Background checks on external IT auditors

Posted By: Anonymous

Background checks on external IT auditors - 11/19/04 04:34 PM

Hello all,

We would like to run background checks on our external IT auditors.

Has anyone done this before?
How should we go about it?
Is it common practice in the banking industry?

Thanks,
john
Posted By: Anonymous

Re: Background checks on external IT auditors - 11/19/04 08:18 PM

Never done it. We just ask for other references and contact them to see what they have to say.
Posted By: Jay-Risk

Re: Background checks on external IT auditors - 11/19/04 08:37 PM

Quote:

We would like to run background checks on our external IT auditors. Is it common practice in the banking industry?

You need to provide a great deal more information. By external IT auditors, are you referring to technology auditors employed by your attestation auditors who will attest to the technology systems that support the reporting of bank financial statements? Or are you referring to an outside third-party firm conducting an IT review separate from the attestation IT auditors?

In either case, hiring an outside firm such as Ernst & Young, KPMG, Deloitte, etc. -- firms that already conduct full background screening of their employees -- does not require that you conduct your own background screening. Do you have Board-adopted standards for your conducting background investigations of employees of a third party?

Nevertheless, the bigger issue here is that it appears you would be conducting a third-party investigation which would touch on character, general reputation, mode of living, etc., which are all subject to FCRA 15 USC 1681 and in which you would have to disclose the results and in which you would not be held harmless.

Why, if you're hiring a third-party IT audit firm, wouldn't you just conduct a basic due diligence and obtain profiles of the principals on the audit? Frankly, I've never heard of a bank conducting a background investigation of employees employed by a third-party provider. From an FCRA standpoint, you're almost touching the third rail if you're not careful.
Posted By: Anonymous

Re: Background checks on external IT auditors - 11/19/04 10:24 PM

Thanks for the responses. We're looking to hire a firm to do penetration-style testing. The firm we have in mind is a one-person shop and hires contractors as needed. We feel good about the owner, but do not know anything about the contractor. The owner and all contractors are bonded.

This was something that an examiner brought up.
Posted By: Anonymous

Re: Background checks on external IT auditors - 01/07/05 10:37 PM

We've just completed another background check on an IT auditor, a newly arrived Canadian immigrant in his early 20s. The client was obviously concerned about his background. Let us know if we can assist you: mike@cbintel.com