
Recent Advances in Information Science

IT Governance and IT Auditing Practice in Commercial Banks in Bosnia and Herzegovina

ALICA PANDZO & KEMAL TALJANOVIC


Department of Information Systems
University Sarajevo School of Science and Technology
Hrasnicka 3a, Ilidza, 71000 Sarajevo
BOSNIA AND HERZEGOVINA
alica.pandzo@ssst.edu.ba / kemal.taljanovic@ssst.edu.ba / http://www.ssst.edu.ba

Abstract: Information technology (IT) auditing is one of the fastest growing fields in technology today. In Bosnia and Herzegovina, this profession is in its infancy. The recent passing of the Decision on minimum standards for managing information systems by the Banking Agency of the Federation of Bosnia and Herzegovina is expected to be the long-awaited trigger for recognition, promotion and growth of the information technology audit profession. This paper provides an overview of IT governance and IT auditing. It also presents the results of a survey of current IT governance and IT auditing practices in commercial banks in Bosnia and Herzegovina and identifies the challenges the banks face in trying to comply with the newly introduced standards. Findings reveal poor IT risk management practices across banks of all sizes. This study was the first step of an ongoing project to measure and track the effect of regulatory provisions in this field and to identify the challenges for banks.

Key-Words: IT governance, ITG, IT auditing, information systems, auditing, banks, Bosnia and Herzegovina

1 Introduction

Most people are familiar with the purpose of traditional or financial auditing, but when it comes to IT/IS auditing the majority would be clueless. The purpose of a financial audit is to issue an unbiased opinion on the truth and fairness of the financial statements of the company being audited, based on objective evidence. As many modern business processes are automated, and business and accounting data today are kept and processed using increasingly complex information systems, the information systems themselves become an important element of any audit. Hence, information system or information technology auditing (IT auditing), initially referred to as Electronic Data Processing (EDP) auditing, was created to support the audit of financial statements, and IT audit reports were produced as part of the financial audit report [9].

Today, IT auditing is still most often used to audit critical systems in order to support financial audits or to comply with new laws and regulations such as the Sarbanes-Oxley Act in the USA and Basel II in Europe. These regulations were brought in primarily to restore public confidence in accounting after a number of large corporations filed for bankruptcy less than a year after receiving a clean financial audit report; Enron was the largest and most publicized of these [7].

However, as companies increasingly recognise and rely on the strategic value that information technology brings to their business, the role of IT auditors is changing. IT audit plays a key advisory role in IT governance (ITG), which is an integral part of corporate governance. IT auditors can initiate, plan and monitor ITG initiatives and help to drive business benefits from better ITG [8].

On 28 December 2011, the administrative committee of the Banking Agency of the Federation of BiH (FBA) adopted a Decision on the minimum standards for managing information systems in banks (the Decision) [1]. The Decision is based on best ITG practice and standards. An equivalent regulation does not yet exist in the other entity of Bosnia and Herzegovina (B&H), the Republic of Srpska, but it is reasonable to expect that the same will be adopted in the near future. The Decision is expected to promote good ITG practices across the financial and other sectors in B&H. It is also expected to trigger the recognition, promotion and growth of the IT audit profession in the region.

ISBN: 978-960-474-304-9 288



Much of the research in the field of ITG focuses on ITG implementation and frameworks [2-6, 17], while little research focuses on the challenges organisations may encounter [14, 15, 16]. Research on ITG and IT auditing practices and challenges in the developing countries of the Western Balkans, and on the impact of legislation and regulation in this field, is very scarce. The effects of a very similar decision in the Republic of Croatia have been tracked and studied by Spremic et al. [19, 20].

The aim of this research study is to explore the current practices of ITG and IT auditing in commercial banks in B&H and to identify the challenges the banks in the Federation of Bosnia and Herzegovina (FBiH) have in complying with the newly introduced regulations.

Section 2 of this paper provides a brief overview of ITG and IT auditing. Section 3 describes the commercial banking sector in B&H and its regulatory environment, including details of the newly introduced Decision on the minimum standards for managing IS in banks in FBiH. The methodology and results of our research are then presented, followed by a discussion of the major findings and conclusions.

