Information Security audit

Posted By: Bear Collector, CRCM

Information Security audit - 09/04/02 03:21 PM

We are looking for some guidance for our audit department regarding IS audits. I was wondering how those of you who are in the bank audit field are auditing for Information Security. Do you incorporate IS into your regular department audits, or do a separate IS audit? Do you have any written procedures you could share?
Thanks for the help!
Leslie

Posted By: Lestie G

Re: Information Security audit - 09/04/02 03:26 PM

We're outsourcing IS and IT audits. The primary reason for that was the skill level of the internal staff. That area changes so fast, we felt our money was better spent on an external firm who has the time and funds to keep their skill levels up with the industry. Our regulators liked the approach. Actually, they 'encouraged' us to hire external auditors for several areas including penetration testing.

Posted By: Anonymous

Re: Information Security audit - 09/04/02 04:05 PM

We are a $300 million commercial bank with a third party processor. Last year, I convinced senior management that it was to everyone's benefit if we outsourced the data processing audit to a third party precisely for the reasons cited in the second post--cost efficiencies and increase in technical skills required by the development of all the different electronic media delivery channels. I spoke to several bank auditors in the state of Connecticut and to a person none felt they had the technical expertise to continue in-house dp audits. As one person asked me, "Would YOU feel comfortable telling your Board of Directors that adequate internal control systems are in place concerning all areas of data processing--i.e. backroom, INTERNET, bank by telephone, internal network, firewalls, internal/external penetration, routers, configurations, etc.???" I would guess 99% of us out there would say NO WAY!!!! Good luck....

Posted By: LinMarie

Re: Information Security audit - 09/04/02 06:09 PM

We also outsource this audit. It has been very beneficial to us to do so. I can e-mail you with the name of the company we use if you like. They are excellent.

Posted By: Tina A Sweet

Re: Information Security audit - 09/04/02 06:22 PM

I have asked my IT department to follow this. She is very knowledgeable in this area and we have just recently undergone an IT audit (OCC) so I am sure she will be willing to share. Let me know.

Posted By: Bear Collector, CRCM

Re: Information Security audit - 09/04/02 07:04 PM

Thank you all for your responses. I gather from what I am reading that you combine your IS and your IT audits into one. Does your audit department do anything separately such as check to see that customer sensitive files are locked up and computer screens are not left showing customer information when they do department audits, or is this part outsourced as well?
I would be interested in any names of outside companies you use or any procedures you have available. We are an appx. 2 billion dollar bank, located in Maryland. My e-mail address is lcallaway@sandyspringbank.com.
Thank you again.
Leslie