Gauge The Quality Of Your IT Audit Program With These 6 Tips

How to ensure a comprehensive IT audit the feds will love

The FDIC's new IT exam procedures specify that you must have an audit or independent review policy in place for your bank to ensure critical system security. Here's advice from several IT audit experts on how to ensure your audit passes muster with the examiners.
The FFIEC guidelines (www.ffiec.gov/ffiecinfobase/booklets/audit/audit.pdf) spell out what your examiners will look at. "The FFIEC booklet is where banks should go to first as far as determining which specific audit areas to examine, because the guidelines really branch things out well," says Doug Underwood, managing director of technology risk management services with RSM McGladrey and a former OCC examiner. Examiners will use the booklet as a checklist when reviewing your bank, so keep this list handy when performing your risk assessment.
Start With A Risk Assessment

It's a no-brainer these days that all of your systems security and compliance concerns -- and nearly every one of your bank operations -- should begin with a risk assessment, experts agree. The risk assessment will set the scope of your audit, says Underwood. "A lot of banks call me and say, 'We just need help with an audit to satisfy regulators.' My first question to them is, 'Have you done a risk assessment?'" he tells Eli.

What to include: IT risk assessments, like your bank's overall gap analysis, will include all of your low, moderate and high risks, and you will have to approach a risk assessment based on your own particular threats. Examples: E-commerce services, core processing systems and proper patching in general are three areas of grave concern to examiners, says Underwood.
Other potential control weaknesses could include lack of a cohesive information security policy, changes to jobs and roles without upgrading or downgrading corresponding access rights, or users who have access to sensitive systems and transactions that go beyond the scope of their responsibilities, says Dave DiCristofaro, banking/financial services industry sector lead for KPMG's information risk management practice.

Tip: After performing your risk assessment, you can get started mitigating the highest risks to your institution and work your way down to the most minor risks.
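Two of the control weaknesses listed above (access rights not adjusted after a job or role change, and access that goes beyond a user's responsibilities) can be surfaced with a periodic access-recertification check that compares each user's actual entitlements with a per-role baseline. The following is an added example written for this article, not code from the article or from any of the firms quoted; the role names, entitlement names and user records are constructed sample data, and the baseline format is an assumption about how a bank might document role-appropriate access.

```python
# Added example (not from the article): a minimal access-recertification check.
# It compares each user's actual entitlements against a per-role baseline so
# that two control weaknesses become visible in data: access that was never
# removed after a job/role change, and access beyond a user's responsibilities.
# Role names, entitlements and users below are constructed sample data.
from collections import namedtuple

# Constructed role-to-entitlement baseline: what each role is supposed to have.
ROLE_BASELINE = {
    "teller": {"core.view_account", "core.post_deposit"},
    "loan_officer": {"core.view_account", "loans.originate", "loans.view"},
    "it_admin": {"core.admin_console", "patching.approve"},
    "ecommerce_ops": {"ecom.view_orders", "ecom.refund"},
}

# Constructed user records, shaped like an HR/IAM export might be.
# previous_role is None unless the user changed jobs during the review period.
USERS = [
    {"user": "alice", "role": "teller", "previous_role": None,
     "entitlements": {"core.view_account", "core.post_deposit"}},
    # bob moved from teller to loan officer but kept the teller posting right
    {"user": "bob", "role": "loan_officer", "previous_role": "teller",
     "entitlements": {"core.view_account", "core.post_deposit",
                      "loans.originate", "loans.view"}},
    # carol is a teller with an admin console right no teller should hold
    {"user": "carol", "role": "teller", "previous_role": None,
     "entitlements": {"core.view_account", "core.post_deposit",
                      "core.admin_console"}},
    # dan's role has no documented baseline, so nothing he holds is justified
    {"user": "dan", "role": "contractor", "previous_role": None,
     "entitlements": {"ecom.refund"}},
]

Finding = namedtuple("Finding", "user entitlement reason")


def review_access(users, baseline):
    """Return Findings for every entitlement the role baseline does not justify.

    Each finding names the user, the entitlement and why it was flagged:
    'stale' (left over from a previous role), 'excess' (never in the
    current role's baseline) or 'no baseline' (the role is undocumented).
    """
    findings = []
    for u in users:
        role = u["role"]
        if role not in baseline:
            # Undocumented role: every entitlement is unjustified until a
            # baseline exists, which is itself an audit finding.
            for ent in sorted(u["entitlements"]):
                findings.append(Finding(u["user"], ent,
                                        "no baseline for role %r" % role))
            continue
        excess = u["entitlements"] - baseline[role]
        prev_allowed = baseline.get(u["previous_role"], set())
        for ent in sorted(excess):
            if ent in prev_allowed:
                reason = ("stale: carried over from previous role %r"
                          % u["previous_role"])
            else:
                reason = "excess: not in baseline for role %r" % role
            findings.append(Finding(u["user"], ent, reason))
    return findings


def report(findings):
    """Render findings as one line each, grouped in input order."""
    return "\n".join("%-8s %-22s %s" % f for f in findings)


if __name__ == "__main__":
    print(report(review_access(USERS, ROLE_BASELINE)))
```

Run on the constructed data it flags bob's leftover teller right as stale, carol's admin console right as excess, and dan's single entitlement as unjustified because his role has no baseline; alice, whose access matches her role exactly, produces nothing. Feeding it a real IAM export and a maintained baseline turns the "no surprises later" goal into a repeatable check you can hand the examiner.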
Get Management Involved

Your internal auditor and your audit committee should set the scope of your bank's audit, but it's highly useful to have management's input to make sure you're covering all critical areas in your assessment. "That way, there are no surprises later," says Cynthia Bonnette, director of Information Security Risk Assessment with NETBankAudit in Arlington, VA.

Tip: If you're a small bank with few technical resources at your disposal, consider outsourcing the more difficult IT risks until you're able to do these on your own.
Editor's Note: To read the rest of this article, read the September issue of Bank Security & Technology Alert.