The Case for Regulated Information Systems (IS) Audit Profession in Nigeria
Between late 2002 and early 2004, there was a strong advocacy by NITDA, under the late Prof Olalere Ajayi, for the creation of an Information Technology (IT) cadre in the Federal Civil Service. The push eventually received the assent of the Federal Executive Council. The implementation began with six pilot Ministries, among which was the Federal Ministry of Education. The import was that MDAs would have departments of IT with establishment positions up to directorate level.
The reasons for the agitation for the creation of an IT cadre and establishment positions were several. NITDA had been born just about two years thence and realized that Information Technology would not flourish if graduates of IT who found themselves in the civil service did not see a career path. At that time, IT functions were being undertaken by the Planning Research and Statistics Department (PRS). The Directors of PRS departments were not IT professionals. Therefore IT programs suffered poor implementation. The second reason was that since Information Technology had become a key enabler of governance, it needed special attention. The third reason was to attract IT graduates into the civil service due to the advent of e-government, and the massive deployments of IT infrastructure in government.
By 2006, the impetus had waned and a return to status quo was subtly ordered. That meant that the implementation of the IT cadre would not go beyond the pilot stage. But by 2011, a Ministry of Communication Technology was created and Information Technology came within its purview. The matter was revisited by the new Ministry, this time with greater vigor and success. The success has been underscored by the establishment of a thriving Council of Heads of ICT Department chaired by the Honorable Minister of Communication Technology. The Council now serves, among other things, as a platform to implement standards across government.
While all of these developments are certainly praise worthy, something else which is desideratum for sustained development and delivery of best value to government and the nation is severely lacking in the system. I speak about the absence of an Information Systems (IS) Audit cadre. On the surface, this does not appear critical, but close examination will show that today the reasons for mandatory financial audit as part of corporate governance, good as they are, actually pale against the real need for mandatory IS audit in an economy driven no longer by mere capital but by knowledge ( and by its derivatives such as technology). Among the time-honored factors of production, labor won the battle long time ago. But labor didn’t win as labor. It won because it acquired critical information and knowledge, and became innovative, generating technology in the process. The truth though is that over the centuries the sharp lines which divided the factors of production have blurred, but with knowledge becoming a clear key factor. Application of knowledge can make or mar the progress of any company or corporation today. Knowledge errors or technology glitches can bring down century-old corporations. This accounts for the emergence of Information Systems (IS) audit as a core process in corporate organizations overseas.
Unfortunately, IS audit has not really caught on in Nigeria. Only a few private sector corporations recognize its value. But every year, corporations, especially government MDAs, spend billions of naira in procuring and deploying enterprise Information Systems. It is more alarming that within government MDAs there is no institutionalized framework to evaluate the outcome of IT investments, the sustained security of the technologies and the business value of Information Systems. But on the other hand financial audit has enjoyed longstanding corporate acceptance. Yet Information Technology has assumed a very important position in the survival, efficiency and competitiveness of businesses. The entire cash flow of all Fortune 500 companies is linked to Information Systems (Adewoye, 2007). Adewoye has argued that Technology directly affects how managers decide, how they plan and what products and services are produced.
The fact that IT spend is huge and that Information Systems are a dominant feature in business processes are not surprising at all. The real surprise is that Information Systems audit, unlike financial audit, is not yet a regulated profession in Nigeria in spite of the quantum of investments in Information Systems and the place of IT as critical infrastructure in both the public and private sector business processes. Its practice is limited to a few discerning industries such as banking but is almost non-existent in government MDAs. This is where NITDA has a critical developmental and regulatory role to play. Its position as the clearing house for IT in Nigeria puts on her doorsteps the responsibility of developing the framework for, and enabling the emergence of, an Information Systems Audit profession in Nigeria.
The times are most auspicious for the establishment of a regulated IS Audit profession. Most commercial and public entities have migrated their businesses to the online environment, automating their processes, running high security risks and requiring rigorous IS audit. Information infrastructure has become Critical National Infrastructure (CNI), requiring legal protection. A regulated IS audit practice will be a natural bastion of that protection.
Already, several NITDA-inspired actions have prepared the grounds for the emergence of the IS audit profession in both the public and private sectors. In January 2013, the National Information Systems and Network Security Standards and Guidelines version 3.0 was published by NITDA. On December 5 of the same year the Control Objectives for IT and Related Technologies, version 5.0 (COBIT 5) was adopted as a framework for the governance and management of enterprise IT in Nigeria. Both documents are major planks on the platforms for the security and management of Information Systems for national development. A regulatory and compliance framework for both documents will be a critical step in the evolution of the IS audit profession. If NITDA takes that step, as its mandate demands, the Agency would have bequeathed to the indigenous IT industry one of the most far-reaching IT development and governance mechanism.
The instant benefits of the evolution of an IS audit profession and the creation of an IS audit cadre in the public service are many. Every organization in the public and private sector would employ an IS auditor the same way they employ a financial auditor. This will create jobs. Audit departments would have these two main streams of audit for the entrenchment of stronger corporate governance principles. Every organization will require the services of an external IS audit the same way they hire external auditors to authenticate their books and give an independent, objective view of investments to ensure probity and accountability. This will create more jobs and build great Nigerian companies in the mold of Deloitte, PWC, and Ernst and Young.
