IT Audit Within Financial Institutions - PowerPoint PPT Presentation
1
IT Audit Within Financial Institutions
CARTAC & Caribbean Group of Banking Supervisors
IT Workshop for Regional Bank Examiners
June 23-25, 2009, Georgetown, Guyana
  • Kirk Tyrell, CISA
  • Assistant Director
  • Financial Institutions Supervisory Division
  • Bank of Jamaica
  • www.boj.org.jm

2
Objectives
  • Describe the characteristics of an effective IT
    audit function
  • Provide a foundation from which examiners can
    assess the quality and effectiveness of an
    institution's IT audit programme

3
Philosophy
  • "A strong internal auditing function combined
    with a well-planned external audit function
    substantially increases the probability that
    financial institutions will detect potentially
    serious technology-related problems." (Holistic
    Approach to IT Auditing, 2008, Kaya Kazmici)

4
Definition of IT Audit Function
  • The objective of IT audit and risk assessment is
    to review a financial institution's IT management
    and operations to ensure the accuracy and
    reliability of its information systems and their
    alignment with the institution's business
    objectives, which ultimately supports its safety
    and soundness

5
IT Audit Foundation
  • The IT audit function should be established
  • by an audit charter (which may also cover other
    audit functions) for the internal audit function
  • by an engagement letter for the external audit
    function

6
IT Audit Function Requirements
  • Identify areas of greatest IT risk exposure
  • Promote the confidentiality, integrity, and
    availability of information systems
  • Determine the effectiveness of management's
    planning and oversight of IT activities


7
IT Audit Function Requirements
  • Evaluate the adequacy of operating processes and
    internal controls
  • Determine the adequacy of enterprise-wide
    compliance efforts related to IT policies and
    internal control procedures


8
IT Audit Function Requirements
  • Require appropriate corrective action to address
    deficient internal controls
  • Follow-up to ensure management promptly and
    effectively implements the required actions.

9
Key Audit Programme Areas
  • The structure of the internal audit function,
    whether internally resourced or outsourced
  • The scope, authority, role, independence, and
    staffing of internal IT audit

10
Key Audit Programme Areas
  • The role of external audit from both a policy and
    engagement position
  • Risk assessment and risk-based auditing
    methodology
  • Audit participation in application acquisition,
    development, and testing

11
Unraveling the IT Audit Universe
STEPS
  1. Identify mission-critical business cycles.
  2. Identify applications supporting those cycles.
  3. Identify technology and infrastructure
     components.
  4. Identify the IT process universe.
  5. Identify and assess risk.
Diagram (layers of the audit universe, top to bottom,
mapped per division/business line, with risk
understood and assessed at each layer):
  • Financial Statement Accounts
  • Business Cycles: Financial Accounting, Revenue,
    Expenditures, etc.
  • Applications: Core Banking Apps (ICBS, BM, etc.);
    various other systems (GL, e-Banking, etc.)
  • Hardware/OS: Windows; others (Unix, AS/400)
  • IT Infrastructure Processes
  • Networks
12
IT Audit Risk Universe
13
IT Audit Basic Elements
  • IT Audit Roles and Responsibilities
  • Independence and Staffing
  • Internal IT Audit
  • Internal Audit programme

14
IT Audit Roles and Responsibilities
  • The Board and Senior Management
  • Have overall responsibility for the effectiveness
    of the audit function
  • May establish an audit committee to oversee
    audits and report to the full board
  • Provide the audit function with resources


15
IT Audit Roles and Responsibilities
  • The Board and Senior Management
  • Ensure that written guidelines for conducting IT
    audits exist
  • Ensure that the internal audit function is headed
    by a member of management who is independent of
    operations and reports to the Board

16
IT Audit Roles and Responsibilities
  • Audit management
  • Implements board-approved audit directives
  • Ensures that audit staff are competent,
    independent, experienced, educated and skilled
  • Establishes clear lines of authority and reporting
    responsibilities


17
IT Audit Roles and Responsibilities
  • Audit management
  • Reviews and approves audit strategies (including
    policies and programmes) and monitors the
    effectiveness of the audit function

18
IT Audit Roles and Responsibilities
  • The internal audit staff
  • Assesses the controls, reliability and integrity
    of the IT environment
  • Evaluates IT plans, strategies, policies and
    procedures
  • Independently and objectively evaluates
    technological activities

19
IT Audit Roles and Responsibilities
  • Business line management
  • Promptly and effectively responds to IT audit
    findings and recommendations

20
IT Audit Roles and Responsibilities
  • External auditors
  • Review the general and application controls
  • Make recommendations to management about
    procedures that affect IT controls
  • Review the IT control procedures as part of an
    outsourcing arrangement

21
Independence and Staffing
  • Independence of audit staff from operations
    management
  • Skill level requirements and the size or source
    of the IT audit staff must be commensurate with
    the institution's
  • size
  • complexity
  • scope and
  • sophistication

22
Internal Audit programme
  • Outlines guidelines for developing and
    maintaining a formal internal audit programme,
    including IT audits

23
Internal Audit programme
  • A mission statement
  • A risk assessment
  • Audit plan
  • Audit cycle
  • Audit work programme
  • Delivery of a written audit report
  • Requirements for audit work paper documentation
  • Follow-up process
  • Professional development programme

24
Internal Audit programme
  • All financial institutions are encouraged to
    implement risk-based IT audit procedures based on
    a formal risk assessment methodology to determine
    the appropriate frequency and extent of work

25
Risk Assessment and Risk-Based Auditing
  • A preferred framework
  • Includes performing an IT risk assessment and
    developing risk-based audit plans

26
Risk Assessment and Risk-Based Auditing
  • Plan should include processes for
  • Identifying institutional resources and business
    activities
  • Ranking risks for significant business units and
    products
  • Developing and implementing risk-based audit plans
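As an added illustration (not part of the presentation, and not a methodology the deck prescribes), the five steps of "Unraveling the IT Audit Universe" and the risk-based plan described on the last three slides can be carried through in code: build the layered universe (business cycles, applications, infrastructure, IT processes), let each component inherit the criticality of the most critical cycle it supports, score it against the strength of its known controls, and derive an audit frequency. The 1-5 scales, the multiplicative score, the frequency thresholds and the sample institution are all assumptions constructed for this example.

```python
"""Audit universe -> risk score -> audit frequency (added example).

Assumptions (not from the presentation): criticality and control
weakness are rated 1-5, risk = inherited criticality * control
weakness, and frequency thresholds are 16/8 on that 1-25 scale.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    layer: str             # "cycle" | "application" | "infrastructure" | "it_process"
    criticality: int       # own business criticality, 1 (low) .. 5 (high); assumed scale
    control_weakness: int  # 1 (strong controls) .. 5 (weak), e.g. from prior audits; assumed
    supports: tuple = ()   # names of components one layer up that depend on this one


def build_universe(components):
    """Index components by name and reject dangling 'supports' references."""
    universe = {c.name: c for c in components}
    for c in components:
        for parent in c.supports:
            if parent not in universe:
                raise ValueError(f"{c.name} supports unknown component {parent!r}")
    return universe


def inherited_criticality(universe, name, _path=()):
    """A component is at least as critical as anything that depends on it.

    Walks the 'supports' edges up to the business cycles, so a shared
    network or backup process inherits the highest criticality it
    underpins. Raises on a dependency cycle instead of recursing forever.
    """
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    comp = universe[name]
    best = comp.criticality
    for parent in comp.supports:
        best = max(best, inherited_criticality(universe, parent, _path + (name,)))
    return best


def risk_score(universe, name):
    """Inherited criticality (1-5) times control weakness (1-5): 1..25."""
    return inherited_criticality(universe, name) * universe[name].control_weakness


def audit_frequency_years(score):
    """Assumed thresholds: high risk yearly, medium every 2 years, low every 3."""
    if score >= 16:
        return 1
    if score >= 8:
        return 2
    return 3


def build_plan(universe):
    """Rows of (name, layer, score, frequency_years), highest risk first."""
    rows = [(n, c.layer, risk_score(universe, n),
             audit_frequency_years(risk_score(universe, n)))
            for n, c in universe.items()]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


# Constructed sample institution (hypothetical ratings and dependencies).
SAMPLE = build_universe([
    Component("Revenue", "cycle", 5, 2),
    Component("Expenditures", "cycle", 4, 3),
    Component("Financial Accounting", "cycle", 5, 2),
    Component("Core Banking (ICBS)", "application", 3, 2, ("Revenue", "Financial Accounting")),
    Component("General Ledger", "application", 3, 4, ("Financial Accounting", "Expenditures")),
    Component("e-Banking", "application", 3, 4, ("Revenue",)),
    Component("Windows servers", "infrastructure", 2, 3, ("General Ledger", "e-Banking")),
    Component("AS/400", "infrastructure", 2, 1, ("Core Banking (ICBS)",)),
    Component("Network", "infrastructure", 2, 3,
              ("Core Banking (ICBS)", "General Ledger", "e-Banking")),
    Component("Change management", "it_process", 1, 4,
              ("Core Banking (ICBS)", "General Ledger", "e-Banking")),
    Component("Backup and recovery", "it_process", 1, 5,
              ("Windows servers", "AS/400", "Network")),
])

if __name__ == "__main__":
    for name, layer, score, years in build_plan(SAMPLE):
        print(f"{name:22s} {layer:15s} risk={score:2d}  audit every {years} yr")
```

The point the table makes that the slides only imply: the "Backup and recovery" process rates itself as low-criticality (1) but lands at the top of the plan, because every core application ultimately depends on it and its controls are weak. That is why step 4 (the IT process universe) cannot be skipped when ranking risk.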

27
Audit and Major IT Projects
  • Senior management should include IT audit in
    major application development, acquisition,
    conversion, and testing
  • Review of new application controls as early as
    the design phase

28
Audit and Major IT Projects
  • Involvement limited to
  • monitoring, reporting, and escalation processes
  • conducting post-implementation reviews, or
    establishing test criteria and evaluating results
  • Importantly, for acquisition projects with
    significant IT impacts, participation of IT audit
    may be necessary early in the due diligence
    stage.

29
Outsourcing Internal IT Audit
  • The board of directors should ensure that the
    structure, scope, and management of the
    outsourcing arrangement provides for an adequate
    evaluation of the system of internal controls

30
Outsourcing Internal IT Audit
  • Who may perform these services
  • Independent public accounting firms
  • Other outside professionals
  • Arrangements are often called
  • internal audit outsourcing
  • internal audit assistance
  • audit co-sourcing
  • extended audit services

31
Outsourcing Internal IT Audit
  • Key features of relationship
  • Independence of the audit provider
  • Clear definition of responsibilities
  • Internal Audit Manager or staff is responsible
    for overseeing relationship and reporting
  • Ongoing due diligence of audit provider
  • Consider current and anticipated business risks

32
Computer-Based Auditing
  • Is essentially using technology to perform audits
  • Today's business landscape makes it obvious that
    old/manual audit techniques deliver only
  • mediocre results
  • a high risk of material misstatement
  • There is a welcome realisation over the past two
    years that effective auditing is good business

33
Examiners' Responsibilities
  • Evaluating the effectiveness of the IT audit
    function
  • Considering the institution's ability to promptly
    detect and report significant risks
  • Taking into account the institution's size,
    complexity, and overall risk profile when
    performing evaluations


34
Examiners' Responsibilities
  • Independence of the audit function and its
    reporting relationship
  • Expertise and size of the audit staff
  • Identification of the IT audit universe, risk
    assessment, scope, and frequency


35
Examiners' Responsibilities
  • Timely tracking and resolution of reported
    weaknesses
  • Documentation of IT audits (e.g. work papers,
    audit reports, and follow-up)

36
Lessons Learnt
  • An effective IT audit function may reduce the
    time examiners spend reviewing IT areas during
    examinations
  • The audit programme also should consist of both a
    full-time internal audit unit and a well-planned
    external auditing programme
  • Outsourced audit provider must report to the
    Audit Manager
  • not directly to the audit committee

37
Questions?
38
Additional Resources
  • ISACA Downloads (www.isaca.org/downloads)
  • COBIT (www.isaca.org/cobit)
  • COBIT Mappings (www.isaca.org/cobit)
  • IT Control Objectives for Sarbanes-Oxley
    (www.isaca.org)
  • Integrating COBIT into IT Audit Planning,
    Fieldwork, and Reporting
  • Holistic Approach to IT Auditing
  • ISO (www.iso.org)
  • ANSI (www.ansi.org)