IT Governance, Audit and Risks Management in Banks: A Narrative Literature Review and Future Research Agenda

DOI:

https://doi.org/10.34190/icair.5.1.4352

Keywords:

IT Governance, Risk Management, COBIT, AI adoption, banks AI

Abstract

The increasing digitalization of the banking sector has significantly reshaped institutional control mechanisms and governance structures, particularly in the realm of Information Technology (IT). This narrative literature review examines the evolving role of IT audit and governance in banks, with a specific focus on how these mechanisms contribute to risk management and regulatory compliance. Drawing upon a corpus of 26 peer-reviewed studies spanning from the early 2000s to 2025, this paper offers an integrated framework to understand the complex interrelations between IT governance, internal auditing, emerging technologies, and institutional oversight. Our literature review situates IT audit practices within broader organizational, cultural, and regulatory contexts. It explores how frameworks such as COBIT and COSO serve not only as technical guides but also as institutional artifacts that shape organizational behavior, strategic decision-making, and normative compliance. The review reveals that the role of IT audit has expanded from a purely technical function to a strategic enabler of trust, transparency, and accountability within financial institutions. Furthermore, audit committees and specialized board-level IT committees are shown to play a critical role in translating technological risks into governance priorities, thereby fostering a culture of proactive risk mitigation. Our analysis addresses the competencies of IT auditors, emphasizing the increasing demand for specialized skills in cybersecurity, data governance, and AI-integrated systems. The findings suggest that organizations with robust IT governance structures and trained audit personnel are better equipped to address technological disruptions and regulatory pressures. Moreover, the integration of Artificial Intelligence (AI) into audit processes is identified as both a transformative opportunity and a governance challenge. 
This paper contributes to the literature by providing a picture that connects technical auditing practices with broader sociotechnical systems. It identifies critical gaps in current audit practices, highlights the importance of organizational culture and ethics in IT governance, and proposes avenues for future research, particularly on the intersection of AI, audit methodologies, and institutional compliance.

Author Biographies

Paola Demartini, Roma Tre University

Paola Demartini is Full Professor of Management and Accounting at Roma Tre University, Department of Business Studies. She is the Head of the Corporate Governance Lab, included in the Rome Technopole research infrastructure, and head of the book series Corporate Governance and Scenarios from Roma TrePress. She has published more than 150 academic contributions. Information systems and decision making is one of her streams of research.

Flavia Cocuccioni, Roma Tre University

Flavia Cocuccioni obtained a master's degree in Finance from Roma Tre University. She currently works as an auditor in the field of IT and data governance in the financial sector.

Published

2025-12-04