BOL Conferences
#2124967 - 04/04/17 06:27 PM IT Policy
KR147 Offline
New Poster
Joined: May 2012
Posts: 23
We are creating an IT Audit Policy. Does anyone have a sample they'd share or could someone point me in the direction of a good source? We need a policy that follows the FFIEC IT Audit criteria.

Thank you!

#2125007 - 04/04/17 08:04 PM Re: IT Policy KR147
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,406
Why would you want an IT Audit Policy? We have a standard audit department policy and then create our audit plan based on a risk assessment.

#2125012 - 04/04/17 08:07 PM Re: IT Policy KR147
KR147 Offline
New Poster
Joined: May 2012
Posts: 23
Examiners told us we need one as our IT risk is large.
_________________________
KR147

#2125015 - 04/04/17 08:10 PM Re: IT Policy KR147
bcompliance Offline
Diamond Poster
Joined: Sep 2014
Posts: 1,294
Which regulator told you that? IT risk is large for about every bank right now.
_________________________
CRCM, CAMS

#2125019 - 04/04/17 08:20 PM Re: IT Policy KR147
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,406
OK, let's start with "Examiners told us we need one". Do you have an IA Risk Assessment? If you do, where does IT "rate" within the risk assessment? My IA Department just recently adopted a new IA Policy and Procedures. The Policy dictates when audits should be performed based on their risk rating. For instance, the majority of areas related to IT are rated High and should be performed every 12-18 months. We do not have a specific IT Audit Policy; the reason is that your audit plan is created using a risk-based approach.

#2125061 - 04/05/17 11:42 AM Re: IT Policy KR147
edAudit Offline
Power Poster
Joined: Jul 2008
Posts: 4,796
Quoting KR147: "Examiners told us we need one as our IT risk is large."

Policy or Procedure?

Do you have a risk assessment issue and not a policy/procedure issue?

Audits are usually conducted the same for each area. Hence my confusion with the statement.

We risk rate all relevant areas of the bank, and IT is no exception. If your risk assessment follows a different methodology for each area, it would not show the relevant differences between the areas to be audited, so you would not be able to allocate your resources effectively. If you have a separate (standalone) "IT Audit" function and had to allocate resources around "IT Audit", that would be different and could use a different RA and policy.

PS Making policy without a risk assessment would be placing the cart before the horse.
_________________________
Opinions can be considered as coming from anywhere but my employer.

CAMS

