How frequently do we have to have a full blown audit of the IT area? We are a OCC bank with website, internet service provider, online banking, etc. We do not open new accounts or take loan applications over the internet. And, we do our own data processing on the bank side.

All I have been able to find says we must manage the risks, but it doesn't say that they want something every 12 mos., 18 mos., 24 mos. or whatever.

In advance, thank you.

Your IT Audit cycle should really be risk based. Some area's will need to be audited annually and others you may be able to push off to a 2 year cycle audit cycle. 3 years is probably pushing it a bit.

I own a CPA firm that specializes in IT auditing, so I naturally think all banks should have annual IT audits.

I am not aware of a regulatory requirement that mandates a frequency for IT audits. But, many insurance companies now require annual IT audits--so check your policy. If your policy has such a requirement, and if your bank suffers an IT-related embezzlement and no audit has been done, you'll likely find your coverage has been abrogated.

Also check to see if the IT audit has to be done by a CPA firm. A few insurance companies have added this stipulation to the "annual audit" requirement. I know of two cases where insurance companies refused to indemnify banks for embezzlement losses, because the IT audits were done by individuals the insurance companies deemed unqualified. (In both instances, the Auditors were retired Regulatory Examiners that did ". . . IT audits on the side.")

Regards,
Wayne Barnett, CPA
800-680-8692
www.barnettcpa.com
wbarnett@barnettcpa.com

Wayne Barnett, President
Wayne Barnett Software
A Texas Corporation
877-945-4344
www.barnettsoftware.com
wbarnett@barnettsoftware.com

We just came through an IT Examination by our regulatory agency and they reviewed for an an annual IT Audit. In this world of electronic "mass", I can't imagine not having one.

Who is your regulator?