
COPYRIGHT AND CITATION CONSIDERATIONS FOR THIS THESIS/ DISSERTATION

o Attribution — You must give appropriate credit, provide a link to the license, and indicate if
changes were made. You may do so in any reasonable manner, but not in any way that
suggests the licensor endorses you or your use.

o NonCommercial — You may not use the material for commercial purposes.

o ShareAlike — If you remix, transform, or build upon the material, you must distribute your
contributions under the same license as the original.

How to cite this thesis

Surname, Initial(s). (2012). Title of the thesis or dissertation (Doctoral Thesis / Master’s
Dissertation). Johannesburg: University of Johannesburg. Available from:
http://hdl.handle.net/102000/0002 (Accessed: 22 August 2017).

The Role of Internal Auditing on Information Technology
within the Banking Industry

by

Bridgette Khanyile

Student Number: 215082308

LIMITED SCOPE DISSERTATION

submitted in fulfilment of the requirements for the degree

MAGISTER COMMERCII

in

COMPUTER AUDITING

at the

College of Business and Economics

at the

UNIVERSITY OF JOHANNESBURG

2019

Supervisor: Mrs Rozanne Smith

Co-supervisor: Mrs Vanessa Van Dyk


DECLARATION

I certify that the limited scope dissertation submitted by me for the degree Master’s in Computer
Auditing (Faculty of Economic and Financial Science) at the University of Johannesburg is my
independent work and has not been submitted by me for a degree at another university.

Bridgette

Abstract
Information Technology (IT) is a complex system used to conduct and process banking
transactions. As a consequence, banking relies heavily on IT. Since banking transactions take place
on an IT-driven system, the system's infrastructure and security become the bank's core functions.
However, IT does have its risks and challenges, such as confidentiality issues, security breaches,
non-compliance with regulations and poor-quality services.

IT governance is a framework that ensures that an organisation's IT infrastructure supports the
achievement of its corporate objectives. In the banking industry, IT governance plays a vital role,
especially in the internal auditing function. Internal auditors are mandated by the Institute of
Internal Auditors' standards to provide reasonable and objective assurance regarding the proper
functioning of IT departments.

This study considers the role of the internal audit function in IT governance in the South African
banking industry. The study also highlights the IT governance risks that exist in the banking
industry in South Africa. This is achieved through an extensive literature review on the governance
frameworks and recommended practices for effective governance as well as the role and
responsibilities of internal auditors in reducing IT risks. The study used purposive sampling to
examine the integrated annual reports of the major banks in South Africa. The findings show that
the banks demonstrate sound internal control systems while their internal audit approach reflects
the effective and efficient implementation of systems, with embedded risk management practices,
to ensure risk reduction.

KEY WORDS
Bank, IT governance, internal audit, corporate governance, risk, big data.

Acronyms and Abbreviations

AICD Australian Institute of Company Directors


BIS Bank for International Settlements
CAE Chief Audit Executive
CEO Chief Executive Officer
COBIT Control Objective for Information Technology
COSO Committee of Sponsoring Organisations of the Treadway Commission
IIA Institute of Internal Auditors
IoDSA Institute of Directors in Southern Africa
ISACA Information Systems Audit and Control Association
ISO International Organisation for Standardisation
IT Information Technology
ITGI IT Governance Institute
KPMG Klynveld Peat Marwick Goerdeler
NYSE New York Stock Exchange
PwC PricewaterhouseCoopers
SA South Africa
SABRIC South African Banking Risk Information Centre
SARB South African Reserve Bank
USA United States of America
Val IT Value from IT Investments

Table of Contents

CHAPTER 1: Introduction and Study Layout
1.1 Background
1.2 Problem Statement
1.3 Research Objectives
1.4 Research Methodology
1.5 Research Scope
1.6 Limitations
1.7 Ethical Considerations
1.8 Chapter Overview
1.9 Conclusion

CHAPTER 2: Research Methodology
2.1 Introduction
2.2 Research Design
2.3 Research Approach
2.4 Research Methodology
2.5 Research Purpose
2.6 Data Collection
2.7 Population
2.8 Sampling
2.9 Data Analysis and Interpretation
2.10 Validity
2.11 Conclusion

CHAPTER 3: Literature Review
3.1 Introduction
3.2 Background to IT
3.3 Importance of IT in the Banking Industry
3.4 Challenges and Risks Associated with IT
3.5 Summary: Information Technology
3.6 Mandating Governance
    3.6.1 Principles of Good IT Governance
3.7 Corporate Governance in the Banking Industry
    3.7.1 IT Governance
    3.7.2 IT Governance Frameworks
3.8 Summary: IT Governance in the Banking Industry
3.9 Introduction to Internal Auditing
3.10 Importance of Internal Auditing
3.11 Strategic Positioning of Internal Auditing
3.12 Different Types of Audits and Reviews Conducted within the Banking Environment
3.13 Summary: Internal Auditing
3.14 Conclusion

CHAPTER 4: Presentation and Analysis of Results
4.1 Introduction
4.2 Approach
4.3 Demographics - Top South African Banks
    4.3.1 Recommended IT Governance Practices
    4.3.2 Recommended IT Governance Practices for the Purpose of Testing
4.4 Findings
    4.4.1 Presentation of the Findings
4.5 Conclusion

CHAPTER 5: Conclusion
5.1 Study overview
5.2 Summary
5.3 Recommendations
5.4 Areas of Future Research
5.5 Conclusion

References

List of Tables and Figures
Chapter 3
Table 1: IIA IT Governance Model
Table 2: Internal Audit Functions in the Banking Industry
Chapter 4
Table 3: Brand Finance's ranking in 2018
Table 4: Results on whether a system of internal controls was implemented
Table 5: Results on whether banks implemented risk management structures
Table 6: Results on regulations and frameworks adapted by the banks
Table 7: Results on whether banks had internal audit functions
Table 8: Results on whether the internal audit function was strategically positioned
Table 9: Results on whether the internal audit functions of the banks reduced the risks posed by the IT environment
Table 10: Overall summary of findings

Chapter 3
Figure 1: Five elements of IT governance

CHAPTER 1: Introduction and Study Layout

1.1 Background
The importance of Information Technology (IT) in every aspect of human life and business is
undisputed. Recent trends show that IT usage has increased dramatically and continues to grow
and develop (Mokoena, 2016). Lawlor (2007) and Globalisation101 (2016) affirm that the use of
IT has become a major driving force in today’s globalised world. Dangolani (2011:15) echoes this
sentiment by pointing out that “the IT revolution has set the stage for unprecedented growth in
financial activity across the globe”. Ally (2016) concurs, observing that computer programmes
perform more than just basic functions, and are now performing increasingly complex transactions.

One of the industries that has been most affected by IT development is undoubtedly the banking
industry. IT is of considerable importance in the banking environment, because of the industry’s
heavy reliance on IT systems (Dangolani, 2011; Accenture, 2016). The financial services industry
(which includes banks and insurance companies) plays a vital role in supporting a country’s
economy (Gordhan, 2009). Jayaprakash (2013:15) adds that “banks are increasingly
interconnecting their computer systems not only across branches in a city, but also to other
geographic locations with high-speed network infrastructure and setting up local area and wide
area networks and connecting them to the internet”.

Almost all of the banking industry’s business processes and activities have been transformed in
the last twenty years due to various factors such as economic development, global financial crises
and social change. Whether the products and services include debit and credit cards, transfers,
deposits, loans, assets, liabilities or specific business or product domains such as government
securities and foreign exchange, all of the products and services offered by banks have modernised
and progressed from manual transactions to electronic ones (Padmanabhan, 2012; Banking
Association South Africa, 2017).

With all of these dramatic technological advances, banks are becoming increasingly dependent on
highly sophisticated modelling techniques, analytics and complex IT systems to inform their
decision-making (Conover, 2009; OCC, 2011). Sanchez (2017) states that although most banking
system solutions are over 30 years old, continuous improvements are required for banks to exist
and operate in such a competitive technology industry. Moreover, the World Bank (2012),
PricewaterhouseCoopers (PwC) (2013) and the Economic and Social Council (2014) state that IT
has provided the necessary infrastructure to allow banks to cope with the challenges that the 21st
century economy poses to the banking industry.

Part of the improvements within the banking industry involves its adoption of ‘big data’. Toseland
(2017) states that big data has already begun to transform how businesses in Africa operate,
specifically and significantly in the financial and ecommerce sectors. Big data is too complex and
too large to be handled by common software programmes (Chandani, Mehta, Neeraja & Prakash,
2015). Big data is analysed by a broad range of new and massive data tools that assist organisations
to identify relevant data and analyse its implications. The question that needs to be considered is
whether or not big data will require significant changes in business operations in the short term
(Moura & Serrão, 2016; ISACA, 2016).

Big data provides several benefits for the banking industry. ITWeb (2016) states that the banking
industry will undoubtedly leverage big data. Among these benefits are tracking customers’ credit
card and loan limits, ensuring there is no excessive spending, preventing fraudulent behaviour,
monitoring and analysing customers’ usage from different regions and banks changing their
methods of service delivery (ISACA, 2016).

However, there are also inherent risks in applying big data, such as ensuring privacy laws are not
breached, skills gaps and risks to data security and privacy (Marr, 2015; ISACA, 2016).
Additionally, the banking industry trades in a risky and vulnerable environment, as seen in the
global economic downturn of 2009 and other incidents such as the rising number of cyber-attacks.
Padmanabhan (2012) contends that regulators and stakeholders are greatly concerned about IT use
and the risks associated with it and thus it is crucial that all the associated risks are addressed. IT
risk can be defined as the business risk inherent in “the use, ownership, operation, involvement,
influence and adoption of IT within an entity” (ISACA, 2016:103) and such risk could include IT-
related procedures that might potentially influence the business. These risks range from false entry
gained into master file transactions, entry gained through inadequate physical security, poor
business continuity plans and the increase of social media usage in companies (Ellingwood, 2011;
Hutter, 2016). Therefore, according to ISACA (2009), risk management plays an integral function
since almost every business decision requires that those charged with governance balance the risks,
opportunities and governance.

Although IT can boost an organisation’s productivity and effectiveness, it can also disturb the
organisation’s overall performance. Such disturbances could be caused by different risks affecting
the processing methods used in an IT space (Loebbecke, Loebbecke & Arens, 2000). Boulton
(2016) states that security risks and regulatory compliance have become major concerns when
adopting IT solutions, thus highlighting the importance of governance within organisations.

The banking industry faces a range of challenges. For example, their customers currently expect a
modernised banking experience which, together with the digitisation of products and services such
as online banking and mobile banking, has increased the level of competition throughout the
banking industry (Schubert, 2015; Healy, 2018). Such an environment presents different
technological challenges and also poses threats to the banking industry. Therefore, banks have to
be poised to overcome these challenges and meet customer demands at all times.

In order to survive and grow in such an evolving market environment, banks have introduced
various IT risk governance structures such as internal audits, risk management, compliance and
internal control systems, amongst other functions. These structures address and mitigate the
material risks that could arise, including identifying, assessing, monitoring and reporting risks to
which the organisation might be exposed. The establishment of the Basel Committee in
Switzerland was intended to address organisational governance shortcomings and to present a
uniform set of rules for the global banking industry (Scheepers, 2014).

IT governance forms part of organisational governance strategies. The Control Objective for
Information and Related Technology (COBIT) helps corporations to derive optimal value from IT
by maintaining a stable balance between realising benefits and optimising risk levels and resource
usage (ISACA, 2012b). COBIT was first introduced in 1996 as a framework that offers a standard
and uniform language which business executives could use to communicate and to align with each
other’s goals, objectives and results (ISACA, 2012b). The Bank for International Settlements (BIS)
(2014) maintains that effective corporate governance is critical to proper functioning in the
banking industry and indeed for the economy as a whole. Banks need to adopt good governance
principles (or any other related principles) to be fully effective and efficient (BIS, 2014).
Therefore, the board is accountable and should safeguard IT, and other critical projects and
activities should be appropriately controlled and governed. Assurance providers such as internal
and external auditors, compliance groups, risk management teams, internal control teams that
verify controls over financial reporting and IT governance teams experience challenges in this
regard (KPMG, 2016).

The Institute of Internal Auditors’ (IIA) (2015:4) standards state that “the internal audit activity
must assess whether the IT governance of the organisation supports the organisation’s strategies
and objectives”. This means that internal auditors are charged with the responsibility of reviewing
control structures, assessing the control environment, identifying weaknesses if there are any and
providing recommendations to overcome any uncontrolled risk environment (Galea, 2015).
Moreover, the internal audit profession has experienced major changes and improvements since
the recession of 2008 – 2009 which caused stock markets to crash. The IIA published its new
listing standard, necessitating an internal audit function in organisations (Protiviti, 2009).

Internal auditors can provide an independent and objective assessment of IT governance in an
organisation since they do not have a vested interest in the development or expansion of the IT
function (ISACA, 2016). Additionally, internal auditors assist management and audit committees
to identify and evaluate business risks and they perform focus audits in high-risk areas. As such,
the internal auditor is one of the best resources available to assess IT governance practices within
an organisation. However, according to Protiviti (2015), internal auditors need to understand that
it is not necessary for IT governance audits to follow a ‘one-size-fits-all’ audit programme
approach. Rather, they should develop a forward-looking approach (Lewis, 2016). During the
audit planning phase, the internal auditors should consider what would be more impactful for the
bank, considering aspects such as enterprise level governance, service and process areas, strategic
initiatives and decisions, outsourced service providers, vendor risks and the alignment of decisions
and strategies (Protiviti, 2015).

Other studies have addressed auditing IT governance, IT governance security and the principles of
the King Code of Governance for South Africa 2009 (King III). However, these studies were
limited to describing their functionality as well as the recommendations stipulated in the King
Code (Janse van Vuuren, 2006; Joshi, Bollen & Hassink, 2013; Ngwenya, 2015; Ally, 2016). The
current study investigates the role of internal auditors in reducing risks posed by the IT
environment in the banking industry. A qualitative approach is adopted and a thorough literature
review is conducted on COBIT, King IV, Basel III, the IIA and the ISACA guidelines. The study
also evaluates the top banks’ financial reports to establish whether or not internal auditors reduce
the risks posed by the IT environment in the top SA banks. This research adds to existing literature
on this topic.

1.2 Problem Statement


As outlined above, the IT environment has created risks in the banking industry and, if not
appropriately addressed and mitigated, these risks could potentially lead to significant failures.
For instance, Jibrin, Blessing and Danjuma (2014) assessed the cause of the Nigerian banking
crisis (between 1990 and 1994) and established that investors and depositors lost several billions
of Naira due to the banks’ failure to implement proper, adequate and effective IT governance
systems. Subsequently, Deloitte’s (2017) study of financial services organisations across South
and East Africa during 2016/17 highlighted the weaknesses in IT governance and IT risk
management as one of the top five IT audit topics that still require attention. For the year 2017
alone, the South African Banking Risk Information Centre (SABRIC) (2018) states that banks
reported a 55% (representing R250m and 13 438 incidents) gross loss due to cybercrime, IT-
related risks and poor IT governance. These findings clearly demonstrate the enormous importance
of appropriate oversight of organisational corporate governance. Thus, it is necessary to study
factors regarding the role and effectiveness of internal auditors in IT governance in the SA banking
industry.

From the research statements above, the following research question is derived:
What is the role of internal auditors regarding IT governance in reducing the risks posed by
the IT environment in the banking industry?

1.3 Research Objectives


The problem statement described above forms the basis for the following research objectives:

Main objective:
• To determine the role of internal auditors in reducing risks posed by the IT environment in
the banking industry.

Sub-objectives:
• To understand the IT risks in the banking industry;
• To understand IT governance within the banking industry; and
• To understand the role of the internal audit function and to establish whether or not the
internal audit function reviews the effectiveness of IT governance within the banking
industry.

1.4 Research Methodology


To accomplish these objectives, a qualitative research approach was adopted as the method of
enquiry. The study examined COBIT, King IV, Basel III, the IIA and ISACA as the primary
guidelines for IT governance. Other guidelines such as the Committee of Sponsoring Organisations
of the Treadway Commission (COSO), Value from IT Investments (Val IT) and International
Organisation for Standardisation (ISO) were also reviewed to obtain secondary information.
Lastly, the study examined current practices within the banking sector in relation to the IT
governance and internal audit’s role in reducing risks in the IT environment in the banking
industry.

1.5 Research Scope


This study consists of a literature review and an analysis of published local and international
research in this area. As the field of IT is evolving at a particularly rapid rate, a focus was
maintained on the most recent research.

1.6 Limitations
The population of this study comprises the major banks in South Africa. The SA banking industry
was ranked third out of 148 countries in the 2013/14 World Economic Forum Global
Competitiveness Survey (Banking Association South Africa, 2015). This study covers the top six
banks which hold over 80% of the banking assets, namely, Amalgamated Banks of South Africa
(ABSA), Capitec, First National Bank (FNB), Investec, Nedbank and Standard Bank. It was
assumed that the other 74 banks formed the minority (Banking Association South Africa, 2015).
The 2017 results were used for this study as the 2018 results were not officially published at the
time of this study.

The scope of the research was limited to the literature reviewed and the specific research
objectives. The information disclosed in the banks’ annual integrated reports followed a prescribed
template, which is likely to limit the information provided and certain details may have been
omitted. This study adhered to the relevant ethical issues, which are discussed hereunder.

1.7 Ethical Considerations


All relevant ethical issues and concerns were considered during this study. Objectivity, fairness
and transparency were applied in this study. Other people’s work was respected by acknowledging
their authorship wherever their work was cited to avoid plagiarism.

The study adhered to the University of Johannesburg’s ethical policy, which provides for the right
to privacy, confidentiality and anonymity, the right to equality, justice, human dignity/life and
protection against harm, the right to freedom of choice, expression and access to information and
the right to the community and science community. Ethical clearance was obtained from the
University of Johannesburg’s Department of Accountancy within the College of Business and
Economics’ Ethics Committee.

1.8 Chapter Overview


This study is divided into five chapters, which are summarised below.

Chapter 1: Introduction and study layout
This introductory chapter discusses the background of the research, the research problem and the
research objectives. The purpose of the study and the research approach are also outlined in this
chapter. The chapter concludes with a summary of the study.

Chapter 2: Research methodology


This chapter outlines the research approach and methodology which were followed in the study.
The scientific methods, justification of the philosophical paradigm and data collection processes
and methods are also outlined in this chapter.