2 IT Governance and IT Auditing

The IT Governance Institute defines ITG as "an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. IT governance is the responsibility of the board of directors and executive management" [11]. While IT management is mainly focused on the daily effective and efficient supply of IT services and IT operations, ITG is a much broader concept which focuses on performing and transforming IT to meet the present and future demands of the business. There are five main focus areas of ITG: strategic alignment, IT value delivery, IT resource management, risk management and performance measurement. ITG is a continuous lifecycle and all areas are driven by stakeholder value [10]. IT auditors play an important part in establishing, measuring and analysing the organisation's performance in terms of ITG.

As defined by Ron Weber (1988), IT auditing is "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently" [21]. IT audit plays an important role in measuring the maturity of an organization's IT and letting management know how it compares to globally recognized standards and frameworks. The most widely accepted ITG framework, COBIT, is created by the non-profit organizations ISACA [12] and ITGI, who define it as a comprehensive set of resources that contains all the information organizations need to adopt an ITG and control framework. The current version, COBIT 5, was released in 2012 and divides IT into five domains (Evaluate, Direct and Monitor; Align, Plan and Organize; Build, Acquire and Implement; Deliver, Service and Support; and Monitor, Evaluate and Assess). The five domains are broken down into 37 high-level processes and 300 detailed IT controls. Version 5 has been aligned and harmonized with other frameworks and standards such as ITIL, ISO, PMBOK, PRINCE2 and The Open Group Architecture Framework (TOGAF).

The process of conducting an IT audit is similar to any other audit and can be roughly grouped in three major stages: planning, fieldwork and reporting. Planning begins with familiarization with and understanding of the audit environment, conducting a risk assessment, establishing the audit scope and control objectives, performing a preliminary assessment of controls, and developing an audit program and plan. The purpose of fieldwork is to gather evidence to achieve the audit objectives. Evidence may come in the form of observed processes, documentary evidence, representations (flowcharts, narratives, policies and procedures) or data analysis. An audit opinion is formed by evaluating the audit evidence. The findings, conclusions and suggestions for corrective actions are presented to the company's board in the form of an audit report. Follow-ups are scheduled to check on any reportable conditions or deficiencies [9].




3 Regulation of Commercial Banks in B&H

There are currently 28 commercial banks registered in B&H: 18 are registered in the Federation of BiH (FBiH) and 10 in the Republic of Srpska (RS). There are two regulatory and supervisory bodies for the B&H banking sector: the Banking Agency of the Federation of BiH (FBA) and the Banking Agency of the Republic of Srpska (BARS).

The Decision on minimum standards for managing information systems in banks in FBiH specifies minimum responsibilities for the bank's supervisory board and the bank's management. The following are some of the responsibilities assigned to the bank's supervisory board:

• Devise an IS strategy which must be an integral part of the bank's business strategy;
• Approve IS policies proposed by management and supervise their implementation;
• Establish a system for measuring, monitoring, controlling and managing risks related to information system security;
• Regulate the content and timeliness of reporting on IS management issues to the supervisory board;
• Ensure that IT governance controls, as well as internal IT controls, are under constant surveillance by internal audit and periodic surveillance by external audit.

Management of the bank is, among other things, responsible to:

• Appoint an information system management committee composed of representatives of different business functions;
• Establish and implement information system policies and procedures;
• Implement a system for information system risk measurement, monitoring, control and management;
• Devise a plan and program to establish and raise awareness of information system security;
• Adopt a methodology to define the criteria, methods and procedures for managing risks arising from the use of information systems;
• Continuously analyze information system risks, taking steps to reduce risk to an acceptable level, and do so regularly, at least once a year;
• Manage risks arising from contractual relationships with parties whose activities are related to the bank's IS;
• Assign an information security officer, IT risk officer, internal IT auditor and external IT auditor;
• Conduct an IT audit within one year of the official release of the Decision and thereafter:
    - conduct yearly audits, for banks with total assets above 500 million BAM;
    - conduct audits every three years, for banks whose total assets fall below 500 million BAM.

