Appendix A: Examination Procedures (Audit Booklet)
Examination objectives allow the examiner to determine the
quality and effectiveness of the audit function related to IT
controls. These procedures will disclose the adequacy of audit
coverage and to what extent, if any, the examiner may rely upon the
procedures performed by the auditors in determining the scope of
the IT examination.
TIER I OBJECTIVES AND PROCEDURES
Objective 1: Determine the scope and objectives of
the examination of the IT audit function and coordinate with
examiners reviewing other programs.
1. Review past reports for outstanding issues, previous
problems, or high-risk areas with insufficient coverage related to
2. Review the most recent IT internal and external audit reports
in order to determine:
3. Review management's response to issues raised since the last
4. Assess the quality of the IT audit function.
Using the results from the preceding procedures and
discussions with the EIC, select from the following examination
procedures those necessary to meet the examination objectives.
Note: examinations do not necessarily require all
Objective 2: Determine the quality of the oversight and
support of the IT audit function provided by the board of directors
and senior management.
1. Review board resolutions and audit charter to determine
the authority and mission of the IT audit function.
2. Review and summarize the minutes of the board or audit
committee for member attendance and supervision of IT audit
3. Determine if the board reviews and approves IT policies,
procedures, and processes.
4. Determine if the board approves audit plans and schedules,
reviews actual performance of plans and schedules, and approves
major deviations to the plan.
5. Determine if the content and timeliness of audit reports
and issues presented to and reviewed by the board of directors or
audit committee are appropriate.
6. Determine whether the internal audit manager and the
external auditor report directly to the board or to an appropriate
audit committee and, if warranted, have the opportunity to escalate
issues to the board both through the normal audit committee process
and through more direct communication with outside
Objective 3: Determine the credentials of the board of
directors or its audit committee related to their ability to
oversee the IT audit function.
1. Review credentials of board members related to abilities
to provide adequate oversight. Examiners should:
2. Determine if the composition of the audit committee is
appropriate considering entity type and complies with all
applicable laws and regulations. Note - If the institution is a
publicly traded company, this is a requirement of Sarbanes-Oxley.
Additionally, this is a requirement of FDICIA for institutions with
total assets greater than $500 million.
Objective 4: Determine the qualifications of the IT
audit staff and its continued development through training and
1. Determine if the IT audit staff is adequate in number and
is technically competent to accomplish its mission.
Objective 5: Determine the level of audit
1. Determine if the reporting process for the IT audit is
independent in fact and in appearance by reviewing the degree of
control persons outside of the audit function have on what is
reported to the board or audit committee.
2. Review the internal audit organization structure for
independence and clarity of the reporting process. Determine
whether independence is compromised by:
Objective 6: Determine the existence of timely and
formal follow-up and reporting on management's resolution of
identified IT problems or weaknesses.
1. Determine whether management takes appropriate and timely
action on IT audit findings and recommendations and whether audit
or management reports the action to the board of directors or its
audit committee. Also, determine if IT audit reviews or tests
management's statements regarding the resolution of findings and
2. Obtain a list of outstanding IT audit items and compare
the list with audit reports to ascertain completeness.
3. Determine whether management sufficiently corrects the
root causes of all significant deficiencies noted in the audit
reports and, if not, determine why corrective action is not
Objective 7: Determine the adequacy of the overall
audit plan in providing appropriate coverage of IT risks.
1. Interview management and review examination information to
identify changes to the institution's risk profile that would
affect the scope of the audit function. Consider:
2. Review the institution's IT audit standards manual
and/or IT-related sections of the institution's general audit
manual. Assess the adequacy of policies, practices, and procedures
covering the format and content of reports, distribution of
reports, resolution of audit findings, format and contents of work
papers, and security over audit materials.
Objective 8: Determine the adequacy of audit's risk
analysis methodology in prioritizing the allocation of audit
resources and formulating the IT audit schedule.
1. Evaluate audit planning and scheduling criteria,
including risk analysis, for selection, scope, and frequency of
audits. Determine if:
2. Determine whether the institution has appropriate
standards and processes for risk-based auditing and internal risk
Objective 9: Determine the adequacy of the scope,
frequency, accuracy, and timeliness of IT-related audit
1. Review a sample of the institution's IT-related audit
reports and work papers for specific audit ratings, completeness,
and compliance with board and audit committee-approved
2. Analyze the internal auditor's evaluation of IT controls
and compare it with any evaluations done by examiners.
3. Evaluate the scope of the auditor's work as it relates to
the institution's size, the nature and extent of its activities,
and the institution's risk profile.
4. Determine if the work papers disclose that specific
program steps, calculations, or other evidence support the
procedures and conclusions set forth in the reports.
5. Determine through review of the audit reports and work
papers if the auditors accurately identify and consistently report
weaknesses and risks.
6. Determine if audit report content is:
Objective 10: Determine the extent of audit's
participation in application development, acquisition, and testing,
as part of the organization's process to ensure the effectiveness
of internal controls.
1. Discuss with audit management and review audit policies
related to audit participation in application development,
acquisition, and testing.
2. Review the methodology management employs to notify the IT
auditor of proposed new applications, major changes to existing
applications, modifications/additions to the operating system, and
other changes to the data processing environment.
