Booklet: Audit
Section: Introduction

This “Audit Booklet” is one of several booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) and provides guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) audit function. This booklet replaces and rescinds Chapter 8 of the 1996 FFIEC Information Systems Examination Handbook. It should be used by examiners of the FFIEC member agencies as a foundation from which they can assess the quality and effectiveness of an institution’s IT audit program. It describes the roles and responsibilities of the board of directors, management, and internal or external auditors; identifies effective practices for IT audit programs; and details examination objectives and procedures. Agency examiners will use the examination procedures in Appendix A to assess the adequacy of IT audit programs at both financial institutions and technology service providers. The examination guidance and procedures in this booklet focus on IT audit and supplement other, more general, internal and external audit guidance provided by the FFIEC agencies.

A well-planned, properly structured audit program is essential to evaluate risk management practices, internal control systems, and compliance with corporate policies concerning IT-related risks at institutions of every size and complexity. Effective audit programs are risk-focused, promote sound IT controls, ensure the timely resolution of audit deficiencies, and inform the board of directors of the effectiveness of risk management practices. An effective IT audit function may also reduce the time examiners spend reviewing areas of the institution during examinations. Ideally, the audit program would consist of a full-time, continuous program of internal audit coupled with a well-planned external auditing program.

The financial industry must plan, manage, and monitor rapidly changing technologies to enable it to deliver and support new products, services, and delivery channels. The rate of these changes and the resulting increased reliance on technology make the inclusion of IT audit coverage essential to an effective overall audit program. The audit program should address IT risk exposures throughout the institution, including the areas of IT management and strategic planning, data center operations, client/server architecture, local and wide-area networks, telecommunications, physical and information security, electronic banking, systems development, and business continuity planning. IT audit should also focus on how management determines the risk exposure from its operations and controls or mitigates that risk.

To determine what risks exist, management should prepare an independent assessment of the institution’s risk exposure and the quality of the internal controls associated with the development, acquisition, implementation, and use of information technology. An institution’s IT audit function can provide this independent assessment within the context of the overall audit function and can include work performed by both internal and external auditors and by other independent third parties as appropriate for the institution’s complexity and level of internal expertise. The FFIEC member agencies believe that a strong internal auditing function combined with a well-planned external auditing function substantially increases the probability that an institution will detect potentially serious technology-related problems. An effective IT audit program should:

- Identify areas of greatest IT risk exposure to the institution in order to focus audit resources;
- Promote the confidentiality, integrity, and availability of information systems;
- Determine the effectiveness of management’s planning and oversight of IT activities;
- Evaluate the adequacy of operating processes and internal controls;
- Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures; and
- Require appropriate corrective action to address deficient internal controls and follow up to ensure management promptly and effectively implements the required actions.

The examiner is responsible for evaluating the effectiveness of the IT audit function in meeting these objectives. The examiner should also consider the institution’s ability to promptly detect and report significant risks to the board of directors and senior management. Examiners should take into account the institution’s size, complexity, and overall risk profile when performing this and other evaluations. Examiners should consider the following issues when evaluating the IT audit function:

- Independence of the audit function and its reporting relationship to the board of directors or its audit committee;
- Expertise and size of the audit staff relative to the IT environment;
- Identification of the IT audit universe, risk assessment, scope, and frequency of IT audits;
- Processes in place to ensure timely tracking and resolution of reported weaknesses; and
- Documentation of IT audits, including work papers, audit reports, and follow-up.