Along with the Decision, the FBA also passed a Decision on minimum standards for managing outsourced activities. Even though banks may not fully outsource control functions, according to this decision banks may outsource the IT audit function, subject to the conditions and manner prescribed by that Decision.

4 Research Methodology

The current ITG and IT auditing practices in commercial banks in B&H were studied using a survey questionnaire which was sent to the directors of internal audit departments in all commercial banks registered in B&H, in electronic and paper form, during June 2012. The questionnaire contained a total of 7 questions for banks which do not conduct internal IT audits, and an additional 9 questions for those which do. The questionnaire was organized in three major parts. The first part focused on the existence of written IT plans, policies and procedures as required by the Decision. The next part focused on IT governance structures: the existence and placement of the various IT audit related functions such as the audit board, IT auditor, information security officer, IT risk officer, etc. The final section (required only for banks that conduct internal IT audits) focused on the use of audit methodologies, standards and tools. It was not mandatory for participants to disclose the name of their bank.

In order to identify the challenges of meeting the minimum standards required by the Decision, 8 phone interviews were conducted during March and April 2013. We felt it was important to give banks an appropriate amount of time after the Decision was adopted for them to be able to identify challenges. The interviewees were either IS security officers or




internal IT auditors from 8 commercial banks in FBiH, of which 5 were small and 3 were medium. Large banks were not included as they clearly do not appear to have major challenges. Being part of large European banking groups, large banks strive to align their local operations with the group's banking standards, and so benefit from synergies in terms of know-how, professional development, and information and financial support. We first asked the participants to identify the challenges their banks had met in trying to comply with the Decision. After that, they were read a list of challenges (drawn from the current literature and the authors' own opinions) and asked to rate each on a 1-5 scale, with 1 representing "does not present a challenge" and 5 representing "presents a very serious challenge".

5 Discussion of Results

We received a total of 15 responses, a response rate of 54%. We received 10 responses from banks registered in FBiH, which is 55% of all banks in FBiH. The remaining 5 were from banks in RS, covering 50% of the banks in RS. The Decision stipulates different requirements for large, medium and small banks, and we were able to obtain a good distribution of banks of all sizes. Fig. 1 shows the distribution of respondents classified according to the bank's total assets, which is the same classification stipulated by the Decision. 60% of the responding banks are majority owned by a foreign banking group; these include all large banks and most medium-sized banks.

Fig. 1: Distribution of participating banks according to bank's total assets

5.1 IT documents

It is very encouraging that all responding banks reported having a business continuity plan and an IS security policy, as shown in Fig. 2. On the other hand, it is most concerning that only 50% of all banks have an IT risk management plan and 64% reported having a risk management methodology. Even though large banks have the majority of the required IT documents in place and conduct regular internal IT audits, only one of the three (33%) reported having an IT risk management plan and methodology in place, while the remaining 2 reported that their IT risk plan and methodology are being developed. This indicates that IT risks are not being properly identified, assessed and managed on a continuous basis. According to N. Carr, cited in [18], the key to getting value from IT is to effectively manage risk, and IT risk (as operational risk) should be managed as part of the organization's overall risk management process. If IT risks are not being identified, they are being retained by default. Risk assessment allows IT auditors to narrow the audit scope and maximize efficiency and effectiveness [9]. The lack of formal IT risk management documents indicates that a control-based rather than a risk-based audit approach is being exercised by these banks, which is not the most efficient or effective. 67% of medium-sized banks reported having an IT risk management plan, while only 20% (1 of 5) of small banks did so. Incident and documentation management is poorly proceduralized and documented by banks across the board, with medium-sized banks reporting the best performance in these areas. All large banks report having an IS strategy, while only 67% of medium and small banks do so.