Chapter 3: Literature Review


This chapter deals with the literature review, which is presented in three sections: IT risks, IT
governance in banks and internal audit. In the first section, a background to IT is provided as well
as its importance within banks. The risks and challenges are also discussed. The second section
provides a detailed discussion of IT governance and its requirements in the banking industry, along
with IT frameworks. The third section provides information on internal audits by analysing the
importance of internal auditing, its strategic positioning and the types of audits performed within
banks.

Chapter 4: Presentation and analysis of results


This chapter includes the presentation and analysis of the results by showing a visual presentation
of the findings. This section seeks to identify the principles and practices adopted by the top SA
banks.

Chapter 5: Conclusion
Based on the results of the literature reviewed and the data analysis, inferences are drawn and a
conclusion is then made. This chapter also suggests areas for future research.

1.9 Conclusion
Banks are faced with challenges, risks and constant technological changes in their environment
(Schubert, 2015). As banks continually improve their IT systems and functions, it is necessary to
involve the overseeing structures, namely, internal and external assurance providers, as part of the
plan (Lewis, 2016). These structures could offer assistance in terms of best practice and efficient
and effective procedures that may need to be employed.

Managing and monitoring the risks posed by this growth could determine a bank’s success or
failure. These topics have to be discussed with management and executives in order to develop an
effective solution that mitigates risk exposure. In doing so, it is important to understand the
requirements and expectations of the regulatory bodies such as COBIT, King IV, Basel III, the IIA
and ISACA.

This chapter has highlighted IT’s advances and the associated risks, with the aim of demonstrating
how rapidly the IT industry has developed over recent years. The banking industry’s IT governance
requirements were discussed briefly as well as the role of internal audit functions.

The next chapter describes the research methodology and the research plan followed in the study.
It also presents the research strategy.

CHAPTER 2: Research Methodology

2.1 Introduction
According to Keohane (2014) and Leedy and Ormrod (2014), research has distinct characteristics
which can be explained as follows: it originates from a question or a problem and it requires an
articulated plan for proceeding. The main problem is divided into more manageable secondary
objectives. The research is usually guided by a specific main objective, question or a problem
statement and the conclusions of research are uncertain critical assumptions. Somers (2012) and
Maree and Pietersen (2014) define research as a systematic investigation of a study through a
process of collecting materials, sources and data in order to analyse and interpret the information
to establish facts, gain insight about the phenomenon which is of interest and to reach new
conclusions. Thus, this chapter elaborates on the research methodology, outlined in Chapter 1,
which was used to address the research objective. A detailed explanation of the population, sample,
the research approach and methods is also provided, followed by a discussion of the validity of the
results.

2.2 Research Design


A research design is a strategy which guides information collection and analysis in a way which
merges the research purpose with practical procedures (Smith, 1981). The research design provides
a logical flow that sets out the way that the research is conducted in order to discover answers to
the research question and objectives. A research design is important because it assists researchers
to plan their overall study in a meaningful way, in order to obtain the relevant data (Leedy &
Ormrod, 2005). Cohen, Manion and Morrison (2000:73) concur with this view, contending that “the
setting up of research is a balancing act, for it requires the harmonising of planned possibilities
with workable, coherent practice and the resolution of the differences between idealism and
reality”. According to Durrheim (2002), a research design could be perceived as a four-phase
approach consisting of:

• Stage 1: Outlining and describing the research question.
• Stage 2: Designing the research.
• Stage 3: Collecting and analysing data.
• Stage 4: Drafting the research report.

Mouton (2005) mentions different types of research design, notably, an empirical study and a non-
empirical study. Empirical studies are observational or experimental rather than theoretical while
non-empirical studies are based on principles or theory (Mouton, 2005).

The focus of this study is the evolution of IT, i.e. the innovations, upgrades and enhancements
in the SA banking industry and how these pose risks to banks. For example, cybercrime, security
breaches and poor governance could potentially result in significant failures for banking
organisations if not appropriately addressed and controlled.

The research design chosen for this study was an empirical one. Consequently, qualitative factors
were considered appropriate to answer the research question. The study also evaluated the top
banks’ financial reports to establish whether or not internal auditors managed to reduce the risks
posed by the IT environment in the sampled banks.

2.3 Research Approach


As outlined in section 1.2 above, the banking industry is losing considerable amounts of money
due to cybercrime, IT-related risks and poor IT governance. This calls for the appropriate oversight
of organisational corporate governance, including an effective internal audit function. Therefore,
to gather more information and discover the root cause of this topic, the research instruments
chosen for this study were a literature review and an evaluation checklist.

The study sought to collect data from relevant textbooks, journal articles, newspaper articles,
internet reports, banks’ financial reports as well as from a wider variety of resources (Miller &
Dingwall, 1997). It also assessed the top banks’ Integrated Annual reports to establish whether
internal auditors reduced the risks posed by the IT environment in these banks.

The evaluation checklist consisted of six main considerations. An analysis was done to determine
the level of agreement (applied, not applied or not clear) with the given articulation (items and / or
statements) on a metric scale by the top SA banks. All the statements in combination reveal the
particular attitude towards the issue and are therefore fundamentally inter-linked with each other.

The literature review comprises a comparison of COBIT, King IV, Basel III, the IIA and ISACA
guidelines to determine the requirements of these regulations and an evaluation that sought to
determine the current practices within the banks on whether internal auditors reduced the risks
posed by the IT environment in the top SA banks. Such an analysis required research into the
nature of IT governance and its enforceability and effectiveness. Therefore, the guidelines and the
banks’ financial reports mentioned above were thoroughly scrutinised to find an answer to the
problem of this study.

2.4 Research Methodology


The research objectives were addressed through a literature review including a thorough content
analysis of the operations of the SA banking industry. The review focused on the top banks’
financial reports. To achieve the objectives and address the research problem, a qualitative research
approach was adopted as a method of enquiry.

William (2007) states that in qualitative research, data is collected through interviews, surveys or
observations. This approach is also suited to examining the nature of certain processes,
relationships and systems that are included in the framework of IT governance (Sibanda, 2011).
Qualitative research seeks to explain characteristics of a particular concept; thereafter the data is
analysed by identifying and categorising themes.

A qualitative approach can also be used to explore the traits of individuals and settings which
cannot easily be described numerically. It allows for issues to be studied in depth, as well as for
openness and detail (Leedy & Ormrod, 2005). A qualitative approach was used to obtain secondary
information whereby a literature review was conducted to reveal the theory and concepts around
IT governance, internal audit and how these are applicable to the banking environment.

Furthermore, a literature review also allows for the collection and review of current standpoints as
reported in existing research (Leedy & Ormrod, 2005).

An evaluation checklist was used to address the research objectives. This checklist was used to
determine qualitative factors on whether or not internal auditors reduced the risks posed by the IT
environment in the top SA banks. This allowed the topic to be evaluated in depth, results to be
compared systematically and general conclusions to be drawn. The six-point evaluation checklist
was essential to meet the objectives of the study as it also corroborated the theory discovered
in the literature review. The results of such analyses are generally presented in tables and graphs
(Siddiqui & Fitzgerald, 2014).

2.5 Research Purpose


The purpose of this research was to analyse the responsibilities of internal auditors in promoting
the principles of IT governance, particularly in reducing the risks posed by the IT environment in
the SA banking industry.

2.6 Data Collection


Over the past decade, substantial literature has become available in the form of both empirical and
theoretical studies on the role of internal audit and IT governance. This literature forms a sound
basis on which to consolidate and enhance corporate policies and governance pronouncements
across the globe (Filatotchev, Jackson, Gospel & Allcock, 2007).

Mouton (2011) states that information can be gathered through different data collection methods
such as observation, interviewing or selecting and analysing texts. Analysis involves breaking up
the data into topics, patterns, connections and trends. Thus, this study’s aim was to identify the
different components of the data by assessing the connections between concepts or factors and to
analyse whether there were any patterns or trends that could be identified, isolated or used to
establish themes emerging from the data (Babbie & Mouton, 2010).

The collection method applied in this study was a literature review and an evaluation checklist.
The literature review collected information from e-documents, publications, books, practice
advisories, articles and previous research reports. The evaluation checklist covered information
contained in the top banks’ financial reports, namely, ABSA, Capitec, FNB, Investec, Nedbank
and Standard Bank. The evaluation checklist was necessary because it addressed the current
practices applied in banks. This research contains an analysis of the relevant local and international
literature on the responsibilities of internal auditors in reducing IT risks posed by the IT
environment.

2.7 Population
Saunders, Lewis and Thornhill (2000) define the term ‘populace’ as a complete set of cases from
which the sample is drawn. Van Zyl (2014) terms populace as the larger group from which a
sample is selected. In other words, the populace (or population) is the entire group of potential
participants to whom the researcher seeks to generalise the results of the study. In this study, the
population consists of the major and small banks in South Africa, from which the sample was
drawn.

These banks were chosen according to the SA Reserve Bank’s (SARB) report (annual bank
supervision report for 2017). These banks are also part of the listed companies on the Johannesburg
Stock Exchange (JSE) and are ranked by market capitalisation on the JSE’s All Share Index as of
31 December 2017. The major banks in SA, namely ABSA, Capitec, FNB, Investec, Nedbank and
Standard Bank, were chosen from that list.

2.8 Sampling
The banking industry is one of the most computerised industries. The use of IT resources and
services is critical for banks to ensure competitive positioning in the marketplace (Cordenonsi,
2004). The SA banking industry was selected for this study owing to its operational use of IT.
Moreover, the focus was on the top banks as they hold over 80% of the banking assets and are the
sector trendsetters (Banking Association South Africa, 2017; BusinessTech, 2018).

In purposive sampling, a researcher exclusively selects a sample because of its knowledge about
the topic under investigation (Glen, 2015). This method thus allows for the collection of
cases that are likely to give the researcher the most information about the phenomenon being
studied. The rationale for choosing this approach was that the researcher was seeking knowledge
about the banking industry’s governance structures and the internal auditors’ functionality.
Therefore, purposive sampling was well-suited to targeting only the major banks in South Africa.

This type of sampling means that a researcher makes specific choices about which group to include
in the sample in order to ensure that the sample covers the full range of possible characteristics of
interest. Using purposive sampling, the researcher obtained a sample of banks with relevant
information on all the important sub-groups of the target population. Palinkas, Horwitz, Green,
Wisdom, Duan and Hoagwood (2015) highlight that, in purposive sampling, the sample is selected
based on its knowledge, perceptions and experience of the matter under study.

2.9 Data Analysis and Interpretation


Data analysis consists of breaking up the data into manageable themes, patterns, trends and
relationships (Babbie & Mouton, 2010). Data documentation or execution of fieldwork culminates
in data analysis and interpretation, be it quantitative survey data, experimental recordings,
historical or literary texts, qualitative transcripts or discursive data. The data in this study was
derived from the literature reviewed and the evaluation checklist. This was done in order to
understand the various elements of data by examining the relationships between concepts,
constructs and variables. It also helped to identify emergent patterns, trends or themes in the data
(Maree & Pietersen, 2014).

The annual reports of the top banks were analysed by comparing disclosure of IT governance in
each bank’s reports to the IT governance principles obtained from COBIT, King IV, Basel III, the
IIA and ISACA guidelines. These guidelines provide IT governance principles that the banks may
implement and comply with. The six considerations in the checklist sought to determine whether:
i. The bank had implemented an internal control measure;
ii. The bank had implemented a risk management structure;
iii. The bank had adopted a regulation(s) or framework for its IT governance;
iv. The bank had established an internal audit function;
v. The internal audit function was strategically positioned, i.e. independent and supervised by
the board; and
vi. The internal audit function reduced the risks posed by the IT environment, i.e. performed,
amongst other audits, a risk management audit and an IT governance audit.

These six evaluation requirements were compared against the banks’ annual reports to
determine whether they mentioned or complied with any of these IT governance principles. This
evaluation sought to determine the practices and procedures that have been applied in relation to
whether or not internal auditors reduced the risks posed by the IT environment.

Interpretation involves synthesising data into larger coherent wholes (Babbie & Mouton, 2010). It
is about interpreting and explaining observations by formulating hypotheses or theories that
account for patterns or trends observed in the data. In interpreting data, the results and findings are
related to existing frameworks to ascertain whether these are supported by the new interpretation.
Based on the analysis a conclusion is then formed.

2.10 Validity
The validity and objectivity of the study results were ensured through a structured data collection
method that included an analysis of COBIT, King IV, Basel III, the IIA and ISACA guidelines and
other publications, books, practice advisories, articles, banks’ financial reports and research
reports. Furthermore, an in-depth literature review was conducted and the operations of the South
African banks were analysed, which served as the basis for the development of the
recommendations presented in the study conclusion.

2.11 Conclusion
This chapter discussed in detail the philosophy, strategy and methodology applied in the study. It
provided the rationale for the selection of the research methodology. A qualitative approach was
used as the method of enquiry. This entailed a literature review to reveal the theory and concepts
around IT governance, internal audit and the banking environment. A six-point evaluation
checklist was utilised to determine qualitative factors on whether internal auditors reduced the
risks posed by the IT environment in the top SA banks.

The study used purposive sampling to select the top SA banks. The banks’ financial reports were
used; no consent was required from the banks as these documents are publicly available on the
banks’ websites. Nonetheless, ethical clearance was obtained from the University of
Johannesburg’s Department of Accountancy Ethics Committee. Anonymity, self-determination
and confidentiality were ensured. Confidentiality was ensured by keeping the banks’ information
anonymous. The chapter concluded by discussing the justification of the validity of the results.

The following chapter presents the literature review, including a detailed account of IT governance
as well as the role of internal auditing as it relates to banking IT governance requirements.

CHAPTER 3: Literature Review

3.1 Introduction
The purpose of this chapter is to review the existing literature relevant to the topic under
investigation. While Chapter 1 provided an overview of the study, background and research
problem, Chapter 2 explained the methodology and the research approach. The literature review
is divided into three sections, namely IT risks, IT governance and internal audits, which are
summarised below.

The first section of the literature review examines the risks in the banking industry in South Africa.
This section includes the background of IT, the importance of IT in banks and the challenges and
risks associated with IT.

The second section looks at the importance of IT governance within the banking industry. This
section covers corporate governance, including a discussion of the guidelines that mandate
governance within the banking industry, principles of good IT governance and corporate
governance within banks. This section seeks to identify mitigating actions that can reduce or
alleviate identified risks.

The third section considers the role of internal audit in terms of risk reduction and seeks to establish
if internal auditors review the effectiveness of IT governance within the banking industry. This
section covers the background to internal auditing, including its origins, practices and principles
and the development of the profession. It also discusses the trends and development of the internal
auditing professional body and the accompanying frameworks, standards and guidelines. It also
simplifies and clarifies the role of internal auditing. A number of other issues that are of
fundamental importance to the contribution of internal auditing to organisational success and
survival are also highlighted.

3.2 Background to IT
The term ‘IT’ was first introduced in a 1958 Harvard Business Review article, where it was said
to have the following three characteristics: business software, computational data processing and
business hardware (Mitchell, 2017). IT could also be defined as the ability of computers and
telecommunications equipment to store, retrieve, transmit and manipulate information (Nikoloski,
2012). Similarly, Gelinas, Sutton and Fedorowicz (2008) state that IT refers to any hardware,
software or communications technology that an organisation might adopt to support or control a
business process, enable management decisions and/or provide a competitive advantage (IoDSA,
2009; IT Governance Network, 2010). For the purposes of this study, however, IT is defined as
the use of any system, technology and/or infrastructure for information processing (Rouse, 2015).

An article in BusinessVibes (2015) points out that IT drives innovation, which is one of the
pathways to business success. However, since the 1990s globalisation has given rise to new
challenges and increased competition (Cakmak, 2016). In response, most organisations have
substantially transformed the way in which they run their operations, to the extent that currently it
is difficult to run any business without using IT, or at least some elements of it (Robinson, 2012).

In terms of the development of IT, the scale of information collection, processing and
communication needs has increased significantly as a result of growing populations, the fourth
industrial revolution, the increasing scale of business and the expansion of governments
(November, 2014). As such, governments experienced problems in keeping track of their
populations, telecommunications companies could not keep pace with message traffic and
insurance agencies had difficulties processing policies for the mass of employees (November,
2014). Thus, novel and effective systems had to be developed to handle this increase in information
and it was computers which played a pivotal role in this transformation. Indeed, from the 1950s,
computers progressively transformed the antiquated methods of accounting and record-keeping in
a new industry, i.e. data processing (Mahoney, 1988).

The following section presents the importance of IT within the banking industry, including the
current trends in SA.

3.3 Importance of IT in the Banking Industry
In the 21st century economy, companies are continuously investing in new technologies and
improving processes to build solid customer relationships and increase efficiency and effectiveness
(Gelinas et al., 2008). More particularly, organisations need to ensure that their IT infrastructure
and business procedures enhance their ability to achieve their business goals (Jangara &
Bezuidenhout, 2015). It is in this context that IT is used to exchange ideas, convey desirable
actions, communicate, evaluate results and, most importantly, to make decisions (IoDSA, 2009;
IT Governance Network, 2010). For example, the success of Amazon (widely known to be a
successful retail giant) is based on its dependency on the high quality of its database and its use of
business intelligence tools to analyse the data and information to inform business decisions
(Gelinas et al., 2008). This example indicates that it is important to build a strong relationship
between business processes and IT (Nikoloski, 2012).

Similarly, IT lies at the heart of the banking industry (Deloitte, 2016a). Technology governs almost
every action in the banking industry and, as such, consumes a large percentage of capital
investments and operational expenses (Deloitte, 2016a). Moreover, in response to growing
electronic and mobile consumers across both the retail and corporate industries, PwC (n.d.) states
that banks continue to place customer centricity at the heart of their innovation strategies to
enhance their channels and products.

Owing to this heavy reliance on IT, banks’ IT environments are susceptible to various challenges
and risks (e.g. fraud, natural catastrophes and terrorist attacks or other intentional and unintentional
acts). The most significant risks in the banking industry are discussed in the following section.

