Audit Booklet
IT Audit Roles and Responsibilities
The board of directors and senior management are responsible for ensuring that the institution’s system of internal controls operates effectively. One important element of an effective internal control system is an internal audit function that includes adequate IT coverage.
To meet its responsibility of providing an independent audit function with sufficient resources to ensure adequate IT coverage, the board of directors or its audit committee should:
- Provide an internal audit function capable of evaluating IT controls
- Engage outside consultants or auditors to perform the internal audit function
- Use a combination of both methods to ensure that the institution has received adequate IT audit coverage
An institution’s board of directors may establish an “audit committee” to oversee audit functions and to report on audit matters periodically to the full board of directors. For purposes of this booklet, the term “audit committee” means the committee with audit oversight regardless of the type of financial institution. Audit committee members should have a clear understanding of the importance and necessity of an independent audit function.
To comply with the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to appoint outside directors as audit committee members. All members of a stock-issuing institution’s audit committee must be members of the board of directors and be independent (i.e., not otherwise compensated by, or affiliated with, the institution). Additionally, 12 CFR 363 (Federal Deposit Insurance Corporation Improvement Act, or FDICIA) requires all depository institutions with total assets greater than $500 million to have independent audit committees. Although not all institutions are subject to these requirements due to their corporate structure (Sarbanes-Oxley) or their size (FDICIA), it is generally considered good practice that they use them as guidelines to ensure the independence of their audit committees.
The board of directors should ensure that written guidelines for conducting IT audits have been adopted. The board of directors or its audit committee should assign responsibility for the internal audit function to a member of management (hereafter referred to as the “internal audit manager”) who has sufficient audit expertise and is independent of the operations of the business.
The board should give careful thought to the placement of the audit function in relation to the institution's management structure. The board should have confidence that the internal audit staff members will perform their duties with impartiality and not be unduly influenced by senior management and managers of day-to-day operations. Accordingly, the internal audit manager should report directly to the board of directors or its audit committee.
The board or its audit committee is responsible for reviewing and approving audit strategies (including policies and programs), and monitoring the effectiveness of the audit function. The board or its audit committee should be aware of, and understand, significant risks and control issues associated with the institution’s operations, including risks in new products, emerging technologies, information systems, and electronic banking.
Control issues and risks associated with reliance on technology can include:
- Inappropriate user access to information systems
- Unauthorized disclosure of confidential information
- Unreliable or costly implementation of IT solutions
- Inadequate alignment between IT systems and business objectives
- Inadequate systems for monitoring information processing and transactions
- Ineffective training programs for employees and system users
- Insufficient due diligence in IT vendor selection
- Inadequate segregation of duties
- Incomplete or inadequate audit trails
- Lack of standards and controls for end-user systems
- Ineffective or inadequate business continuity plans
- Financial losses and loss of reputation related to systems outages
The board or its audit committee members should seek training to fill any gaps in their knowledge related to IT risks and controls. The board of directors or its audit committee should periodically meet with both internal and external auditors to discuss audit work performed and conclusions reached on IT systems and controls.
Audit Management
The internal audit manager is responsible for implementing board-approved audit directives. The manager oversees the audit function and provides leadership and direction in communicating and monitoring audit policies, practices, programs, and processes. The internal audit manager should establish clear lines of authority and reporting responsibility for all levels of audit personnel and activities. The internal audit manager also should ensure that members of the audit staff possess the necessary independence, experience, education, training, and skills to properly conduct assigned activities.
The internal audit manager should be responsible for internal control risk assessments, audit plans, audit programs, and audit reports associated with IT. Audit management should oversee the staff assigned to perform the internal audit work, should establish policies and procedures to guide the audit staff, and should ensure the staff has the expertise and resources to identify inherent risks and assess the effectiveness of internal controls in the institution’s IT operations.
Internal IT Audit Staff
The primary role of the internal IT audit staff is to assess independently and objectively the controls, reliability, and integrity of the institution’s IT environment. These assessments can help maintain or improve the efficiency and effectiveness of the institution’s IT risk management, internal controls, and corporate governance.
Internal auditors should evaluate IT plans, strategies, policies, and procedures to ensure adequate management oversight. Additionally, they should assess the day-to-day IT controls to ensure that transactions are recorded and processed in compliance with acceptable accounting methods and standards and are in compliance with policies set forth by the board of directors and senior management. Auditors also perform operational audits, including system development audits, to ensure that internal controls are in place, that policies and procedures are effective, and that employees operate in compliance with approved policies. Auditors should identify weaknesses, review management’s plans for addressing those weaknesses, monitor their resolution, and report to the board as necessary on material weaknesses.
