Can anyone recommend a good (reasonabley priced) firm that performs IT audits? I am in southeastern New Mexico, so a firm in Las Cruces or Albuquerque NM or even El Paso Texas would work. The S&L I work for has a 3rd party service provider with no proof department, and has only 2 branches. In addition, there is no email or internet capabilities on employees' PCs. However, I am going to recommend to the Audit Committee that one be performed, considering that an audit has never been done of this area, and there is only one employee in this department (i.e., no segregation of duties).

What are your areas of concern?

Send me a private email, or your email address. We have a presence in that part of NM - I'll let you know how we addressed this need.

We're pretty good, and we think we charge a fair price. But unless you can wait until June, we can't help you.

I think you're wise to have an IT audit, even though you don't have an in-house data center. 80% of our audit procedures focus on operations that are present in all banks--whether they are in-house or use a service bureau.

If you don't mind some unsolicited advice, there are four things you want to ensure the auditor looks at.

1. Data entry operations for loans and CDs. It's not uncommon for us to find data entry errors that exceed the price of our audits. (However, the errors aren't always in the bank's favor. But, as we tell our clients, better we find them than someone else.)

2. Use of the banking system's security controls. When you last renewed your blanket bond, you probably told the insurance company that all material financial transactions are executed under dual control. We typically find that with first-time audit clients, there are 10-12 (or more) people that can unilaterally execute material transactions. And if one of these folks embezzles funds, the insurance company will likely deny your request for indemnification.

3. Firewall and virus-detection procedures. We do a penetration test as part of our audits, using a tool called NESSUS (www.nessus.org). In 50% of our first-time audits, we find weaknesses in these controls. (Note: NESSUS is usually correct when it finds a weakness. However, since we didn't develop the software, we do not guarantee the results when it finds no weaknesses. We do not charge extra for these tests.)

4. Controls governing wire transfers, ACH, debit card, and ATM operations. Very few banks are aware of the requirements of Regulation J on ACH and wire transfer operations--until it's too late.

Good luck finding an auditor. We'd love to give you a proposal, but let me tell you up-front we are one of the more expensive firms.

Regards,
Wayne Barnett, CPA
800-680-8692
wbarnett@barnettcpa.com

Wayne Barnett, President
Wayne Barnett Software
877-975-4344
wbarnett@barnettsoftware.comn

It doesn't sound to me like you would need to outsource an IT Audit. There are plenty of audit programs out there to help you.

The major area of concern is that only 1 employee has ever been in this department - at least for the last 10 years. I know that this area isn't nearly as complicated because there is no internet banking, no email/internet capabilities, etc. However, I am only one internal auditor - I just began as one 6 months ago. In addition, I'm a CPA, so my background is accounting, not banking and certainly not IT. I don't have the manpower, nor the skills necessary to audit this area.