BOL Conferences
#1118530 - 01/28/09 08:59 PM IT testing, etc.
Trees
Power Poster
Joined: Apr 2005
Posts: 4,013
I know the FFIEC booklet says there has to be an independent audit, or at least infers this, in the Info Sec. IT Exam. handbook. Do you know, offhand, if there is specific mention in the IT handbooks that states that "there must be an independent IT audit"....or an independent EXTERNAL IT audit? I thought it was up to the bank. If they had IT peeps on their audit team, they could perform the tests, i.e. intrusion tests, etc. Or, has there been some missive that suggests banks should not use their team but rather use an "expert" external audit team.....

eBanking / Technology
#1126244 - 02/09/09 08:00 PM Re: IT testing, etc. Trees
lbuckley
New Poster
Joined: Jun 2003
Posts: 16
We have an internal audit department but outsource most of our IT audits. I just finished an IT exam by the OTS last month and they reviewed our internal audit department's role concerning IT. They did not care if we outsourced any independent audits or if they performed them themselves. Their concern was mainly the scope of the audits and whether our auditors reviewed the results, rated the audits, submitted them to the Board and kept track of our progress in fixing any findings. Hope that helps.

#1127226 - 02/10/09 07:40 PM Re: IT testing, etc. lbuckley
Ready to Retire
Diamond Poster
Joined: Aug 2005
Posts: 2,313
Living in the land of Oz
We too outsource our IT Internal Audit. I think it depends on the expertise of your audit team as to how you handle the IT Audit. I am a team of one and do not have the expertise needed, so it is outsourced and information security is a part of the scope of that audit. This has always been OK with the regulators. They are more concerned about the scope and findings than who the independent person is. I do the follow-up to determine that all findings have been corrected.

#1130169 - 02/13/09 09:18 PM Re: IT testing, etc. Ready to Retire
Keith Laughery
New Poster
Joined: Oct 2008
Posts: 4
The applicable FDIC reg is 12 CFR Part 364 Appendix B III C 3 (Key Controls Testing):
"Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs."

Parallel regs for OCC banks can be found at 12 CFR Part 30 Appendix B III C 3 (Key Controls Testing).

While the regulations do not explicitly call for external audits, few community banks are likely to have the requisite expertise necessary to conduct an IT/GLBA audit with adequate scope, particularly apart from IT and compliance staff who typically "develop or maintain the security programs".

Additional relevant guidance can be found in the FFIEC IT Examination Handbook - Operations, on page 3 under “Key elements of these responsibilities include”:
"Using qualified consultants and external auditors, when necessary"

And, in the same handbook, on page 38:
"Control self-assessments, however, do not eliminate the need for internal and external audits. Audits provide independent assessments conducted by qualified individuals regarding the effective functioning of operational controls. For additional detailed information on the IT audit function, refer to the IT Handbook's 'Audit Booklet'."

Finally, from the FFIEC IT Examination Handbook - Audit, page 2:
“To determine what risks exist, management should prepare an independent assessment of the institution’s risk exposure and the quality of the internal controls associated with the development, acquisition, implementation, and use of information technology. An institution’s IT audit function can provide this independent assessment within the context of the overall audit function and can include work performed by both internal and external auditors and by other independent third parties as appropriate for the institution’s complexity and level of internal expertise. The FFIEC member agencies believe that a strong internal auditing function combined with a well-planned external auditing function substantially increase the probability that an institution will detect potentially serious technology-related problems.”

Hope this helps and doesn't "muddy the water" instead.
Last edited by Keith Laughery; 02/13/09 09:33 PM.
_________________________
Keith Laughery, CISA, CISSP
Security and Compliance Consultant
klaughery@conetrix.com
806.687.8600
www.conetrix.com

#1132056 - 02/18/09 09:07 PM Re: IT testing, etc. Keith Laughery
bcook
New Poster
Joined: Jan 2009
Posts: 24
Missouri
Keith posted exactly what I would have on this issue. All good information.

With the FDIC and Fed, my experience has been that the subject of independence is a moving target. The conventional wisdom is that if internal IT staff are responsible for building, maintaining and securing the network, they may not be completely forthcoming in pointing out the deficiencies of their work.

With the FDIC this has been a constant theme, with them not giving banks credit for their internal department's review of their systems. With the Fed, I actually have two Kansas City Fed district customers that are doing their own penetration tests and network assessments with no issues from their Fed examiners. However, the State Division of Finance is due in this year, so it will be interesting to hear their take on the issue.
_________________________
“Life is tough, but it's tougher when you're stupid.”
-John Wayne
