Does anybody have a set of Internal Control Questions for and IT Audit? I am to the point of pulling my hair out with the information OVER LOAD from the ffiec stuff. I feel like an internal IT audit should not be on the same broad scale as the FDIC or a 3rd party External Audit. There is no sense in me trying to re-invent the wheel!! Help!!!

The FFIEC IT booklet series, which succeeded the older 1996 IS Handbook, provides a great foundation for you to create your own ICQs and audit scope, objectives, and plan. The examiners still follow the 4-pronged approach of management, audit, operations, and application systems (formerly "systems development"), and they have the added focus of business continuity and information security.

Conducting a technology risk assessment or IT audit will be different for everyone, depending upon the size of your institution, whether you have a managed security service or do these things internally, and depending upon whether you're examined by standalone IT examiners or as part of your safety and soundness examination.

Only you know your enterprise and what would constitute a true "audit" of technology risk issues specific to your enterprise. A one-size-fits-all questionnaire and audit format from other BOL posters may not even be relevant to your risks and applications, and the examiners will quickly spot this. You can't go wrong with the FFIEC booklets, and I would use them as the foundation for your review.

I know there is a lot of information in the FFIEC booklets but it is worth it to read and become familiar with the information. IMO you do not want to take your IT/IS audit lightly. I would rather be too thorough that not thorough enough. Sometimes it's not reinventing the wheel but rather discovering how the wheel was made. Jay-Risk is right, you can't go wrong with the booklets.