Investing in IT audit

IN today’s rapidly evolving digital landscape, organizations are leveraging technology to enhance efficiency, elevate customer experience, and maintain competitiveness. Cloud computing, online banking, data analytics, mobile applications, and artificial intelligence have become integral to modern business operations.

However, this accelerated transformation also introduces a broader, more complex set of risks — from cyberattacks and data breaches to system failures and regulatory non-compliance.

For institutions under close regulatory scrutiny, such as Bangko Sentral ng Pilipinas (BSP)-supervised financial institutions, understanding and managing technology and cyber risks is essential.

Regulators are likewise heightening expectations. The BSP continues to emphasize stronger cyber resilience across the financial sector. It has proposed cybersecurity self-assessment requirements to help institutions evaluate their cybersecurity maturity, identify vulnerabilities, and strengthen preparedness against evolving threats.

In this environment, information technology audit plays a pivotal role in ensuring that organizations can innovate responsibly while maintaining robust risk management practices.

An IT audit is an independent review of an organization’s technology environment — its systems, processes and controls — to determine whether they are secure, efficient and compliant with internal policies and external regulations.

It helps answer critical questions, such as whether systems are protected from cyberthreats, data is accurate and reliable, regulatory requirements are being met, and controls effectively support the organization’s digital strategy. Ultimately, the purpose of an IT audit is to help organizations use technology safely, responsibly and efficiently while minimizing risk.

As organizations deepen their digital transformation initiatives, the risks they face evolve just as quickly as the technologies they adopt.

Financial and operational data now move across multiple digital platforms, often involving third-party vendors and cloud-based systems.

Greater responsibility

For BSP-supervised institutions, the responsibility is even greater. Regulatory issuances such as BSP Circulars 808, 982 and 1019 mandate strong IT governance, sound risk management, and operational resilience.

The BSP’s proposed cybersecurity self-assessment framework further underscores the need for proactive risk management, requiring institutions to periodically assess their cybersecurity posture, evaluate control effectiveness, and identify areas for improvement.

In this context, IT audit becomes a valuable mechanism for supporting these assessments. It provides independent validation of cybersecurity controls, governance practices, and risk management processes, ensuring that organizations are not only compliant but also resilient.

Emerging technologies such as AI introduce additional governance challenges. Organizations must now consider whether data feeding AI models is accurate, algorithms are fair and transparent, and automated decisions can be audited or explained.

A proactive IT audit helps management address these risks early, ensuring that innovation is implemented responsibly and ethically.

A well-executed IT audit provides a comprehensive review of an organization’s technology environment by examining key areas such as access management, change and incident management, data backup and recovery, cybersecurity and privacy, emerging technologies, and vendor or cloud oversight.

By assessing these critical components, IT audit helps organizations uncover control gaps, address vulnerabilities, and implement practical improvements that strengthen security, enhance operational resilience, and support sound technology governance.

The value of IT audit extends far beyond regulatory compliance. It delivers measurable business benefits by providing regulatory assurance, demonstrating readiness for the BSP and other regulatory reviews.

It enhances cyber resilience by strengthening the organization’s ability to withstand and recover from cyber incidents. It improves operational efficiency by identifying process inefficiencies, reducing redundancies, and driving cost savings. It also builds stakeholder confidence, reinforcing trust among customers, partners, investors and regulators.

In essence, IT audit transforms technology oversight into a strategic advantage — one that supports innovation and stability. As digital transformation accelerates and AI continues to reshape the business landscape, IT audit is no longer just a safeguard; it is a success enabler.

It ensures that technology serves the organization’s goals securely, responsibly and sustainably. For regulated institutions and fast-growing enterprises alike, investing in IT audit is an investment in trust, resilience and long-term success.

-------------------------------------------------------------------------------------------------------------------------

Ryan A. Sabug is the managing partner of Alas, Oplas & Co., CPAs. He is a member of the Association of CPAs in Public Practice (Acpapp) board of directors.

https://www.manilatimes.net/2026/03/18/business/top-business/investing-in-it-audit/2301982