Thread Options
#49960 - 12/19/02 08:44 PM EDP auditing
Anonymous
Unregistered

I have recently joined a community bank to head up the internal audit function (I am the only auditor at this point). I have had 30 years experience in public accounting and in industry as a controller and CFO but have had no hands-on banking experience prior to this position.

My initial charter is to redirect the bank's audit function. I have assembled most of the pieces of the function except for the one related to EDP auditing.

I am a reasonably proficient user of computer systems but do not have a technical background. I am assessing whether to recommend training for myself so that I can conduct EDP audits internally or that the bank engage an outside firm capable of conducting such audits. I like the idea of retaining technical expertise within the bank if it is reasonable to develop that expertise.

As I considered the issue, I am prejudiced to feel that our best benefit may lie with my learning as much as is reasonable about EDP auditing so that I can perform the bulk of the work, leaving only the most technical aspects to an outside expert.

I would appreciate your thoughts on the strategy. What skills would I need to develop to be effective in performing some of the audit work? What suggestions do you have for training that would help someone with my background to perform as much of the EDP audit work as is possible?

I thank you for your help.

Return to Top
Audit
#49961 - 12/19/02 09:17 PM Re: EDP auditing
BANNED BY BOL MANAGEMENT Offline
Platinum Poster
BANNED BY BOL MANAGEMENT
Joined: Oct 2002
Posts: 524
Needed expertise depends on how your bank is set up, EDP-wise. If you are in-house with an off-the-shelf system, reader-sorter, PC network, etc. you can probably do it yourself over time, but it may be wise to have an outside entity go through the entire system first.

If your bank uses in-house programmers on the primary system, donít even think about doing the audit yourself, itís way too risky.

If you are in an outsourced environment, e.g. primary system, etc. you should be able to go through the FDICís or OCCís work papers covering EPD audits and conduct the audit yourself after you have gained a level of expertise on the primary system.

As noted, regulatory work papers are excellent sources of input. In addition, networking security is covered by books, for example, Windows 2000 Server for Dummies is very well done at the non-tech level if you are using a Windows 2000 Server with other books available covering all the network options.

Return to Top
#49962 - 12/20/02 04:03 PM Re: EDP auditing
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
I am finding it more and more difficult to keep up with everything on the EDP world. We have started to outsource this audit. I have some contacts if you would like them. I have been very happy with the external EDP audit. I am involved so I do continue to learn.

Return to Top
#49963 - 12/20/02 04:21 PM Re: EDP auditing
BANNED BY BOL MANAGEMENT Offline
Platinum Poster
BANNED BY BOL MANAGEMENT
Joined: Oct 2002
Posts: 524
I agree with you with the only issue the cost of outsourcing. If the bank can afford it, regardless of how the EDP is set-up, outsourcing the audit function is the route to go. The tricky part is your salary/benefits and outsourcing costs add up to a lot of money with your value increasing as you are able to complete internal audits, eliminating outsourcing costs.

Return to Top
#49964 - 12/20/02 04:27 PM Re: EDP auditing
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
It is quite costly but I think it is worth it. You don't need a full review every year unless major changes were implemented. We are on an extended reveiw where certain areas are reviewed in different intervals. I review the area internally on the off years. It's worked out very well so far.

Return to Top
#49965 - 12/28/02 01:53 PM Re: EDP auditing
Ross A Offline
New Poster
Ross A
Joined: Dec 2002
Posts: 20
Are training courses available?
_________________________
The opinions expressed here are my own and may not represent the views of my employer.

Return to Top
#49966 - 12/29/02 04:35 AM Re: EDP auditing
Deepa C Offline
Junior Member
Deepa C
Joined: Dec 2002
Posts: 27
Dubai, UAE
Whether to outsource or not depends on the complexity of the EDP functions and also the cost involved.

Check out the "INFORMATION SYSTEMS TECHNOLOGY AUDIT PROGRAMS" under www.auditnet.org. This covers several aspects.

Return to Top
#49967 - 12/30/02 05:05 PM Re: EDP auditing
LiL Bit Moore Offline
Platinum Poster
LiL Bit Moore
Joined: Nov 2002
Posts: 624
Texas
You may want to review the FDIC bulletin issued in October '02 regarding New IT Audit Workprograms. The FFIEC IT Exam Handbook is commonly used but includes procedures that are usually not applicable for lower risk institutions. The bulletin referenced provides a link to an IT audit workprogram geared towards those institutions that are less complex. Although, you may also want to refer to the FFIEC Handbook for comparison.

FDIC Bulletin FIL-118-2002
FFIEC Systems Exam Handbook Index

Hope this info helps!
_________________________
An error is not a mistake until you refuse to correct it

Return to Top

Moderator:  Andy_Z