I have recently joined a community bank to head up the internal audit function (I am the only auditor at this point). I have had 30 years' experience in public accounting and in industry as a controller and CFO but have had no hands-on banking experience prior to this position.

My initial charter is to redirect the bank's audit function. I have assembled most of the pieces of the function except for the one related to EDP auditing.

I am a reasonably proficient user of computer systems but do not have a technical background. I am assessing whether to recommend training for myself so that I can conduct EDP audits internally or that the bank engage an outside firm capable of conducting such audits. I like the idea of retaining technical expertise within the bank if it is reasonable to develop that expertise.

As I considered the issue, I am prejudiced to feel that our best benefit may lie with my learning as much as is reasonable about EDP auditing so that I can perform the bulk of the work, leaving only the most technical aspects to an outside expert.

I would appreciate your thoughts on the strategy. What skills would I need to develop to be effective in performing some of the audit work? What suggestions do you have for training that would help someone with my background to perform as much of the EDP audit work as is possible?

Needed expertise depends on how your bank is set up, EDP-wise. If you are in-house with an off-the-shelf system, reader-sorter, PC network, etc. you can probably do it yourself over time, but it may be wise to have an outside entity go through the entire system first.

If your bank uses in-house programmers on the primary system, don't even think about doing the audit yourself; it's way too risky.

If you are in an outsourced environment, e.g. primary system, etc. you should be able to go through the FDIC's or OCC's work papers covering EDP audits and conduct the audit yourself after you have gained a level of expertise on the primary system.

As noted, regulatory work papers are excellent sources of input. In addition, networking security is covered by books, for example, Windows 2000 Server for Dummies is very well done at the non-tech level if you are using a Windows 2000 Server with other books available covering all the network options.

I am finding it more and more difficult to keep up with everything on the EDP world. We have started to outsource this audit. I have some contacts if you would like them. I have been very happy with the external EDP audit. I am involved so I do continue to learn.

I agree with you with the only issue the cost of outsourcing. If the bank can afford it, regardless of how the EDP is set up, outsourcing the audit function is the route to go. The tricky part is your salary/benefits and outsourcing costs add up to a lot of money with your value increasing as you are able to complete internal audits, eliminating outsourcing costs.

It is quite costly but I think it is worth it. You don't need a full review every year unless major changes were implemented. We are on an extended review where certain areas are reviewed in different intervals. I review the area internally on the off years. It's worked out very well so far.

Are training courses available?

Whether to outsource or not depends on the complexity of the EDP functions and also the cost involved.

Check out the "INFORMATION SYSTEMS TECHNOLOGY AUDIT PROGRAMS" under www.auditnet.org. This covers several aspects.

You may want to review the FDIC bulletin issued in October '02 regarding New IT Audit Workprograms. The FFIEC IT Exam Handbook is commonly used but includes procedures that are usually not applicable for lower risk institutions. The bulletin referenced provides a link to an IT audit workprogram geared towards those institutions that are less complex, although you may also want to refer to the FFIEC Handbook for comparison.

FDIC Bulletin FIL-118-2002
FFIEC Systems Exam Handbook Index

Hope this info helps!