
Why IT Risks Are Now a Central Audit Concern.

Audits today extend well beyond financial statements. Across Kenya and the broader African market, auditors are dedicating increasing attention to IT systems, data governance, cybersecurity frameworks, and internal controls. For organizations that fail to address underlying IT risks, the consequences can be severe – ranging from critical audit findings and regulatory penalties to lasting reputational damage.

For businesses in Kenya, especially SMEs and growing enterprises, IT audit readiness is no longer optional. It is a core governance responsibility.

At Ndakala Advisory LLP, we help organizations identify control gaps, strengthen their IT environments, and prepare for audits with confidence. In this guide, we break down the eight most common IT audit risks, explain why each matters, and provide practical remediation steps you can act on today.


1. Weak Access Controls.

Access control defines who can access which systems, data, and applications, and under what conditions. It is consistently one of the leading causes of audit failures across organizations of all sizes. When controls are weak or absent, the potential for unauthorized transactions, financial manipulation, and compliance violations is significant.

Common Control Gaps.

  • Users holding excessive system privileges beyond their job role.
  • No role-based access control (RBAC) framework in place.
  • Accounts belonging to former employees that remain active in the system.
  • Absence of multi-factor authentication (MFA) on critical platforms.
  • Generic or shared administrator credentials in use.

How to Fix It.

  • Implement a formal Role-Based Access Control (RBAC) policy tied to job functions.
  • Enforce Multi-Factor Authentication across all critical and financial systems.
  • Conduct formal access reviews on a quarterly basis.
  • Establish immediate deactivation protocols for exiting staff.
  • Maintain a documented, management-approved access register.

Strong access controls are foundational to any sound IT risk management framework. Learn how our team approaches this as part of our Advisory Services.
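The quarterly access review described above can be automated against a user export. The script below is an added example, not Ndakala Advisory's own tooling; the role-to-privilege matrix, the list of generic account names and the sample accounts are all constructed assumptions, and it flags the five control gaps listed under Common Control Gaps.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical role-to-privilege matrix: the privileges each job function may hold.
ROLE_PRIVILEGES = {
    "accounts_clerk": {"ap_entry", "ar_entry"},
    "finance_manager": {"ap_entry", "ar_entry", "ap_approve", "gl_post"},
    "sysadmin": {"server_admin", "backup_admin"},
}
CRITICAL_PRIVILEGES = {"ap_approve", "gl_post", "server_admin"}
GENERIC_NAMES = {"admin", "administrator", "root", "finance"}  # assumed naming pattern

@dataclass
class Account:
    username: str
    role: str
    privileges: set
    last_login: date
    mfa_enabled: bool

def review_access(accounts, leavers, today, dormant_days=90):
    """Return (username, finding) pairs for the quarterly access review."""
    findings = []
    for a in accounts:
        excess = a.privileges - ROLE_PRIVILEGES.get(a.role, set())
        if excess:  # privileges beyond what the job role allows
            findings.append((a.username, f"privileges beyond role: {sorted(excess)}"))
        if a.username in leavers:  # HR leaver list says this person has exited
            findings.append((a.username, "account active for a leaver"))
        if (today - a.last_login).days > dormant_days:
            findings.append((a.username, f"dormant for more than {dormant_days} days"))
        if a.privileges & CRITICAL_PRIVILEGES and not a.mfa_enabled:
            findings.append((a.username, "critical privilege without MFA"))
        if a.username.lower() in GENERIC_NAMES:
            findings.append((a.username, "generic or shared administrator credential"))
    return findings

# Constructed sample export and HR leaver list (not real data).
TODAY = date(2025, 6, 30)
ACCOUNTS = [
    Account("jdoe", "accounts_clerk", {"ap_entry", "ap_approve"}, date(2025, 6, 28), True),
    Account("asmith", "finance_manager", {"ap_entry", "ap_approve", "gl_post"}, date(2025, 6, 29), False),
    Account("mokoth", "accounts_clerk", {"ap_entry"}, date(2025, 2, 1), True),
    Account("admin", "sysadmin", {"server_admin"}, date(2025, 6, 30), True),
]
LEAVERS = {"mokoth"}

def sample_findings():
    return review_access(ACCOUNTS, LEAVERS, TODAY)
```

Each finding maps back to one bullet of the gap list, so the output doubles as the evidence an auditor will ask for that the review actually happened.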


2. Lack of Segregation of Duties (SoD).

Segregation of Duties (SoD) is a foundational internal control principle: no single individual should have end-to-end control over a critical business process. When one person can initiate, authorize, and record a transaction, the risk of undetected fraud and error increases substantially – and auditors take note.

In environments where SoD gaps exist, the absence of independent oversight means that errors – intentional or otherwise – can go undetected for extended periods.

Common SoD Failures.

  • One individual initiates, approves, and posts transactions without independent review.
  • No system-enforced approval workflows to separate duties.
  • Small teams with highly overlapping responsibilities and no compensating controls.
  • IT administrators with unrestricted access to financial systems.

How to Fix It.

  • Map critical business processes and assign distinct roles at each approval stage.
  • Configure system-level workflow approvals to enforce separation.
  • Implement documented compensating controls where staffing limits full SoD.
  • Have management formally sign off on all SoD exceptions.

SoD is a standard area of scrutiny during both internal and external audits. Read more about trends in internal auditing and how the role of the auditor is evolving in Kenya.
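Two checks back up the SoD remediation steps above: a toxic-combination review of role assignments and a transaction-level test that no one person performed two stages, with management-approved exceptions reported separately rather than as violations. This is an added example, not the firm's own method; the duty names, toxic combinations and sample records are constructed.

```python
from collections import defaultdict

# Hypothetical toxic combinations: duties one person must never hold together.
TOXIC_COMBINATIONS = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("approve_payment", "post_ledger"),
]

def role_conflicts(user_duties):
    """user_duties: {username: set of duties}. Returns (user, duty_a, duty_b)
    for every toxic combination a single user holds."""
    conflicts = []
    for user, duties in sorted(user_duties.items()):
        for a, b in TOXIC_COMBINATIONS:
            if a in duties and b in duties:
                conflicts.append((user, a, b))
    return conflicts

def transaction_conflicts(transactions, approved_exceptions=frozenset()):
    """transactions: dicts with id, initiated_by, approved_by, posted_by.
    Flags any transaction where one person performed two or more stages; a
    transaction covered by a management-approved SoD exception is reported
    as such rather than as a violation."""
    flagged = []
    for t in transactions:
        stages = {"initiated": t["initiated_by"], "approved": t["approved_by"],
                  "posted": t["posted_by"]}
        by_person = defaultdict(list)
        for stage, person in stages.items():
            by_person[person].append(stage)
        for person, held in by_person.items():
            if len(held) > 1:
                status = "exception approved" if t["id"] in approved_exceptions else "VIOLATION"
                flagged.append((t["id"], person, tuple(held), status))
    return flagged

# Constructed sample data (not real records).
USER_DUTIES = {
    "jdoe": {"enter_invoice", "approve_payment"},
    "asmith": {"approve_payment"},
    "mokoth": {"post_ledger"},
}
TRANSACTIONS = [
    {"id": "PV-1001", "initiated_by": "jdoe", "approved_by": "asmith", "posted_by": "mokoth"},
    {"id": "PV-1002", "initiated_by": "jdoe", "approved_by": "jdoe", "posted_by": "mokoth"},
    {"id": "PV-1003", "initiated_by": "asmith", "approved_by": "mokoth", "posted_by": "mokoth"},
]
APPROVED_EXCEPTIONS = frozenset({"PV-1003"})  # signed-off compensating control on file
```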


3. Inadequate Audit Trails and System Logging.

Audit trails are system-generated records that capture who performed what action, when, and from where. Without comprehensive and tamper-proof logs, it becomes impossible to investigate incidents, demonstrate compliance, or support audit inquiries. Auditors routinely request log evidence – and gaps here translate directly into adverse findings.

During an IT audit, reviewers will typically request logs demonstrating user activity in financial systems, change management records, privileged access activity, and evidence that logs are reviewed on a regular, documented basis.

Common Logging Gaps.

  • Logging not enabled on key business systems.
  • Logs stored without access restriction or integrity protection.
  • No formal schedule or assigned ownership for log review.
  • System alerts and warnings routinely ignored or unaddressed.

How to Fix It.

  • Enable comprehensive logging across all critical systems and applications.
  • Store logs in a secure, tamper-evident environment – separate from operational systems.
  • Adopt a SIEM (Security Information and Event Management) tool for centralized monitoring.
  • Assign clear ownership for weekly log review and incident escalation.

Audit trail requirements sit at the heart of statutory and external audit obligations in Kenya. Understanding what auditors expect is the first step toward being prepared.
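"Tamper-evident" in the fix list above has a concrete meaning: each log record should commit to the one before it, so that editing, deleting or reordering a record is detectable. The hash-chained log below is an added example of that property, not code from the page or the firm; the event fields and sample events are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record

def _canonical(entry):
    # Stable serialisation so the same event always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))

def append_entry(chain, entry):
    """Append an audit event to a hash-chained log. Each record stores the
    SHA-256 of (previous record's hash + canonical event JSON), so editing,
    deleting or reordering any earlier record breaks every hash after it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256((prev + _canonical(entry)).encode()).hexdigest()
    chain.append({"entry": entry, "prev": prev, "hash": digest})
    return chain

def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hashlib.sha256((prev + _canonical(rec["entry"])).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, None

# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    {"ts": "2025-06-30T08:01:12", "user": "jdoe", "action": "login", "src": "WS-014"},
    {"ts": "2025-06-30T09:14:05", "user": "jdoe", "action": "post_journal", "ref": "JV-2210", "amount": 45000},
    {"ts": "2025-06-30T11:30:51", "user": "admin", "action": "grant_role", "target": "jdoe",
     "role": "finance_manager", "privileged": True},
]

def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain

def tamper_demo():
    """Show that changing a posted amount after the fact is detected."""
    chain = build_sample_chain()
    tampered = copy.deepcopy(chain)
    tampered[1]["entry"]["amount"] = 4500000  # someone edits the journal amount later
    return verify_chain(chain), verify_chain(tampered)
```

The chain only proves integrity from the point the log was written, which is why the fix list also calls for storing it away from the operational system where the events originate.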


4. Poor Data Backup and Disaster Recovery.

The inability to produce accurate records during an audit is itself an audit failure. Organizations that lack tested, reliable backup and disaster recovery infrastructure face the very real prospect of irretrievable data loss — along with the financial reporting and compliance consequences that follow.

This risk is particularly acute for SMEs in Kenya, where many organizations rely on single-point, on-premise backup systems that have never been tested under real recovery conditions.

Common Backup Failures.

  • Irregular or undocumented backup schedules.
  • Backups stored solely on-site, creating a single point of failure.
  • No formal Business Continuity or Disaster Recovery Plan.
  • Recovery procedures that have never been tested or validated.

How to Fix It.

  • Automate daily backups with documented retention schedules and ownership.
  • Store backups in geographically separate or cloud-based environments.
  • Conduct structured disaster recovery tests at least twice per year.
  • Maintain and communicate a formal, board-approved Business Continuity Plan.

Business continuity planning connects directly to the broader risk management support we provide through our Advisory Services.


5. Outdated and Unpatched Systems.

Running outdated or unsupported software is both a cybersecurity liability and a compliance risk. Auditors increasingly evaluate whether organizations maintain a proactive patch management posture – and legacy systems that have passed their vendor support lifecycle are an immediate red flag.

Beyond the audit risk, unpatched systems are among the most common entry points exploited in cyberattacks targeting Kenyan businesses, making timely updates a governance and operational priority alike.

Common Vulnerabilities.

  • Operating systems and applications running without current security patches.
  • Legacy systems no longer supported by the vendor.
  • No documented patch management policy or deployment schedule.
  • No formal inventory of software assets and version numbers.

How to Fix It.

  • Establish a formally documented patch management policy with assigned accountability.
  • Conduct monthly patch reviews and track deployment completion.
  • Maintain a complete, up-to-date software asset inventory.
  • Begin a structured migration plan away from any end-of-life systems.
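The monthly patch review and end-of-life tracking above reduce to comparing the software inventory against a vendor support register and a maximum patch age. The check below is an added example, not the firm's own tooling; the product names, support dates and hosts are placeholders, not real vendor lifecycle data.

```python
from datetime import date

# Constructed vendor end-of-support register with placeholder product names.
END_OF_SUPPORT = {
    "ExampleOS 2012": date(2023, 10, 10),
    "ExampleOS 2022": date(2026, 1, 14),
    "ExampleERP 7": date(2024, 12, 31),
    "ExampleERP 9": date(2030, 6, 30),
}

def patch_posture(assets, today, max_patch_age_days=30, eol_warning_days=365):
    """assets: dicts with host, product, last_patched (date or None).
    Returns (host, finding) pairs for the monthly patch review."""
    findings = []
    for a in assets:
        host, eos = a["host"], END_OF_SUPPORT.get(a["product"])
        if eos is None:  # inventory gap: product not in the lifecycle register
            findings.append((host, f"{a['product']} missing from the end-of-support register"))
        elif eos <= today:
            findings.append((host, f"end-of-life since {eos.isoformat()}; migration required"))
        elif (eos - today).days <= eol_warning_days:
            findings.append((host, f"support ends {eos.isoformat()}; plan migration"))
        if a["last_patched"] is None:
            findings.append((host, "no patch deployment record"))
        elif (today - a["last_patched"]).days > max_patch_age_days:
            findings.append((host, f"last patched {(today - a['last_patched']).days} days ago"))
    return findings

# Constructed asset inventory (not real hosts).
TODAY = date(2025, 6, 30)
ASSETS = [
    {"host": "fin-db-01", "product": "ExampleOS 2012", "last_patched": date(2023, 9, 1)},
    {"host": "fin-app-01", "product": "ExampleERP 9", "last_patched": date(2025, 6, 12)},
    {"host": "hr-app-01", "product": "ExampleERP 7", "last_patched": None},
    {"host": "file-01", "product": "ExampleOS 2022", "last_patched": date(2025, 4, 20)},
    {"host": "legacy-01", "product": "UnknownApp 3", "last_patched": date(2025, 6, 25)},
]

def sample_findings():
    return patch_posture(ASSETS, TODAY)
```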

6. Lack of Documented IT Policies and Procedures.

Auditors do not only examine what your systems do – they examine whether your organization has documented, approved, and communicated the rules governing those systems. Without formal IT policies, even technically sound controls cannot be adequately demonstrated during an audit.

At a minimum, organizations should maintain the following documented and management-approved policies: an IT Security Policy, a Data Protection Policy aligned with Kenyan data protection regulations, an Acceptable Use Policy, a Change Management Policy, and a Password Management Standard.

Common Documentation Gaps.

  • No formal IT policies in existence.
  • Policies exist but have never received management approval.
  • Documents not communicated to or formally acknowledged by staff.
  • Policies not reviewed or updated in over 12 months.

How to Fix It.

  • Develop a comprehensive IT policy suite appropriate to your organization’s size and sector.
  • Obtain formal management sign-off with version control and effective dates.
  • Distribute policies to all relevant staff and retain signed acknowledgements.
  • Schedule annual policy reviews — more frequently where regulations evolve.

Policy development is a core part of the IT governance and risk management support we provide to organizations across Kenya.


7. Shared User Accounts.

Shared login credentials are among the most visible compliance red flags an auditor can encounter. When multiple individuals access a system under a single account, individual accountability is eliminated – making it impossible to attribute transactions, investigate anomalies, or meet regulatory traceability requirements.

When a shared account is used, you no longer have a user – you have a gap in accountability. Auditors understand this immediately.

Why Shared Accounts Are Dangerous.

  • No individual accountability for system actions or transactions.
  • Incident investigation becomes impossible or legally unreliable.
  • Elevated risk of unauthorized or fraudulent access.
  • Direct violation of most compliance and regulatory frameworks.

How to Fix It.

  • Provision unique, named user accounts for every individual in the organization.
  • Enforce strong password policies and mandatory periodic rotation.
  • Deploy an Identity and Access Management (IAM) solution where feasible.
  • Conduct a full audit of existing accounts to identify and eliminate sharing.
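The account audit in the last step can be backed by logon evidence: a named account with overlapping sessions from two workstations, or used from many different sources, is a strong indicator that its password is being passed around. The detector below is an added example, not code from the page or the firm; the log line format and the sample records are constructed, so the regular expression would need adapting to a real system's export.

```python
import re
from collections import defaultdict

# Constructed logon records in a simple text format (not real log output).
SAMPLE_LOG = """
2025-06-30T08:01:12 LOGON user=jdoe src=WS-014
2025-06-30T08:03:40 LOGON user=finance src=WS-021
2025-06-30T08:05:09 LOGON user=finance src=WS-033
2025-06-30T12:10:00 LOGOFF user=jdoe src=WS-014
2025-06-30T13:15:22 LOGON user=jdoe src=WS-014
2025-06-30T17:00:00 LOGOFF user=finance src=WS-021
this line is not in the expected format and is skipped
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGON|LOGOFF) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect_sharing(events, max_sources=1):
    """Return {user: [findings]}. A concurrent session from a second source,
    or use from more than max_sources distinct sources, suggests the
    credentials are being shared between people."""
    active = defaultdict(set)   # user -> sources with an open session
    seen = defaultdict(set)     # user -> every source the account was used from
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, src = ev["user"], ev["src"]
        if ev["event"] == "LOGON":
            others = active[user] - {src}
            if others:  # already logged on elsewhere: two people on one account?
                findings[user].append(
                    f"{ev['ts']}: logon from {src} while still active on {sorted(others)}")
            active[user].add(src)
            seen[user].add(src)
        else:
            active[user].discard(src)
    for user, sources in seen.items():
        if len(sources) > max_sources:
            findings[user].append(f"used from {len(sources)} distinct sources: {sorted(sources)}")
    return dict(findings)

def sample_report():
    return detect_sharing(parse(SAMPLE_LOG))
```

Raise max_sources for staff who legitimately roam between machines; the concurrency finding is the one that holds up regardless.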

8. Insufficient Monitoring and Continuous Review.

Many organizations invest in configuring the right controls at the point of implementation – then fail to sustain ongoing oversight. Controls erode over time. New users are added without proper review. Privileged access accumulates unchecked. System alerts go uninvestigated. By the time an audit surfaces these issues, the exposure may already be significant.

The shift toward continuous monitoring is a defining trend in modern internal auditing globally – and increasingly expected by auditors operating in the Kenyan market.

Common Monitoring Gaps.

  • No periodic user access certification process.
  • System alerts not assigned for review or escalation.
  • No continuous monitoring dashboard or tooling in place.
  • IT oversight responsibility not formally assigned to any individual or function.

How to Fix It.

  • Implement a continuous monitoring framework with clearly assigned ownership.
  • Conduct formal quarterly user access certification exercises.
  • Configure real-time system alerts with defined escalation and response paths.
  • Integrate IT monitoring reporting into board-level governance and audit committee agendas.

For a deeper look at how technology is reshaping audit oversight, read our article on trends in internal auditing.


Address IT Risks Before They Address You.

The IT risks outlined in this guide are not theoretical – they are the issues auditors encounter in Kenyan organizations every audit season. Most arise not from a lack of technology investment, but from gaps in governance, documentation, and sustained oversight. The good news is that each of these risks is entirely addressable with the right expertise and a structured remediation approach.

At Ndakala Advisory LLP, we work with businesses across Kenya to assess IT control environments, identify exposure before auditors do, and implement practical governance improvements that hold up under scrutiny. Our cross-disciplinary team, spanning audit, tax, legal, and advisory, brings an integrated perspective that goes beyond isolated IT checklists.

Whether you are preparing for a statutory audit, responding to prior-year findings, or building a governance framework from the ground up, explore our full range of Advisory Services or find out why organizations across Kenya choose to partner with us.


Ready to strengthen your IT audit readiness? Contact Ndakala Advisory LLP to speak with a specialist and request an IT audit readiness assessment.


This article was prepared by Brenda Mwanyolo, ICT Compliance Analyst at Ndakala Advisory LLP. For advice on IT audit readiness, access controls, IT governance, or cybersecurity compliance, contact our team or visit ndakalaadvisory.co.ke.

Ndakala Advisory LLP | Audit · Tax · Advisory · Consulting | Nairobi, Kenya & Kampala, Uganda.