3.4 Challenges and Risks Associated with IT


Deficiencies in IT controls can have a significant impact on an organisation (Public Company
Accounting Oversight Board, 2004). Hamidovic (2010) cautions that poor or insufficient board
oversight can be dangerous, especially with regard to IT, as it places the enterprise at risk. IT
divisions have to ensure that IT is aligned with the organisation’s direction and business strategies,
that key risks are controlled and that regulatory compliance is supported by the organisation’s
management body (National Computing Centre, 2005).
In a 2010 study on how IT managers can better mitigate IT risk, International Business Machines
Corporation (IBM) found that organisations and senior executives recognise the need for risk
mitigation as well as the business benefits of doing so (IBM, 2011). However, some IT critical
functions require improvement and there are indications of what the future might hold for IT risks
(ISACA, 2011). Current IT risks include IT security, physical security, hardware and software
malfunction, IT governance and social networking. Organisations that are unable to identify and
address risks become irrelevant and obsolete and do not usually attract investors (PwC, n.d.;
Institute of Risk Management, 2016).

Owing to the nature of the banking environment and the increase in IT usage in this sector, banks
are exposed to very specific risks. Deloitte (2016a) notes that some of the most significant IT risks
in banks include the following:
• Strategic risk, which stems from an ineffective IT strategy and is one of the top threats in
the banking industry (PwC, n.d.; Dumitrescu, 2004; Knudson, 2017; Patel, 2018).
• Cyber security and incident response risk, which arises from exposure to digital
technologies, devices and media. The dangers could include financial loss, disruption and/or
damage to an organisation’s reputation due to failure of its IT systems (PwC, n.d.;
Dumitrescu, 2004; Knudson, 2017; Patel, 2018).
• IT resilience and continuity risk, which includes malicious activity, catastrophes, fatal errors
and pandemics. These sorts of disruptions require a variety of responses in order to resume
operations. Moreover, some types of disasters affect not only that particular organisation,
but also the surrounding community (PwC, n.d.; Dumitrescu, 2004; Knudson, 2017; Patel,
2018; Deloitte, 2017).
• Technology vendor and third-party risk, which refers to data breaches at vendors and other
third parties, which are often costlier than in-house breaches. Additionally, the number of
incidents of such breaches is rising (PwC, n.d.; Dumitrescu, 2004; Knudson, 2017; Patel,
2018; Deloitte, 2017).
• Data management risk, which pertains to ineffective data management. This can lead to
misinterpretation of accounting records and regulatory reporting issues and loss of
stakeholders’ trust (Deloitte, 2016a). Solid data management rests on data governance and
policy, the unwavering quality of information and timeliness of data and clarification of
data ownership, its uses and modification (PwC, n.d.; Dumitrescu, 2004).
• Technology operation risk, which takes into account factors such as performance, quality
standards, delivery times, key performance indicators and service-level agreement
measurements with reputational and financial risk factors. For example, a weak incident
management process leads to the slow and inconsistent resolution of issues, as well as
missed opportunities to strengthen processes (PwC, n.d.; Dumitrescu, 2004; Knudson,
2017; Patel, 2018; Deloitte, 2017).
• Risk of ineffective risk management, which refers to reckless risk-taking. This is often a
result of the board of directors and executives not understanding how IT operations function
(PwC, n.d.; Dumitrescu, 2004; Knudson, 2017; Patel, 2018; Deloitte, 2017).

As a result of the above risks, internal control has become increasingly important because of the
emphasis shareholders place on corporate governance, as well as their expectations that the
governing bodies and executives demonstrate control over business processes. To this end, the
Bank for International Settlements (BIS) noted that financial institutions’ boards of directors and
executives ought to consider IT as equally important as other strategic board agenda topics
(Hamidovic, 2010; Krishnamurthy, 2013).

One of the recent and major risks in IT is big data, the use of which has been largely adopted within
the banking industry. Big data is a term that describes the large volume of data – both structured
and unstructured – that inundates a business on a daily basis (SAS Institute, 2017). Rouse (2015)
confirms this definition, stating that big data refers to any voluminous amount of structured, semi-
structured or unstructured data that has the potential to be mined for information. The ‘Three Vs’
that characterise big data are its excessive volume, the wide variety of data types and the velocity
at which this data must be processed (Rouse, 2015).

The advantages of using big data in banks include reduced costs, greater innovativeness, gaining
a competitive advantage (Seetharam, 2016), more effective management of credit risk (Toseland,
2017), improved predictive capabilities, increased agility (Oracle, 2016) and higher and faster
levels of insight into data, enabling more effective decision-making (Oracle, 2016). The use of big
data also means more efficient turnaround times in the banking industry (Toseland, 2017; Oracle,
2016).

The advantages of big data are considerable, but banks should also carefully weigh the potential
drawbacks before committing to such a project. These include employees’ current skill sets,
mapping the gaps required for implementation of data analytics, investment infrastructure and
infrastructure cost, as physical data storage and data warehousing represent significantly high costs
(Meadows, 2014; Chandani et al., 2015).

In the end, however, when weighing up the advantages and disadvantages of big data, most
organisations decide that the advantages outweigh the disadvantages. Nonetheless, the relative
drawbacks and benefits of big data are always worth careful consideration before launching a new
big data project (ITWeb, 2016).

3.5 Summary: Information Technology


IT is mostly used for business operations, where its commercial use encompasses both computer
technology and telephony (Rouse, 2015). These technological improvements have modernised
almost all facets of life and commerce, including accounting. In order to be competitive in the
business environment, organisations need to constantly improve and develop their IT systems. IT
is fundamental as it allows organisations to enhance business processes and attain economies of
scale (Oven, White, Katyal & Henchock, 2012). However, this also poses risks to banks which
therefore need to ensure that they implement control measures to mitigate the risks that accompany
IT usage, including risks posed by big data. Such risks have an impact on the entire organisation
and therefore it is necessary to have internal audit and risk management divisions within the banks
to address these risks and manage them through effective control systems (Ellingwood, 2011).
Essentially, the entire risk management process must proactively deal with detecting and
preventing risks that could cause damage to the organisation.

This section established that IT is the main driver of all transactions in the banking industry, thus
IT risks in this sector are multi-layered and complex. These risks include, among others, IT
security, physical security, hardware and software malfunction, IT governance and social
networking. As such, banking systems need to be protected against both internal and external
attacks and risks. Because strategies to prevent these attacks sometimes prove to be difficult, if not
impossible to implement, the approach should be to try to manage the outcome. Doing so requires a
comprehensive approach in mitigating and preventing these attacks and risks.

Critical link to research objective and checklist


The literature emphasises the importance of safeguarding the IT environment within the banks,
as it is vulnerable and often attacked. Therefore, practices around safeguarding the bank’s assets
against attacks will be tested to:
1. Determine if the bank implemented an internal control measure; and
2. Determine if the bank has implemented a risk management structure.

Owing to its crucial role in banks, IT needs to be governed or managed carefully (Radojevic &
Radovanovic, 2010), as the banking industry’s performance often depends on the reliability and
security of its technology. Thus, in order to govern IT and to provide reasonable assurance that the
goals of each process are being achieved, banks take different measures, such as:
• Hiring external auditors, often annually, and usually to establish a permanent internal audit
function within the organisation; and
• Using separate audit functions for the IT section to identify vulnerabilities within that
section and then implement the necessary steps to overcome or reduce their impact
(Deloitte, 2016a).

The following section discusses the guidelines mandating IT governance within the banking
industry and addresses the concept of IT governance and its related frameworks. Governance
structures are also assessed in terms of how they work within the SA context.

3.6 Mandating Governance


The United States of America (US) has a series of regulations that require organisations to practice
and promote good corporate governance, including the Sarbanes-Oxley Act of 2002, the Securities
and Exchange Commission and the various stock exchanges’ guidelines. In South Africa,
corporate governance disclosure was introduced as a result of changes in international and local
governance trends, becoming effective on 1 March 2010 (IoDSA, 2009). The King Report recommends
that all SA public and private companies adopt and promote good principles of corporate
governance as set out in the report (Ngwenya, 2015).

According to the King IV recommended practices, companies should disclose relevant and
adequate information about their operations in their integrated annual reports. Nkonki (2017)
explains that in the company’s integrated annual report, the board of directors should include IT
reporting which should be complete, timely, relevant, accurate and accessible.

The next sub-section examines the principles for good IT governance to establish what is currently
acceptable to the banking industry.

3.6.1 Principles of Good IT Governance


This section provides an overview of the key principles of IT governance. Bank executives need
to comply with these principles in respect of their IT mandate. BIS (2015) reiterates that banks’
board members must address IT with the same importance that they would attach to any other
strategic board agenda item.

According to the IIA (2015), monitoring IT performance and investment requires an organisation
to adhere to a certain IT governance model or to adopt the key principles of IT governance. The
IT Governance Institute (ITGI) (2011) has defined the five elements of IT governance that could
be used to identify specific governance practices and goals, which are illustrated below.

Figure 1: Five elements of IT governance
Source: Protiviti (2015:30)

In order for IT governance to be effective, banks should consider discussing this model in board
meetings and implementing such model (ITGI, 2011), which comprises the following:
i. Strategic alignment, which deals with the strategic needs of the organisation. The strategy
of the organisation should be aligned to the delivery of IT services (ITGI, 2011). Moreover,
Hamidovic (2010) states that the organisation’s strategy should be innovative and take into
account IT’s current and future capabilities.
ii. Risk management, which pertains to transparency and accountability in the risk
management process (Hamidovic, 2010) as well as IT risk awareness and understanding of
risk tolerance and appetite.
iii. Performance management, which measures the organisation’s performance versus its set
targets, as well as strategy implementation and value delivery (ITGI, 2011). Metrics are
used to evaluate and monitor IT progress and IT performance.
iv. Resource management, which refers to the alignment of capabilities and the optimisation of
investment resources (ITGI, 2011) and includes the management of technology, processes
and human resources.
v. Value delivery, which ensures that delivered benefits and value are in line with strategy
(ITGI, 2011) and are used to assess whether or not the organisation can measure the value
against the business of IT investments.

Although the banking industry already operates in a rigid and highly regulated environment,
banks still need to adhere to these principles. Not only do these principles represent best practice
and good governance, but they have also proven to be successful in improving organisational
operations (Hamidovic, 2010).

The next section presents the corporate governance and key principles of IT governance. Each
bank’s strategy should be aligned to these principles, which comprise an industry standard
framework and, when properly implemented, could reduce risks and threats to a certain degree.

3.7 Corporate Governance in the Banking Industry


In order to effectively deal with the challenges and risks discussed in section 3.4 above, a vigorous
corporate governance structure needs to be implemented and properly dealt with by an oversight
governing body. IoDSA (2009) states that corporate governance primarily includes establishing
structures and procedures with applicable checks and balances that empower executives, non-
executives and directors to carry out their legal responsibilities and to manage compliance with
the law. As such, corporate governance is centred on the structures, policies and systems that direct
and control companies. It is essentially a combination of law and practices, which are grounded in
fiduciary duties and applied to regulate the conduct of those in control (Nikoloski, 2012).

Similarly, Maseko (2012) defines corporate governance as a set of mechanisms, both institutional-
and market-based, which induce a company’s stakeholders to make decisions that maximise the
company’s value for its owners. For the purpose of this study, corporate governance is defined as
the governing body and executives’ responsibilities regarding leadership, oversight, organisational
structures, accountability and processes to ensure that the organisation sustains and extends
organisational strategies and objectives in line with applicable policies and regulations
(Lingenfelder, 2015).

Corporate governance builds and strengthens accountability, credibility, transparency, integrity
and trust (Ngwenya, 2015; Maseko, 2012; IoDSA, 2009). IT plays an essential role in boosting
corporate governance, since most key business processes are generally automated and executives
depend on information produced by IT systems for their decision-making (National Computer
Centre, 2005).

The next section deals specifically with IT governance.

3.7.1 IT Governance
IT governance was primarily introduced to effectively control and manage risks introduced by IT
(Ngwenya, 2015). The ITGI (2011) states that the purpose of IT governance is to coordinate and
steer IT endeavours and to ensure that IT’s overall performance meets the following objectives:
• “To be aligned with the enterprise and realise the promised benefits.
• To enable the organisation to take advantage of opportunities and maximise benefits.
• To use IT resources responsibly and
• To appropriately manage IT-related risks”.

The risks discussed in section 3.4 require robust and comprehensive governance structures to
ensure that they are appropriately managed and effectively controlled. IT governance is a segment
of corporate governance that particularly focuses on the IT structures, systems and performance
and the management of associated risks, which are important in banks, as some of the major risks
faced by the banks are IT-related (IBM, 2011). Therefore, the response to IT risk should be
managed properly, hence the need for robust and sound IT governance structures within banks.

• The significance of IT governance in the banking industry


The use of IT resources and services is critical if banks are to occupy a more competitive position
in the marketplace (Cordenonsi, 2004). Moreover, the banking industry is one of the major
investors in IT. In the SA economy, the banks direct as much as 12% of their expenditure towards
IT (McKinsey, 2016). Tarrant (2016) calculates that in the 12 months ending June 2016, the large
SA banks (retail and commercial) spent in excess of R30 billion on IT, including the cost of staff
involved in this function.

Effective IT governance in banks has the potential to increase accountability and offer the IT
functions quantifying criteria. It can also enhance and improve the support system around the
bank’s strategy and thus deliver value (Gupta, 2015). IT governance is also crucial in ensuring
growth and business operationalisation (Lalwani, 2017). By establishing and developing well-
managed governance structures and overseeing information risks and security, IT governance can
manage demand, deliver value and protect against risk. A solid IT framework within banks helps
to establish balance between rigour and responsiveness on a constant basis (Chaves, Galegale &
Azevedo, 2016). If an IT governance framework is legitimate and properly implemented, it can
have a direct impact on how IT is perceived at higher management levels.

With apparent benefits accruing from IT governance, such as concentrated and reduced costs,
reduced exposure to legal risk and improved performance, developing and implementing an
information governance framework should be of paramount importance for any banking institution
(Chaves et al., 2015). As such, the issues of corporate governance and IT governance are crucial
for the development and growth of investment that can be audited in the SA banking sector.

3.7.2 IT Governance Frameworks


In order to minimise and control the risks and threats posed by the IT environment, it is necessary
to adopt relevant policies, strategies and frameworks (Noraini, Bokolo, Rozi & Masrah, 2015;
Ngwenya, 2015). The frameworks below describe the relevant governance components and
support used for an organisation’s IT strategies and objectives.

• COBIT
COBIT is the main framework for the governance and administration of an organisation’s IT
(ISACA, 2016) and combines five principles that enable an organisation to establish and maintain
efficient IT governance. COBIT is centred on what is required to realise and achieve IT control
and is positioned at a high level.

ISACA (2012a) states that successful organisations understand the benefits of IT governance and
use this understanding to amplify and increase their share value. Organisations should recognise
their business processes’ integral reliance on IT, the obligations that are necessary to meet the
terms of increasing regulatory compliance demands and the benefits of managing risk. COBIT is
a generally accepted internal IT control framework and is frequently used in conjunction with other
good practices, benchmarks and in-house guides (Badenhorst, 2012).

• King IV
The King IV Report on Corporate Governance for South Africa (King IV) sets out the
internationally recognised standards of operation (Ngwenya, 2015). King IV presents 17 voluntary
principles and leading practices (PwC, 2016). The technology and information governance
requirements in the code are as follows:
• The board of directors is responsible for technology and information governance and
should direct how this is to be approached (IoDSA, 2017).
• The board should delegate these responsibilities to management for implementation and
execution (IoDSA, 2017).
• The board should exercise constant monitoring and oversight of IT management (IoDSA,
2017).
• The board should also receive periodic independent assurance regarding the effectiveness
of the organisation’s IT arrangements, together with outsourced services (IoDSA, 2017).
• The IT reports should provide an overview of the arrangements for governing and
managing IT, key areas of focus during the reporting period, significant changes in policy,
significant acquisitions, remedial actions taken as a result of major incidents and actions
taken to monitor the effectiveness and action plans (IoDSA, 2017).

In particular, principle 12 of King IV outlines the requirements for IT governance. This principle
states: “The governing body should govern technology and information in a way that supports the
organisation setting and achieving its strategic objectives” (IoDSA, 2017:62). This code is not
universal or a ‘one-size-fits-all’ regulation and should be used in conjunction with other applicable
regulations. Rather, the focal points of the King IV code on IT governance are IT strategy, IT and
business alignment, value delivery, overall performance management, information security,
information management, roles and responsibilities (including those of the governing body,
management, audit committee and risk committee), IT compliance, business continuity planning
(including disaster recovery planning), IT project management and benefit realisation, IT
sustainability, IT risk management, IT and third parties and IT cost management (Levenstein,
2017; IoDSA, 2017).

• Basel III
Basel III is an internationally agreed upon set of guidelines and measures developed by the Basel
Committee on Banking Supervision in response to the financial crisis of 2007-2009. Basel III
proposes that corporate governance currently significantly relies on IT; therefore, the proposed
measures aim to tighten the regulation, administration, supervision and risk management of banks
(BIS, 2015).

Basel III also requires banks to establish, implement and maintain a sound and effective IT
governance structure to increase the probability of achieving goals, improve the identification of
opportunities and threats and allocate and use resources for the treatment of risks (Chaves et al.,
2015). Consequently, Basel III highlights the importance of IT risk as an essential measure of
operational risk and the significance of IT governance implementation.

Lastly, Basel III acknowledges that it is challenging to develop fixed rules due to rapid innovation
changes, individual differences between banks and the nature of information systems themselves,
including information system safety and accessibility changes. Thus, individual banks have the
freedom to choose the measures that they wish to implement in their regular and daily business
activities, with the aim of improving their IT governance and reducing IT risk (Lackovic, 2013).

• IIA IT Governance Model


The IIA (2012) published a governance model that organisations can adopt to implement effective
IT governance within their ambits. This model has five pillars, which are presented in Table 1 below.

Table 1: IIA IT Governance Model

Pillar | Goal
1. Organisation and governance structures | • IT governance is aligned with the organisational and architectural structures. • IT function mirrors the organisation’s structure.
2. Executive leadership and support | • A clear vision is set by the executive leaders, which should show how IT functions will assist the organisation to achieve its strategic objectives. • Alignment between the organisation’s strategy plan and its IT plan.
3. Strategic and operational plans | • Goals are shared between the organisation and the IT function.
4. Service delivery measurement | • The value of IT spend is measured. • The key performance indicators are proactively managed.
5. IT organisation and risk management | • IT system functions successfully and is dependent on how well the board and executives properly manage the IT risks.

Source: Adapted from IIA (2012).

