We're pretty good, and we think we charge a fair price. But unless you can wait until June, we can't help you.
I think you're wise to have an IT audit, even though you don't have an in-house data center. 80% of our audit procedures focus on operations that are present in all banks--whether they are in-house or use a service bureau.
If you don't mind some unsolicited advice, there are four things you want to ensure the auditor looks at.
1. Data entry operations for loans and CDs. It's not uncommon for us to find data entry errors that exceed the price of our audits. (However, the errors aren't always in the bank's favor. But, as we tell our clients, better we find them than someone else.)
2. Use of the banking system's security controls. When you last renewed your blanket bond, you probably told the insurance company that all material financial transactions are executed under dual control. We typically find that with first-time audit clients, there are 10-12 (or more) people that can unilaterally execute material transactions. And if one of these folks embezzles funds, the insurance company will likely deny your request for indemnification.
3. Firewall and virus-detection procedures. We do a penetration test as part of our audits, using a tool called NESSUS (www.nessus.org). In 50% of our first-time audits, we find weaknesses in these controls. (Note: NESSUS is usually correct when it finds a weakness. However, since we didn't develop the software, we do not guarantee the results when it finds no weaknesses. We do not charge extra for these tests.)
4. Controls governing wire transfers, ACH, debit card, and ATM operations. Very few banks are aware of the requirements of Regulation J on ACH and wire transfer operations--until it's too late.
Good luck finding an auditor. We'd love to give you a proposal, but let me tell you up front we are one of the more expensive firms.
Wayne Barnett, CPA
Wayne Barnett, President
Wayne Barnett Software