
  • Network perimeter — firewall rule-base, segmentation and IDS/IPS
  • Network device hardening and configuration baselines
  • Remote access & VPN — MFA, split-tunnel policy and session logging
  • Capacity planning, performance monitoring and data-centre physical access
🔐
AM / Domain 10
Access Management
11 audit controls
  • Dual-authorised user provisioning and RBAC
  • SoD conflict checking before access grant
  • Privileged Access Management (PAM) — logging and quarterly review
  • Access termination within 1 business day — automated workflow
  • Monthly IT-vs-HR active user reconciliation
  • Semi-annual User Access Review (UAR) with sign-off
  • MFA and password policy enforcement
🔄
CM / Domain 11
Change Management
11 audit controls
  • Formal RFC process — documented, risk-assessed, authorised
  • Non-production testing, UAT sign-off, masked test data
  • Emergency change controls with retroactive approval
  • Change Advisory Board (CAB) for significant changes
  • Rollback plan — documented and validated during testing
  • Separation of development and production environments
  • Source code repository access control and version management
💾
BB / BC / DR / Domain 12
Backup, BCP & Disaster Recovery
12 audit controls
  • RPO/RTO-aligned backup schedules — full, incremental, differential
  • Offsite and encrypted backup storage
  • Backup restoration testing — minimum annually
  • Documented BCP covering critical processes and roles
  • Documented DRP with defined RTO/RPO for critical IT systems
  • Annual BCP/DRP testing — tabletop or full failover
🛡
VP & IP / Domain 13
Vulnerability, Patch & Incident Management
11 audit controls
  • CVSS-prioritised vulnerability scanning — minimum monthly
  • Threat intelligence feeds and CVE monitoring
  • Patch testing, deployment SLAs, and monthly KPI compliance
  • Unpatchable asset exception with CISO approval
  • Documented SIRP — tested annually
  • SASRA 24-hour and ODPC 72-hour incident notification
  • Root cause analysis and post-incident review within 5 days
🏢
VM & SD / Domain 14
Vendor Management & System Development
15 audit controls
  • Risk-based vendor due diligence before onboarding
  • ODPC-compliant Data Processing Agreements (DPAs)
  • Annual vendor performance review — SOC 2, ISO 27001
  • Project charter, steering committee, and scope change control
  • SAST/DAST, SCA, and penetration testing before go-live
  • Data masking for test environments
  • Post-implementation review and lessons learned

6 Board-ready dashboards

Most audit programs give you a spreadsheet. The SASRA IT Compliance Bundle gives you a complete management intelligence system. The Risk Register workbook includes 6 pre-built dashboards that auto-populate directly from your data — open the file, populate your controls, and your board-ready risk reports are ready instantly. No additional configuration. No extra software.

📊
Inherent Risk Dashboard
Visual breakdown of all 190 controls by inherent risk rating (Critical / High / Medium / Low) across all 14 domains — your pre-control exposure map. Shows the risk the SACCO carries before any mitigating controls are applied.
🔌
Residual Risk Dashboard
Post-control risk profile showing exactly what risk remains after your controls are applied and tested. Exactly what SASRA examiners look for when reviewing your IT risk management framework.
📈
Risk Reduction Analysis
Quantifies the risk reduction your controls deliver — inherent vs residual comparison by domain. The evidence your Board needs that IT investment is actually reducing risk, not just creating documentation overhead.
🔴
Risk Responses Dashboard
Accept / Reduce / Transfer / Avoid breakdown across all 190 controls by domain — demonstrates structured, risk-based decision-making to SASRA examiners and your Audit Committee.
🛡
Controls Dashboard
Your full control architecture at a glance — breakdown by control type (Preventive / Detective / Corrective / Directive) and nature (Manual / Semi-Automated / Automated) across all 14 audit domains.
Risk Appetite Dashboard
Maps every control’s residual risk against your Board-approved appetite thresholds — instantly flags AT LIMIT and BREACHED positions requiring mandatory Audit Committee escalation.

What every DT-SACCO discovers when it runs this audit framework

These numbers come from real SASRA IT audit engagements conducted using this framework. They are what your Audit Committee and SASRA examiner will see — and they are why documentation matters.

