#607489 - 08/30/06 10:16 PM Internal audit access rights
Carolina Fan Offline
New Poster
Joined: Aug 2006
Posts: 7
North Carolina
I'm somewhat new to banking and haven't encountered this before. Our Internal Audit department's charter states that they have unrestricted access to people, systems, etc. Our process for granting system access is to have the application owner approve it, and then IT sets the authority in place.

Internal Audit says they do not need to have the application owner involved, and that their request to IT is sufficient, if their access is read-only. My concern is that a lot of damage can be done with read-only access. Additionally, Internal Audit is against having their access requests reported to the IT Steering Committee or Board.

I can understand if this is needed for a confidential manner. Outside of that, it seems like we're missing a proper control here. Am I off base? How do other bankers handle this?

Thanks!

#607490 - 08/31/06 01:40 PM Re: Internal audit access rights
Lil'Auditor Offline
New Poster
Joined: Aug 2006
Posts: 6
Virginia
As a small bank, it is the responsibility of each department manager to determine the IT user access privileges needed for the computer system. This request is then reviewed and approved by the IT Department Manager based on the individual's job responsibilities. If a request seems unusual, the access will not be granted. As an internal auditor, I requested inquiry-only privileges on everything.

#607491 - 08/31/06 02:30 PM Re: Internal audit access rights
rlcarey Online
10K Club
Joined: Jul 2001
Posts: 83,365
Galveston, TX
Internal Audit should have open access to "read-only" on all systems. Reporting their access should follow the normal channels, but approval is not an issue. The approval for individual access should lie with the Director of Internal Audit to validate the needs of the specific auditor.

"My concern is that a lot of damage can be done with read-only access." What are your specific concerns???
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#607492 - 09/06/06 09:07 PM Re: Internal audit access rights
Carolina Fan Offline
New Poster
Joined: Aug 2006
Posts: 7
North Carolina
The concern I have with read-only access is the ability for theft of information. I do agree that we have to have trust at some point in the bank, and that auditors should have (and ours do) the highest integrity. But having full access without any awareness of this seems like a control is missing.

You mentioned that reporting their access should follow normal channels. With that process in place, I'm fine with read-only access. How are you reporting it?

#607493 - 09/06/06 09:23 PM Re: Internal audit access rights
Dazed and Confused Offline
Gold Star
Joined: Feb 2006
Posts: 250
Big XII South
If you are concerned about theft of information ... then you should be able to "hang your hat" on a "security awareness acknowledgment form" that should be signed by all employees and officers -- including internal auditors. This form documents their acknowledgment of the bank's information security program and procedures ... as well as their duty to help ensure the integrity and confidentiality of the information.

As for normal reporting channels ... this can be accomplished by completion of a "system access request sheet" that is signed by the Director of Internal Audit and submitted to the IT Director/Management for approval. To use rlcarey's phrase ... this system access sheet should validate the needs of the specific auditor. Also, the internal auditors' log-in sessions to the system (e.g., time of log-in, file menus accessed, etc.) will be recorded to the system's event log for subsequent review (if necessary). If I missed the mark rlcarey ... then please correct me ...

#607494 - 09/06/06 09:28 PM Re: Internal audit access rights
rlcarey Online
10K Club
Joined: Jul 2001
Posts: 83,365
Galveston, TX
Yes - that is what I was suggesting. Approval for read-only access for an auditor should not be an issue. The Director of Internal Audit could be charged with ensuring that each individual auditor only has access to the specific systems required to perform their functions. That could be one of your control points.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com
