
Internal Audit

The approach to auditing within an IT environment differs depending on whether the goal is a financial, performance, or IT audit. In practice, three approaches are commonly used for internal audits.

Approach: System-Oriented Approach
Focus: Concentrates on the examination of management systems to ensure their proper functioning.
Example: In financial management systems, auditors assess the effectiveness and efficiency of financial controls, budgeting processes, and overall financial management practices.

Approach: Result-Oriented Approach
Focus: Assesses whether the intended outcomes or outputs of programs and services have been achieved as planned.
Example: Auditors evaluate the success of a government program by examining whether it has achieved its goals and produced the desired results. This can involve analysing performance indicators and comparing actual outcomes to planned objectives.

Approach: Problem-Oriented Approach
Focus: Examines, verifies, and analyses the causes of specific problems or deviations from established criteria.
Example: If discrepancies or issues are identified in a particular area, such as a project not meeting deadlines or exceeding its budget, auditors using a problem-oriented approach investigate the root causes of these problems.

Table 2: Internal Audit approaches

Each approach serves a distinct purpose and may be chosen based on the specific objectives of the audit and the context in which it is conducted. Performance auditing aims to enhance transparency, accountability, and effectiveness in organisations by providing insights into how well systems and processes are functioning and whether desired outcomes are being achieved.

An audit is always divided into four main steps: planning, conduct, reporting, and follow-up.

Figure 12: Detailed steps for an internal audit activity

The process is iterative: new insights gained during the conduct phase may lead to adjustments in the audit plan. The reporting stage may involve ongoing discussions and feedback with stakeholders, and the follow-up process ensures that the audit's impact is sustained over time.

That said, it is worth checking the list of items to be audited by the CDO teams. The list provided below is the one used by external auditors in their audit procedure and should be followed by the sector IT structure. The categories of the audit checklist are given in the table below; the detailed audit questions are presented in the annex of this Handbook.

A. ACCESS CONTROL POLICY AND PROCEDURES
Access control policy; procedures for account registration and follow-up; periodic review of user access privileges; strong password enforcement; automatic session log-off after a period of inactivity; remote access limitations; authentication required to access the network; risk assessment performed before mobile devices are allowed on the organisation's systems.

B. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Existence of an information security awareness program at the organisation level; security training for all information system users.

C. AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
Auditable events clearly defined, with an audit frequency and audit records.

D. SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES
Documented and shared information security policy in place; periodic security assessments conducted and reports available; critical infrastructures identified and their protection plan in place.

E. CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
Baseline configuration of the information system and an existing change management procedure; a defined list of prohibited or restricted functions, ports, protocols and/or services.

F. BUSINESS CONTINUITY PLANNING POLICY AND PROCEDURES
Business continuity plan in place and periodically tested; periodic information backups that support the required recovery time; documented backup routine.

G. INCIDENT RESPONSE POLICY AND PROCEDURES
Appropriate incident handling procedures in place and known by all staff.

H. SYSTEM MAINTENANCE POLICY AND PROCEDURES
Written standard for system maintenance; maintenance support process that ensures confidentiality of information; maintenance services provided by licensed/certified people or firms.

I. MEDIA PROTECTION POLICY AND PROCEDURES
Electronic media disposal policy; secure storage of electronic and physical media within a physically secure or controlled area.

J. PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
Physical access restricted to selected employees; control of all items brought into or taken out of the computer/server room; sensitive application servers and systems located in a physically restricted area.

K. PERSONNEL SECURITY POLICY AND PROCEDURES
Procedures addressing personnel screening, with records of screened personnel; procedures for personnel termination/transfer, with records of termination/transfer actions.

L. SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
Information security and information security risk management integrated into the system development life cycle; security requirements included and considered in acquisition contracts; software used in accordance with contract agreements and copyright laws.

M. SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
Separation of user functionality from management/administrative functionality; mechanism to prevent unauthorised and unintended information transfer via shared system resources; protection of the information system against denial of service; continuous monitoring strategy and reporting of the security status of the information system.

N. SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Antivirus software and endpoint security installed on the systems; all staff advised of the virus prevention procedures; centrally managed antivirus software and endpoint security; receipt of security alerts, advisories, and directives from designated external institutions.

O. DISASTER RECOVERY
Contingency plan providing for recovery and extended processing of critical applications in the event of a catastrophic disaster; recovery plans approved and regularly tested; disaster recovery teams established to support the disaster recovery plan; responsibilities of individuals within the disaster recovery team defined, with time allocated for completion of their tasks; in the event of a failure, the recovery plan ensures that data received but not yet processed is not lost and that data already processed is not reprocessed.

Table 3: Internal Audit checklist

The above list is provided by RISA and is subject to change. Please refer to the Internal IT Audit Guidelines from RISA for the latest available checklist.