Fig. 2: IT documents (all banks)




Fig. 3: IT documents according to bank size

5.2 ITG structures

All banks reported having an audit committee, as this is already a regulatory requirement. Only 4 banks (2 medium and 2 small) do not have an IS management board set up. Overall, 80% (12) of banks conduct internal IT audits, of which 4 banks outsource this function. Only 2 banks (both small) have not yet carried out internal IT audits. When it comes to the existence of internal IT auditors, IT risk managers and information security officers, IT auditors are found in the largest number of banks (57%), followed by IS security officers and IT risk managers, which is in line with the previously reported poor IT risk management practices.

Fig. 4: IT functions

All large banks have an internal IT audit function and conduct regular audits. All medium-sized banks also have an internal IT audit function, except for one which has outsourced this function (Fig. 5). All internal IT auditor functions are placed within the internal audit department, reporting to the director of internal audit. This is the preferred organization, as it provides the internal IT auditor with maximum independence. None of the small banks reported having the IT audit or IT risk function; however, the majority plan to implement them in the near future (Fig. 5).

Fig. 5: IT audit related functions according to bank size

Only two of all banks reported having an IT risk manager function, of which one was large and one medium. An IS security officer function was reported by 67% of medium and large banks and by one small bank.

5.3 IT audit methods

Of all the banks that conduct internal IT audits in-house, 50% use COBIT and 50% use their own internally developed framework. They all reported using interviews, sampling, testing and inspection methods when auditing, and 75% also reported directly observing employees as they perform business processes.




Table 6: Challenges facing small and medium-sized banks (average score on a 1-5 scale, where 1 = "does not present a challenge" and 5 = "presents a very serious challenge")

Challenge                                                        Total     Medium    Small
                                                                 average   banks     banks
Lack of knowledge and skills in the field of IT governance,      2.5       1.3       3.2
IS security and IT auditing
Difficulties in understanding what is required by the FBA        1.8       2         1.6
Decision
Lack of qualified staff in this field                            2.3       2.7       2
Language difficulties (literature in this field is largely       1.6       1.7       1.6
only available in English)
Lack of professional training available in this field            3         4.7       2
Lack of financial resources                                      3.3       2         4

5.4 Challenges

As Table 6 shows, lack of financial resources and lack of professional training available in this field were rated as the two biggest challenges across all banks. Even though the results were quite mixed, lack of financial resources, as expected, was the highest-ranking challenge among small banks, followed by lack of skills and knowledge in this field. Medium-sized banks consistently rated lack of professional training as the biggest challenge (average response 4.7), followed by lack of financial resources, explaining however that more money should be spent on staff training. They suggested that the FBA should organize additional professional training in this field. They also said that they have some qualified staff, but not enough.

Apart from undergraduate or postgraduate education in the IT field, most employers of IT auditors today value and seek auditors with a special certification or license. The most valued global professional certification in the IT audit field is Certified Information Systems Auditor (CISA) [13], issued by the Information Systems Audit and Control Association (ISACA). The certification requires a minimum of 5 years of experience in IT auditing and successful completion of a 4-hour examination that is administered annually. There is no ISACA chapter present in B&H; the closest chapter is in Zagreb, Croatia.

Additional issues identified by banks were fear of change, the importance of upper management awareness and support, and organizational and logistical issues for larger banks.

6 Conclusion

Although the Decision on minimum standards for managing IS in banks has only been passed at the level of FBiH, there are no visible differences in internal IT audit practices between banks in the two Bosnian entities, namely the Republic of Srpska and the Federation of BiH. The differences are rather evident between large (foreign-owned) banks and smaller domestic banks. While the majority of large and medium-sized banks have implemented internal IT audit functions, documented most IT procedures and plans, and conduct internal IT audits, they show significant weaknesses when it comes to proper IT risk management practices. It appears that there is a general lack of awareness and knowledge of appropriate IT risk management practice, requiring further awareness raising and training across banks of all sizes in BiH.

The majority of small banks (with total assets of less than 500 million KM) will likely choose to outsource their internal IT audit function. These banks have a lot of work ahead of them, as they were found to lack documented administrative controls in the majority of IT areas stipulated by the Decision. The biggest challenge identified by small banks is the lack of financial resources, followed by lack of professional staff skills and knowledge. However, it is the medium-sized banks that showed the biggest concern about the lack of locally available professional training in the field of IT governance and IT auditing. What is needed is a lot of awareness raising and professional training in all areas of ITG, especially IT risk management, aimed at all commercial banks in B&H.

