IT Governance and IT Auditing Practice in Commercial Banks in Bosnia and Herzegovina
Abstract: Information technology (IT) auditing is one of the fastest growing fields in technology today. In Bosnia and Herzegovina this profession is in its infancy. The recent passing of the Decision on minimum standards for managing information systems by the Banking Agency of the Federation of Bosnia and Herzegovina is expected to be the long-awaited trigger for the recognition, promotion and growth of the IT audit profession. This paper provides an overview of IT governance and IT auditing. It also presents the results of a survey of current IT governance and IT auditing practices in commercial banks in Bosnia and Herzegovina and identifies the challenges the banks face in trying to comply with the newly introduced standards. The findings reveal poor IT risk management practices across banks of all sizes. This study was the first step of an ongoing project to measure and track the effect of regulatory provisions in this field and to identify the challenges for banks.
Key-Words: IT governance, ITG, IT auditing, information systems, auditing, banks, Bosnia and Herzegovina
Much of the research in the field of ITG focuses on ITG implementation and frameworks [2-6, 17], while little research focuses on the challenges organisations may encounter [14, 15, 16]. Research on ITG and IT auditing practices and challenges in the developing countries of the Western Balkans, and on the impact of legislation and regulation in this field, is very scarce. The effects of a very similar decision in the Republic of Croatia have been tracked and studied by Spremic et al. [19, 20].

The aim of this research study is to explore the current practices of ITG and IT auditing in commercial banks in B&H and to identify the challenges the banks in the Federation of Bosnia and Herzegovina (FBiH) face in complying with the newly introduced regulations.

Section 2 of this paper provides a brief overview of ITG and IT auditing. Section 3 describes the commercial banking sector in B&H and its regulatory environment, including details of the newly introduced Decision on the minimum standards for managing IS in banks in FBiH. The methodology and results of our research are then presented, followed by a discussion of the major findings and conclusions.

2 IT Governance and IT Auditing
The IT Governance Institute defines ITG as "an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. IT governance is the responsibility of the board of directors and executive management" [11]. While IT management is mainly focused on the effective and efficient day-to-day supply of IT services and IT operations, ITG is a much broader concept which focuses on performing and transforming IT to meet the present and future demands of the business. There are five main focus areas of ITG: strategic alignment, IT value delivery, IT resource management, risk management and performance measurement. ITG is a continuous lifecycle and all areas are driven by stakeholder value [10]. IT auditors play an important part in establishing, measuring and analysing the organisation's performance in terms of ITG.

As defined by Ron Weber (1988), IT auditing is "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently" [21]. IT audit plays an important role in measuring the maturity of an organization's IT and letting management know how it compares to globally recognized standards and frameworks. COBIT, the most widely accepted ITG framework, was created by the non-profit organizations ISACA [12] and ITGI, who define it as a comprehensive set of resources containing all the information organizations need to adopt an ITG and control framework. The current version, COBIT 5, was released in 2012 and divides IT into five domains (Evaluate, Direct and Monitor; Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; and Monitor, Evaluate and Assess). The five domains are broken down into 37 high-level processes and 300 detailed IT controls. Version 5 has been aligned and harmonized with other frameworks and standards such as ITIL, ISO standards, PMBOK, PRINCE2 and The Open Group Architecture Framework (TOGAF).

The process of conducting an IT audit is similar to any other audit and can be roughly grouped into three major stages: planning, fieldwork and reporting. Planning begins with familiarising oneself with and understanding the audit environment, conducting a risk assessment, establishing the audit scope and control objectives, performing a preliminary assessment of controls and developing an audit program and plan. The purpose of fieldwork is to gather evidence to achieve the audit objectives. Evidence may come in the form of observed processes, documentary evidence, representations (flowcharts, narratives, policies and procedures) or data analysis. An audit opinion is formed by evaluating the audit evidence. The findings, conclusions and suggestions for corrective actions are presented to the company's board in the form of an audit report. Follow-ups are scheduled to check on any reportable conditions or deficiencies [9].
internal IT auditors from 8 commercial banks in FBiH, of which 5 were small and 3 were medium. Large banks were not included as they clearly do not appear to have major challenges. Being part of large European banking groups, large banks strive to align their local operations with the group's banking standards, and in doing so benefit from synergies in terms of know-how, professional development, information and financial support. We first asked the participants to identify the challenges their banks had met in trying to comply with the Decision. After that, they were read a list of challenges (drawn from the current literature and the authors' own opinions) and asked to rate each on a 1-5 scale, with 1 representing "does not present a challenge" and 5 representing "presents a very serious challenge".

5 Discussion of Results
We received a total of 15 responses, a response rate of 54%. We received 10 responses from banks registered in FBiH, which is 55% of all banks in FBiH. The remaining 5 were from banks in RS, covering 50% of banks in RS. The Decision stipulates different requirements for large, medium and small banks, and we were able to obtain a good distribution of banks of all sizes. Fig. 1 shows the distribution of respondents classified according to the bank's total assets, which is the same classification stipulated by the Decision. 60% of the responding banks are majority-owned by a foreign banking group. These include all large banks and most medium-sized banks.