Auditors should make recommendations to management about procedures that affect IT controls. In this regard, the board and management should involve the audit department in the development process for major new IT applications. The board and management should develop criteria for determining those projects that need audit involvement. Audit’s role generally entails reviewing the control aspects of new applications, products, conversions, or services throughout their development and implementation. Early IT audit involvement can help ensure that proper controls are in place from inception. However, the auditors should be careful not to compromise, or even appear to compromise, their independence when involved in these projects.
Operations Management
Operating management should formally and effectively respond to IT audit or examination findings and recommendations. The audit procedures should clearly identify the methods for following up on noted audit or control exceptions or weaknesses. Operating management is responsible for correcting the root causes of the audit or control exceptions, not just treating the exceptions themselves. Response times for correcting noted deficiencies should be reasonable and may vary depending on the complexity of the corrective action and the risk of inaction. Auditors should document, report, and track recommendations and outstanding deficiencies. Additionally, auditors should conduct timely follow-up audits to verify the effectiveness of management’s corrective actions for significant deficiencies.
External Auditors
External auditors typically review IT control procedures as part of their overall evaluation of internal controls when providing an opinion on the adequacy of an institution's financial statements. As a rule, external auditors review the general and application controls affecting the recording and safeguarding of assets and the integrity of controls over financial statement preparation and reporting. General controls include the plan of organization and operation, documentation procedures, access to equipment and data files, and other controls affecting overall information systems operations. Application controls relate to specific information systems tasks and provide reasonable assurance that the recording, processing, and reporting of data are properly performed.
External auditors may also review the IT control procedures as part of an outsourcing arrangement in which they are engaged to perform all or part of the duties of the internal audit staff. Such arrangements are discussed in more detail in the “Outsourcing Internal IT Audit” section of this booklet.
The extent of external audit work, including work related to information systems, should be clearly defined in an engagement letter. Such letters should discuss the scope of the audit, the objectives, resource requirements, audit time-frame, and resulting reports. Examiners will typically review the engagement letter, reports, and audit work papers to determine the extent to which they can rely on external audit coverage and reduce their examination scope accordingly.
Resources
Congressional
Sarbanes-Oxley Act of 2002, Pub. Public Law 107-204
Supervisory Committee, 12 USC 1761 & 1761d
Federal Financial Institutions Examination Council
Interagency Policy Statement on Coordination and Communication Between External Auditors and Examiners
Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations
Policy Statement on the Internal Audit Function and Its Outsourcing
Federal Reserve Board
Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR Part 208, Appendix D-1
Amended Interagency Guidance on the Internal Audit Function and its Outsourcing, SR Letter 03-5
Statement on Application of Recent Corporate Governance Initiatives to Non-Public Banking Organizations, SR Letter 03-8
The Sarbanes-Oxley Act of 2002, SR Letter 02-20
Federal Deposit Insurance Corporation
Annual Independent Audits and Reporting Requirements, 12 CFR Part 363
Interagency Policy Statement On External Auditing Programs of Banks and Savings Associations, FIL 96-99
Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, FIL 21-2003
National Credit Union Administration
Supervisory Committee Audits and Verifications, 12 CFR Part 715
E-Commerce Guide for Credit Unions, NCUA Letter to Credit Unions 02–CU–17
Electronic Data Security Overview, NCUA Letter to Credit Unions 01–CU–11
Interagency Statement on Retail On-Line PC Banking, NCUA Letter to Credit Unions 97–CU–5
Office of the Comptroller of the Currency
Safety and Soundness Standards, 12 CFR Part 30
Comptroller’s Handbook: Community Bank Supervision: Booklet Appendix
Comptroller’s Handbook: Internal and External Audits:Introduction Supplemental Examination Procedures Appendixes
Comptroller’s Handbook: Large Bank Supervision
The Director’s Book: The Role of a National Bank Director
Interagency Policy Statement on External Auditing Programs, OCC Bulletin 99-37
Interagency Policy Statement on Internet Audit and Internal Audit Outsourcing, OCC Bulletin 2003-12
Office of Thrift Supervision
Audit of Savings Associations and Savings Association Holding Companies, 12 CFR Part 562.4
Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR Part 570, Appendix A
Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, Thrift Bulletin 81
Internal Controls, CEO LTR 113
Technology Risk Controls, Thrift Activities Handbook Section 341
External Audit, Thrift Activities Handbook Section 350
Internal Audit, Thrift Activities Handbook Section 355