This model reduces and mitigates some of the risks in the IT environment, because it offers an
oversight role of both the organisation’s strategy and its IT investments. This role promotes smooth
operations between the different departments, which is essential in the ever-changing banking
environment (IIA, 2012).

Other IT governance frameworks that are commonly used are discussed below.

• Committee of Sponsoring Organisations of the Treadway Commission (COSO)


COSO’s enterprise risk management and integrated framework has established a common
language and foundation that organisations can use to holistically assess and oversee risks
(ISACA, 2011). This framework focuses on:
• Internal environment – determining how risks and controls are viewed.
• Objective setting – aligning organisational objectives.
• Event identification – identifying opportunities and/or risks.
• Risk assessment – determining the impact of risks.
• Risk response – mitigating risks.
• Control activities – assigning control responsibility.
• Information and communication – establishing timely and accurate communication
flows.

• Value from IT Investments (Val IT)


Val IT is centred on value delivery, ensuring that IT-enabled investments are managed throughout
their economic lifecycle (ISACA, 2011) and provide the organisation’s governance process with
the means for a thorough evaluation of the results of an IT program. Risk IT and Val IT both
require IT governance managers to consider the strategic objectives of other affected groups within
enterprises, ensuring that IT implementation is aligned to the enterprise’s business needs (ISACA,
2011).

Val IT complements COBIT from both a business and a financial perspective. While COBIT
establishes good practices, contributing to the process of value creation, Val IT establishes good
practices for the process outcomes by providing enterprises with the structure they require to
measure, monitor and optimise business value from their IT investment.

• International Organisation for Standardisation (ISO)


The purpose of ISO/IEC 27002 is to provide information to those parties responsible for
implementing information security within an organisation. ISO offers recommendations for best
practice regarding developing and maintaining security standards and management practices
within an organisation, for the purpose of improving information security in inter-organisational
relationships (Badenhorst, 2012). The purpose of this standard is to promote effective, efficient
and acceptable use of IT in all organisations. It sets out the following six principles for good
corporate governance of IT (AICD, 2008, Toomey, 2008; Pink Elephant, 2016):

• Responsibility: The responsibility for acceptable and unacceptable use of IT equipment
should be clearly communicated and fully understood by all employees. Indeed, the
responsibility of IT should be appropriately communicated to all stakeholders.
• Strategy: Aligning an organisation’s IT activity with its business requirements should be
managed as part of the organisational strategy and given significant attention.
• Acquisition: IT investments should be managed as part of establishing an organisation’s
IT strategy. Decisions to invest in IT must be made after thoroughly considering the
elements that will determine success. This decision should also be aligned to the risk
management process.
• Performance: Demand for IT service and IT functionalities and capabilities in an
organisation’s current operations and the development of new business systems ought to
be moderated in respect of the overall business plan and should be balanced against the
organisation’s capacity to achieve or deliver the required service and resources.
• Conformity: IT conformity should be appropriately enforced in an organisation and all
rules governing the use of IT should be formally identified, visible and clearly
communicated.
• Human Behaviour: Characteristics and the requirements of the personnel who will use,
implement and operate IT equipment should be taken into consideration when planning
and using IT.

3.8 Summary: IT Governance in the Banking Industry


This section established that there is a series of global regulations mandating corporate
governance. In the SA context, one of the major regulations is the Companies Act 71 of 2008. This
Act makes reference to the King IV Report, which promotes the apply-and-explain approach.
Unquestionably, IT governance is important in the banking industry, as has been seen in the banks’
IT expenditures; banks spend around 12% of their budget on IT investments and projects. Thus,
the principles for good IT governance are fundamental for the banks. It is recommended that the
banks include the following principles for IT governance:

• The bank’s IT function should be aligned with the organisation’s strategy and it should be
able to achieve both its tactical and strategic objectives; doing so is key, because it shows
synergy within the banking environment.
• A risk-based strategy would significantly assist the bank’s IT function; if risk management
techniques are embedded within the bank’s strategy, then the organisation is more likely
to be equipped and well-prepared for any unexpected event.
• A comprehensive plan that covers preparation, implementation and monitoring must be
adopted to ensure that the use of IT meets the bank’s objectives.
• The bank’s internal audit and risk management functions should be aligned and the
relevant employees should be adequately trained and skilled to ensure that they are able
to add value to the bank.

The IT governance framework revealed that COBIT is specifically aimed at IT controls, seeking
to make IT governance an integral part of organisational governance. The guidelines for IT
governance under King IV and Basel III are clear on the requirements for implementing,
monitoring and disclosing IT governance and relevant issues to the board and stakeholders. The
IIA model focuses on reducing and mitigating some of the risks in the IT environment because
it offers an oversight role over both strategy and IT investments.

COSO is concerned with safeguarding processes that ensure the objectives regarding the
effectiveness and efficiency of operations are achieved and that the financial reporting and
compliance with applicable laws and regulations is consistent. ISO then seeks to promote the
effective, efficient and acceptable use of IT in all organisations by setting out the following six
principles for good corporate governance: responsibility; strategy; acquisition; conformance;
performance; and human behaviour. Finally, Val IT is seen as the best practice for developing and
maintaining security standards and management practices within an organisation, for the purpose
of improving the reliability of information security in inter-organisational relationships.

Critical link to objective and evaluation
The literature emphasises the importance of IT governance and its key practices that could be
implemented in the banks. It also highlights some of the common frameworks implemented.
Therefore, the banks’ IT governance system and structures will be tested by posing the following
question: Has the bank adopted a framework or regulation(s) for its IT governance?

The next section analyses internal auditing and examines various techniques used by internal
auditors and the internal audit functions.

3.9 Introduction to Internal Auditing


The IIA (2017) states that internal auditing is an independent profession involved in assisting
organisations to achieve their objectives; it deals with evaluating and improving the effectiveness
of risk management, control and governance practices in an organisation. According to the South
African Companies Act 71 of 2008 and the Basel Committee guidelines, all public and private
companies should have an internal audit function.

Internal auditing is a multidimensional discipline that covers many aspects and has become a key
operation within many organisations. The internal auditor is considered to be an organisation’s
quintessential friend, namely, an independent advisor who can challenge current practice,
champion best practice and act as the catalyst for improvement, with the objective of ensuring that
the organisation as a whole can achieve its strategic objectives (IIA, 2017).

This section discusses the importance of internal auditing, its position within organisations and its
approach to reducing risks, with the aim of showing how internal auditing can be beneficial to the
banking industry. This section presents the literature on internal auditing and its developing
function, the importance of internal auditing, its strategic positioning and the types of audits and
reviews performed within the banking industry.

3.10 Importance of Internal Auditing
As business strategies move towards corporate sustainability and excellence, internal auditing
continues to progress as an end result of changes in the business strategies, models and state of
affairs placed on it by policymakers (Ali, 2016). The increased importance of internal auditing is
reflected in the revision of most of the accepted codes of corporate governance such as COBIT,
King IV, Basel, IIA and various other governance regulations (Williams, 2016; IIA 2013; Maseko,
2012).

According to the IIA (2014), the main reasons for having an internal audit function are to:
• Provide reasonable assurance to the audit committee and executive management regarding
governance processes, the control environment and the effectiveness of risk management
(IIA, 2014; Morris, 2017).
• Add value to the organisation; thus, this function should be independent of the functions
it reviews in order to provide objective insight that is free from conflict of interest (IIA,
2014; Morris, 2017).
• Conduct several kinds of auditing, such as compliance reviews, operational and financial
audits and integrated audits (IIA, 2014; Morris, 2017).

Some of the IT governance frameworks discussed in sub-section 3.7.2 support the IIA. For
instance, according to COBIT, the importance of internal auditing is highlighted under the process
capability model, where IT controls can be better monitored and audited when the control objective
is unambiguous (MetricStream, 2018). The benefit of COBIT is that it helps to determine the
control objectives. Moreover, the process capability model, as highlighted in COBIT, has an array
of benefits for auditors, including enhanced usability, reliability and the frequency of process
capability assessment initiatives. It also provides a strong base for conducting more rigorous
assessments and reduces the disagreements between stakeholders on assessment results
(MetricStream, 2018).

The role of internal auditing is also recognised in King IV as being an assurance provider and
pivotal to corporate governance. King IV states that if a listed organisation does not have an
internal auditing function, it needs to explain why not (IoDSA, 2017). This means that internal
auditors have become trusted consultants and advisors who provide insight into the organisation’s
activities and often anticipate possible risks and appropriate responses (Crest Advisory Africa,
2017). Moreover, good governance structures call for effective risk functions, internal control
systems and audit functions (internal and external), which are designed to achieve organisational
goals and objectives (IoDSA, 2017).

Internal auditing is crucial to the success of Basel III, since the objectives of this type of banking
reform are to safeguard the financial system and reduce the risk that the taxpayers will once again
have to bail out the banking industry. For that reason, risk management and internal auditing have
significant roles to play in ensuring that this does not happen (Barfield, 2012). Thus in 2012, the
Basel Committee on Banking Supervision issued directives to measure the effectiveness and
efficiency of the internal auditing function within banks. This guideline provides corporate
governance principles specifically for banks, presenting a total of 13 principles that are listed as
‘key elements’. It also sets out values concerning the supervisory expectations relevant to the
internal auditing function (BIS, 2012). Consequently, some banks have adopted the Basel III
guidelines on banking supervision and corporate governance.

Additionally, the IIA (2013) states that the key to good governance oversight is for the internal
auditing function to constantly evolve so that it adds value and remains relevant to the
organisation it serves. In other words, the internal audit function should constantly seek better
ways to achieve organisational objectives, improve operational processes and effectively reduce
and control risk through both assurance and consulting services (Ali, 2016). It is in this way that
the importance of internal auditing will be seen and understood in an organisation.

With specific reference to IT governance, the IIA added standard 2110.A2, which challenges most
internal audit functions across the globe to assess IT governance within their organisations. The
standard states that “[t]he internal audit activity must assess whether the IT governance of the
organisation supports the organisation’s strategies and objectives”. Not only does the IIA require
the internal audit function to broaden its audit plan to include IT review, but it also requires that a
review of this calibre be performed by an adequately skilled resource (IIA, 2013).

The competencies and skills of internal auditors are briefly discussed hereunder, together with
the function’s strategic positioning.

3.11 Strategic Positioning of Internal Auditing


Sections 3.7 and 3.8 above indicate that corporate governance standards require the internal audit
function to ultimately help the business to identify, assess and mitigate the risks associated with
IT, thus ensuring that business benefits are realised and risks are addressed (IIA, 2013, 2017;
Jonker, 2014). For instance, King IV emphasises the key role of an audit committee in ensuring
the integrity of financial controls and integrated reporting and identifying and managing risk
(IoDSA, 2017; Deloitte, 2016b). To do so, the internal audit function needs to be aware of both
the advantages and risks associated with financial reporting systems and technologies in order to
add value to the organisation (IIA, 2014; Protiviti, 2015). Therefore, to effectively fulfil these
requirements, the internal audit function needs to be adequately resourced and skilled.

It is recommended that the internal audit function should constantly upgrade its skills and
competencies to benefit its organisation. These range from core to general competencies and skills
and combine experience, training and professional education (IIA, 2017). The IIA (2013) issued
an internal audit competency framework that includes:
• Professional ethics, which endorse and apply to professional conduct and ethical rules.
• Internal audit management, which relates to the development, administration and
management of the internal audit function.
• International professional practices framework, which includes an understanding and
‘know-how’ of how the organisation’s governance, risk and control structures relate to
one another.
• Business acumen, which pertains to a basic understanding of the business techniques and
best practices within that industry.

With an adequately skilled and resourced internal audit function, positioning internal auditing will
be fairly easy. In terms of its strategic positioning, the internal audit function should firstly have
unlimited, free and unrestricted access to all records, information, personnel and assets to
appropriately perform its task. The auditors should also have unrestricted access to the audit
committee’s chair (IIA, 2014; Morris, 2017).

Secondly, the organisation’s audit committee should establish the internal audit function to provide
the committee with objective and independent assurance that internal controls are in place and
functioning effectively, as intended (Davis, Schiller & Wheeler, 2011; Companies Act 71 of 2008).
It is recommended that the chief audit executive (CAE) head the internal audit function as the CAE
is the leader of internal audits.

Thirdly, the internal audit function should draft an internal audit charter that outlines its role,
responsibilities and the authority of the function as well as that of the CAE. The charter should
also establish the scope of the audit team’s role, relationship with external auditors, reporting and
so forth (Davis et al., 2011; Companies Act 71 of 2008).

Fourthly, prior to conducting a governance internal audit, it is crucial that the CAE hold an
appropriate independent position within the organisation. The IIA’s Standard 1110 states that the
CAE must report to a level within the organisation that allows the internal audit function to fulfil
its responsibilities, with no impediments or restrictions on information and for the CAE to have
strong support from the audit committee (Morris, 2017; IIA, 2017).

Lastly, best practices for reporting arrangements for the internal audit function include that the
CAE report administratively to the CEO and functionally to the audit committee via the chair for
operations (Morris, 2017; IIA, 2017).

To conclude, if the above recommendations are properly applied, this will position the internal
audit function as an assurance provider, assisting company boards and management to identify the
key risks inherent in the business and its processes (Protiviti, 2015). It is absolutely essential for
the audit committee to have an internal audit function that it can trust and which is capable of
monitoring the organisation. As the IIA (2014:1) states, “[i]nternal audit has become an important
element in the assurance environment of many organisations and a valuable tool and contributor
to managing risk more effectively”.

The next section discusses the different types of audits performed within the banks.

3.12 Different Types of Audits and Reviews Conducted within the Banking Environment
According to the BIS’ (2014) seventh principle, the scope of the internal audit’s activities ought
to ensure sufficient coverage of corporate governance and IT governance features within the audit
plan. This means the bank’s internal audit function should be fully equipped and able to evaluate
risk management functions, regulatory capital adequacy and liquidity control functions, regulatory
and internal reporting functions, the regulatory compliance function and the finance function (BIS,
2014; IIA, 2014; Morris, 2017). Table 2 details internal audit functions in the banking industry.

Table 2: Internal Audit Functions in the Banking Industry

Audit: Risk management
Description: A bank’s risk management process is a strong pillar of corporate governance. The risk
management practices have to reflect the bank’s adherence to regulatory provisions and safe and
sound processes.
Audit features: The internal audit approach is usually determined by the risks within that particular
environment and the internal audit will have to review the bank’s risk management processes and
structures. The internal audit will comprise the market, credit, liquidity, interest rate and
technological, strategic, operational, regulatory, compliance and legal risks within the banks.

Audit: Regulatory capital adequacy and liquidity control functions
Description: Banks must comply with the global regulatory framework structures for capital and
liquidity, as endorsed by the advisory group and executed in national policy. This system contains
measures to reinforce regulatory capital and worldwide liquidity.
Audit features: The internal audit incorporates all provisions of this administrative structure,
specifically the bank’s framework for distinguishing and estimating its administrative capital and
for evaluating its capital assets in connection to its risk exposures.

Audit: Regulatory and internal reporting
Description: The bank regulators perceive regulatory information to be crucial. This information is
used to meet regulatory requirements and it forms the underlying basis for monitoring the bank’s
soundness.
Audit features: Internal auditors should routinely evaluate the regulatory effectiveness procedure
and process through which the reporting functions interact to deliver opportune, exact, solid and
pertinent reports for both internal and external uses.

Audit: Regulatory compliance
Description: Compliance with IT-related legal and regulatory requirements and the effective use of
lawful contracts are part of the control and oversight exercised by the board of directors.
Audit features: The internal auditing function should evaluate all regulations and determine whether
or not the bank complies. All of the regulations regarding IT lean toward similar objectives.

Audit: Finance processes
Description: The bank’s finance function is responsible for monitoring the financial reporting
process and its output. This means the integrity and accuracy of financial data and reporting needs
to be ensured. For instance, profit and loss valuations and reserves impact the level of a bank’s
capital resources and therefore the associated controls need to be robust and consistently applied
across similar risks and businesses.
Audit features: Internal audits have to periodically review the bank’s financial processes, using
resources and expertise to provide an effective evaluation of bank practices. The audit should cover
an examination of the control environment, availability and reliability of supporting information
used in the valuation process and the reliability of estimated fair values.

Source: Adapted from BIS (2014), IIA (2014) and Morris (2017).

From examining the different types of internal audits and reviews above, it is evident that internal
audits should audit IT governance.

To confirm the above in the study sample, information in the selected banks’ annual financial
reports was assessed to determine if any of the above audits were disclosed. For the financial period
ending 2017, 80% of the big SA banks stated that the third line of control, i.e. internal audits,
provided independent assurance. Internal auditing evaluates the adequacy and effectiveness of
internal control, governance and risk management. The internal audits conducted included, but
were not limited to, different models of governance risk management and a system of internal
controls.

3.13 Summary: Internal Auditing


This section established that for any organisation to operate effectively and in line with SA
regulations, it should implement an internal audit function. Having this function within the banks
allows them to achieve their goals and objectives while working effectively. This function should
be led by the CAE and should be supervised by the board. Richard and McFarlen (2005) state that
not having board oversight of IT activities places an organisation at risk in the same way that
failing to audit its books would.

This section highlighted the importance of the internal audit function and confirmed that it was
beneficial for banks to establish such a function because it:
• Offers an independent and unbiased view of the management of the banks;
• Enhances the efficiency and effectiveness of the bank’s processes and procedures;
• Protects the bank’s assets;
• Assesses risks;
• Increases transparency of the bank’s risk standards and internal control landscape by improving
its control environment; and
• Ensures that the bank operates within the applicable laws and regulations.

Additionally, the importance of internal auditing was emphasised in several frameworks and
policies. For example, various pieces of legislation require that organisations which conduct
business in a particular country or region establish a sound internal audit function. As such, the
banks operating in SA should comply with the South African Companies Act 71 of 2008 and have
an internal audit function (whether in-house or outsourced).

This section also revealed that the positioning of the internal audit function within the banks should
be in line with the internal audit charter if it is to provide independent, objective assurance. A
discussion of the different types of audits and reviews revealed that the internal audit function does
audit the effectiveness of IT governance within the banks, at least to some extent.

Critical link to objective and evaluation
The literature emphasises that banks must have internal audit services and that this function
should be strategically positioned. Therefore, the banks’ internal audit structures will be tested
to determine:
• If the bank has established an internal audit function.
• If the internal audit function is strategically positioned, i.e. independent and supervised
by the board.
• If the internal audit function reduces the risks posed by the IT environment, i.e. performs,
amongst others, a risk management audit and an IT governance audit.