100%
Controls start at Critical or High inherent risk
Every single one of the 190 controls in this register presents at Critical or High inherent risk before mitigating controls are applied. Digital channels, member data, and SASRA regulatory obligations create a high-exposure environment for every DT-SACCO. Without a documented register, your Board cannot govern this risk.
89%
Average risk reduction when controls are documented and tested
SACCOs using this framework to document and test their controls can achieve a substantial reduction in elevated risk. That is the number your Board’s Risk Reduction Analysis dashboard will show. It is also the number SASRA wants to see in your IT governance framework.
7
Average ineffective controls found on a SACCO’s first structured audit
SACCOs on average identify some of their controls to be Ineffective, i.e. designed but not operating effectively. Each one is an unmitigated risk. Finding them yourself using this Audit Program costs KES 50,000. Having SASRA find them on examination day costs significantly more — in remediation time, regulatory direction, and reputational exposure.
2
Typical risk appetite breaches requiring Board escalation
Some controls, on average, breach the Board-approved risk appetite threshold when first formally assessed, i.e. they trigger mandatory Audit Committee (Board) escalation. The Risk Appetite Dashboard flags these automatically. A SACCO that identifies and documents appetite breaches is demonstrating governance maturity. A SACCO that discovers them on examination day is in a very different position.
35
Controls mapped to Cybersecurity Risks
Cybersecurity risks introduced new requirements across digital channel security, network and infrastructure security, incident response, and access management. 35 controls in this bundle are specifically mapped to cybersecurity — including network perimeter, device-hardening and remote-access/VPN controls.

KES 50,000 — versus building it yourself

Every DT-SACCO needs exactly what is in this bundle. Here is what producing each component independently would cost — versus purchasing the complete SASRA IT Compliance Bundle today.

Building it in-house
Risk Register from scratch: 3–4 weeks of senior IT auditor research (KES 120,000+)
190+ audit procedures: 2–3 weeks of drafting and regulatory alignment (KES 80,000+)
SASRA/ODPC/CBK/BCBS regulatory mapping: 40–60 hours of specialist research
6 management dashboards: Excel development and configuration (KES 40,000+)
Findings log (findings, recommendations, action plans, owners, due dates): hours of manual drafting
Evidence request log: manual extraction from audit program
Risk appetite framework calibrated to SACCO thresholds
Cybersecurity Guidelines: requires current regulatory knowledge
12-month regulatory update maintenance
KES 280,000+
Estimated 8–10 weeks of qualified auditor time, plus ongoing maintenance
VS
SASRA IT Compliance Bundle
Risk register / RCM — 190 controls, 14 domains, fully populated
Audit program — 190+ procedures, 28 columns, fieldwork-ready
IT Audit findings log — findings, recommendations, action plans, owners & due dates
Evidence request log — evidence items, date requested & 14-day deadline
6 Management dashboards — auto-populate from your RCM data
5 Board-ready report templates (Board & IT Management)
SASRA / ODPC / CBK / BCBS / NIST / COBIT — all mapped, citation-ready
Cybersecurity Guidelines — fully integrated (35 controls)
KES 50,000
Complete bundle · Instant delivery by email · One-SACCO licence

Built on Kenya’s actual regulatory instruments

Every audit procedure is anchored to a specific regulatory requirement — not generic best practice. When SASRA examiners ask for your audit evidence, you point to the specific control and the specific regulatory instrument it satisfies.

Regulations — Governance, risk management, access controls, change management, Digital channels, incident response, third-party controls
Data Protection Act 2019 & Regulations — Member data processing, consent, DPO, ODPC registration
BCBS Core Principles and BS-SOC Guidelines — Interoperability controls for bank-connected SACCOs and payment systems
ISO 27001:2022 — International information security control framework referenced throughout

Built for every professional involved in SACCO IT assurance

Whether you are an external IT auditor, an internal audit function, a SACCO board member, or a compliance officer, this program gives you a structured, defensible audit approach that satisfies SASRA’s examination expectations — ready to tailor and deploy. Costs less than a single day of IT Audit consulting.

