Internal IT Audit Staff
The primary role of the internal IT audit staff is to assess independently and objectively the controls, reliability, and integrity of the institution's IT environment. These assessments can help maintain or improve the efficiency and effectiveness of the institution's IT risk management, internal controls, and corporate governance.
Internal auditors should evaluate IT plans, strategies, policies, and procedures to ensure adequate management oversight. Additionally, they should assess the day-to-day IT controls to ensure that transactions are recorded and processed in compliance with acceptable accounting methods and standards and are in compliance with policies set forth by the board of directors and senior management. Auditors also perform operational audits, including system development audits, to ensure that internal controls are in place, that policies and procedures are effective, and that employees operate in compliance with approved policies. Auditors should identify weaknesses, review management's plans for addressing those weaknesses, monitor their resolution, and report to the board as necessary on material weaknesses.
Auditors should make recommendations to management about procedures that affect IT controls. In this regard, the board and management should involve the audit department in the development process for major new IT applications. The board and management should develop criteria for determining those projects that need audit involvement. Audit's role generally entails reviewing the control aspects of new applications, products, conversions, or services throughout their development and implementation. Early IT audit involvement can help ensure that proper controls are in place from inception. However, the auditors should be careful not to compromise, or even appear to compromise, their independence when involved in these projects.