An information technology audit (IT audit) involves a systematic process of appraisal and evaluation of the organization structure, its IT infrastructure systems and processes. The leading purpose of IT audit services is to analyze the work and performance ratings of information systems and data in an institution. Such audits are integral to identifying and avert risks associated with the use of technology in an organizational setup. IT audit services are generally provided by specialized IT auditors who have knowledge and skills of the information technology system in addition to its application on a business aspect. This helps IT auditors to achieve their business goals such as maintaining security, safety and efficiency of the organizations IT infrastructure.
The common types of IT security audits are system and network audits, application audits, cyber security audits, third-party vendor audits, disaster recovery audits, mobile device security audits, wireless network security audits and physical security audits. Financial institutions rely on information technology and audit services to protect their critical infrastructure and networked resources from hackers and implement efficient internal controls that will help manage risks associated with their IT activities including IT security risks as well as operational efficiency of modernization initiatives among others.
This study analyzes the procurement of IT audit services by numerous government agencies and Public Sector Undertakings (PSUs) in India in the year 2023. Among the 8,000+ government agencies, 225 entities announced a total of 714 IT audit tenders across different states with the leading three positions occupied by Delhi (147 tenders), Uttar Pradesh (118 tenders) and Maharashtra (97 tenders).
Cybersecurity audit is a key type of audit undertaken by the government agencies. For example, the Greater Mumbai Municipal Corporation in Maharashtra has published tenders for IT security audit services focused on enhancing the BMC’s cybersecurity initiatives. Similarly, the Tihri Jal Vikas Nigam Limited (THDC) of Uttarakhand has published tenders for conducting cybersecurity audits specifically targeting web and application security.
The Ministry of Education issued many tenders for the procurement of IT audit services. For example, in Jammu and Kashmir, the Ministry of Higher Education issued tenders for web security audits. Similarly, the Department of Higher Education in Uttarakhand released tenders for network security assessment and security audit of application software.
The Indian Railways Catering and Tourism Corporation (IRCTC) published tenders for conducting IT security audits in the various states of India. In IRCTC, IT audit plays an important role in protecting passenger data, prevention of cyber incidents and continuously improving cybersecurity infrastructure. For instance, the IRCTC office in Delhi advertised tenders for the selection of an information security audit organization to conduct a security audit of IRCTC applications. Similarly, IRCTC in Uttar Pradesh also released tenders for the selection of an information security audit organization for the security audit of IRCTC applications.
A total of 147 tenders were released for the procurement of Vulnerability Assessment Penetration Testing (VAPT) services. While an IT audit service provides a comprehensive assessment of an organizations overall IT environment, VAPT focuses on targeted testing to identify and improve specific weaknesses. Integrating both approaches enables organizations to establish an appropriately layered cybersecurity strategy that addresses security and governance technology components. For example, Gujarat Gas Ltd published tenders for VAPT equipment including vulnerability analysis and penetration testing scanner with a three-year support period.
The banking industry published several VAPT tenders in recognition of its critical role as an integral part of the cybersecurity strategy in this industry. This approach helps financial institutions prevent cyberattacks, protect customer information and ensure that customers have unwavering trust and confidence in their banking operations in various fields. Moreover, in Tamil Nadu, LIC published tenders for conducting comprehensive information systems assessment of banks’ information and communication technology infrastructure. The Agriculture Department Punjab in Chandigarh published tenders for Vulnerability Assessment and Penetration Testing (VAPT) for the PSWC portal and IT infrastructure. Similarly, Telecommunications Consultants India Limited (TCIL) in Delhi released tenders to select a service provider for vulnerability assessment and penetration testing (VAPT) of IT infrastructure and security audit certification of web portals and websites affiliated with TCIL.
The VAPT is often done along with application security audit. Webel Technology Limited in West Bengal for example advertised tenders for the empanelment of application security audit and vulnerability assessment penetration testing for web applications and mobile applications through certification in empaneled information security organizations. This arrangement is designated to be treated as a rate contract. Similarly, CPCL in Tamil Nadu published tenders for conducting VAPT audits on CPCL public IPs specifically for CPCL Manali.
As of January 28, 2024, there are 38 live tenders for IT audit services being promoted by different government agencies in various states of India. Delhi has 13 tenders at 33%, Uttar Pradesh has 6 tenders at 15%, Maharashtra has 5 tenders at 13%, and Tamil Nadu, Madhya Pradesh, and Haryana each have 4 tenders at 10%. Finally, Jammu and Kashmir contributed 3 tenders at 8%.
This study highlights the strong demand from government agencies in India for IT audit services. The extensive issuance of tenders underscores the significance of IT audit services in guaranteeing the security, compliance and efficiency of information technology systems across various regions. Therefore, organizations offering these IT audit services are advised to proactively monitor and engage in pertinent tenders to capitalize on upcoming business opportunities.