5.1 IT documents
It is very encouraging that all responding banks reported having a business continuity plan and an IS security policy, as shown in Fig. 2. On the other hand, it is most concerning that only 50% of all banks have an IT risk management plan and 64% reported having a risk management methodology. Even though large banks have the majority of the required IT documents in place and conduct regular internal IT audits, only 33% (1 out of 3) reported having an IT risk management plan and methodology in place, while the remaining 2 reported that their IT risk plan and methodology were being developed. This indicates that IT risks are not being properly identified, assessed and managed on a continuous basis. According to N. Carr [18], the key to getting value from IT is to effectively manage risk, and IT risk (as operational risk) should be managed as part of the organization's overall risk management process. If IT risks are not being identified, they are being retained by default. Risk assessment allows IT auditors to narrow the audit scope and maximize efficiency and effectiveness [9]. The lack of formal IT risk management documents indicates that a control-based rather than risk-based audit approach is being exercised by these banks, which is neither the most efficient nor the most effective. 67% of medium-sized banks reported having an IT risk management plan, while only 20% (1 of 5) of small banks did so. Incident and documentation management is poorly proceduralised and documented by banks across the board, with medium-sized banks reporting the best performance in these areas. All large banks report having an IS strategy, while only 67% of medium and small banks do so.

Fig. 2: IT documents (all banks)
Fig. 4: IT functions

Table 6: Challenges facing small and medium size banks (average score on a 1-5 scale; 1 = "does not present a challenge", 5 = "presents a very serious challenge")

Challenge                                                         Total    Medium   Small
                                                                  average  bank     bank
                                                                  score    average  average
Lack of knowledge and skills in the field of IT governance,       2.5      1.3      3.2
IS security and IT auditing
Difficulties in understanding what is required by the             1.8      2        1.6
FBA Decision
Lack of qualified staff in this field                             2.3      2.7      2
Language difficulties (literature in this field is largely        1.6      1.7      1.6
only available in English)
Lack of professional training available in this field             3        4.7      2
Lack of financial resources                                       3.3      2        4

5.4 Challenges
As Table 6 shows, lack of financial resources and lack of professional training available in this field were rated as the two biggest challenges across all banks. Even though the results were quite mixed, lack of financial resources, as expected, was the highest-ranking challenge among small banks, followed by lack of skills and knowledge in this field. Medium banks consistently rated lack of professional training as the biggest challenge (average response 4.7), followed by lack of financial resources, explaining, however, that more money should be spent on staff training. They suggested that the FBA should organize additional professional training in this field. They also said that they have some qualified staff, but not enough.

Apart from undergraduate or postgraduate education in the IT field, most employers of IT auditors today value and seek auditors with a specialist certification or licence. The most valued global professional certification in the IT audit field is Certified Information Systems Auditor (CISA) [13], issued by the Information Systems Audit and Control Association (ISACA). The certification requires a minimum of 5 years of experience in IT auditing and successful completion of a four-hour examination. There is no ISACA chapter in B&H; the closest chapter is in Zagreb, Croatia.

Additional issues identified by banks were fear of change, the importance of upper management awareness and support, and organizational and logistical issues for larger banks.

6 Conclusion
Although the Decision on minimum standards for managing IS in banks has only been passed at the level of FBiH, there are no visible differences in internal IT audit practices between banks in the two Bosnian entities, namely the Republic of Srpska and the Federation of BiH. The differences are rather evident between large (foreign-owned) banks and smaller domestic banks. While the majority of large and medium banks have implemented internal IT audit functions, documented most IT procedures and plans and conduct internal IT audits, they show significant weaknesses when it comes to proper IT risk management practices. It appears that there is a general lack of awareness and knowledge of appropriate IT risk management practice, requiring further awareness raising and training across banks of all sizes in BiH.

The majority of small banks (with active funds of less than 500 million KM) will likely choose to outsource their internal IT audit function. These banks have a lot of work ahead of them, as they were found to lack documented administrative controls in the majority of IT areas stipulated by the Decision. The biggest challenge identified by small banks is the lack of financial resources, followed by lack of professional staff skills and knowledge. However, it is the medium banks that showed the biggest concerns about the lack of locally available professional training in the field of IT governance and IT auditing. What is needed is a lot of awareness raising and professional training in all areas of ITG, especially in IT risk management, aimed at all commercial banks in B&H.

The importance of this research is that it provides a clear insight into ITG practice among B&H commercial banks before enforcement of the Decision, which will allow us to track and assess its future impact. The survey questionnaire used in this study will be resent to all commercial banks in B&H in the second half of 2013 in order to measure progress. The list of challenges identified in this study will be incorporated into the survey instrument.