A Dozen Dirty Little Secrets of IT Audit Firms - Part Two

by Jimmy Sawyers

Choosing an IT audit firm can be a bit like shopping for an automobile. Look in the nearest parking lot. One will find new and used; foreign and domestic; trucks and sedans; compact and luxury. All will get you where you're going sitting down but the driving experience and reliability can vary greatly.

IT audit firms are similar to cars in that quality, price, and reliability can vary greatly. Accordingly, due diligence is key. To help with that due diligence, we offer 12 secrets for bankers to turn "Caveat Emptor" into "Caveat Venditor" when selecting a firm and more importantly the firm's people who will be given access to the bank's most confidential information and most critical systems. Know who is getting the keys to your bank by becoming familiar with these pitfalls in the proposal and selection process.

Click Here for Part One

7. "Those initials after our names don't mean we know what we're doing."

The world of auditing and consulting is filled with certifications, some easy to get and fairly worthless, some hard to achieve and indicative of expertise. It's beneficial for a firm to have Certified Information Systems Auditors (CISAs) for IT Audits and Certified Information Systems Security Professionals (CISSPs) for Network Vulnerability Assessments. However, don't let a lot of initials serve as a substitute for real knowledge and performance.

Antidote: Find out if the people holding the certifications have the experience and team backing them that's necessary to perform the job.

8. "We're the hammer; you're the nail."

"We don't care to learn about your people, systems, and processes. We have a generic workprogram and we just check the box, copy and paste the boilerplate report contents, and hopefully remember to change the name of the last bank we visited to your bank's name on the report. We use the same approach in your community bank that we just used at the auto dealership, hospital, and insurance firm we just audited. If you want customization or expect us to care, that's not in our business model."

Many IT audit firms' approaches are generic and their reports are templates with little valuable content or guidance. Often, such firms hide behind "audit standards" and give the appearance that a wordy report equals an IT audit with value. A formal proposal should contain the suggested scope and plenty of information about the firm's ability to adapt to the environment in which they are working.

Antidote: Determine if the firm will be customizing its workprograms to consider your bank's IT and operations environment.

9. "Size only matters if we send the entire firm."

Size of the firm can be a non-issue. Bigger is not necessarily better when it comes to banks or IT audit firms. If a 200-person firm and a 10-person firm both send two people to perform an IT Audit and Network Vulnerability Assessment, they essentially become the same size. The quality of the two people, along with their combined work ethic, expertise, and experience, trumps the size of the firm.

Community bankers certainly understand that personal service and customer relationships are more important than an organization's size. Should the "bigger is better" maxim apply, community banks would not exist.

Lewis & Clark led the Corps of Discovery expedition just fine. Thomas Jefferson, his cabinet, and Congress stayed home.

Antidote: Focus on the firm's engagement team, its leadership, supervision, and suitability for your bank's specific environment.

10. "We just want to see your board minutes."

"We have an ulterior motive. The IT audit just gives us access to accomplish our true goal."

Firms that offer other services, especially those firms that specialize in mergers and acquisitions consulting, enjoy the access that an IT audit gives. It's like Christmas morning when their auditors/consultants open the board minutes and scan them for their work papers. Such information proves beneficial when attempting to broker the sale of the bank later. Inside information at their fingertips and well worth the price of admission.

Antidote: Determine what percentage of the firm's revenue comes from merger and acquisition consulting.

11. "When we can't convince, we confuse."

New and desperate firms sometimes finagle bankers into believing that IT audit firms must be rotated every year. Nothing could be further from the truth. One will not find this requirement in any law or regulation and it will not be recommended (responsibly) by any regulatory examiner.

This confusion stems from the audit partner rotation every five years, as required by the Sarbanes-Oxley Act, for financial statement audits of publicly-traded companies. Of course, this has nothing to do with IT audits, which are normally not "audits" at all. Typically, an opinion is not rendered in what is essentially an IT "Review" or, in the CPA vernacular, "agreed-upon procedures." Such engagements are commonly referred to as "IT Audits," but the term is definitely a misnomer.

If your bank is satisfied with its current IT audit firm and that firm consistently delivers outstanding, responsive service, is respected by the regulators, has knowledgeable people, and produces well-written, comprehensive reports, all at a reasonable price, there is absolutely no reason to switch firms. It doesn't matter if your bank's IT auditor is an independent consultant, CPA firm, or consulting firm; good performance should be rewarded with a long-term relationship. Just as a bank should not leave its longtime attorney or trusted accountant without cause, an IT audit firm that is performing well can be a valuable resource that contributes to the bank's performance.

Antidote: If a proposing IT audit firm states that IT auditors must be rotated, ask them to cite the regulation or law that requires such a rotation. One does not exist.

12. "Independence is a town in Missouri."

"We also serve as your correspondent bank so we'll be auditing our own ACH, wire transfer, and check clearing services. We also have lending relationships with the bank. But, none of this will affect our independence."

"Independence" regarding IT audits can have many definitions. Typically, examiners like to see that the IT auditor will not act as a member of management, set bank policy, design the bank's financial information system, or operate the bank's network. For example, a CPA and consulting firm that developed the bank's general ledger system should not perform the IT audit. Nor should a firm that is providing the bank's continuous network security monitoring perform the Network Vulnerability Assessment.

Many firms observe a strict code of ethics and prohibit their employees from maintaining loans with the banks they serve, a good practice indeed.

Can one independently audit two of the highest-risk areas of the bank (ACH and wire transfer) when also providing the service? Probably not. There is no law or regulation preventing such conflicts but bankers should be aware and navigate accordingly to ensure these areas receive proper audit coverage.

Antidote: Identify areas of potential conflict before engaging a service provider to audit high-risk transaction processing functions.

Summary

Competition sharpens all, driving continual improvements and preventing firms from resting on their laurels and losing their competitive edge. Community banks have a wide variety of IT audit firms from which to choose, including respected CPA firms, consulting firms specializing in community banks, and independent consultants with in-depth knowledge.

When choosing an IT audit firm, do your best to compare apples to apples while distinguishing the Granny Smiths and Annie Elizabeths from the Red Delicious and Royal Galas. Such due diligence will help your bank avoid the bad apples and establish a long-term, mutually beneficial relationship that helps the bank compete and comply.

To help compare competing proposals, ask your prospective IT Audit firm these simple but direct questions:

1. What is your knowledge of and experience with our Bank's technology providers? Explain in detail.
2. Which team members will be assigned to the engagement and what is their experience level?
3. What type of report will we receive? Please explain the entire process.
4. What percentage of your firm's revenue comes from IT audits and what percentage of that revenue comes from banks?
5. Will the people assigned to the engagement be contractors or actual employees of your firm who have been drug-tested and criminal background-checked?
6. Have you personally, or has your firm or any of its affiliates, ever received grants or any other form of local, state, or federal taxpayer-funded subsidies?
7. What certifications do your team members have and how will these certifications add value to this engagement?
8. Is your approach bank-specific or do you apply generic IT audit standards?
9. What percentage of your firm's employees spend the majority of their time performing IT audits and how will this engagement be staffed?
10. What percentage of your firm's revenue comes from mergers and acquisitions consulting?
11. Do you believe that there is a requirement to rotate IT audit firms and if so, can you cite the regulation or law stating so? Also, why should we leave our current firm to engage you?
12. Does your firm provide correspondent banking services to our bank (e.g., ACH and wire transfer services)?

Please note: The views or opinions expressed in this article are those of the author and do not constitute or imply an endorsement or recommendation by BankersOnline.

First published on 09/16/2013