Board of Directors and Senior Management
The board of directors and senior management are responsible for ensuring that the institution's system of internal controls operates effectively. One important element of an effective internal control system is an internal audit function that includes adequate IT coverage.
To meet its responsibility of providing an independent audit function with sufficient resources to ensure adequate IT coverage, the board of directors or its audit committee should:
- Provide an internal audit function capable of evaluating IT controls,
- Engage outside consultants or auditors to perform the internal audit function, or
- Use a combination of both methods to ensure that the institution has received adequate IT audit coverage.
An institution's board of directors may establish an "audit committee" to oversee audit functions and to report on audit matters periodically to the full board of directors. For purposes of this booklet, the term "audit committee" means the committee with audit oversight regardless of the type of financial institution. (A federal credit union board of directors is required to establish a "supervisory committee" with oversight responsibility for audit. A supervisory committee consists of not less than three members, nor more than five members, one of whom may be a director other than the compensated officer of the board.) Audit committee members should have a clear understanding of the importance and necessity of an independent audit function.
To comply with the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to appoint outside directors as audit committee members. All members of a stock-issuing institution's audit committee must be members of the board of directors and be independent (i.e., not otherwise compensated by, or affiliated with, the institution). Additionally, 12 CFR 363 (Federal Deposit Insurance Corporation Improvement Act, or FDICIA) requires all depository institutions with total assets greater than $500 million to have independent audit committees. Although not all institutions are subject to these requirements due to their corporate structure (Sarbanes-Oxley) or their size (FDICIA), it is generally considered good practice that they use them as guidelines to ensure the independence of their audit committees.
Note: The Sarbanes-Oxley Act of 2002 (Public Law 107-204) puts into place significant new requirements that provide for auditor independence of registered companies that will apply, through FDIC guidelines, (1) to any financial institution that is required under banking laws to have an annual independent audit or (2) to its holding company if the bank satisfies this requirement at the holding company level. All insured depository institutions with $500 million or more in total assets are required under banking laws to have an annual audit by an independent public accountant. If the institution is a subsidiary of a holding company, it can satisfy this requirement by an independent audit of the holding company. Further, the Federal Reserve Board may apply the auditor independence requirements in the Act to all bank holding companies that are required by the Federal Reserve Board to have an annual audit by an independent public accountant even if no subsidiary institution is subject to the requirements.
The board of directors should ensure that written guidelines for conducting IT audits have been adopted. The board of directors or its audit committee should assign responsibility for the internal audit function to a member of management (hereafter referred to as the "internal audit manager") who has sufficient audit expertise and is independent of the operations of the business.
The board should give careful thought to the placement of the audit function in relation to the institution's management structure. The board should have confidence that the internal audit staff members will perform their duties with impartiality and not be unduly influenced by senior management and managers of day-to-day operations. Accordingly, the internal audit manager should report directly to the board of directors or its audit committee.
The board or its audit committee is responsible for reviewing and approving audit strategies (including policies and programs), and monitoring the effectiveness of the audit function. The board or its audit committee should be aware of, and understand, significant risks and control issues associated with the institution's operations, including risks in new products, emerging technologies, information systems, and electronic banking. Control issues and risks associated with reliance on technology can include:
- Inappropriate user access to information systems,
- Unauthorized disclosure of confidential information,
- Unreliable or costly implementation of IT solutions,
- Inadequate alignment between IT systems and business objectives,
- Inadequate systems for monitoring information processing and transactions,
- Ineffective training programs for employees and system users,
- Insufficient due diligence in IT vendor selection,
- Inadequate segregation of duties,
- Incomplete or inadequate audit trails,
- Lack of standards and controls for end-user systems,
- Ineffective or inadequate business continuity plans, and
- Financial losses and loss of reputation related to systems outages.
The board or its audit committee members should seek training to fill any gaps in their knowledge related to IT risks and controls. The board of directors or its audit committee should periodically meet with both internal and external auditors to discuss audit work performed and conclusions reached on IT systems and controls.
IT Audit Roles and Responsibilities