-
SASRA 2026 IT Audit Requirements: A Compliance Guide for Kenyan SACCOs
SASRA has entered its most demanding regulatory cycle to date. With tightened audit standards, mandatory audited financial statement deadlines, auditor quality controls, and licence revocations for non-compliance, Kenya’s 176 deposit-taking SACCOs face a technology governance environment that demands professional, risk-based IT audit coverage — not just to satisfy the…
-
Preparing for an ODPC Data Protection Compliance Audit in Kenya
Kenya’s data protection landscape has shifted from awareness to active enforcement. The Office of the Data Protection Commissioner (ODPC) has issued 184 compensation orders, 134 enforcement notices, and 20 penalty notices — and the proposed amendment bill threatens to multiply financial exposure dramatically. For organisations across Kenya and East…
-
CBK’s New Banking Sector Cybersecurity Operations Centre (BS-SOC): What Your Bank Must Do Now
The Central Bank of Kenya has established the Banking Sector Cybersecurity Operations Centre and commenced harmonising its cybersecurity guidelines with the Computer Misuse and Cybercrimes Regulations 2024. For every regulated financial institution in Kenya, this creates new reporting obligations, control requirements, and governance expectations that demand immediate attention —…
-
Third-Party Cybersecurity Risk
When an organisation shares its data, systems, or network access with external vendors, it inherits that vendor’s cybersecurity posture—whether it knows it or not. Understanding, assessing, and continuously monitoring third-party risk is now a core governance imperative. Executives and directors must ensure that third-party cyber risk management is integrated…
-
Understanding County Government ICT Operations Technology Risks: A Framework for IT Audit Risk and Controls
Kenya’s 47 county governments collectively manage billions of shillings annually, operate critical citizen-facing services, and run increasingly complex ICT environments. Kenya’s devolved governments represent one of the most consequential — and most under-audited — ICT environments in East Africa. The stakes are high: county systems process revenue that funds…
-
Understanding Hospital Technology Risks: An IT Audit Risk & Controls Guide
The hospitals of East Africa are at an inflection point. Digital transformation is arriving at scale — through SHA, through the Digital Health Act, etc. With this digital expansion comes an enlarged risk surface. Patient data is among the most sensitive personal information in existence. Clinical system failures can…
-
Understanding Radio Business Technology Risks: An IT Audit Risk & Controls Guide
Radio broadcasting is not simply “talking into a microphone.” It is an integrated chain of business processes spanning content origination, production, scheduling, transmission, audience engagement, advertising fulfilment, and financial reporting. One of the most significant and underappreciated risks in radio broadcasting is the integrity gap between the advertiser’s booked…
-
Understanding Airline Technology Risks: An IT Audit Risk & Controls Guide
Aviation is one of the most complex, technology-dependent industries in the world. For IT auditors and risk professionals across Kenya, East Africa, and the wider continent, understanding how airlines actually work — operationally, commercially, and technically — is the essential foundation for effective audit coverage, meaningful risk assessment, and…
-
Top 10 IT Audit Findings in Kenyan Banks
Banks that invest in robust IT governance, access management, vulnerability programmes, and third-party risk frameworks do not merely satisfy regulators — they build the operational resilience and stakeholder trust that differentiate sustainable financial institutions from fragile ones. In an era where digital banking penetration in Kenya exceeds 80% and…