3.14 Conclusion
This section dealt with the history of IT from the 1950s to the present day and examined how the
use of IT has evolved over the years, with a particular focus on the function of IT in today’s
business world. IT is now an integral part of business as opposed to a supporting function. Indeed,
it is an enabler of business operations, forming part of organisational short- and long-term goals,
and allows organisations to be competitive.

However, IT has also brought about new security challenges as organisations move away from old
practices to align with new trends, thus exposing the organisation to risks. These risks must be
identified and stringent controls must be implemented to mitigate them. For a bank to implement
complete risk management processes and plans, it should also include IT risks. Against this
backdrop, big data within the banking industry was explored, looking at its advantages and
disadvantages which are imperative for banks.

The banking sector’s corporate governance was then discussed. IT governance within the banking
sector plays a significant role and was linked to the IIA IT governance model. The difference
between IT frameworks and regulations was illustrated, to determine the extent to which King IV
is aligned with other international regulatory frameworks. The internal audit function was then
discussed, particularly its importance, strategic positioning and the responsibilities of internal audit
within the banks.

This section then analysed the role of internal auditors as well as the proficiency required to fulfil
the audit function and thereby add value to an organisation. Comparisons of literature were made
to paint a clear picture of internal audit’s roles and responsibilities relating to risk reduction and
risk management. Deficiencies in IT governance and some common procedures applied by internal
audit were then discussed.

At the end of each section, a summary, a critical link to the research objectives and an evaluation
statement were formulated. This formulation assisted in gathering critical facts that will be analysed
against the current practices applied in the South African banking industry. The evaluation points
are to determine whether or not:
i. The bank has implemented an internal control measure.
ii. The bank has implemented a risk management structure.
iii. The bank has adopted a regulation(s) or framework for its IT governance.
iv. The bank has established an internal audit function.
v. The internal audit function is strategically positioned, i.e. independent and supervised by
the board; and
vi. The internal audit function reduced the risks posed by the IT environment, i.e. performed
amongst other audits, a risk management audit and an IT governance audit.

The next chapter, Chapter 4, presents and analyses the research results.

CHAPTER 4: Presentation and Analysis of Results

4.1 Introduction
While the previous chapter (Chapter 3) reviewed the literature on IT and IT governance in the
banking industry and, in particular, the key focus areas of internal auditors, this chapter focuses on
the empirical study and research findings which reveal the role of internal auditors in IT
governance and whether internal auditors succeed in reducing the risks posed by the IT
environment in the banking industry.

Qualitative factors were deemed appropriate to answer the research question. Therefore, in order
to evaluate the implementation and effectiveness of IT governance and the internal audit function
within the top SA banks, evaluation checkpoints were formed at the end of each section in
Chapter 3. The six checkpoints were evaluated against the practices applied in the top SA banks,
by analysing the content of the banks’ annual reports.

This chapter provides the data analysis and interpretation, evaluating whether the top banks
implemented IT governance and determining the role of internal auditors in IT governance,
particularly in reducing the risks that the IT environment poses to the SA banking industry. The
data was gathered through an assessment of the top banks’ officially published annual reports as
of 2017. This data facilitated scrutiny of the top banks to see if they disclosed their IT governance
practices.

4.2 Approach
The aim of the study was to determine the role of internal auditors in reducing risks posed by the
IT environment. This aim was supported by three research objectives, namely:
• To understand the IT risks in the banking industry;
• To understand IT governance within the banking industry; and
• To understand the role of the internal audit function and to establish whether or not internal
audit reviews the effectiveness of IT governance within the banking industry.

The literature review conducted in Chapter 3 presented in-depth information on the background of
IT, IT governance within the banking industry and the internal audit function. From these themes
emerged the evaluation checklist, which was developed and linked to the research objectives.

To determine the role of internal auditors with regard to IT governance and risk reduction, a
qualitative methodology was followed, as explained in section 2.4. This approach entailed
analysing the IT governance principles of COBIT, King IV, Basel III, the IIA and the ISACA
guidelines, which were linked to the study objectives. The requirements of the above frameworks
and guidelines were consolidated, leading to a six-point, self-developed evaluation checklist. This
checklist, which was used to evaluate the practices and procedures applied in SA banks, sought to
determine whether:
i. The bank had implemented internal control measures;
ii. The bank had implemented a risk management structure;
iii. The bank had adopted a regulation(s) or framework for its IT governance;
iv. The bank had established an internal audit function;
v. The internal audit function was strategically positioned, i.e. independent and supervised
by the board; and
vi. The internal audit function reduced the risks posed by the IT environment, i.e.
performed, amongst other audits, a risk management audit and an IT governance audit.

In order to evaluate the implementation and effectiveness of the IT governance and internal audit
function within the top SA banks, these six points were compared against the practices applied in
top SA banks by analysing the content of the banks’ annual reports. The annual reports from
ABSA, Capitec, FNB, Investec, Nedbank and Standard Bank are often the only public platform
through which banks disclose their IT governance and internal audit-related information to
stakeholders. The 31 December 2017 annual reports were used for this study. It should be noted
that the information disclosed in these annual reports follows a prescribed template and is limited
in terms of depth of disclosure.

4.3 Demographics - Top South African Banks
Section 2.6 outlined the population of this study. The banks analysed include ABSA, Capitec,
FNB, Investec, Nedbank and Standard Bank. Determining the top six banks in South Africa
was achieved by consulting the SARB’s Annual Bank Supervision Report from 2017. The list
comprises 18 banks in total. According to the report, total banking sector assets increased from
R4.88 trillion in December 2016 to R5.16 trillion at the end of 2017 (BusinessTech, 2018). The
report ranks the biggest banks in South Africa by asset value as of 31 March 2018. The top six
banks were selected from Table 3.

Table 3: Brand Finance's ranking in 2018

No. Bank Assets (R billion) Growth Sampled


1. Standard Bank 1 254 849 +1.64% Yes
2. FNB 1 120 747 +10.23% Yes
3. ABSA 983 378 +7.51% Yes
4. Nedbank 892 006 +2.60% Yes
5. Investec 415 285 +7.29% Yes
6. Capitec 87 033 +21.34% Yes
7. African Bank 31 356 -14.00% No
8. Grindrod Bank 16 696 +9.91% No
9. Mercantile Bank 12 892 +8.97% No
10. Bidvest Bank 8 508 +21.39% No
11. Sasfin 7 778 +14.29% No
12. Albaraka Bank 5 930 +10.10 No
13. Ubank 5 224 +12.90% No
14. HBZ Bank 4 856 +14.97% No
15. South African Bank of Athens 2 355 +3.95% No
16. Tyme Digital (Commonwealth Bank of South Africa) 1 403 +100.00% No
17. Habib Overseas Bank 1 186 +4.61% No
18. Discovery Bank 622 +100.00% No
Source: Adapted from BusinessTech (2018) and the Banking Association South Africa (2017).

4.3.1 Recommended IT Governance Practices
In order for an organisation to gain stakeholder value, the IT department should set out IT
governance practices that directly deal with the management of IT resources adequately and
proficiently (PwC, 2015).

The frameworks and guidelines discussed in Chapter 3 provide several IT governance and internal
audit requirements that banks need to apply and comply with. The King report is the recommended
IT governance and disclosure requirement that South African companies should comply with. In
addition, the Basel Committee on Banking Supervision updated and issued a consultation Pillar 3
disclosure requirement. This update of the Basel framework seeks to promote market discipline
through regulatory disclosure requirements which echo the King report (BIS, 2018). Basel requires
the disclosure of the inclusion of operational risk, the leverage ratio, credit valuation that would
benchmark a bank’s risk-weighted assets and an overview of risk management process (BIS,
2018).

Therefore, the banks’ disclosures can be used to conclude whether they have applied, partially
applied or not applied the requirements and whether there is a need for COBIT, King IV,
Basel III, the IIA and ISACA guidelines to improve and clarify their requirements with regard to
IT governance and disclosure.

4.3.2 Recommended IT Governance Practices for the Purpose of Testing


There is an undisputed need to strengthen regulation and supervision by enhancing the disclosure
of financial institutions (Sanusi, n.d.). Full disclosure requirements, including operational,
corporate governance and management information, are mandatory for the banks, especially after
the global financial crisis of 2008 (Sanusi, n.d.). The King IV report, which promotes the
apply-and-explain approach (IoDSA, 2017), requires companies to comply with corporate governance
requirements.

In 2015, the SARB provided the status on South Africa’s ongoing implementation of Basel III and
global regulatory reforms. The Reserve Bank reiterated the importance of disclosure by stating
that “the revised disclosure requirement known as Pillar 3 supersedes Basel II” (SARB, 2015:2).

Furthermore, SARB stated that this revision would improve the banking sector's ability to absorb
shocks arising from financial and economic stress, whatever the source, improve risk management
and governance, and strengthen banks’ transparency and disclosures.

4.4 Findings
This section outlines the findings that emerged from the data. Original passages are cited to reveal
the subtleties and complexities of the research participants’ accounts (Kvale, 1996). This also
demonstrates that the findings are not simply an offering of raw data but are generated and drawn
from the analysis of raw data (Ritchie & Lewis, 2003). For the purposes of the analysis and the
protection of the participants’ information, the banks will be labelled as Bank 1, Bank 2, Bank 3,
Bank 4, Bank 5 and Bank 6.

4.4.1 Presentation of the Findings


The findings are presented according to the six considerations on the list.

Consideration 1: Determining whether the banks have implemented internal control measures
The first point on the checklist assessed whether the bank adopted a system of internal controls.
This consideration sought to understand the risks within the banking industry and how banks rate
the importance of their control environment as it impacts on their profitability and performance.

• Overall analysis
In the discussion on the challenges and risks within the banking industry (section 3.4), it became
evident that the bank’s internal control environment has become increasingly important because
of the emphasis shareholders place on corporate governance structures, as well as their
expectations that the board of directors and executives demonstrate control over business
processes. The banks’ annual reports state the following:

Table 4: Results on whether a system of internal controls was implemented

Top Banks Statement from the Bank

Bank 1 “Executive management, together with a number of sub-committees, manage the
business through a system of internal controls functioning throughout the entity.
This promotes an awareness of risk and good governance in every area of the
business and instils a culture of compliance.”

Bank 2 “Standards and systems of internal controls are designed, implemented and
monitored by management to provide reasonable assurance of the integrity and
reliability of the financial statements and to adequately safeguard, verify and
maintain accountability for shareholder investments and company and group
assets.”

Bank 3 “In making our risk assessments, we considered internal controls relevant to the
preparation of the report. We believe that the evidence we have obtained is
sufficient and appropriate to provide a basis for our assurance conclusions.”

Bank 4 “In ensuring and protecting value in 2017, Our bank has considered the
effectiveness of the internal controls of the group in all material respects
throughout the year under review.”

Bank 5 “We monitor that management:
(i) maintains internal controls for assurance of effective and efficient
operations and compliance with laws and regulations; and
(ii) does this within an ethical environment.”

Bank 6 “The audit committees have responsibility for assessing the adequacy of the
group’s internal controls. The bank ensures the effectiveness of internal controls
and the integrity of financial reporting.”

Source: Adapted from ABSA (2017), Capitec (2017), FNB (2017), Investec (2017), Nedbank (2017) and Standard
Bank (2017).

As can be seen, the various statements from the banks highlight each bank’s individual approach
to its system of internal controls. Bank 1 makes a point that the effective functioning of the internal
control system is the responsibility of executives and a number of sub-committees. The audit
committees of Banks 2 to 6, on the other hand, clearly indicate that they oversee and monitor the
internal control system to give assurance on the integrity and reliability of the financial statement
and risk management. This analysis demonstrates the level of reliance placed on the system of
internal controls. It also shows that the internal control system is taken into consideration in making
risk assessments.

• Finding and conclusion
The content analysed in the banks’ annual reports indicates that they have successfully
implemented a system of internal controls and that this system is running effectively. However,
the banks did not explicitly mention IT controls. The assumption is that effectiveness of internal
controls includes all the processes in the banks. The results thus show that the banks have
successfully fulfilled this requirement of corporate governance, as supported by the IoDSA (2017).

Consideration 2: Determining whether the banks have implemented risk management structures
The second point sought to establish whether the banks implemented adequate risk management
structures and processes. As the banks operate in an ever-changing environment, it is important to
understand some of the risks that they face. This consideration sought to obtain each bank’s position
on whether it:
• Adopted a proactive or reactive approach in its risk management structures.
• Considered a holistic view of the business in its risk management strategies.

• Overall analysis
To effectively and proactively mitigate the risks and challenges highlighted in section 3.4, it is
crucial for each bank to adopt a risk management approach that best suits the bank. Moreover, risk
management is one of the pillars of IT governance. The banks’ annual reports state the following:

Table 5: Results on whether banks implemented risk management structures

Top Banks Statement from the Bank

Bank 1 “Integrated risk management is used in the setting of strategy across the organisation. It
is a structured and disciplined approach to risk management, aligning strategy, processes,
people, technology and knowledge with the purpose of evaluating and managing the
opportunities, threats and uncertainties that the bank faces. It aims to balance both risk
and control effectively.”

Bank 2 “The group’s approach to managing risk and capital is set out in the group’s risk,
compliance and capital management governance framework approved by the group risk
and capital management committee.”

Bank 3 “Our business strategy is underpinned by sound risk management, designed to
effectively balance the relationship between profit growth, returns and earnings
volatility.”
“Effective risk management requires various points of control. The directors and
management are the risk owners, assisted by enterprise risk management and internal
audit.”

Bank 4 “Risk management is fundamental to our strategy and the business of banking. In 2017
the continued evolution of risk management into smarter, practical, digitised and
efficient practices gave us a relevant and competitive business advantage in an
ever-shifting internal and external environment. Our top 10 risks, risk strategy and risk
appetite are integrated in the bank’s business strategy.”
“A monthly CEO Report provides the board with comprehensive feedback on the
performance of the business across various disciplines, including finance, client
activities, risk management and staff performance.”

Bank 5 “Our conduct risk framework brings together all our activities. Focusing on conduct risk
helps us to:
• provide appropriate products and services at the right prices to our customers
and clients;
• uphold market integrity;
• reward the right activities and behaviours; and
• mitigate potential risks.”

Bank 6 “Risk management is embedded into day to day operations and culture. The bank’s
committee is tasked by the board to ensure that all decisions of the board on risk
management policies and procedures are implemented and monitored.”

Source: Adapted from ABSA (2017), Capitec (2017), FNB (2017), Investec (2017), Nedbank (2017) and Standard
Bank (2017).

As can be seen, the various statements by the banks highlight the risk management strategies the
banks have undertaken. The banks explicitly detailed their risk management structures and
mentioned that risk management forms part of day-to-day operations. Moreover, Banks 1, 3, 4 and
6 emphasised that risk management plays a vital role in their overall business strategy.

It was also noted that Banks 3, 4 and 5 had established IT risk and governance committees which
were responsible for information and technology governance, in accordance with King IV. These
ensured the effectiveness and efficiency of the group’s information systems as required by the
Banks Act 94 of 1990. For the other banks, i.e. Banks 1, 2 and 6, the function of this committee
was covered by the traditional audit and risk committee.

Each bank disclosed a “Risk Management Review” section that highlighted the bank’s principles
of effective risk management and controls that are vital for its sustainable and profitable growth.
This clearly shows that the banks have undertaken a proactive approach and have considered their
business holistically.

• Finding and conclusion


Most banks detailed their risk management approaches and it was evident that risk management
practices were continuously enhanced by the top banks. Therefore, it can be concluded that risk
management has been found to play a significant role in ensuring that the risks are controlled and
managed (Barfield, 2012).

One exceptional practice that the banks have adopted is that on a monthly basis, the executive
provides the board with feedback, performance information and results of the business across
various disciplines, including finance, client activities, risk management and staff performance.
This practice was recommended in a study carried out by Ellingwood (2011), who stressed the
need to embed risk management structures that effectively address these risks. Therefore, it can be
concluded that effective risk management structures are successfully in place in the banks.

Consideration 3: Determining whether the banks adopted regulation(s) or frameworks for their
IT governance
The third point assessed whether the banks adopted certain regulations or frameworks for their IT
control environment. This assessment sought to understand the IT governance within the banking
industry, to determine which regulations were implemented by each bank and to see if similar
frameworks were implemented.

• Overall analysis
Sections 3.6 and 3.7 discussed the IT governance frameworks commonly used in the banking
industry. The most important fact found in the literature was that there was no ‘one size fits all’
regulation or framework. These frameworks have to be used in conjunction with each other to
obtain the best results. In order to minimise the risks posed by the IT environment, it is necessary
to implement a number of policies, strategies and frameworks (Noraini et al., 2015; Ngwenya,
2015). The banks’ annual reports disclosed the following:

Table 6: Results on regulations and frameworks adapted by the banks

Top Banks COBIT King Code Basel III IIA

Bank 1 ✓ ✓
Bank 2 ✓ ✓
Bank 3 ✓ ✓ ✓
Bank 4 ✓ ✓
Bank 5 ✓ ✓ ✓
Bank 6 ✓ ✓
Source: Own

Bank 5 explicitly mentioned that its IT governance policy was built on a strong framework that
incorporates principles and controls defined in international standards, such as COBIT and the
Information Security Forum Standards of Good Practice. Disclosure of King IV is a common and
mandatory requirement as per the Companies Act 71 of 2008 and all banks mentioned how they
had adapted to King IV. Some banks even went to the extent of disclosing their application of King
IV in detail, i.e. principles and practices. The same was found with Basel III; the banks adopted
this regulation and disclosed their level of compliance as this is a requirement in terms of the Banks
Act 94 of 1990 and related regulations. Finally, the presentation of the IIA standard and guidelines
was also adopted and visible in some banks’ disclosure.

A common practice noted in the top SA banks was the voluntary presentation and disclosure of
the banks’ adopted regulations and frameworks. The banks presented some of the regulations and
frameworks that they adopted that were in line with IT governance and internal auditing. This was
supported by several studies such as those by Noraini et al. (2015) and Ngwenya (2015), which
insisted on the importance of adopting a range of policies, strategies, regulations and frameworks
to minimise the risks posed by the IT environment.

