#277289 - 11/19/04 04:34 PM Background checks on external IT auditors
Anonymous
Unregistered

Hello all,

We would like to run background checks on our external IT auditors.

Has anyone done this before?
How should we go about it?
Is it common practice in the banking industry?

Thanks,
john

#277290 - 11/19/04 08:18 PM Re: Background checks on external IT auditors
Anonymous
Unregistered

Never done it. We just ask for other references and contact them to see what they have to say.

#277291 - 11/19/04 08:37 PM Re: Background checks on external IT auditors
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

We would like to run background checks on our external IT auditors. Is it common practice in the banking industry?

You need to provide a great deal more information. By external IT auditors, are you referring to technology auditors employed by your attestation auditors who will attest to the technology systems that support the reporting of bank financial statements? Or are you referring to an outside third-party firm conducting an IT review separate from the attestation IT auditors?

In either case, hiring an outside firm such as Ernst & Young, KPMG, Deloitte, etc. -- firms that already conduct full background screening of their employees -- does not require that you conduct your own background screening. Do you have Board-adopted standards for your conducting background investigations of employees of a third party?

Nevertheless, the bigger issue here is that it appears you would be conducting a third-party investigation which would touch on character, general reputation, mode of living, etc., which are all subject to FCRA 15 USC 1681 and in which you would have to disclose the results and in which you would not be held harmless.

Why, if you're hiring a third-party IT audit firm, wouldn't you just conduct a basic due diligence and obtain profiles of the principals on the audit? Frankly, I've never heard of a bank conducting a background investigation of employees employed by a third-party provider. From an FCRA standpoint, you're almost touching the third rail if you're not careful.

#277292 - 11/19/04 10:24 PM Re: Background checks on external IT auditors
Anonymous
Unregistered

Thanks for the responses. We're looking to hire a firm to do penetration-style testing. The firm we have in mind is a one-person shop and hires contractors as needed. We feel good about the owner, but do not know anything about the contractor. The owner and all contractors are bonded.

This was something that an examiner brought up.

#277293 - 01/07/05 10:37 PM Re: Background checks on external IT auditors
Anonymous
Unregistered

We've just completed another background check on an IT auditor, a newly arrived Canadian immigrant in his early 20s. The client was obviously concerned about his background. Let us know if we can assist you -- mike@cbintel.com


Moderator:  Andy_Z