The importance of this research is that it provides a clear insight into ITG practice among B&H commercial banks before enforcement of the Decision, which will allow us to track and assess its future impact. The survey questionnaire used in this study will be resent to all commercial banks in B&H in the second half of 2013 in order to measure progress. The list of challenges identified in this study will be incorporated into the survey instrument.




References:

[1] Banking Agency of FBiH, Decision on the Minimum Standards for Managing Information Systems in Banks, 2011 (in Bosnian, translated). Available at: http://fba.ba
[2] J. Bhattacharjya and V. Chang, Adoption and Implementation of IT Governance: Cases from Australian Higher Education, ACIS Proceedings, 2006.
[3] P. L. Bowen, M. D. Cheung and F. H. Rohde, Enhancing IT governance practices: A model and case study of an organization's efforts, International Journal of Accounting Information Systems, pp. 191-221, 2007.
[4] P. H. Bermejo et al., Implementation of IT governance through IT strategic planning, African Journal of Business Management, Vol. 6, pp. 11179-11189.
[5] A. Chaudhuri, Enabling Effective IT Governance: Leveraging ISO/IEC 38500:2008 and COBIT to Achieve Business-IT Alignment, EDPACS, Vol. 44, No. 2, pp. 1-18, 2011.
[6] S. De Haes and W. Van Grembergen, An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment, Information Systems Management, Vol. 26, Issue 2, pp. 123-137, 2009.
[7] J. A. Hall, Information Technology Auditing, 3rd edition, South-Western, Cengage Learning, 2011.
[8] G. Hardy, The Role of the IT Auditor in IT Governance, ISACA Journal, Vol. 1, 2009.
[9] J. Hunton, S. Bryant and N. Bagranoff, Core Concepts of Information Technology Auditing, John Wiley & Sons, 2004.
[10] IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, ITGI, 2003. Available at: http://www.isaca.org, retrieved on 12 March 2013.
[11] IT Governance Institute. Available at: http://www.itgi.org/
[12] ISACA, COBIT 5: A Business Framework for Governance and Management of Enterprise IT, ISACA, 2012. Available at: http://www.isaca.org/cobit
[13] ISACA, Certification, CISA: Certified Information Systems Auditor. Available at: http://www.isaca.org/
[14] L. A. Omari, P. Barnes and G. Pitman, A Delphi Study into the Audit Challenges of IT Governance in the Australian Public Sector, eJCSIT, Vol. 4, No. 1, 2013.
[15] M. F. I. Othman et al., Barriers to information technology governance adoption: a preliminary empirical investigation, 15th International Business Information Management Association Conference, pp. 1771-1787, 2011.
[16] S. Ramanathan, IT Governance: Challenges in Implementation From an Asian Perspective, Information Systems Control Journal, Vol. 5, 2007.
[17] J. Rouyet-Ruiz, COBIT as a Tool for IT Governance: between Auditing and IT Governance, The European Journal for the Informatics Professional, Vol. 9, No. 1, pp. 40-43, 2008.
[18] S. Senft and F. Gallegos, Information Technology Control and Audit, Third Edition, Auerbach Publications, Taylor & Francis Group, 2009.
[19] M. Spremic, M. Ivanov and B. Jakovic, IT Governance and Information System Auditing Practice in Credit Institutions in the Republic of Croatia, International Journal of Applied Mathematics and Informatics, Vol. 6, Issue 2, 2012.
[20] M. Spremic and H. Spremic, Measuring IT Governance Maturity: Evidences from using regulation framework in the Republic of Croatia, Proceedings of the 5th European Computing Conference, pp. 98-104, 2011.
[21] R. Weber, EDP Auditing: Conceptual Foundations and Practice, 2nd Edition, McGraw-Hill, 1988.