The framework which was most commonly implemented by the banks was the King IV Code. All
the banks patently disclosed how they complied with this code. This was followed by Basel III,
where Banks 1, 3, 4 and 5 mentioned how this framework affected their environment and how they
complied with it. Banks 2, 3 and 5 also mentioned how their audit function complied with the IIA
standard. Only Bank 5 mentioned compliance with COBIT.

• Finding and conclusion


The banks voluntarily disclosed that they had adopted various IT governance regulations and
frameworks which were presented in the banks’ financial reports. This shows the direction and
level of accountability of the banks in relation to IT governance and internal auditing. It can
therefore be concluded that the banks have successfully adopted IT regulations and frameworks.

Consideration 4: Determining whether the banks established internal audit functions


The fourth point sought to determine whether the banks had established an internal audit function
within their environment. This consideration sought greater clarity on the internal audit function
and whether it audited the effectiveness of IT governance in the banks.

• Overall analysis
Sections 3.9 to 3.13 discussed the internal audit function, highlighting the importance and benefits
of establishing this function within the banks. The banks’ annual reports state the following:

Table 7: Results on whether banks had internal audit functions

Top Banks Statement from the Bank


Bank 1 “Internal audit functions in accordance with a charter approved by the audit
committee. Our Bank has an independent internal audit department with direct access
to the chairman of the board and audit committee, reporting functionally to the
committee and administratively to the CEO.”

56 | P a g e
Bank 2 “In respect of internal control and internal audit, reviewed and approved the annual
internal audit charter and audit plan and evaluated the independence, effectiveness
and performance of the internal audit department and compliance with its charter.
The third line of defence is provided by group internal audit, under its mandate from
the group audit committee.”

Bank 3 “Our internal audit function provides assurance to the board on the adequacy and
effectiveness of the group’s internal control and risk management practices and the
integrity of financial reporting systems. Internal audit assists management by making
recommendations for improvements to the control and risk management
environment.”

Bank 4 “Our day-to-day risk, compliance and internal audit management processes are also
being digitised, ensuring smarter, more agile and intelligence driven outputs.”

Bank 5 “Our comprehensive compliance framework integrates policies and procedures
overseen by a combined assurance model, including internal controls compliance and
internal audit activities.”

Bank 6 “The group audit committee has ensured that internal audit performs an independent
assurance function and monitored the effectiveness of the internal audit function in
terms of its scope, execution of its plan, coverage, independence, skills, staffing,
overall performance and position within the organisation. Monitored and challenged,
where appropriate, actions taken by management with regard to adverse internal audit
findings.”

Source: Adapted from ABSA (2017), Capitec (2017), FNB (2017), Investec (2017), Nedbank (2017) and Standard
Bank (2017).

The above statements from the banks clearly demonstrate the establishment of the internal audit
function. The results are in line with the IoDSA (2017), which stresses that each and every
organisation must have an internal auditing function and if it does not, then the organisation must
explain why this is so.

Banks 1 and 2 specifically mention that their internal audit department operates in line with its
audit charter. Bank 2 adds that this function constitutes its third line of defence. It is also clear that
the internal audit function plays a vital role in the internal controls system, risk management
practices and financial reporting of these banks.

This finding is in line with that of Crest Advisory Africa (2017), which notes that internal auditors
are regarded as trusted consultants and advisors who provide insight into the organisation’s
activities and often anticipate risks as well as responses to those risks.

The results show that the banks are in good standing, as the majority of them practise internal
auditing. The results of Barfield (2012) corroborate the findings of this study, as the author
indicates that internal auditing has a significant role to play in ensuring that financial systems are
safe and in avoiding the risk of taxpayers bailing out the banking industry.

• Finding and conclusion

The establishment of the internal audit function was fully highlighted, even to the extent that
co-sourcing and outsourcing were presented in the annual reports. For example, two out of the six
banks co-sourced the internal audit function. The credibility of the internal audit function has come
under scrutiny, and its value-add has been questioned, especially following the developments involving
KPMG and the VBS audit (De Wet, 2018). This shows that the internal audit function is being
monitored and challenged. Therefore, it can be concluded that the internal audit function within the
banks is well-established and running effectively.

Consideration 5: Determining whether the internal audit function was strategically positioned,
i.e. independent and supervised by the board

The fifth point evaluated the positioning of the internal audit function and sought to verify whether
this function was independently positioned within the banks’ structures.

• Overall analysis
Section 3.11 discussed the internal audit function, highlighting the importance of properly
positioning the internal audit function to ensure it was independent and free from bias. The banks’
annual reports state the following:

Table 8: Results on whether the internal audit function was strategically positioned

Top Banks Statement from the Bank


Bank 1 “Internal audit independent validation and review of risk management processes at all
levels. The audit function reports to the audit forum and the risk and audit committee.
Our bank has an independent internal audit department with direct access to the
chairman of the board and audit committee, reporting functionally to the committee
and administratively to the CEO.”

Bank 2 “Assessed the independence and effectiveness of the group chief audit officer, the
internal audit function and adequacy of the available internal audit resources and found
them to be satisfactory.”

Bank 3 “The internal audit function provides assurance to the board on the adequacy and
effectiveness of controls and report to the audit committee.”

Bank 4 “Ensured that internal audit performs an independent assurance function and monitored
the effectiveness of the Internal Audit function in terms of its scope, execution of its
plan, coverage, and independence.”

Bank 5 “Group Audit and Compliance Committee is accountable for accounting policies and
the annual financial statements and reports; oversees the quality and integrity of the
Group’s integrated reporting; is the primary forum for engagement with internal and
external audit; and monitors the Group’s control and compliance environment.”

“Internal and external audit functions who test and review controls to determine
whether the first and second lines execute responsibilities effectively and consistently.”

Bank 6 “Independent risk management, compliance, financial control functions supplemented
by internal audit, who reports independently to the audit committee, ensures the
management of risk.”

Source: Adapted from ABSA (2017), Capitec (2017), FNB (2017), Investec (2017), Nedbank (2017) and Standard
Bank (2017).

The above statements indicate that the internal audit function was indeed strategically positioned
within the banks and reported to the audit committee. The banks presented their internal audit
mandate which covered the main responsibilities of internal audit, external audit and the audit
committee. The reporting structure was also detailed with all banks having an independent internal
audit department. The auditors have direct access to the chairman of the board and the audit
committee, reporting functionally to the committee and administratively to the CEO. This
requirement was established from the literature as the IIA (2014) and Morris (2017) both mention
that internal audit functions should have access to the audit committee chair and should have
unlimited, free and unrestricted access to all records, information, personnel and assets when
appropriately required to perform a task. This has therefore encouraged the banks to strategically
position their internal audit function.

• Finding and conclusion

The internal audit function is guided by the charter approved by the audit committee. The charter
formally defines the purpose, authority and responsibility of internal audit activity and is consistent
with the IIA definition. One means of corroborating the strategic positioning and independence of
the internal audit functions is to obtain audit committee approval for the internal audit charter and
the annual audit plan. This practice appears to be common among the top SA banks.

It was evident that the audit committees ensured that the companies’ internal audit functions were
independent and had the necessary resources and authorities, enabling them to discharge their
duties. Therefore, it can be concluded that the banks were successful in strategically positioning
their internal audit functions.

Consideration 6: Determining whether the internal audit function reduced the risks posed by
the IT environment, i.e. performed a risk management audit and an IT governance audit
The sixth point assessed whether the internal audit function managed to reduce the risks posed by
the IT environment. This consideration is the main objective of the study and seeks to determine
whether the internal auditors audited and reviewed the effectiveness of IT governance in the banks.

• Overall analysis
Section 3.12 discussed the different kinds of audits and reviews conducted within the banking
environment, namely, market, credit, liquidity, interest rate and technological, strategic,
operational, regulatory, compliance and legal audits or reviews. Although the discussion did not
specify the scope of the audit or review, it did, however, cover the elements of each particular
audit. For example, the regulatory audit would evaluate all regulations and determine whether or
not the bank was compliant. All of the regulations regarding IT leaned toward similar objectives.
A financial audit would periodically review the bank’s financial processes, using resources and
expertise to provide an effective evaluation of the bank’s practices. This audit would also examine the
control environment, the availability and reliability of supporting information used in the valuation
process and the reliability of estimated fair values. From this discussion, it is evident that the
internal audit function does indeed audit and review IT governance and principles of good IT
governance.

To corroborate the above discussion, the banks’ annual reports state the following:

Table 9: Results on whether the internal audit functions of the banks reduced the risks posed
by the IT environment

Top Banks Statement from the Bank


Bank 1 “Internal audit is risk-based and the internal auditors submit an annual assessment to
the audit committee on the system of internal controls. Significant emphasis is placed
on the effective implementation and efficiency of systems. The operations environment
is closely monitored and assurance is obtained that controls are adequate and operating
effectively.”

Bank 2 “The group audit committee considered and reviewed:
• reports from management on risk management, including fraud and
information technology risks as they pertain to financial reporting and the
going concern assessment.
• updates on key internal and external audit findings in relation to the IT control
environment, significant IT programmes and IT intangible assets.

To ensure that risk-related matters of relevance to the audit committee are considered,
the chairman is a member of and attended the risk and capital management committee
and the group technology and information committee meetings held during the
financial year.”

Bank 3 “The audit and risk committee assists the board with the governance of information
technology. The board is aware of the importance of technology and information as it
is inter-related to the strategy, performance and sustainability.”

Bank 4 “Group internal audit committee has assisted the board in its evaluation of the integrity
of our financial statements through evaluation of the adequacy and efficiency of our
internal control systems, accounting practices, information systems and internal
auditing applied in the day-to-day management of our business.”

Bank 5 “Group internal audit committee. The Committee is satisfied
(i) that it has complied with its terms of reference and
(ii) with the overall control environment, including those aspects supporting
the financial statements for 2017, as confirmed by Internal Audit and our
external auditors.
In 2018, the Committee will continue to monitor further improvements in the control
environment, as well as identified areas, such as cybercrime, financial crime and fraud;
and the effects of new accounting standards. Including cyber risk issues and
developments, having regard to the inputs of the Information Technology Committee.”

Bank 6 “The role of the chairman of the audit committees requires regular meetings with the
heads of internal audit, compliance, legal, tax, operational and IT risk, credit, finance,
the group head of corporate governance as well as the lead external audit partner and
senior management outside of formal committee meetings in order to maintain and
develop an understanding of the group’s operations and the risks facing the business.
These interactions are an essential part of the role of the chairman of the audit
committees, as it provides an additional layer of assurance to gain comfort that these
control functions are aligned in terms of their understanding of the risks facing the
business and mitigation thereof.
The audit committee receive regular reports from operational risk, information
technology and compliance. During the course of the year, key topics that have been
discussed and debated by the committees have been:
• Business continuity - Consideration of the impact of the London office move
in 2018 on the continuity of business operations.
• Information cyber security - received and discussed the findings of a follow-
up targeted attack simulation that was performed on an external provider.
• Regulatory compliance - review and monitoring of results of regulatory
compliance reviews.
• Review of successful targeted attack simulations to mitigate cyber-crime risk.
Areas of focus in FY 2019, for the audit committee:
• IT risk and cyber security;
• Business continuity;
• Conduct;
• Audit quality;
• Auditor independence;
• Monitoring and closing audit findings;
• Related party processes and disclosures.”

Source: Adapted from ABSA (2017), Capitec (2017), FNB (2017), Investec (2017), Nedbank (2017) and Standard
Bank (2017).

The above statements were extracted from the banks’ financial reports. All six banks specifically
highlighted that the audit committee (which oversees the internal audit function) reviews, monitors
and manages risks affecting the bank. The types of risk included operational, strategic,
business, cyber, regulatory, IT, reputational, conduct and culture risks. Moreover, as discussed in
sections 3.7 and 3.8, the internal audit approach has embedded risk management practices, which
necessitate strategies and measures to reduce the risk that the organisation is facing.

Based on the above analysis, it can be deduced that the risks discussed above include IT risks,
which is the focus of this study. Therefore, it can be concluded that the internal audit function does
indeed reduce the risks posed by the IT environment. This finding is in line with the
recommendations of the IIA (2014), which states that internal audit functions provide reasonable
assurance to the audit committee and executive management on governance processes, the control
environment and the effectiveness of risk management (IIA, 2014; Morris, 2017). This means that
internal auditors assist management and audit committees to identify and evaluate business risks
and they perform focused audits in high-risk areas. The IIA (2015:4) standards also state that “the
internal audit activity must assess whether the IT governance of the organisation supports the
organisation’s strategies and objectives”. This means that internal auditors are charged with the
responsibility of reviewing control structures, assessing the control environment, identifying
weaknesses and providing recommendations to overcome any uncontrolled risk environments
(Galea, 2015).

• Finding and conclusion

The internal audit function was and continues to be the main driver of risk reduction. The majority
of the top SA banks indicate that monitoring and constant mitigation of risks related to cybercrime
and information security is a top priority for their internal audit, IT and risk management functions.
Therefore, it can be concluded that the internal audit function plays a significant role in reducing
the risks posed by the IT environment. Moreover, it was established that this function does audit
and review the effectiveness of IT governance within the banking industry.

4.5 Conclusion
This chapter presented the findings of the empirical study which shed light on the role of internal
auditors in IT governance. The objective of this study was to evaluate the contribution of internal
auditors in reducing the risks posed by the IT environment. To answer the main objective of this
study, it was important to first understand the risks in the banking industry, IT governance within
the banking industry and the performance of the internal audit function. It was also necessary to
establish whether or not the internal audit function reviewed the effectiveness of IT governance
within the banking industry.

In summary, most of the banks sampled did disclose their corporate governance, and particularly,
their IT governance and internal audit function. It was therefore straightforward to identify some
of the responsibilities of internal audit with regard to IT governance. The study revealed the
following insights on the role of internal auditors in IT governance in reducing risks posed by the
IT environment:

Table 10: Overall summary of findings

Element: Bank implementation of internal control measures
Finding: It can be concluded that the system of internal controls within the banks was successfully implemented.

Element: Bank implementation of risk management structures
Finding: It can be concluded that effective risk management structures within the banks were successfully implemented.

Element: Bank adoption of regulation(s) or frameworks for IT governance
Finding: It can be concluded that the banks adopted IT governance regulations and frameworks which were voluntarily disclosed and presented in the banks’ financial reports.

Element: Bank establishment of internal audit functions
Finding: It can be concluded that the internal audit function within the banks was well-established and functioning effectively.

Element: Banks’ strategic positioning of the internal audit function - i.e. independent and supervised by the board
Finding: It can be concluded that the internal audit function within the banks was strategically positioned.

Element: Internal audit function’s reduction of the risks posed by the IT environment, i.e. performed a risk management audit and an IT governance audit
Finding: The internal audit function does audit and review the effectiveness of IT governance within the banking industry. It can therefore be concluded that this function is effective and does reduce IT risk.

Source: Own

The findings present a strong indication that the banks’ internal audit function plays a significant
role in relation to risk reduction, particularly risk posed by the IT environment.

The next section discusses the findings and conclusions and indicates avenues for possible
future research.

CHAPTER 5: Conclusion

5.1 Study overview


The IT environment has created risks in the banking industry and, if not appropriately addressed
and mitigated, these risks could potentially result in significant failures. Therefore, the objective
of this study was to determine the role of internal auditors in reducing risks posed by the IT
environment.

To address the main objective of this study, it was important to first obtain an understanding of the
different risks in the banking industry, of IT governance in the banking industry as well as the
performance of the internal audit function. In particular, it was necessary to establish whether or
not the internal audit function reviewed the effectiveness of IT governance within the banking
industry. The objectives of the study were:
• To understand the IT risks in the banking industry; this was covered in section 3.4.
• To understand IT governance within the banking industry; this was covered in sections 3.6 to
3.8.
• To understand the role of the internal audit function and to establish whether or not the internal
audit function reviews the effectiveness of IT governance within the banking industry; this was
covered in sections 3.9 to 3.13.
• The main objective: to determine the role of internal auditors in reducing risks posed by the IT
environment in the banking industry; this was covered in section 4.4.
Therefore, all the objectives of the study were fully met in the preceding chapters.

The SA banking industry was selected for this study owing to its operational use of IT. The banks
which were sampled in this study were ABSA, Capitec, FNB, Investec, Nedbank and Standard
Bank. Data was collected through a literature review and an evaluation checklist. The literature
for the review was sourced from e-documents, publications, books, practice advisories, articles
and previous research reports. The evaluation checklist covered information contained in the
banks’ financial reports and was used to assess the current practices applied in banks.

5.2 Summary
The literature review laid a solid foundation for the study. To address the research objectives,
substantial information on the banking environment, IT governance and the role of the internal
audit function was examined. With regard to IT governance, it was established in sections 3.6 and
3.7 that IT is the main driver of all transactions in the banking industry and therefore IT governance
and practices in banks should be taken seriously. This is indeed the case, to the extent that the
banks have established IT risk and governance committees which are solely responsible for
information and technology governance, ensuring the effectiveness and efficiency of the banks’
information systems. This practice is in accordance with King IV and the Banks Act 94 of 1990.

Likewise, the top SA banks recognise the importance of mitigating risk and have implemented a
sound and mature system of internal controls and risk management practices. This was
corroborated by each of the banks’ declarations and their robust stance on this matter. In Chapter
3, a strong connection was demonstrated between a system of internal controls and effective risk
management to mitigate some of the risks identified in the banking industry.

The banks have adopted various IT governance regulations and frameworks which were
voluntarily disclosed in the banks’ financial reports. This disclosure shows the direction and level
of accountability the banks are displaying in relation to IT governance and internal auditing. Some
banks voluntarily disclosed the regulation(s) or frameworks that they complied with in relation to
IT governance and internal audits. These could be beneficial for the banks as they may need to
disclose the relevant sections of the regulations or frameworks that they complied with. However,
the assumption would be that if the bank had voluntarily disclosed the regulation or framework it
adheres to, it has complied with that regulation or framework in its entirety.

Although the banks are mandated by the Companies Act 71 of 2008 and the King Code IV to establish and
implement an internal audit function, it was noted that they showed a strong willingness to do
so. This was deduced from the fact that the banks went to the extent of publishing
information on whether their internal audit plans and/or audit charters had been approved by their
audit committee. This demonstrates strong commitment to corporate governance structures. The
internal audit function was strategically positioned and the independence of the internal audit
functions was assured. The top SA banks disclosed their internal audit reporting line in their annual
financial reports. It can thus be stated that the banks have demonstrated extreme transparency and
accountability in this regard.