📋
External IT Auditors
Deploy immediately on SACCO engagements — no research time required. SASRA-aligned procedures, evidence lists, and workpaper references built in.
🏢
Internal Audit Teams
Build your annual IT audit plan around a comprehensive, regulator-aligned program that demonstrates governance maturity to the SACCO board.
📔
Compliance Officers
Map SACCO digital channel controls against SASRA requirements and identify gaps before the examiner does — proactive rather than reactive compliance.
💸
SACCO Management
Commission a structured IT health check using this program to understand your current compliance posture against the SASRA regulations and guidelines-circulars.
👥
Board of Directors
Use the program and its risk ratings to provide meaningful board-level oversight of IT and cybersecurity risk across your SACCO’s digital operations.

Everything you need — ready to use on your next SASRA IT Audit engagement

  • 📄
    Excel Files
    Risk Control Matrix / Risk Register
    Fully populated RCM with 190 individual controls across 14 domains. Captures risk statement, likelihood, impact, inherent risk rating, control statement, control type, nature, frequency, ownership, regulatory mapping, and residual risk. The living document SASRA expects your SACCO to maintain.
  • 📈
    Overall Audit Program
    Step-by-step audit program with 190+ test procedures linked by Control ID to the Risk Register. Each procedure includes the control objective, detailed test steps, evidence required, SASRA regulatory reference, sample size guidance, and 28 fieldwork and reporting columns for the auditor to complete.
  • 📋
    IT Audit Findings Log
    Remediation tracking workflow from finding to closure, including a Summary dashboard and domain breakdown.
  • 📄
    Evidence Request Log
    The complete tracking register from Evidence request to receipt. Evidence items across 190 controls and all 14 domains.
  • Dashboards (built into the Risk Register)
    6 Board-Ready Management Dashboards
    Six pre-built dashboards auto-populate directly from the Risk Register — no configuration required: Inherent Risk Dashboard, Residual Risk Dashboard, Risk Reduction Analysis, Risk Responses Dashboard, Controls Dashboard, and Risk Appetite Dashboard. Populate your data once and all six reports update automatically.
  • 📑
    Board & Management Reports
    Board RCM Presentation
    Board-level PowerPoint presentation covering the full risk profiles. Structured for the Audit Committee and Board, with executive KPIs, domain scorecard, and governance action items.
  • 📑
    IT Management Report
    Detailed IT management PowerPoint deck covering full domain analysis, control effectiveness breakdown, residual risk by domain, structural insights, and the complete Management Action Plan register.
  • 📑
    Board MAP Status Dashboard
    Board-facing Management Action Plan status presentation — executive summary of overdue actions, Critical/High escalations, owner accountability scoreboard, remediation timeline heat map by domain and month, and five specific governance actions for the Audit Committee to action.
  • 📑
    IT Management MAP Dashboard
    Operational MAP dashboard for IT management — full overdue register, 90-day critical path, complete action plan register, domain risk analysis, owner accountability scoreboard, and owner-specific management actions.
  • 📑
    Audit Programme Insights
    The governance intelligence layer on top of the full audit dataset. Analytics presentation derived from the Overall Audit Program — remediation velocity, owner accountability scoreboard, due-date heat map by domain and month, conclusion quality scorecard, SASRA regulatory coverage map, and the 90-day critical path.
  • 🔒
    Regulatory Coverage
    Full Regulatory Mapping — SASRA, ODPC, CBK, BCBS, NIST, COBIT
    Citation-ready for SASRA examination responses. Every control maps to specific regulatory instruments: SASRA, Kenya DPA 2019, CBK BCBS Principles etc.
  • 🎉
    Ready to customise and deploy
    All fields are unlocked for modification. Update risk ratings, control effectiveness, ownership, and findings based on your own fieldwork. The Index sheet includes usage instructions and notes. Costs less than a single day of IT audit consulting.
SASRA Compliance Bundle
SASRA IT Compliance Bundle
KES 50,000

Complete bundle — all files, dashboards & reports included

  • Risk Register / RCM (190 controls, 14 domains)
  • Overall Audit Program (190+ procedures, 28 columns)
  • IT audit findings log (findings, recommendations, action plans, due dates & owners)
  • Evidence Request Log
  • Risk Impact & Occurrence Matrix
  • 6 built-in management dashboards
  • Board RCM Presentation (PowerPoint)
  • IT Management Report (PowerPoint)
  • Board MAP Status Dashboard (PowerPoint)
  • IT Management MAP Dashboard (PowerPoint)
  • Audit Programme Insights (PowerPoint)
  • SASRA, ODPC, CBK, BCBS, NIST & COBIT mapping
  • Email support from Sentinel’s audit team
Purchase & Download Now