3. Determine the adequacy and independence of audit
Objective 11: If the IT internal audit function, or
any portion of it, is outsourced to external vendors, determine its
effectiveness and whether the institution can appropriately rely on
1. Obtain copies of:
2. Review the outsourcing contracts/engagement letters and
policies to determine whether they adequately:
3. Consider arranging a meeting with the IT audit vendor
to discuss the vendor's outsourcing internal audit program and
determine the auditor's qualifications.
4. Determine whether the outsourcing arrangement maintains or
improves the quality of the internal audit function and the
institution's internal controls. The examiner should:
5. Determine whether key employees of the institution and
the audit vendor clearly understand the lines of communication and
how any internal control problems or other matters noted by the
audit vendor during internal audits are to be
6. Determine whether management or the audit vendor revises
the scope of outsourced audit work appropriately when the
institution's environment, activities, risk exposures, or systems
7. Determine whether the directors ensure that the
institution effectively manages any outsourced internal audit
8. Determine whether the directors perform sufficient due
diligence to satisfy themselves of the audit vendor's competence
and objectivity before entering the outsourcing arrangement.
9. If the audit vendor also performs the institution's
external audit or other consulting services, determine whether the
institution and the vendor have discussed, determined, and
documented that applicable statutory and regulatory independence
standards are being met. Note - If the institution is a publicly
traded company, this is a requirement of Sarbanes-Oxley.
Additionally, this is a requirement of FDICIA for institutions with
total assets greater than $500 million.
10. Determine whether an adequate contingency plan exists to
reduce any lapse in audit coverage, particularly coverage of
high-risk areas, in the event the outsourced audit relationship is
Objective 12: Determine the extent of external audit
work related to IT controls.
1. Review engagement letters and discuss with senior
management the external auditor's involvement in assessing IT
2. If examiners rely on external audit work to limit
examination procedures, they should ensure audit work is adequate
through discussions with external auditors and reviewing work
papers if necessary.
Objective 13: Determine whether management effectively
oversees and monitors any significant data processing services
provided by technology service providers:
1. Determine whether management directly audits the service
provider's operations and controls, employs the services of
external auditors to evaluate the servicer's controls, or receives
sufficiently detailed copies of audit reports from the technology
2. Determine whether management requests applicable
regulatory agency IT examination reports.
3. Determine whether management adequately reviews all
reports to ensure the audit scope was sufficient and that all
deficiencies are appropriately addressed.
Objective 14: Discuss corrective actions and
1. Determine the need to perform Tier II procedures for
additional validation to support conclusions related to any of the
Tier I objectives.
2. Using results from the above objectives and/or audit's
internally assigned audit rating or audit coverage, determine the
need for additional validation of specific audited areas and, if
3. Using results from the review of the IT audit function,
including any necessary Tier II procedures:
4. Review preliminary examination conclusions with the
examiner-in-charge (EIC) regarding:
5. Discuss examination findings with management and obtain
proposed corrective action for significant deficiencies.
6. Document examination conclusions, including a proposed
audit component rating, in a memorandum to the EIC that provides
report-ready comments for all relevant sections of the report of
7. Document any guidance to future examiners of the IT audit
8. Organize examination work papers to ensure clear support
for significant findings and conclusions.
TIER II OBJECTIVES AND PROCEDURES
The Tier II examination procedures for the IT audit process
provide additional verification procedures to evaluate the
effectiveness of the IT audit function. These procedures are
designed to assist in achieving examination objectives and scope
and may be used entirely or selectively.
Tier II questions correspond to URSIT rating areas and can be
used to determine where the examiner may rely upon audit work in
determining the scope of the IT examination for those areas.
Examiners should coordinate this coverage with other
examiners to avoid duplication of effort with the examination
procedures found in other IT Handbook booklets.
1. Determine whether audit procedures for management
B. SYSTEMS DEVELOPMENT AND ACQUISITION
1. Determine whether audit procedures for systems development
and acquisition and related risk management adequately
1. Determine whether audit procedures for operations
D. INFORMATION SECURITY
1. Determine whether audit procedures for information
security adequately consider the risks in information security and
e-banking. Evaluate whether:
2. Determine whether audit procedures for information
security adequately consider compliance with the "Interagency
Guidelines Establishing Standards for Safeguarding Customer
Information," as mandated by Section 501(b) of the
Gramm-Leach-Bliley Act of 1999. Consider evaluating whether
E. PAYMENT SYSTEMS
1. Determine whether audit procedures for payment systems
risk adequately consider the risks in wholesale electronic
funds transfer (EFT). Evaluate whether:
Adequate operating policies and procedures govern all
activities, both in the wire transfer department and in the
originating department, including authorization, authentication,
and notification requirements;
2. Determine whether audit procedures for payment
systems risk adequately consider the risks in retail EFT
(automatic teller machines, point-of-sale, debit cards, home
banking, and other card-based systems including VISA/Master Charge
compliance). Evaluate whether:
3. Determine whether audit procedures for payment systems
risk adequately consider the risks in automated clearing house
(ACH). Evaluate whether:
1. Determine whether audit procedures for
outsourcing activities adequately cover the risks when
IT service is provided to external users. Evaluate
2. Determine whether audit procedures for outsourced
activities are adequate. Evaluate whether: