IT Audit Roles and Responsibilities
The board of directors and senior management are responsible for ensuring that the institution’s system of internal controls operates effectively. One important element of an effective internal control system is an internal audit function that includes adequate IT coverage.
To meet its responsibility of providing an independent audit function with sufficient resources to ensure adequate IT coverage, the board of directors or its audit committee should:
- Provide an internal audit function capable of evaluating IT controls
- Engage outside consultants or auditors to perform the internal audit function
- Use a combination of both methods to ensure that the institution has received adequate IT audit coverage
An institution’s board of directors may establish an “audit committee” to oversee audit functions and to report on audit matters periodically to the full board of directors. For purposes of this booklet, the term “audit committee” means the committee with audit oversight regardless of the type of financial institution. Audit committee members should have a clear understanding of the importance and necessity of an independent audit function.
To comply with the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to appoint outside directors as audit committee members. All members of a stock-issuing institution’s audit committee must be members of the board of directors and be independent (i.e., not otherwise compensated by, or affiliated with, the institution). Additionally, 12 CFR 363 (Federal Deposit Insurance Corporation Improvement Act, or FDICIA) requires all depository institutions with total assets greater than $500 million to have independent audit committees. Although not all institutions are subject to these requirements due to their corporate structure (Sarbanes-Oxley) or their size (FDICIA), it is generally considered good practice that they use them as guidelines to ensure the independence of their audit committees.
The board of directors should ensure that written guidelines for conducting IT audits have been adopted. The board of directors or its audit committee should assign responsibility for the internal audit function to a member of management (hereafter referred to as the “internal audit manager”) who has sufficient audit expertise and is independent of the operations of the business.
The board should give careful thought to the placement of the audit function in relation to the institution's management structure. The board should have confidence that the internal audit staff members will perform their duties with impartiality and not be unduly influenced by senior management and managers of day-to-day operations. Accordingly, the internal audit manager should report directly to the board of directors or its audit committee.
The board or its audit committee is responsible for reviewing and approving audit strategies (including policies and programs), and monitoring the effectiveness of the audit function. The board or its audit committee should be aware of, and understand, significant risks and control issues associated with the institution’s operations, including risks in new products, emerging technologies, information systems, and electronic banking.
Control issues and risks associated with reliance on technology can include:
- Inappropriate user access to information systems
- Unauthorized disclosure of confidential information
- Unreliable or costly implementation of IT solutions
- Inadequate alignment between IT systems and business objectives
- Inadequate systems for monitoring information processing and transactions
- Ineffective training programs for employees and system users
- Insufficient due diligence in IT vendor selection
- Inadequate segregation of duties
- Incomplete or inadequate audit trails
- Lack of standards and controls for end-user systems
- Ineffective or inadequate business continuity plans
- Financial losses and loss of reputation related to systems outages
The board or its audit committee members should seek training to fill any gaps in their knowledge related to IT risks and controls. The board of directors or its audit committee should periodically meet with both internal and external auditors to discuss audit work performed and conclusions reached on IT systems and controls.
Audit Management
The internal audit manager is responsible for implementing board-approved audit directives. The manager oversees the audit function and provides leadership and direction in communicating and monitoring audit policies, practices, programs, and processes. The internal audit manager should establish clear lines of authority and reporting responsibility for all levels of audit personnel and activities. The internal audit manager also should ensure that members of the audit staff possess the necessary independence, experience, education, training, and skills to properly conduct assigned activities.
The internal audit manager should be responsible for internal control risk assessments, audit plans, audit programs, and audit reports associated with IT. Refer to Risk Assessment and Treatment for more guidance. Audit management should oversee the staff assigned to perform the internal audit work, should establish policies and procedures to guide the audit staff, and should ensure the staff has the expertise and resources to identify inherent risks and assess the effectiveness of internal controls in the institution’s IT operations.
Internal IT Audit Staff
The primary role of the internal IT audit staff is to assess independently and objectively the controls, reliability, and integrity of the institution’s IT environment. These assessments can help maintain or improve the efficiency and effectiveness of the institution’s IT risk management, internal controls, and corporate governance.
Internal auditors should evaluate IT plans, strategies, policies, and procedures to ensure adequate management oversight. Additionally, they should assess the day-to-day IT controls to ensure that transactions are recorded and processed in compliance with acceptable accounting methods and standards and are in compliance with policies set forth by the board of directors and senior management. Auditors also perform operational audits, including system development audits, to ensure that internal controls are in place, that policies and procedures are effective, and that employees operate in compliance with approved policies. Auditors should identify weaknesses, review management’s plans for addressing those weaknesses, monitor their resolution, and report to the board as necessary on material weaknesses.
Auditors should make recommendations to management about procedures that affect IT controls. In this regard, the board and management should involve the audit department in the development process for major new IT applications. The board and management should develop criteria for determining those projects that need audit involvement. Audit’s role generally entails reviewing the control aspects of new applications, products, conversions, or services throughout their development and implementation. Early IT audit involvement can help ensure that proper controls are in place from inception. However, the auditors should be careful not to compromise, or even appear to compromise, their independence when involved in these projects.
The ability of the internal audit function to achieve desired objectives depends largely on the independence of audit personnel. Generally, the position of the auditor within the organizational structure of the institution, the reporting authority for audit results, and the auditor’s responsibilities indicate the degree of auditor independence. The board should ensure that the audit department does not participate in activities that may compromise, or appear to compromise, its independence. These activities may include preparing reports or records, developing procedures, or performing other operational duties normally reviewed by auditors.
The auditor’s independence is also determined by analyzing the reporting process and verifying that management does not interfere with the candor of the findings and recommendations.
For an effective program, the board should give the auditor the authority to:
- Access all records and staff necessary to conduct the audit
- Require management to respond formally, and in a timely manner, to significant adverse audit findings by taking appropriate corrective action
Internal auditors should discuss their findings and recommendations periodically with the audit committee or board of directors.
Ideally, the internal audit manager should report directly to the board of directors or its audit committee regarding both audit issues and administrative matters. Alternatively, an institution may establish a dual reporting relationship where the internal audit manager reports to the audit committee or board for audit matters and to institution executive management for administrative matters. The objectivity and organizational stature of the internal audit function are best served under such a dual arrangement if the internal audit manager reports administratively to the chief executive officer (CEO), and not to the chief financial officer (CFO) or a similar officer who has direct responsibility for systems being audited. The board or its audit committee should determine the internal audit manager’s performance evaluations and compensation.
The formality and extent of an institution’s internal IT audit function depend on the institution’s size, complexity, scope of activities, and risk profile. It is the responsibility of the audit committee and management to carefully consider the extent of auditing needed to effectively monitor the internal control system, weighing the internal audit function’s costs against its benefits. For larger institutions or institutions with complex operations, the benefits derived from a full-time manager of internal audit or an audit staff will likely outweigh the cost. For small institutions with few employees and/or simple operations, these costs may outweigh the benefits. Nevertheless, an institution without an internal auditor can ensure that it maintains an objective and independent internal function by implementing comprehensive internal reviews of significant internal controls. The key characteristic of such reviews is that the person(s) directing or performing the review is (are) not also responsible for managing or operating those controls.
Personnel performing IT audits should have information systems knowledge commensurate with the scope and sophistication of the institution’s IT environment and possess sufficient analytical skills to determine and report the root cause of deficiencies. If internal expertise is inadequate, the board should consider using qualified external sources such as management consultants, independent auditors, or other professionals to supplement or perform the institution’s internal IT audit function. In some institutions, a person or group that has no other responsibilities outside the IT audit function performs IT audits. Generally, institutions using this approach centralize IT audit coverage and assign one or more IT audit specialists to perform end-user application control reviews as well as technical system audits. A centralized IT audit department can ensure sufficient technical expertise, but can also strain technical resources and require multiple audits in a user department. Additionally, IT auditors in this environment may need to have a greater understanding of financial and business line audit concerns.
Other institutions may use an integrated audit approach. Using this method, IT audit specialists perform the technology system and other technical reviews, while generalist auditors perform the end-user application control reviews. Institutions should use auditors with technical knowledge appropriate for the areas reviewed.
An institution’s hiring and training practices should ensure that the institution has qualified IT auditors. The auditor’s education and experience should be consistent with job responsibilities. Audit management should also provide an effective program of continuing education and development. As the information systems of an institution become more sophisticated or as more complex technologies evolve, the auditor may need additional training.
Operations Management
Operating management should formally and effectively respond to IT audit or examination findings and recommendations. The audit procedures should clearly identify the methods for following up on noted audit or control exceptions or weaknesses. Operating management is responsible for correcting the root causes of the audit or control exceptions, not just treating the exceptions themselves. Response times for correcting noted deficiencies should be reasonable and may vary depending on the complexity of the corrective action and the risk of inaction. Auditors should document, report, and track recommendations and outstanding deficiencies. Additionally, auditors should conduct timely follow-up audits to verify the effectiveness of management’s corrective actions for significant deficiencies.
External Auditors
External auditors typically review IT control procedures as part of their overall evaluation of internal controls when providing an opinion on the adequacy of an institution’s financial statements. As a rule, external auditors review the general and application controls affecting the recording and safeguarding of assets and the integrity of controls over financial statement preparation and reporting. General controls include the plan of organization and operation, documentation procedures, access to equipment and data files, and other controls affecting overall information systems operations. Application controls relate to specific information systems tasks and provide reasonable assurance that the recording, processing, and reporting of data are properly performed.
External auditors may also review the IT control procedures as part of an outsourcing arrangement in which they are engaged to perform all or part of the duties of the internal audit staff. Such arrangements are defined in the Sample Third Party Security Awareness Standard policy example.
The extent of external audit work, including work related to information systems, should be clearly defined in an engagement letter. Such letters should discuss the scope of the audit, the objectives, resource requirements, audit time frame, and resulting reports. Examiners will typically review the engagement letter, reports, and audit work papers to determine the extent to which they can rely on external audit coverage and reduce their examination scope accordingly.
Technology Service Provider
HORSE FACTS: A technology service provider (TSP) that processes work for several financial institutions often is subject to separate audits by internal auditors from each of the serviced institutions. These audits may duplicate each other, creating a hardship on the provider’s management and resources. The technology service provider can reduce that burden by arranging for its own third-party audit to determine the status and reliability of internal controls.
A third-party audit, in this context, is an audit of a technology service provider performed by independent auditors who are not employees of either the technology service provider or the serviced institution(s). The technology service provider, its auditors, or its serviced institutions may engage the third-party auditor. The serviced institutions’ auditors may use this third-party review to determine the scope of any additional audit coverage they require to evaluate the system and controls at the technology service provider. Examiners can also use the third-party review to help scope their activities.
Financial institutions are required to effectively manage their relationships with key technology service providers. Institution management meets this requirement related to audit controls by:
- Directly auditing the technology service provider’s operations and controls
- Employing the services of external auditors to evaluate the technology service provider’s operations and controls
- Receiving and reviewing sufficiently detailed independent audit reports from the technology service provider
Institutions using such audits to complement their own coverage should ensure that the independent auditor was qualified to perform the review, that the scope satisfies their own audit objectives, and that any significant reported deficiencies are corrected. It is critically important that the examiner and the institution understand the nature and scope of the engagement and the level of assurance accruing from the accounting firm’s work product. Attest-level services are reviews that result in the expression of an opinion by the reporting practitioner. See Chapter 1, “Attest Engagements,” of Statement on Standards for Attestation Engagements (SSAE) No. 10, Attestation Standards: Revision and Recodification. Advisory-level services can be strategic, diagnostic, implementation, and sustaining/managing services, among others. See Statement on Standards for Consulting Services (AICPA, Professional Standards, vol. 2, CS sec. 100). There is no expression of an opinion in advisory service engagements.
Users of audit reports should not rely solely on the information contained in the report to verify the internal control environment of the technology service provider. They should use additional verification and monitoring procedures.
The following two types of reviews were developed by the AICPA and are frequently used by independent accounting firms to provide assurance regarding the internal controls of technology service providers:
- SAS 70 reviews
- Trust Services reviews
SAS 70 Reviews
The objectives, scope, and audit procedures of each third-party audit differ according to the needs of those engaging the auditor. The AICPA Statement on Auditing Standards (SAS) Number 70 provides guidance for independent auditors when performing a SAS 70 audit of a service organization, and when auditing financial statements of an entity that uses a service organization to process its transactions.
SAS 70 provides a uniform reporting format for third-party reviews of technology service providers in order to facilitate the description and disclosure of the service provider’s processes and controls to customers and their auditors. SAS 70 is a widely recognized standard and indicates that a service provider has had its control objectives and activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion (service auditor's report) is issued to the technology service provider at the conclusion of the SAS 70 process. The report contains a detailed description of the technology service provider’s controls and an independent assessment of whether the controls are in place and suitably designed for the service provider’s operations. The independent assessment of controls is based on testing certain controls to determine whether they are designed and operating with sufficient effectiveness to achieve the related control objective for the specified time period.
There are two types of service auditor's reports:
- Type I reports provide the service organization’s description of controls at a specific point in time, and the auditor’s opinions as to whether the description is presented fairly and whether the controls are suitably designed to achieve the related control objectives.
- Type II reports include all of the elements of the Type I report as well as actual testing of the controls to determine whether they are operating with sufficient effectiveness to achieve the related control objectives over a period of not less than six months.
User institutions can usually obtain service auditor's reports from their technology service providers. The fact that a provider chooses not to undergo a SAS 70 or other independent review, or chooses not to disclose the results of the review, is a matter that institutions should consider when performing due diligence to determine whether to engage, or to continue to engage, the provider’s services.
Trust Services Reviews
The AICPA established its Trust Services Principles and Criteria, a core set of principles, criteria and illustrative controls, to address the risks of IT and to establish confidence in systems reliability and e-commerce activities.
Following are the Trust Services Principles and Criteria developed by the AICPA for use by practitioners in the performance of a Trust Services engagement:
- Security – The system is protected against unauthorized access, both physical and logical.
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely, and authorized.
- On-line Privacy – Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
Each of the principles and its related criteria is organized into four broad areas of review:
- Policy – The institution has defined and documented its policies relevant to the particular principle.
- Communications – The entity has communicated its defined policies to authorized users.
- Procedures – The entity uses procedures to achieve its objectives in accordance with its defined policies.
- Monitoring – The entity monitors the system and takes action to maintain compliance with its defined policies.
Procedures
For security audit procedures and guidance, please refer to Security Audit Procedures.
Resources
Federal Financial Institutions Examination Council
Interagency Policy Statement on Coordination and Communication Between External Auditors and Examiners
Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations
Policy Statement on the Internal Audit Function and Its Outsourcing
Federal Reserve Board
Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR Part 208, Appendix D-1
Amended Interagency Guidance on the Internal Audit Function and its Outsourcing, SR Letter 03-5
Statement on Application of Recent Corporate Governance Initiatives to Non-Public Banking Organizations, SR Letter 03-8
The Sarbanes-Oxley Act of 2002, SR Letter 02-20
Federal Deposit Insurance Corporation
Annual Independent Audits and Reporting Requirements, 12 CFR Part 363
Interagency Policy Statement On External Auditing Programs of Banks and Savings Associations, FIL 96-99
Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, FIL 21-2003
National Credit Union Administration
Supervisory Committee Audits and Verifications, 12 CFR Part 715
E-Commerce Guide for Credit Unions, NCUA Letter to Credit Unions 02–CU–17
Electronic Data Security Overview, NCUA Letter to Credit Unions 01–CU–11
Interagency Statement on Retail On-Line PC Banking, NCUA Letter to Credit Unions 97–CU–5
Office of the Comptroller of the Currency
Safety and Soundness Standards, 12 CFR Part 30
Comptroller’s Handbook: Community Bank Supervision: Booklet Appendix
Comptroller’s Handbook: Internal and External Audits: Introduction, Supplemental Examination Procedures, Appendixes
Comptroller’s Handbook: Large Bank Supervision
The Director’s Book: The Role of a National Bank Director
Interagency Policy Statement on External Auditing Programs, OCC Bulletin 99-37
Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing, OCC Bulletin 2003-12
Office of Thrift Supervision
Audit of Savings Associations and Savings Association Holding Companies, 12 CFR Part 562.4
Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR Part 570, Appendix A
Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, Thrift Bulletin 81
Internal Controls, CEO LTR 113
Technology Risk Controls, Thrift Activities Handbook Section 341
External Audit, Thrift Activities Handbook Section 350
Internal Audit, Thrift Activities Handbook Section 355