This "Audit Booklet" is one of several booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) and provides guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) audit function. This booklet uses the terms "institution" and "financial institution" to describe insured banks, thrifts, and credit unions, as well as technology service providers that provide services to such entities. This booklet replaces and rescinds Chapter 8 of the 1996 FFIEC Information Systems Examination Handbook. It should be used by examiners of the FFIEC member agencies (Board of Governors of the Federal Reserve System (Federal Reserve Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS)) as a foundation from which they can assess the quality and effectiveness of an institution's IT audit program. It describes the roles and responsibilities of the board of directors, management, and internal or external auditors; identifies effective practices for IT audit programs; and details examination objectives and procedures. Agency examiners will use the examination procedures in Appendix A to assess the adequacy of IT audit programs at both financial institutions and technology service providers. The examination guidance and procedures in this booklet focus on IT audit and supplement other, more general, internal and external audit guidance provided by the FFIEC agencies. These include the "Interagency Policy Statement on the Internal Audit Function and Its Outsourcing," March 17, 2003; "Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations," September 22, 1999; and "Interagency Policy Statement on Coordination and Communication Between External Auditors and Examiners," July 23, 1992.
A well-planned, properly structured audit program is essential to evaluate risk management practices, internal control systems, and compliance with corporate policies concerning IT-related risks at institutions of every size and complexity. Effective audit programs are risk-focused, promote sound IT controls, ensure the timely resolution of audit deficiencies, and inform the board of directors of the effectiveness of risk management practices. An effective IT audit function may also reduce the time examiners spend reviewing areas of the institution during examinations. Ideally, the audit program would consist of a full-time, continuous program of internal audit coupled with a well-planned external auditing program.
The financial industry must plan, manage, and monitor rapidly changing technologies to enable it to deliver and support new products, services, and delivery channels. The rate of these changes and the resulting increased reliance on technology make the inclusion of IT audit coverage essential to an effective overall audit program. The audit program should address IT risk exposures throughout the institution, including the areas of IT management and strategic planning, data center operations, client/server architecture, local and wide-area networks, telecommunications, physical and information security, electronic banking, systems development, and business continuity planning. IT audit should also focus on how management determines the risk exposure from its operations and controls or mitigates that risk.
To determine what risks exist, management should prepare an independent assessment of the institution's risk exposure and the quality of the internal controls associated with the development, acquisition, implementation, and use of information technology. An institution's IT audit function can provide this independent assessment within the context of the overall audit function and can include work performed by both internal and external auditors and by other independent third parties as appropriate for the institution's complexity and level of internal expertise. The FFIEC member agencies believe that a strong internal auditing function combined with a well-planned external auditing function substantially increases the probability that an institution will detect potentially serious technology-related problems. An effective IT audit program should:
- Identify areas of greatest IT risk exposure to the institution in order to focus audit resources;
- Promote the confidentiality, integrity, and availability of information systems;
- Determine the effectiveness of management's planning and oversight of IT activities;
- Evaluate the adequacy of operating processes and internal controls;
- Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures; and
- Require appropriate corrective action to address deficient internal controls and follow up to ensure management promptly and effectively implements the required actions.
The examiner is responsible for evaluating the effectiveness of the IT audit function in meeting these objectives. The examiner should also consider the institution's ability to promptly detect and report significant risks to the board of directors and senior management. Examiners should take into account the institution's size, complexity, and overall risk profile when performing this and other evaluations. Examiners should consider the following issues when evaluating the IT audit function:
- Independence of the audit function and its reporting relationship to the board of directors or its audit committee;
- Expertise and size of the audit staff relative to the IT environment;
- Identification of the IT audit universe, risk assessment, scope, and frequency of IT audits;
- Processes in place to ensure timely tracking and resolution of reported weaknesses; and
- Documentation of IT audits, including work papers, audit reports, and follow-up.
IT Audit Roles and Responsibilities