🔒 Secure payment  |  Instant delivery by email

Multi-SACCO & firm licensing available — contact us

Optional services to deploy the bundle faster

The KES 50,000 bundle is complete and ready to use on its own. For SACCOs that want hands-on support, Sentinel’s certified IT audit team offers these optional add-on services — priced separately depending on the size of your organization and the scope/statement of work.

Add-on service
Done-for-you Customisation & Configuration
from KES 95,000–KES 450,000

We configure the Risk Register and Audit Program to your SACCO’s specific control environment, size and service model (DT-SACCO vs non-withdrawable) — populating ownership, scope and applicable domains so your team can begin testing immediately.

🎓
Add-on service
Half-Day Facilitated Deployment Workshop
from KES 125,000

A remote or on-site working session where our team helps your IT and internal audit functions deploy the toolkit, calibrate risk ratings to your environment, and produce your first Board-ready risk report.

Add-on service
Management Action Plan Tracker Build
from KES 80,000–KES 200,000

We populate a Management Action Plan tracker from your existing audit findings — each with a named owner, agreed due date and live status — giving your Board Audit Committee a ready remediation-tracking dashboard.

🛡
Add-on service
SASRA Cybersecurity Gap Review
from KES 180,000–KES 500,000

A structured review mapping your current controls against the SASRA Cybersecurity Directive, pinpointing exactly which controls need updating.

🔍
Add-on service
Independent External Examination
KES 200,000–600,000

Sentinel independently tests and validates your populated Risk Register and controls — delivering the board and examiner-ready independent assurance that internal documentation alone cannot. Scope and fee depend on SACCO size.

🏢
Add-on service
Multi-SACCO & Firm Licensing
Custom pricing

For audit firms, consultancies and SACCO groups deploying the bundle across multiple clients or branches — discounted multi-engagement licensing tailored to the number of entities.

To add any of these services, email sales@sentinelassurancepartners.co.ke or call +254 769 546 128. Fees are per SACCO and scope of work.

A complete Risk Register — not just an audit checklist

Most IT audit programs tell you what to test. This toolkit goes further — it includes a Risk Control Matrix (RCM) / Risk Register with 190 individual controls mapped to risks, regulatory instruments, control types, ownership, and frequency. This is the living document SASRA expects your SACCO to maintain and your auditors to test against.

The Risk Register and Overall Audit Program are linked by Control ID — meaning every audit test procedure in the audit program traces directly back to a documented risk and control in the register. This is the standard examiners look for.

Critical
Critical-rated controls documented

Controls classified as Critical address risks that — if the control fails — are likely to result in material financial loss, regulatory sanction, or irreversible member data loss. Every Critical control has a named owner, a documented regulatory reference, and a specific audit test procedure.

High
High-rated controls documented

High-rated controls cover significant risks with elevated probability of exploitation. Each includes inherent risk assessment, control effectiveness column, residual risk rating, risk response (Avoid / Reduce / Transfer / Accept), and SASRA regulatory mapping.

Three Risk Levels
Enterprise → Intermediary → Library risk hierarchy

Each risk is documented at three levels: Enterprise Risk (e.g. Operational Risk), Intermediary Risk (e.g. Information Security Risk), and Library Risk (e.g. External Data Breach Risk). This hierarchy aligns with SASRA’s risk-based supervisory approach and your SACCO’s own risk appetite framework.

| Risk & Control Identity | Risk Classification | Control Details | Assessment & Response |
| --- | --- | --- | --- |
| Control ID (e.g. MM/01.1) | Enterprise Risk Level 1 | Individual Control Statement | Likelihood |
| Area Reference | Intermediary Risk Level 2 | Control Type (Preventive / Detective / Corrective / Directive) | Impact |
| Risk Entry Date | Library Risk Level 3 | Control Nature (Automated / Semi-Automated / Manual) | Inherent Risk Rating |
| Domain | Risk Description / Statement | Frequency | Control Effectiveness |
| Process / Audit Area | Risk Owner | Control Owner | Residual Risk Rating |
| SASRA & Regulatory Reference | Next Review Date | Status | Risk Response (Avoid / Reduce / Transfer / Accept) |

| Planning | Fieldwork | Findings | Reporting |
| --- | --- | --- | --- |
| Domain & Process Name | Test Procedure (step-by-step) | Conclusion | Recommendation |
| W/P Reference Number | Evidence Required | Findings description | Management Action Plan |
| Sub-Control ID | SASRA Regulatory Reference | Finding Owner | Management Action Owner |
| Risk Statement | Sample Size | Residual Risk Rating | Remediation Due Date |
| Inherent Risk Rating | Responsible IT Auditor | Audit Phase | Status |
| Control Objective | W/P Completion Date | Control Type & Nature | Frequency |

190 Total controls documented
190+ Audit procedures
14 Audit domains covered
53 Risk groups mapped
6 Regulatory frameworks mapped

Written by certified IT auditors with 15+ years of financial sector experience

Sentinel Assurance Partners Ltd is Kenya’s dedicated IT audit, cybersecurity assurance, and technology risk advisory firm. Our team brings global experience covering various industries — Banking, Insurance, Gaming, and Finance — combined with deep understanding of Kenya’s SACCO regulatory environment.

This audit program was built by practitioners who have conducted IT audits in regulated financial institutions and understand exactly what SASRA examiners are looking for in your IT environment.

We serve SACCOs, banks, fintechs, insurance companies, and government entities across East Africa, with regulatory fluency.

CISA · IT Audit
CISSP · Security
CRISC · Risk
CCSP · Cloud
CDPSE · Data Privacy
15+ yrs · Experience

Our credentials

  • Certified Information Systems Auditor (CISA) — ISACA
  • Certified Information Systems Security Professional (CISSP)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Cloud Security Professional (CCSP)
  • Certified Data Privacy Solutions Engineer (CDPSE)

Read our SASRA 2026 compliance guide

Understand the full scope of SASRA’s April 2026 IT audit requirements before deploying this program.

Read the guide →

Common questions from SACCO auditors and compliance officers

Is this audit program aligned to the SASRA regulations and guidelines-circulars specifically?
Yes. The program was developed in direct response to SASRA regulations and guidelines-circulars, including CBK requirements for digital financial services. Every procedure references the relevant regulatory instrument.
Can this be used for both DT-SACCOs and non-withdrawable deposit-taking SACCOs?
Yes, with appropriate scope adjustments. The program covers digital channels relevant to both SACCO types. The included customisation guidance note explains how to tailor the scope for non-withdrawable SACCOs that may not operate all digital channels.
Does the program cover third-party vendors and system integrators?
Yes. We have dedicated procedures covering the full vendor risk lifecycle: onboarding due diligence, contract controls, access management, ongoing monitoring, concentration risk, incident escalation, and system integrator controls. This is explicitly required by the SASRA directive.
What file formats are included and how is the program delivered?
The bundle is delivered as two Microsoft Excel workbooks (.xlsx): (1) the Risk Register/RCM with 190 controls and 6 built-in dashboards, and (2) the Overall Audit Program with 190+ test procedures. Both files are delivered by email within the hour of payment. No specialist software is required beyond Microsoft Office.
Can this audit program be used by an internal audit team or only external auditors?
It is designed for both. Internal audit teams use it to build their annual IT audit plan and demonstrate governance maturity. External IT auditors use it as a deployment-ready fieldwork program. The risk rating framework and sign-off sections are relevant to both contexts.
Is multi-SACCO or firm-wide licensing available?
Yes. If you are an audit firm or consultancy planning to use this program across multiple SACCO clients, or a SACCO with multiple branches requiring firm-wide deployment, contact us at sales@sentinelassurancepartners.co.ke to discuss firm licensing pricing.

Your SASRA examination is coming. Walk in with Confidence.

Get the complete SASRA IT Compliance Bundle — Risk Register with 190 Controls, 6 built-in Dashboards, and 190+ Audit procedures and demonstrate full IT governance documentation on examination day. Instant delivery. KES 50,000.