As part of the analysis, it was noted that the information presented by top SA banks shows that the
internal audit function does, to some extent, reduce the risks posed by the IT environment, as this
was apparent in the banks’ financial reports. The overall impression gained from the evaluation
conducted in this study is therefore satisfactory.

5.3 Recommendations
In order to promote and improve IT governance and the efficiency of the internal audit function in
SA banks, the following recommendations are made:
• Practical IT governance guidelines (practice advisories) need to be developed to address
some of the upcoming complex systems to be implemented within the banks’ IT
environments, e.g. big data, the fourth industrial revolution and the context of data
analytics.
• Good IT process controls would substantially reduce some of the operational risks.
• The internal audit function should be continuously improved and up-scaled so that the
internal audit function can be aligned to the banks’ goals and objectives.
• The internal audit function should be involved in the bank’s strategy as one of the main
drivers of efficiency.

5.4 Areas of Future Research


For future studies, the following topics could be considered:
• The impact and extent of big data on the SA banking landscape, the banks’ state of
readiness and how big data will be regulated.
• Smaller banks’ compliance with IT governance strategies.

5.5 Conclusion
This study examined the role of internal auditors in reducing risks posed by the IT environment in
the South African banking industry. The empirical component of the study indicated that IT lies at
the heart of the banking industry. The banks’ operating systems are heavily dependent on an IT
platform, network and infrastructure. Due to this dependence on IT, banks’ IT environments
should be adequately monitored and reviewed.

The role of internal auditors, and particularly their responsibility towards IT governance, is defined
by the IIA (Implementation Standard 2110.A2) as follows: “internal audit activity must assess
whether the IT governance of the organisation supports the organisation’s strategies and
objectives”. It emerged that the different types of assessments required by the IIA include assessing
operational and financial processes, integrated procedures, IT general controls, application
controls and compliance with IT-related legal and regulatory requirements. The study also
indicated that the responsibility of internal audit to the bank was to provide assurance to the board
of the adequacy and effectiveness of the bank’s internal control and risk management practices
and the integrity of the financial reporting systems on all operations, including IT governance.

Finally, the study revealed that the need to actively manage risk has become an essential part of
sound corporate governance practices. Therefore, the following conclusions can be drawn from
this study, namely, that the internal audit function is a major player in actively managing risks and
one of its key roles is to provide assurance that those risks have been properly managed.

References
Accenture. (2016). Bridging the technology gap in financial services boardrooms. Available from:
https://www.accenture.com/t20160118T152822__w__/us-en/_acnmedia/PDF-4/Accenture-
Strategy-Financial-Services-Technology-Boardroom.pdf. [Accessed on 02 08 2018].

Ali, A. (2016). Change in internal auditing practice: Evolution, constraints and ingenious
solution. (Unpublished doctoral thesis). Birmingham: Aston University. Available from:
http://publications.aston.ac.uk/31735/1/Azharudin_Ali.pdf. [Accessed on 07 03 2018].

Ally, Z. (2016). IT and cloud governance disclosures of South African financial institutions.
(Unpublished Master’s dissertation). Johannesburg: University of Johannesburg. Available from:
http://uj.ac.za.libguides.com/c.php?g=581209&p=4012058. [Accessed on 23 08 2017].

Amalgamated Banks of South Africa (ABSA) (2017). Financial Results for the reporting period
ended 31 December 2017. Available from: https://www.absa.africa/absaafrica/investor-
relations/financial-results/. [Accessed on 07 03 2019].

Australian Institute of Company Directors. (2008). IT Governance Six principles for good IT
governance. Available from: http://www.companydirectors.com.au/director-resource-
centre/publications/company-director-magazine/2000-to-2009-back-editions/2008/august/it-
governance--six-principles-for-good-it-governance-aug-08. [Accessed on 17 06 2017].

Babbie, E. & Mouton, J. (2010). The practice of social research. 10th ed. Republic of South Africa
[RSA], Cape Town: Oxford University Press Southern Africa

Badenhorst, M. (2012). Making sense of IT Governance the implications of King III IIA.
(Unpublished Master’s dissertation). Cape Town: Cape Peninsula University of Technology.

Bank for International Settlements (BIS). (2012). The internal audit function in banks. Available
from: http://www.bis.org/publ/arpdf/ar2014e.pdf. [Accessed on 29 03 2018].

Bank for International Settlements (BIS). (2014). 84th Annual Report. Available from:
http://www.bis.org/publ/arpdf/ar2014e.pdf. [Accessed on 24 04 2018].

Bank for International Settlements (BIS). (2015). 85th Annual Report. Available from:
https://www.bis.org/publ/arpdf/ar2015e.pdf. [Accessed on 24 04 2018].

Bank for International Settlements (BIS). (2018). Pillar 3 disclosure requirements – updated
framework. Available from: https://www.bis.org/bcbs/publ/d432.pdf. [Accessed on 26 09 2018].

Banking Association South Africa (BASA). (2015). Annual review 2015. Available from:
http://www.banking.org.za/docs/default-source/publication/annual-review/the-banking-
association-south-africa---annual-review-2015.pdf. [Accessed on 11 02 2019].

Banking Association South Africa (BASA). (2017). The Banking Association South Africa
submission on transformation in the financial sector. Available from: http://www.banking.org.za/.
[Accessed on 10 03 2019].

Barfield, B. (2012). Why internal audit is central to the success of Basel III. Available from:
http://accaiabulletin.newsweaver.co.uk/accaiabulletin/1qra2bg9gyf?a=1&p=27549195&t=21926
635. [Accessed on 08 10 2018].

Barker, R.L. (2003). The social work dictionary, 5th ed. Michigan, USA: University of Michigan
NASW Press.

Boulton, C. (2016). World Bank, Capital One and other banks are moving past their fears about
security and regulatory risk. Available from: http://www.cio.com/article/3068517/cloud-
computing/why-banks-are-finally-cashing-in-on-the-public-cloud.html. [Accessed on 23 08
2018].

BusinessTech. (2018). These are the 18 biggest banks in South Africa – including Discovery.
Available from: https://businesstech.co.za/news/banking/250899/these-are-the-18-biggest-banks-
in-south-africa-including-discovery/. [Accessed on 13 02 2019].

BusinessVibes. (2015). The importance of information technology in business today. Available
from: http://www.business2community.com/tech-gadgets/importance-information-technology-business-today-01393380#M7FMyGA8BzvpUqPr.97. [Accessed on 23 08 2018].

Cakmak, C. (2016). The role of information systems in business process redesign. (Master’s
dissertation). Portugal: NOVA Information Management School. Available from:
https://run.unl.pt/bitstream/10362/17434/1/TGI0053.pdf. [Accessed on 14 11 2019].

Capitec Bank Holdings Limited (2017). Integrated Annual Report 2017 Available from:
https://commondatastorage.googleapis.com/capitecbank-co-za/integrated_annual_report.pdf.
[Accessed on 07 03 2019].

Chandani, A., Mehta M., Neeraja, B. & Prakash, O.M. (2015). Banking on big data: A case study.
ARPN Journal of Engineering and Applied Sciences, 10: 1. Available from:
www.arpnjournals.com. [Accessed on 14 10 2018].

Chaves, E.C.J., Galegale, N.V. & Azevedo, M.M (2016). IT governance in the retail banking:
Behavior and trends. Future Studies Research Journal, 1: 175-178. Available from:
https://www.revistafuture.org/FSRJ/article/download/230/372 [Accessed on 17 11 2018].

Cohen, L., Manion, L. & Morrison, K. (2000). Research methods in education. New York, NY:
Routledge Falmer.

Companies Act 71 of 2008. Government Gazette, Republic of South Africa. Available from:
https://www.acts.co.za/companies-act-2008/index.html. [Accessed on 14 05 2018].

Conover, M.J. (2009). Model validation: Mitigating financial model risk. Hoosier Banker, 93(6):
20-23.

Cordenonsi, J. (2004). Um modelo de administração da tecnologia da informação. In E.R.P.
D’Andrea, Parte 13. In A.L. Albertin & R.M. de Albertin (Orgs.) Tecnologia de informação. São
Paulo: Atlas.

Crest Advisory Africa. (2017). Internal audit. Available from:
http://crestadvisoryafrica.com/email/CAA_KingIV.pdf. [Accessed on 14 10 2018].

Dangolani, S.K. (2011). The impact of information technology in banking system (A case study
in bank Keshavarzi IRAN). Procedia Social and Behavioral Sciences, 30: 13-16. Available from:
https://ac.els-cdn.com/S1877042811018283/1-s2.0-S1877042811018283-main.pdf?_tid=bf57dd
92-fb7f-11e7-b13c00000aab0f6c&acdnat=1516191355_fa315a640e678ed475523eb4ac7fcce5.
[Accessed on 14 02 2019].

Davis, C., Schiller, M. & Wheeler, K. (2011). IT auditing using controls to protect information
assets. New York, NY: McGraw Hill. Available from: http://www.cio.com/article/3068517/cloud-
computing/why-banks-are-finally-cashing-in-on-the-public-cloud.html. [Accessed on 11 03
2019].

De Wet, P. (2018). Four key questions about the VBS scandal KPMG failed to answer on Sunday.
Available from: https://www.businessinsider.co.za/key-vbs-questions-kpmg-hasnt-answered-
2018-4. [Accessed on 14 01 2019].

Deloitte. (2016a). Global center for corporate governance, information technology risks in
financial services: What board members need to know and do. Available from:
http://www.cio.com/article/3068517/cloud-computing/why-banks-are-finally-cashing-in-on-the-
public-cloud.html. [Accessed on 17 10 2018].

Deloitte. (2016b). King IV: Bolder than ever. The introduction. Available from:
https://www2.deloitte.com/content/dam/Deloitte/za/Documents/governance-risk-
compliance/DeloitteZA_KingIV_Bolder_Than_Ever_CGG_Nov2016.pdf. [Accessed on 07 02
2019].

Deloitte. (2017). 2017 hot topics for IT internal audit in financial services. Available from:
https://www2.deloitte.com/za/en/pages/risk/articles/2017-hot-topics-for-it-internal-audit-in-
financial-services.html. [Accessed on 17 11 2018].

Dumitrescu, I.B. (2004). Commercial Banking Internal Audit in Banking Organisation. Available
from: http://www-ext.nbs.sk/_img/Documents/BIATEC/BIA07_04/16_19.pdf. [Accessed on 17
10 2018].

Durrheim, K. (2002). Research design. In M. Terre Blanche & K. Durrheim (eds) Research in
Practice. Cape Town: University of Cape Town Press.

Economic and Social Council. (2014). Commission on Science and Technology for Development,
17th session, Geneva, item 3(b) of the provisional agenda. Available from:
https://unctad.org/en/Pages/CSTD.aspx. [Accessed on 09 03 2019].

Ellingwood, C. (2011). The top ten information security risks. Available from:
http://www.berrydunn.com/news-details/top-10-information-security-risks. [Accessed on 14 02
2019].

Filatotchev, I., Jackson, G., Gospel, H. & Allcock, D. (2007). Key drivers of 'good' corporate
governance and the appropriateness of UK policy responses: Final report to the Department of
Trade and Industry. Available from: https://ssrn.com/abstract=961369 [Accessed on 17 09 2018].

First National Bank (FNB). (2017). Annual Integrated Report for the reporting period ended 31
December 2017 Available from: https://www.firstrand.co.za/investors/annual-reporting/.
[Accessed on 07 03 2019].

Galea, A. (2015). The corporate governance role of internal auditors in Maltese companies: An
assessment. (Unpublished Master’s thesis). Msida: University of Malta. Available from:
https://www.um.edu.mt/library/oar/handle/123456789/8446. [Accessed on 17 11 2018].

Gelinas, U.J., Sutton, S.J. & Fedorowicz, J. (2008). Business processes and information
technology. Available from: http://searchsecurity.techtarget.com/definition/COBIT. [Accessed on
17 09 2018].

Glen, S. (2015). Purposive Sampling (Deliberate Sampling). Available from:
http://www.statisticshowto.com/purposive-sampling. [Accessed on 07 02 2019].

Globalisation101. (2016). Information technology. Available from:
http://www.globalization101.org/information-technology/. [Accessed on 16 03 2019].

Gordhan, P. (2009, February 5). Speech by Finance Minister Pravin Gordhan on the State of the
Nation Address. Available from:
http://www.treasury.gov.za/comm_media/speeches/2009/2009060501.pdf. [Accessed on 17 10
2018].

Gupta, S. (2015). Banking on IT governance: Benefits and practices. Available from:
https://www.firstpost.com/business/banking-governance-benefits-practices-2253752.html.
[Accessed on 17 10 2018].

Hamidovic, H. (2010). Fundamentals of IT governance based on ISO/IEC 38500. ISACA Journal,
5: 1-4. Available from:
https://www.researchgate.net/publication/254864216_Fundamentals_of_IT_Governance_Based_on_ISOIEC_38500.
[Accessed on 07 02 2019].

Healy, D. (2018). How should banks tackle the innovation challenge from fintech start-ups?
Available from: https://blogs.mulesoft.com/biz/trends/how-should-banks-tackle-the-innovation-
challenge-from-fintech-startups/. [Accessed on 26 03 2019].

Hutter, D. (2016). Physical security and why it is important. GIAC (GSEC) Gold Certification.
Available from: https://www.sans.org/reading-room/whitepapers/physical/physical-security-
important-37120. [Accessed on 23 02 2019].

IBM. (2011). Supporting information technology risk management. Available from:
https://www-935.ibm.com/services/multimedia/Supporting_Info_Technology_Risk_Mgmnt.pdf.
[Accessed on 23 10 2018].

Information Systems Audit and Control Association (ISACA). (2009). Cloud computing: Business
benefits with security, governance and assurance perspectives. Available from:
http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cloud-computing-
business-benefits-with-security-governance-and-assurance-perspective.aspx. [Accessed on 29 08
2018].

Information Systems Audit and Control Association (ISACA). (2011). IT control objectives for
cloud computing: Controls and assurance in the cloud. Available from:
https://www.isaca.org/chapters2/kampala/newsandannouncements/Documents/IT%20contro%20
objectives%20for%20Cloud%20computing.pdf. [Accessed on 18 10 2018].

Information Systems Audit and Control Association (ISACA). (2012a). Effective IT governance
through the three lines of defence, risk IT and COBIT. Available from:
https://www.isaca.org/Journal/archives/2012/Volume-1/Pages/Effective-IT-Governance-Through-the-Three-Lines-of-
Defense-Risk-IT-and-COBIT.aspx. [Accessed on 22 07 2018].

Information Systems Audit and Control Association (ISACA). (2012b). COBIT 5, implementation.
Available from: https://www.isaca.org/COBIT/Documents/COBIT-5-Implementation-
Introduction.pdf. [Accessed on 23 02 2019].

Information Systems Audit and Control Association (ISACA). (2016). Big data — Hot air or hot
topic? Available from: https://www.isaca.org/Journal/archives/2016/volume-3/Pages/big-data-
hot-air-or-hot-topic.aspx. [Accessed on 18 10 2018].

Institute of Directors in Southern Africa (IoDSA). (2009). The King Code of Corporate
Governance for South Africa. Available from: http://www.iodsa.co.za/?kingIII. [Accessed on 16
02 2019].

Institute of Directors in Southern Africa (IoDSA). (2017). General guidance note summary of King
IV™ Disclosure Requirements. Available from:
https://c.ymcdn.com/sites/www.iodsa.co.za/resource/collection/49D62EF3-F749-403C-BE47-
73C50F27F30F/General_Guidance_Note_on_Summary_of_King_IV_Disclosure_Requirements.
pdf. [Accessed on 17 08 2018].

Institute of Internal Auditors (IIA). (2013). Standards & guidance — International Professional
Practices Framework (IPPF). Available from: https://na.theiia.org/standards-
guidance/Pages/Standards-and-Guidance-IPPF.aspx. [Accessed on 31 03 2019].

Institute of Internal Auditors (IIA). (2014). Risk based internal auditing Chartered Institute of
Internal Auditors. Available from: https://global.theiia.org/standards-
guidance/topics/documents/201501guidetorbia.pdf. [Accessed on 25 07 2018].

Institute of Internal Auditors (IIA). (2015). Value of internal auditing: Assurance, insight,
objectivity: A presentation to stakeholders about the value of internal auditing. Available from:
http://www.theiia.org/theiia/about-the-profession/value-proposition/?sf1473960=1. [Accessed on
01 02 2019].

Institute of Internal Auditors UK (IIA). (2012). Global technology audit guide. Auditing IT
Governance. Available from:
http://194.177.36.87/IFACI/GTAG%2017_Auditing_IT_Governance_2012.pdf. [Accessed on
03 02 2019].

Institute of Internal Auditors US (IIA). (2017). Building awareness. Available from:
https://na.theiia.org/about-ia/PublicDocuments/Building-Awareness-Toolkit-NA.pdf. [Accessed
on 23 11 2018].

Institute of Risk Management. (2016). Cyber risk and risk management. Available from:
https://www.theirm.org/knowledge-and-resources/thought-leadership/cyber-risk.aspx. [Accessed
on 28 10 2018].

Investec (2017). Integrated Annual Report 2017. Available from:
http://reports.investec.co.za/iar2017/index.php. [Accessed on 07 03 2019].

IT Governance Institute (ITGI). (2011). Board briefing on IT governance. Available from:
https://www.isaca.org/restricted/Documents/26904_Board_Briefing_final.pdf. [Accessed on 01
02 2019].

IT Governance Network. (2010). Information technology (IT) governance. Available from:
http://www.itgovernance.co.za/ or https://www.itgovernance.co.za/3/index.php/cobit-5/cobit-
articles/146-cobit-5-for-assurance. [Accessed on 19 02 2019].

ITWeb. (2016). Banks to leverage big data in 2016. Available from:
http://www.itweb.co.za/index.php?option=com_content&view=article&id=149054. [Accessed on
26 08 2018].

Jangara, T.B. & Bezuidenhout, H. (2015). Addressing emerging risks in transborder cloud
computing and the protection of personal information: The role of internal auditors. Southern
African Journal of Accountability and Auditing Research, 17(1): 11-24. Available from:
https://repository.up.ac.za/bitstream/handle/2263/51634/Jangara_Addressing_2015.pdf?sequence
=1&isAllowed=y. [Accessed on 13 01 2019].

Janse van Vuuren, H. (2006). Disclosing risk management policies in financial statements.
(Unpublished Master’s dissertation). Potchefstroom: North-West University.

Jayaprakash, V. (2013). Overview of information technology in banking industry. Available from:
http://shodhganga.inflibnet.ac.in/bitstream/10603/37243/5/chapter3.pdf. [Accessed on 27 09
2018].

Jibrin, M.S., Blessing, S.E. & Danjuma, J. (2014). The role of auditors in the recent Nigerian
banking crisis. International Journal of Academic Research in Business and Social Sciences, 4(3):
2-21.

Jonker, M. (2014). New POPI Act brings operational, financial and legal burden to businesses
and their third party outsource service providers. Available from:
https://www.grantthornton.co.za/insights/articles/new-popi-act-brings-operational-financial-and-
legal-burden-to-businesses/. [Accessed on 19 08 2018].

Joshi, A., Bollen, L. & Hassink, H. (2013). An empirical assessment of IT governance
transparency: Evidence from commercial banking. Systems Information Management, 30(2).
doi.org/10.1080/10580530.2013.773805.

Keohane, K. 2014. Imaginative methodologies in the social sciences: Creativity, poetics and
rhetoric in social research. USA: Ashgate Publishing.

Knudson, J. (2017). Top bank risks in 2018. Available from:
https://bankingjournal.aba.com/2017/12/top-bank-risks-in-2018. [Accessed on 30 03 2019].

KPMG. (2016). Corporate governance overview 2016. Available from:
https://home.kpmg.com/content/dam/kpmg/jp/pdf/jp-en-corporate-governance-overview-
2016.pdf. [Accessed on 12 09 2018].

Krishnamurthy, S. (2013). Ten best practices for an effective model risk management program. A
Quant University White Paper. Available from:
http://www.quantuniversity.com/EffectiveModelRiskManagement.pdf. [Accessed on 27 11 2018].

Kvale, S. (1996). Interview Views: An Introduction to Qualitative Research Interviewing.
Thousand Oaks, CA: Sage Publications.

Lackovic, I.V. (2013). Model for IT governance assessment in banks based on integration of
control function. Proceedings of the Management, Knowledge and Learning International
Conference. Available from: http://www.toknowpress.net/ISBN/978-961-6914-02-
4/papers/ML13-275.pdf. [Accessed on 30 09 2018].

Lalwani, S. (2017). FinTech in South Africa: Accelerating the digital transformation of banking
& financial services. Africa Outlook Mag. Available from: http://www.africaoutlookmag.com
/news/fintech-in-south-africa-accelerating-the-digital-transformation-of-banking-financial-
services. [Accessed on 05 11 2018]. 27 09 2018

Lawlor, B. (2007). The age of globalisation: Impact of information technology on global business
strategies. (Honours thesis). Available from:
http://digitalcommons.bryant.edu/cgi/viewcontent.cgi?article=1000&context=honors_cis.
[Accessed on 06 02 2019].

Leedy, P.D. & Ormrod, J.E. (2005). Practical research: Planning and design. 8th ed. Upper Saddle
River, NJ: Pearson Education.

Leedy, P.D. & Ormrod, J.E. 2014. Practical research planning and design. 10th ed. England: Pearson.

Levenstein, E. (2017). King IV misses chance to focus on governance issues. Business Day.
Available from: https://www.businesslive.co.za/bd/opinion/2017-03-01-king-iv-misses-chance-
to-focus-on-governance-issues/. [Accessed on 050 07 2018].

Lewis, I. (2016). The role of internal auditing in providing combined assurance: Assessing
internal financial controls. (Unpublished Master’s thesis). Pretoria: University of Pretoria.
Available from: https://repository.up.ac.za/bitstream/handle/2263/44973/Lewis_Role_2015.pdf?sequence=1.
[Accessed on 03 02 2019].

Lingenfelder, R. (2015). Internal auditing of model risk within banking institutions. DOI:
https://repository.up.ac.za/bitstream/handle/2263/51886/Lingenfelder_Internal_2015.pdf?sequen
ce=1&isAllowed=y. [Accessed on 03 10 2018].

Loebbecke, J.K., Loebbecke, A. & Arens, A.A. (2000). Auditing an Integrated Approach. 8th ed.
Upper Saddle River, NJ: Prentice Hall.

Mahoney, M.S. (1988). The history of computing in the history of technology. Annals of the
History of Computing, 10(1988): 113-125. Available from: https://www.princeton
.edu/~hos/mike/articles/hcht.pdf. [Accessed on 06 08 2018].

Maree, K. & Pietersen, J. (2014). First steps in research. Revised edition. Pretoria: Van Schaik.

Marr, B. (2015). The five biggest risks of big data. Available from: http://data-informed.com/the-
5-biggest-risks-of-big-data/. [Accessed on 03 09 2018].

Marx, B., Van der Watt, A. & Bourne P. (2011). Dynamic auditing. 10th ed. Pretoria: LexisNexis.

Maseko, L.R. (2012). The role of the board of directors in IT governance. (Unpublished doctoral
thesis). Johannesburg: University of Johannesburg.

Meadows, R. (2014). It may be riskier to ignore big data than implement it, says new ISACA White
Paper. Available from: http://www.isaca.org/About-ISACA/Press-room/News-
Releases/2014/Pages/It-May-Be-Riskier-to-Ignore-Big-Data-Than-Implement-It.aspx. [Accessed
on 27 09 2018].

McKinsey. (2016). Breakthrough IT banking. Available from:
https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/BTO/PDF/MOBT26_Brea
kthrough_IT_banking.ashx. [Accessed on 02 08 2018].

MetricStream. (2018). Integrated GRC in banks and financial services companies: Improving
visibility and management of risks and controls. Available from:
https://www.metricstream.com/solution_briefs/BFSI_Solutionbrief.htm. [Accessed on 27 03
2019].

Miller, G. & Dingwall, R. (1997). Context and method in qualitative research. London: Sage.

Mitchell, B. (2017). Introduction to information technology (IT). Available from:
https://www.lifewire.com/introduction-information-technology-817815. [Accessed on 14 07
2018].

Mokoena, T. (2016). The effectiveness of encryption methods in mitigating information technology
security risks. Available from: http://uj.ac.za.libguides.com/c.php?g=581209&p=4012058.
[Accessed on 05 07 2018].

Morris, S. (2017). Five reasons why internal audit is important. Available from:
https://kirkpatrickprice.com/blog/5-reasons-why-internal-audit-is-important/. [Accessed on 03 02
2019].

Moura, J. & Serrão, C. (2016). Security and privacy issues of big data. Available from:
https://arxiv.org/ftp/arxiv/papers/1601/1601.06206.pdf. [Accessed on 13 09 2018].

Mouton, J. (2005). How to succeed in your Master’s and doctoral studies: A South African guide
and resource book. Pretoria: Van Schaik Publishers.

National Computing Centre. (2005). IT Governance and developing a successful governance
strategy: A best practice guide for decision making in IT. London: NCC.

Nedbank Group Limited (2017). Integrated Report for the reporting period ended 31 December
2017 Available from: https://www.nedbank.co.za/content/dam/nedbank/site-
assets/AboutUs/Information%20Hub/Integrated%20Report/2017/2017%20Nedbank%20Group%
20Integrated%20Report.pdf. [Accessed on 07 03 2019].

Ngwenya, M. (2015). Analysing information technology governance disclosure of the Top 40 JSE
listed companies. (Unpublished Master’s thesis). Potchefstroom: North-West University.
Available from: https://dspace.nwu.ac.za/handle/10394/17111. [Accessed on 27 09 2018].

Nikoloski, K. (2012). The role of information technology in the business sector. International
Journal of Science and Research (IJSR), 33-58. Available from:
https://www.ijsr.net/archive/v3i12/U1VCMTQzMjA=.pdf. [Accessed on 02 11 2018].

Nkonki, (2017). Integrated reporting: Trends in SA Top 100 JSE listed companies and SOCs.
Available from: http://integratedreportingsa.org/ircsa/wp-content/uploads/2017/09/170622-IR-
awards-report-brochure-email-version.pdf. [Accessed on 31 02 2019].

Noraini, C.P., Bokolo, A., Rozi, N.H.N. & Masrah, A.A.M. (2015). Risk assessment of IT
governance: A systematic literature review. Journal of Theoretical and Applied Information
Technology, 17(2): 184-193.

November, J. (2014). Computer: A history of the information machine. IEEE Annals of the History
of Computing, 36(4): 87-88. Available from: https://muse.jhu.edu/article/564927/pdf. [Accessed
on 27 09 2018].

Office of the Comptroller of the Currency (OCC). (2011). Supervisory guidance on model risk
management. Washington: Office of the Comptroller of the Currency. Available from:
https://www.occ.treas.gov/news-issuances/bulletins/2011/bulletin-2011-12a.pdf. [Accessed on 25
07 2019].

Oracle (2016). An enterprise architect’s guide to big data: Reference architecture overview.
Oracle Enterprise Architecture White Paper. Available from: https://www.oracle.com/assets/oea-
big-data-guide-1522052.pdf. [Accessed on 17 08 2018].

Oven, C., White, N., Katyal, V. & Henchock, S. (2012). Adding insight to audit: Transforming
internal audit through data analytics. Available from: http://www2.deloitte.com/
content/dam/Deloitte/us/Documents/audit/us-aers-adding-insight-pov-mobile-061913.pdf.
[Accessed on 17 08 2018].

Padmanabhan, G. (2012). Techno-banking – prospects and challenges. Inaugural address at the 6th
ET Banking Technology Conclave 2012, Mumbai. Available from:
https://www.bis.org/review/r121009e.pdf. [Accessed on 19 09 2018].

Palinkas, L., Horwitz, S., Green, C., Wisdom, J., Duan, N. & Hoagwood, K. (2015). Purposeful
sampling for qualitative data collection and analysis in mixed method implementation research.
Administration and Policy in Mental Health & Mental Health Services Research, 42(5): 533-544.
doi:10.1007/s10488-013-0528-y.

Patel, B. (2018). Six risks banks should foresee over the next five years. Forbes. Available from:
http://www.forbes.com/sites/forbesfinancecouncil/2018/08/01/six-risks-banks-should-forsee-
over-the-next-five-years/amp/. [Accessed on 27 09 2018].

Pink Elephant. (2016). ISO 38500 for the design and implementation of IT governance. Available
from: https://www.pinkelephantasia.com/iso-38500-governance/. [Accessed on 11 09 2018].

PricewaterhouseCoopers (PwC). (n.d.). King III, IT governance and your organisation. Available
from: https://www.pwc.co.za/en/assets/pdf/steeringpoint-kingiii-it-governance-and-kingiii-
15.pdf. [Accessed on 28 09 2018].

PricewaterhouseCoopers (PwC). (2013). Shaping the bank of the future South African banking
survey 2013. Available from: https://www.pwc.co.za/en/assets/pdf/south-african-banking-survey-
2013.pdf. [Accessed on 31 03 2019].

PricewaterhouseCoopers (PwC). (2015). King III, IT governance and your organisation. Available
from: https://www.pwc.co.za/en/assets/pdf/SteeringPoint-KingIII-IT-Governance-and-KingIII-
15.pdf. [Accessed on 27 01 2019].

PricewaterhouseCoopers (PwC). (2016). King IV, an outcomes-based corporate governance code
fit for a changing world. Available from: https://www.pwc.co.za/en/assets/pdf/king-iv-steering-
point.pdf. [Accessed on 16 02 2019].

Protiviti. (2009). Guide to internal audit, frequently asked questions about developing and
maintaining an effective internal audit function. 2nd ed. Available from:
https://internalaudit.uonbi.ac.ke/sites/default/files/centraladmin/internalaudit/GuideInternal_Audi
t-FAQs-2n_Edition.pdf. [Accessed on 03 02 2019].

Protiviti. (2015). IT governance effectiveness. Available from:
https://chapters.theiia.org/topeka/Events/Documents/Topeka%20IIA%20-
%20IT%20Governance%20Effectiveness_20150901.pdf. [Accessed on 28 09 2018].

Public Company Accounting Oversight Board (PCAOB). (2004). AU Section 325 -
Communications about Control Deficiencies in an Audit of Financial Statements. Available from:
https://pcaobus.org/Standards/Auditing/Pages/AU325b.aspx. [Accessed on 23 11 2018].

Radojevic, T. & Radovanovic, D. (2010). The impact of electronic banking on offer of financial
services. IEEE, Proceedings of the 33rd International Convention MIPRO. Available from:
https://ieeexplore.ieee.org/document/5533626. [Accessed on 03 02 2019].

Richard, N. & McFarlan, F.W. (2005). Information technology and the board of directors.
Harvard Business Review, 83(10): 96-106.

Ritchie, J. & Lewis, J. 2003. Qualitative Research Practice. A Guide for Social Science Students
and Researchers. London, Thousands Oaks: New Delhi.

Robinson, R. (2012). Business goals are no good without information systems. Available from:
http://pressoffice.itweb.co.za/bluekey/PressRelease.php?StoryID=222605. [Accessed on 28 09
2018].

Rouse, M. (2015). Information technology (IT). Available from:
http://searchdatacenter.techtarget.com/definition/IT. [Accessed on 29 09 2018].

Sanchez, C.P. (2017). The effect of the modernisation of legacy systems in banking IT architecture.
Available from: https://www.capgemini.com/consulting-gb/2017/03/the-effect-of-the-
modernisation-of-legacy-systems-in-banking-it/. [Accessed on 01 02 2019].

SAS Institute. (2017). Big Data: What it is and why it matters. Available from:
https://www.sas.com/en_za/insights/big-data/what-is-big-data.html. [Accessed on 08 10 2018].

Sanusi L. S. (2010). The Nigerian banking industry – what went wrong and the way forward.
Text of the Convocation Lecture, Governor of the Central Bank of Nigeria, Available from:
https://www.bis.org/review/r100419c.pdf. [Accessed on 29 07 2018].

Saunders, M., Lewis, P. & Thornhill, A. (2000). Research methods for business students. 5th ed.
Harlow, Essex: Pearson Education.

Scheepers, J. (2014). Special report – A brief history of banking. Available from:
https://www.accountancysa.org.za/special-report-a-brief-history-of-banking/. [Accessed on 17 08
2018].

Schubert, J. (2015). Four top challenges facing the banking industry right now. Digitalist
Magazine. Available from: http://www.digitalistmag.com/industries/banking/2015/08/27/4-top-
challenges-facing-banking-industry-right-now-03352186. [Accessed on 31 08 2018].

Schwarz, N. & Bohner, G. (2001). The construction of attitudes. In A. Tesser & N. Schwarz (eds.)
Blackwell Handbook of Social Psychology. Oxford: Blackwell.

Seetharam, Y. (2016). Big data at FNB. ITWeb. Available from:
http://www.itweb.co.za/index.php?option=com_content&view=article&id=149054. [Accessed on
03 02 2019].

Sibanda, M. (2011). An analysis of information security governance model. Available from:
http://uj.ac.za.libguides.com/c.php?g=581209&p=4012058. [Accessed on 31 03 2019].

Siddiqui, N. & Fitzgerald, J.A. (2014). Elaborated integration of qualitative and quantitative
perspectives in mixed methods research: A profound enquiry into the nursing practice
environment. International Journal of Multiple Research Approaches, 8(2): 137-147.

Smith, E.E. (1981). Categories and concepts. Cambridge: Harvard University Press.

Somers, H. (2012). What is research?
http://www.chssc.salford.ac.uk/healthSci/rem99/resmeth/planning.htm. [Accessed on 16 11 2018].

South African Banking Risk Information Centre (SABRIC). (2018). Digital banking crime
statistics. Available from: https://www.sabric.co.za/media-and-news/press-releases/digital-
banking-crime-statistics/. [Accessed on 27 08 2018].

South African Reserve Bank (SARB). (2015). Directive11/2015 issued in terms of section 6(6) of
the Banks Act 94 of 1990. Available from:
https://www.resbank.co.za/Lists/News%20and%20Publications/Attachments/7003/01%20D11%
20of%202015.pdf. [Accessed on 31 03 2019].

South African Reserve Bank (SARB). (2017). Group Annual Financial Statements for the year
ended 31 March 2017 Available from: https://www.resbank.co.za/publications/detail-item
view/pages/publications.aspx?sarbweb=3b6aa07d-92ab-441f-b7bf
bb7dfb1bedb4&sarblist=21b5222e-7125-4e55-bb65-56fd3333371e&sarbitem=785 [Accessed on
23 11 2018].

Standard Bank Group (2017). Annual Integrated Report 2017 Available from:
https://www.standardbank.com/pages/StandardBankGroup/web/docs/16000_SBG%20AIR%205
%20APRIL.pdf. [Accessed on 07 03 2019].

Strohbach, M., Daubert, J., Ravkin, H. & Lischka, M. (2016). New Horizons for a Data-Driven
Economy. Available from:
https://www.researchgate.net/publication/299617100_Big_Data_Storage. [Accessed on 24 08
2018].

Tarrant, H. (2016). How much SA’s big banks spend on IT. Tech Central. Available from:
https://techcentral.co.za/how-much-sas-big-banks-spend-on-it/68522/. [Accessed on 16 02 2019].

Toomey, M. (2008). IT governance: Six principles for good IT governance. Available from:
http://www.companydirectors.com.au/director-resource-centre/publications/company-director-
magazine/2000-to-2009-back-editions/2008/august/it-governance--six-principles-for-good-it-
governance-aug-08. [Accessed on 23 11 2018].

Toseland, F. (2017). Big data: Is Africa ready? Available from:
http://www.thisisafricaonline.com/News/Big-Data-Is-Africa-ready?ct=true. [Accessed on 28 10
2018].

Van Zyl, L.E. (2014). Research methodology for the economic and management sciences. 8th ed.
SA: Pearson.

William, C. (2007). Research methods. Journal of Business and Economic Research. 5(3): 65-72.

Williams, I. (2016). Corporate Governance in Australia: A Snapshot. Available from:
https://www.herbertsmithfreehills.com/latest-thinking/corporate-governance-in-australia-a-
snapshot. [Accessed on 27 09 2018].

World Bank. (2012). Information and communication technology is revolutionizing development
in Africa. Available from: http://www.worldbank.org/en/news/press-
release/2012/12/10/information-communication-technology-revolutionizing-development-africa.
[Accessed on 23 11 2018].
