Booklet: Audit
Section: IT Audit Roles and Responsibilities

Action Summary

BOARD OF DIRECTORS AND SENIOR MANAGEMENT
The board of directors and senior management are responsible for ensuring
that the institution’s system of internal controls operates effectively.
One important element of an effective internal control system is an internal
audit function that includes adequate IT coverage.
To meet its responsibility of providing an independent audit function with
sufficient resources to ensure adequate IT coverage, the board of directors
or its audit committee should:
- Provide an internal audit function capable of evaluating IT controls,
- Engage outside consultants or auditors to perform the internal audit function, or
- Use a combination of both methods to ensure that the institution has received adequate IT audit coverage.
An institution’s board of directors may establish an “audit
committee” to oversee audit functions and to report on audit matters
periodically to the full board of directors. For purposes of this booklet,
the term “audit committee” means the committee with audit
oversight regardless of the type of financial institution.
Audit committee members should have a clear understanding of the importance
and necessity of an independent audit function.
To comply with the Sarbanes-Oxley Act of 2002, public stock-issuing
institutions are required to appoint outside directors as
audit committee members. All members of a stock-issuing institution’s
audit committee must be members of the board of directors and be independent
(i.e., not otherwise compensated by, or affiliated with, the institution).
Additionally, 12 CFR 363 (Federal Deposit Insurance Corporation Improvement
Act, or FDICIA) requires all depository institutions with total assets
greater than $500 million to have independent audit committees. Although
not all institutions are subject to these requirements due to their corporate
structure (Sarbanes-Oxley) or their size (FDICIA), it is generally considered
good practice that they use them as guidelines to ensure the independence
of their audit committees.
The board of directors should ensure that written guidelines for conducting
IT audits have been adopted. The board of directors or its audit committee
should assign responsibility for the internal audit function to a member
of management (hereafter referred to as the “internal audit manager”)
who has sufficient audit expertise and is independent of the operations
of the business.
The board should give careful thought to the placement of the audit function
in relation to the institution's management structure. The board should
have confidence that the internal audit staff members will perform their
duties with impartiality and not be unduly influenced by senior management
and managers of day-to-day operations. Accordingly, the internal audit
manager should report directly to the board of directors or its audit
committee.
The board or its audit committee is responsible for reviewing and approving
audit strategies (including policies and programs), and monitoring the
effectiveness of the audit function. The board or its audit committee
should be aware of, and understand, significant risks and control issues
associated with the institution’s operations, including risks in
new products, emerging technologies, information systems, and electronic
banking. Control issues and risks associated with reliance on technology
can include:
- Inappropriate user access to information systems,
- Unauthorized disclosure of confidential information,
- Unreliable or costly implementation of IT solutions,
- Inadequate alignment between IT systems and business objectives,
- Inadequate systems for monitoring information processing and transactions,
- Ineffective training programs for employees and system users,
- Insufficient due diligence in IT vendor selection,
- Inadequate segregation of duties,
- Incomplete or inadequate audit trails,
- Lack of standards and controls for end-user systems,
- Ineffective or inadequate business continuity plans, and
- Financial losses and loss of reputation related to systems outages.
The board or its audit committee members should seek training to fill
any gaps in their knowledge related to IT risks and controls. The board
of directors or its audit committee should periodically meet with both
internal and external auditors to discuss audit work performed and conclusions
reached on IT systems and controls.
AUDIT MANAGEMENT
The internal audit manager is responsible for implementing board-approved
audit directives. The manager oversees the audit function and provides
leadership and direction in communicating and monitoring audit policies,
practices, programs, and processes. The internal audit manager should
establish clear lines of authority and reporting responsibility for all
levels of audit personnel and activities. The internal audit manager also
should ensure that members of the audit staff possess the necessary independence,
experience, education, training, and skills to properly conduct assigned
activities.
The internal audit manager should be responsible for internal control risk
assessments, audit plans, audit programs, and audit reports associated
with IT. Audit management should oversee the staff assigned to perform
the internal audit work, should establish policies and procedures to guide
the audit staff, and should ensure the staff has the expertise and resources
to identify inherent risks and assess the effectiveness of internal controls
in the institution’s IT operations.
INTERNAL IT AUDIT STAFF
The primary role of the internal IT audit staff is to assess independently
and objectively the controls, reliability, and integrity of the institution’s
IT environment. These assessments can help maintain or improve the efficiency
and effectiveness of the institution’s IT risk management, internal
controls, and corporate governance.
Internal auditors should evaluate IT plans, strategies, policies, and procedures
to ensure adequate management oversight. Additionally, they should assess
the day-to-day IT controls to ensure that transactions are recorded and
processed in compliance with acceptable accounting methods and standards
and are in compliance with policies set forth by the board of directors
and senior management. Auditors also perform operational audits, including
system development audits, to ensure that internal controls are in place,
that policies and procedures are effective, and that employees operate
in compliance with approved policies. Auditors should identify weaknesses,
review management’s plans for addressing those weaknesses, monitor
their resolution, and report to the board as necessary on material weaknesses.
Auditors should make recommendations to management about procedures that affect
IT controls. In this regard, the board and management should involve the
audit department in the development process for major new IT applications.
The board and management should develop criteria for determining those
projects that need audit involvement. Audit’s role generally entails
reviewing the control aspects of new applications, products, conversions,
or services throughout their development and implementation. Early IT
audit involvement can help ensure that proper controls are in place from
inception. However, the auditors should be careful not to compromise,
or even appear to compromise, their independence when involved in these
projects.
OPERATING MANAGEMENT
Operating management should formally and effectively respond to IT audit
or examination findings and recommendations. The audit procedures should
clearly identify the methods for following up on noted audit or control
exceptions or weaknesses. Operating management is responsible for correcting
the root causes of the audit or control exceptions, not just treating
the exceptions themselves. Response times for correcting noted deficiencies
should be reasonable and may vary depending on the complexity of the corrective
action and the risk of inaction. Auditors should document, report, and
track recommendations and outstanding deficiencies. Additionally, auditors
should conduct timely follow-up audits to verify the effectiveness of
management’s corrective actions for significant deficiencies.
EXTERNAL AUDITORS
External auditors typically review IT control procedures as part of their
overall evaluation of internal controls when providing an opinion on the
adequacy of an institution's financial statements. As a rule, external
auditors review the general and application controls affecting the recording
and safeguarding of assets and the integrity of controls over financial
statement preparation and reporting. General controls include the plan
of organization and operation, documentation procedures, access to equipment
and data files, and other controls affecting overall information systems
operations. Application controls relate to specific information systems
tasks and provide reasonable assurance that the recording, processing,
and reporting of data are properly performed.
External auditors may also review the IT control procedures as part of an outsourcing
arrangement in which they are engaged to perform all or part of the duties
of the internal audit staff. Such arrangements are discussed in more detail
in the “Outsourcing Internal IT Audit” section of this booklet.
The extent of external audit work, including work related to information systems,
should be clearly defined in an engagement letter. Such letters should
discuss the scope of the audit, the objectives, resource requirements,
audit timeframe, and resulting reports. Examiners will typically review
the engagement letter, reports, and audit work papers to determine the
extent to which they can rely on external audit coverage and reduce their
examination scope accordingly.