BOL Conferences
#112001 - 09/04/03 02:27 PM IT AUDIT
HubbaBubba Offline
Gold Star
Joined: Sep 2002
Posts: 311
Help -
FDIC just finished an exam and they really hit us hard on our IT Audit program. I knew we were behind the times, but don't know where to start to get up to speed.

Would any of you out there have your own IT Audit program that you would be willing to share?

Thanks in advance!!!!

eBanking / Technology
#112002 - 09/04/03 03:53 PM Re: IT AUDIT
Pale Rider Offline
10K Club
Joined: Aug 2002
Posts: 34,318
under the Lone Star
We have given up trying to keep trained and experienced IT auditors and have outsourced. There is another thread on IT audit currently running. You might take a look there.
_________________________
Societies that do not find work in and of itself "pleasing to God and requisite to Man," tend to be highly corrupt.


#112003 - 09/04/03 04:05 PM Re: IT AUDIT
HubbaBubba Offline
Gold Star
Joined: Sep 2002
Posts: 311
Unfortunately, this duty is, and will remain, in my lap to get a handle on. Management has no intention of outsourcing IT auditing.

So, once again, can anyone assist me?

#112004 - 09/04/03 06:38 PM Re: IT AUDIT
rexinaudit Offline
Gold Star
Joined: Dec 2001
Posts: 292
New England
There is no ONE IT audit program. FDIC expects a risk analysis and a separate audit program for about ten areas of IT. The task is large and complicated. IT audit training is available from BAI and from ICBA. See also FDIC's website for various examination programs. Be forewarned: if you process in-house, this IT audit will take many weeks.
_________________________
My opinions are not legal advice, not my employer's, and may change anytime.

#112005 - 09/04/03 07:11 PM Re: IT AUDIT
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
I would start with the turnkey procedures in the 1996 FFIEC Information Systems handbook. While some parts of it are somewhat outdated, it is still a good starting point for a general IT controls review.

From there, I would look at the new Information Security and Business Continuity Planning handbooks from the FFIEC. Links to these and the 1996 handbook are available here.

Financial Institution Letters (FDIC) addressing Information Technology are available here, and include electronic banking and other procedures and guidance. OCC and Fed have similar documents available.

http://www.auditnet.org has a number of free workprograms available, including workprograms for specific systems (Windows NT, Unix, etc.).

http://www.theiia.org/itaudit/ offers tons of articles on the subject.

Sheshunoff, Alex Information and other industry groups offer manuals.

If IT Audit is going to be in your lap, I would also get some training from your state banking association, an industry group like www.misti.com or www.icba.org, etc. Further, I would look into an IT related certification such as the CISA or the CISSP.
Last edited by Risk Officer; 09/11/03 02:34 AM.
_________________________
My opinions are just that...my opinions.

#112006 - 09/04/03 08:02 PM Re: IT AUDIT
rlcarey Offline
10K Club
Joined: Jul 2001
Posts: 83,393
Galveston, TX
Although I currently work for a firm that provides IT auditing services, I have also been on the other side of the fence as a bank audit department manager. Taking my consulting hat off and putting my industry experience hat back on, I have the following advice.

Unless you're a bank of sufficient size to retain a full-time trained IT auditor and work hard to keep them trained, it is "penny wise and pound foolish" not to outsource this activity. You will never obtain satisfactory results unless you do one or the other.

I know what management has said, but do they really realize what they are asking? Print the 704-page, two-volume set of the FFIEC IS Examination Manual and the various other documents referred to in the above posts, not to mention the latest penetration testing techniques, hardware and software configurations, etc. Ask them how, in your spare time, they would suggest that you get up to speed on all of it in order to perform just an adequate risk assessment.

You can hire out an expert that can customize the review to meet the specific needs of your bank for a lot less than I think they expect and they will then get the desired result.

Now I'll put my consultant hat back on and say - hire the expertise or hire it out.

Those are both of my views - hope it helps.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#112007 - 09/04/03 09:13 PM Re: IT AUDIT
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Some additional comments.

We're $500MM and spend around 40 work days on IT audit. We also outsource Internet penetration testing, network vulnerability assessment, social engineering, and other targeted reviews.

While someone with some IT savvy could easily get up to speed and complete a good general IT controls audit (though it would be a good idea to have an external review up front, then an external review every third year or so to validate the internal audit activity), the more technical reviews (i.e. Internet penetration, network vulnerabilities, etc.) are best left to the professionals.

Also, there are many firms out there that offer IT audit services, and, to some degree, you get what you pay for. Some of the lower-priced firms don't have near the expertise that we have internally, so we don't bother. I'd rather pay $10,000 for a quality limited-scope, targeted review than $5,000 for a "full-scope" review that is pretty useless.
_________________________
My opinions are just that...my opinions.

#112008 - 09/05/03 03:01 PM Re: IT AUDIT
Anonymous
Unregistered

I think everyone responding here has hit the proverbial nail on the head quite well, so there is not much anyone can add to an overall answer. However, when the original requestor asked if anyone has any "IT audit procedures", I think what he/she needs to realize is this: there is NO such thing anymore as a true cookie-cutter type of "IT audit" process -- at least not one that is "examiner-proof". Questions such as what does your enterprise consist of; what are your most critical risks; what are your alternative-response and incident response processes -- all of these must be addressed. Even if you're a $160MM institution with outsourced deposit, loan and other critical systems, the fact is you'll still need to have emergency dial backup procedures written and tested, etc. I would agree with the aforementioned advice and definitely have a professional CISA-type audit with substance conducted, with a substantive report as a deliverable. Trying to conduct this as a generalist to satisfy examiners in this climate is professionally suicidal. There are some things that a generalist/small bank function is better off outsourcing, and this is definitely one of those things.
