BOL Conferences
#201451 - 06/17/04 08:43 PM DILEMMA - TO AUDIT OR NOT TO AUDIT
Anonymous
Unregistered

Let's see if I can make this short & sweet: Our Information Security Program was criticized by our examiners (at the last exam - 2003) b/c there were some deficiencies noted regarding safeguarding customer information. Mgmt. ensured that the program would be revised to address the deficiencies by a certain date (in 2004). Our bank also had an external IT review performed recently but has not received the draft report yet...curious to see their comments regarding the Information Security Program.

Dilemma: I need to audit the revised program before the next exam (later this year). I'm sure it has not been revised as of this date (for whatever reason). Should I wait (till GOD knows when, but I know it will be revised before the next regulatory exam) or go ahead with the audit and document that I could not conduct it b/c the deficiencies had not been corrected? I don't want to be cited for not conducting the audit.

I appreciate any comments, words of wisdom, etc........

#201452 - 06/17/04 08:54 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
Countess Kiwi
Do you keep a due date monitoring report of the items? If so, is it reviewed frequently? If they have a specific date in the report, I would look for them to comment on why it hadn't been fixed by that date. If you don't have this system in place...I would do whatever is necessary to CYA.
_________________________
Do what you can, with what you have, where you are.
~Theodore Roosevelt~

#201453 - 06/17/04 09:04 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
MackenzieS
You certainly don't want to wait. We were once cited for pushing back a trust audit because they had a state exam and an external audit conducted back-to-back. The fact that I wasn't in there conducting my audit concurrently with the others got us in trouble.

Do you have the type of relationship with your external auditor where you could ask them if there were any exceptions noted during their IT exam that might affect you conducting an Information Security audit?

Although IT and Information Security have overlapping areas of audit coverage, they are not the same animal.
If you feel that you are not going to get at least a preliminary report within the next couple of weeks, I would continue with your scheduled audit.

Does your contract with the external auditor specify time frames in which they must have at least the preliminary report prepared and presented for review to your bank? I personally don't think that is good for business to allow them to get it to you on their time table. I understand that these take time to prepare...but not that long.

P.S. I went back and re-read your post. If management has not updated their program, based on a requirement/recommendation from your regulatory agency, then this will be an exception in your report. Prepare your audit papers to match the FFIEC's exam procedures because these are the same guidelines your examiners will use. Do not audit based on the old program...you audit based on what the program should encompass.

In all of my audits there is a section which asks if this was an area that required corrective actions to be taken based on a prior FDIC exam. If the FDIC made recommendations, then I test to make sure the recommendations were implemented. If they were not, the lack of corrective action on behalf of the bank will be included in my report.

Good luck.
Last edited by MackenzieS; 06/17/04 09:13 PM.
#201454 - 06/17/04 09:09 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
Anonymous
Unregistered

Yes, the date was stated in the examiner's report and the date has passed. I sent a "friendly" email inquiring about the status of the revision (asked for a possible completion date) to the employee responsible but have not received a reply. This dept. head is also understaffed and has many "projects" to complete.

My schedule is already tight and behind (a dept. of one), so I can't keep postponing the audit, and I'm definitely trying to CYA but yet be understanding w/the employee.

#201455 - 06/17/04 09:25 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
MackenzieS
If you want to be "friendly", give them a memo that gives them two weeks to prepare for the audit. Compliance exams come every two years, so if you are due for another compliance exam this year...that means your bank has had ample time to fix this.

I know it is hard to "push" these issues, but it will come back to bite you when the examiners show up and 1) you have not conducted an audit since the last exam, and 2) the bank has not made any corrective actions. You don't want to be associated with either of these positions.

Schedule your audit, let them know you are coming, and you don't even have to mention the past exam up front...they are going to find out while you are conducting the audit that you know they have not complied with the examiners' request. Not only that, the examination team coming in is not going to be very pleased to see that these items took nearly two years for you guys to fix...so if management needs a little pushing to get it done...so be it. Let's see...your bank gave them a date by which corrective actions would be completed (usually within about 90 days after the examiners leave...and now it's a year and a half later and they are not done)...this is not your problem; it is your management's problem.

