IT Audit and Control in Sri Lanka: Laws, Risks, and the Role of Auditors

Why IT Audit Matters Today

In today’s digital world, information technology plays a crucial role in how organizations operate, communicate, and deliver services. Activities such as online banking, e-commerce, cloud computing, and social media depend heavily on IT systems that process large volumes of data every day. While these technologies improve efficiency and support economic growth, they also introduce serious risks such as cyberattacks, data breaches, online fraud, and misuse of personal information.

To manage these risks, organizations must implement effective IT audit and control mechanisms. IT audit and control focus on ensuring that information systems are secure, reliable, compliant with laws, and aligned with business objectives.

In Sri Lanka, the importance of IT audit has grown significantly in recent years due to the introduction of new digital laws and regulations. These laws aim to protect personal data, improve cybersecurity, and regulate online activities within the country.


Growth of IT Laws in Sri Lanka

Over the past two decades, Sri Lanka has introduced several important laws to govern the use of information technology. These include:

  • Electronic Transactions Act (2006)

  • Computer Crimes Act (2007)

  • Personal Data Protection Act (2022)

  • Online Safety Act (2024)

In addition, the proposed Cyber Security Act further strengthens national oversight of critical information systems. (Legal resources - ICTA website)

These laws place clear responsibilities on organizations to implement proper IT controls and prove compliance through audits. Unlike international frameworks such as ISO 27001, NIST, or COBIT, which are voluntary, Sri Lankan laws are mandatory and legally enforceable.

As a result, IT audits in Sri Lanka must balance global best practices with local legal requirements.

💻 Electronic Transactions Act (ETA) No. 19 of 2006

The Electronic Transactions Act provides the legal foundation for electronic commerce, digital business, and e-government services in Sri Lanka. It recognizes electronic contracts, records, and data messages as legally valid. (ELECTRONIC TRANSACTIONS ACT, No. 19 OF 2006)

Section 3 of the Act ensures that electronic documents have the same legal effect as paper-based documents. The Act is technology-neutral, allowing it to remain relevant despite rapid changes in digital technologies.

In 2017, amendments aligned the Act with UNCITRAL Model Laws, making Sri Lanka the first country in South Asia to adopt these international standards. This strengthens legal certainty and cross-border electronic trade.

For IT audits, key control areas include:

  • Integrity and authenticity of electronic records

  • Secure digital signature management

  • Retention and availability of electronic evidence


🔑Digital Signatures and Authentication

(Electronic Transactions Act No. 19 of 2006, as amended by the Electronic Transactions (Amendment) Act No. 25 of 2017)

As digital transactions increase, so does the risk of identity theft and fraud. The Electronic Transactions Act legally recognizes electronic signatures and digital certificates to address these risks. (Legal resources - ICTA website)

Sri Lanka’s National Certification Authority (NCA), operated by Sri Lanka CERT, regulates Certification Service Providers and ensures trust and integrity in digital authentication.

IT auditors must assess:

  • Certificate lifecycle management

  • Authentication controls

  • Cryptographic integrity

  • Compliance with NCA standards

Strong authentication directly supports trust in e-commerce and e-government platforms. 



🖥️ Computer Crimes Act No. 24 of 2007

The Computer Crimes Act is Sri Lanka’s primary law addressing cybercrime and computer-related offenses (COMPUTER CRIMES ACT, No. 24 OF 2007). Traditional laws such as the Penal Code were inadequate for handling crimes in digital environments, as they focused on physical property and physical entry.

This created legal gaps where cyber offenders could avoid responsibility. The Computer Crimes Act addressed this issue by clearly defining offenses such as unauthorized access, data modification, interception, and denial-of-service attacks. The Act was inspired by the UK Computer Misuse Act of 1990 and treats cyber threats to national security and the economy as serious crimes.

Sri Lanka’s ratification of the Budapest Convention on Cybercrime further strengthened this framework by enabling international cooperation and better handling of electronic evidence.

From an IT audit and control perspective, auditors must evaluate whether organizations have implemented:

  • Strong access control mechanisms

  • System monitoring and logging

  • Audit trails that preserve electronic evidence

  • Incident response and reporting procedures

Failure to maintain these controls increases cyber risk and legal exposure, highlighting the critical role of IT audits.




🔐 Personal Data Protection Act (PDPA) No. 09 of 2022

The Personal Data Protection Act (PDPA) represents a major shift in Sri Lanka’s approach to privacy and data governance. Its main objective is to protect individuals’ personal data while allowing organizations to process data lawfully for business and public interest purposes. (PERSONAL DATA PROTECTION ACT, No. 9 OF 2022)

From an IT audit perspective, accountability is a key principle introduced by the PDPA. Organizations must implement a Data Protection Management Programme (DPMP) that includes policies, procedures, risk assessments, and internal controls. IT auditors are required to assess whether these controls are properly designed and effectively implemented.

Key IT control areas under the PDPA include:

  • Access controls to restrict personal data access

  • Data minimization to collect only necessary data

  • Audit logs and monitoring to detect unauthorized access

  • Data Protection Impact Assessments (DPIAs) for high-risk processing

The PDPA is heavily influenced by the EU’s GDPR, making compliance especially important for Sri Lankan IT and BPO companies handling foreign data. Strong PDPA compliance increases international trust and supports cross-border data processing.




