ICT auditing for non-ICT auditors


Continuous Professional Development

Accredited training

Competency based

16 CPD points

Course Outcomes

  1. Develop and implement an internal control policy for a South African municipality as required by the local government legislative framework and principles of good government – where assessment criteria 3 relates to “controls are identified in the context of a municipal computerised information system”
  2. Develop and identify critical areas of internal control within a municipal environment.
  3. Identify and establish internal control procedures that are in accordance with relevant municipal legislation and principles of good governance – where COSO, COBIT and ITIL frameworks are included in the material.
  4. Identify and implement the procedures that should be applied to study and review internal controls.
  5. Determine procedures that can be used to formulate a management strategy in relation to information technology resources.
  6. Identify issues, which are associated with the managing of information technology of strategic importance to the municipality.
  7. Understand how management information systems projects are managed.
  8. Understand risk management issues in a management information system.
  9. Understand the nature of costs associated with the management of a management information system.

Course Content

Analysing the different types of automated systems and covering:

  1. Centralised versus Distributed systems;
  2. On-line vs batch systems;
  3. Network concepts;
  4. Operating systems

Covering critical controls (focussing on reliability and integrity of information and safeguarding of information) within processes relating to:

  1. Human resources and payroll processes;
  2. Procure to pay processes;
  3. Order to cash processes;
  4. Financial statement close process;
  5. Logical information security;
  6. Segregation of duties;
  7. User account management;
  8. Application layer security;
  9. Physical and environmental controls;
  10. Controls over IT service management processes (ITIL-based).

Covering critical controls relating to:

  1. Systems development life cycle;
  2. Business continuity management;
  3. Incident Management and the Service Desk Change and Release Management;
  4. IT Service Continuity Management;
  5. Service Level Management.

Procedures to audit the adequacy and effectiveness of each of the key information controls identified:

  1. Perform a walkthrough;
  2. Defining the population to be tested for control effectiveness; and
  3. Test procedures.

Our material uses GTAG 8 – auditing application controls as the basis for the training.  It specifically focuses on:

  1. The risk universe;
  2. The risk assessment process for application processes – including a method to assess the risks;
  3. The identification of key processes on a mega, major and minor basis;
  4. The documenting of the process flows as a tool to correlate the risk and control assessment;
  5. The identification of key controls relating to the:
    • Document phase;
    • Input phase;
    • Processing phase; and the
    • Output phases.
  6. The risk and control matrixes include the elements of the COSO model and the differentiation of the prevention and detection controls.

Application of CAATS in the auditing of data files –

Focus on datamining tools used by Auditor-General:

  1. Purpose of CAATs;
  2. Understanding data and meta data;
  3. Formulating the CAAT specification;
  4. Development, testing and implementation of CAATs

Focussing on the governance process of IT systems, and specifically the COBIT model, the strategy setting, ensuring information systems are compatible, project management risks and cost overruns in the design and implementation of new systems.  Covering critical controls relating to:

  1. Systems development life cycle;
  2. Business continuity management;
  3. Incident Management and the Service Desk Change and Release Management;
  4. IT Service Continuity Management;
  5. Service Level Management

Covering critical risk management within processes relating to:

  1. Understanding common risks related to the information systems environment;
  2. Understanding risk related to data;
  3. Understanding risks related to user developed applications (additional to required content);
  4. Performing an IT risk assessment.

Target Audience

  1. Internal Auditors;
  2. Risk managers
  3. First and second line of defense;
  4. Audit Committee members.
Deon van der Westhuizen Email:, Telephone: +27 83 999 7955

Course Features

  • Lectures 25
  • Quizzes 0
  • Duration 80 hours
  • Skill level All levels
  • Language English
  • Students 49
  • Certificate No
  • Assessments Yes

    1 Comment

  1. February 8, 2024


    I am interested in doing training on IT audit course, how is it delivered and duration of the course.

Leave A Reply

Your email address will not be published. Required fields are marked *

Open chat
Hello 👋
Can we help you? Please send a whatsapp for quick responses