#201456 - 06/17/04 10:07 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
Anonymous
Unregistered

The exam was conducted in Sept/Oct. 2003 and the corrective action was to be completed by end of 1st qtr. 2004.

Your advice is exactly what my intuition says...to proceed w/the audit ASAP. The draft report from the external audit should be finished within 2 weeks (hopefully). Actually, I was contacted by the consultant this week b/c they needed something from me and the IT guy. I replied promptly but the IT guy hasn't yet (so the draft report will be pending until the IT guy sends what they need to complete the audit). I'm anxious to see their comments regarding the Information Security Program so I can move on. But I need to see their draft report as well.

Thanks for the advice....BOL rocks!!!

#201457 - 06/18/04 02:24 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
CSpellman
As an alternative, you could follow up on all of the outstanding issues from the exam. List all of the issues, list the corrective action (along with the date) that management promised; document the status and whether you verified the correction. Have enough documentation to CYA but provide the results in a memo to management; if your fears are substantiated and there has not been follow-up, the audit would be a waste of time.

As someone else mentioned, it would be a good idea to track all of your audit findings plus external results along with correction/follow up. The examiners will love it.
_________________________
...but I saved a lot on my auto insurance

#201458 - 06/18/04 04:34 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
Anonymous
Unregistered

Discuss the situation with the audit committee and document the conclusion! Do not postpone the audit for too long.

#201459 - 06/18/04 10:39 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
Anonymous
Unregistered

I would audit to CYA. Sometimes doing the audit will again bring to the forefront the need to get the policy completed. This just happened in one of my recent audits. Good luck.

#201460 - 06/21/04 06:19 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
Anonymous
Unregistered

Thanks for all the feedback... My goal is to wait to see if we'll receive the external IT audit report by month-end (6/30). If not, then proceed to verify whether the corrective action has or has not been done.

#201461 - 06/22/04 12:40 PM Re: DILEMMA - TO AUDIT OR NOT TO AUDIT
Risk Officer
Sorry for the late response...

Addressing your main question: Generally speaking, I would follow my audit schedule. Therefore, I would start the audit process. Where surprise is not an issue, I would send advance notice to the auditee (two to four weeks ahead of time, depending upon the amount of requested information needed, perceived scheduling issues, etc.). In your specific situation, your preliminary memo and request list will put the auditee on notice and could incent them to finish up their project. Depending upon the circumstances, I have occasionally agreed to a one-time postponement of the audit if the auditee couldn't be ready, there were scheduling issues, etc. So you do have some flexibility.

First rabbit...I believe that the audit schedule should be a living document, not prepared once a year and set in stone. At any given time, ask yourself if what you are working on right now and in the coming weeks is the most important thing for you to be working on...if not, you may need to revise your audit schedule.

Second rabbit...coordination of audit effort. You are wise to see what the independent auditor says, not so much as to see if they found any deficiencies, but to avoid duplication of effort. It is a good idea to sit down with all external auditors/providers every year and go over the scope of their audits. Generally, internal audit does not need to cover procedures that will be addressed externally by an independent firm. In the real world, where audit resources are limited, we need to coordinate our effort where possible.

Third rabbit...tracking deficiencies. One best practice that I have seen over the years is to track all outstanding issues (from regulators, internal auditors, external auditors and consultants, etc.) in one central database. The database should indicate the area, source of recommendation, management response, manager responsible, original due date, revised due date (managers should be required to request an extension, with approval by exec management or the audit committee), status comments, priority, etc. By using a priority code, you can filter what gets reported to the audit committee (i.e., high-level deficiencies), executive management (i.e., moderate- and high-level deficiencies), line management (all deficiencies and recommendations), etc. Managers should be required to update this database monthly, with monthly or quarterly reporting to management, and quarterly reporting to the audit committee. Using this approach, nothing should slip through the cracks.
_________________________
My opinions are just that...my opinions.