🌍 Online Safety Act No. 09 of 2024

The Online Safety Act focuses on addressing online harm, impersonation, harassment, and public order risks. It introduces concepts such as prohibited statements and declared online locations, overseen by the Online Safety Commission. (ONLINE SAFETY ACT, No. 9 OF 2024)

From an IT audit perspective, organizations must implement:

  • Content moderation controls

  • Identity verification mechanisms

  • Incident reporting and escalation processes

  • Governance and oversight of platform decisions

Although concerns exist regarding freedom of expression, the Act includes judicial oversight and appeal mechanisms. Transparent IT governance is essential to balance safety and rights.

Global frameworks such as ISO 27001, NIST, and COBIT provide structured guidance for designing and managing IT controls. However, they are voluntary.

Sri Lankan laws are mandatory and enforceable, with penalties for non-compliance. Therefore, IT auditors must ensure that organizations comply with both.

"Frameworks guide how to control, while laws define what must be controlled."

Despite strong legislation, gaps remain. Enforcement of the PDPA is still developing, the Online Safety Act raises concerns about overreach, and emerging technologies such as AI and IoT are not yet fully regulated. Delays in investigations further reduce effectiveness.

By strengthening enforcement, integrating global frameworks with local laws, and improving audit practices, Sri Lanka can protect citizens, attract foreign investment, and position itself as a trusted global IT hub.
Comments

  1. This is an excellent breakdown of the legal landscape for IT auditing in Sri Lanka. The distinction you made between voluntary frameworks like ISO and mandatory local laws like the PDPA is a crucial one that many organizations overlook. I’m particularly interested to see how local SMEs will manage the cost and complexity of these compliance requirements moving forward. Great read!

    1. Thanks, Theekshana!
      Yes, you’re right. Mithuni also pointed out the same thing below, and in my opinion a practical way forward is to focus on the highest-risk areas first, implement basic controls, and gradually scale up, while using affordable tools or outsourced support where possible.

      This approach lets SMEs meet legal requirements without compromising operations or innovation.

  2. Great breakdown of how Sri Lanka’s IT audit landscape is evolving and why compliance isn’t just a best practice but a legal mandate now - especially with laws like the Personal Data Protection Act and Online Safety Act shaping control environments and risk landscapes. It’s refreshing to see the legal context tied back to real‑world audit responsibilities and not just ISO frameworks. Considering many local orgs still struggle to balance regulatory compliance with cost and operational efficiency, I’m curious:

    How do you see SMEs in Sri Lanka realistically scaling their IT audit maturity - especially around PDPA and Online Safety Act compliance without compromising innovation or overburdening limited IT budgets?

    1. Thanks, Mithuni!
      Yes, you’re right, following all laws can be tricky and costly, but since it’s the law, there’s no option to ignore it.
      They can start with the most critical risks, put in basic controls like access restrictions and simple audit logs, train staff, and use affordable tools or outsource when needed.
      In this way, SMEs can follow the law step by step without overburdening their budgets or slowing down innovation.

  3. Well written and highly relevant!
    A clear explanation of why IT audit matters today, especially in Sri Lanka’s evolving legal landscape. Very informative and practical 👏🔐

    1. Thank you, Rashmi! 😊 Glad you found it relevant and informative.

  4. This is a very informative and well-written article on IT audit and control in the Sri Lankan context. I like how you clearly explain the relevant laws, regulations, and their importance in ensuring accountability, data protection, and system security. The practical focus makes it easy to understand how IT audit supports compliance and good governance. Great work

    1. Thank you, Krishna! Really appreciate your kind feedback.

  5. Really informative article, Isuri! I liked how you clearly connected Sri Lanka’s IT laws with practical IT audit and control requirements, especially the focus on PDPA and cybercrime risks. It does a great job of showing why IT auditing is becoming so important in the local and global context.
    With Sri Lanka having mandatory IT laws alongside voluntary global frameworks like ISO 27001 and COBIT, how do you think IT auditors can best balance legal compliance with adopting international best practices in organizations?

    1. Thanks, Tharushi!
      That’s a really good question.
      Based on my reading and experience, organizations and auditors should treat Sri Lankan laws as the must-do basics, and global frameworks as the tools that help them do it properly. Laws like the PDPA, Computer Crimes Act, and Online Safety Act aren’t optional, so organizations must first comply with the legal requirements of the jurisdiction they operate in, whether that is Sri Lanka, Silicon Valley, or elsewhere. Because of that, IT auditors need at least a good awareness of these laws, or they should work closely with legal or regulatory experts. If an auditor already has that legal knowledge, it’s definitely a big plus.
      Once the legal side is covered, frameworks like ISO 27001, COBIT, or NIST can be brought in. A lot of what these frameworks recommend already overlaps with local legal requirements, so auditors can map what’s already in place and then improve things step by step. A phased, risk-based approach allows organizations to meet legal obligations first and gradually align with international best practices without overwhelming operations or budgets. Over time, this improves governance, control maturity, resilience, and credibility, especially for organizations operating in international markets.

  6. Excellent insights! This blog clearly explains why IT audits are more crucial than ever in Sri Lanka, linking legal requirements with practical IT controls. Very informative and well-structured!

  7. This is a very informative and well-written blog that clearly explains the importance of IT audit in today’s digital landscape. I like how you connected global IT risks like cyberattacks and data breaches with the local context in Sri Lanka, highlighting the relevance of new digital laws and regulations. The discussion effectively shows why IT audit is essential for ensuring security, compliance, and alignment with business objectives. Great work! 👏
