CARTAC & Caribbean Group of Banking Supervisors IT Workshop for Regional Bank Examiners
June 23-25, 2009, Georgetown, Guyana
Kirk Tyrell, CISA
Assistant Director, Financial Institutions Supervisory Division, Bank of Jamaica
www.boj.org.jm
Objectives
The characteristics of an effective IT audit function
Provide a foundation from which examiners can assess the quality and effectiveness of an institution's IT audit programme.
Philosophy
A strong internal auditing function combined with a well-planned external audit function substantially increases the probability that financial institutions will detect potentially serious technology-related problems.
IT Audit Foundation
The IT audit function should be established:
By an audit charter, which may include other audit functions, for internal audit
By an engagement letter for the external auditing function
Identify areas of greatest IT risk exposure
Promote the confidentiality, integrity, and availability of information systems
Determine the effectiveness of management's planning and oversight of IT activities
Evaluate the adequacy of operating processes and internal controls
Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures
Require appropriate corrective action to address deficient internal controls
Follow up to ensure management promptly and effectively implements the required actions.
The role of external audit from both a policy and engagement position
Risk assessment and risk-based auditing methodology
Audit participation in application acquisition, development, and testing
Business Cycles
Financial Accounting
Revenue
Expenditures
Etc.
Applications
Hardware/OS (Windows)
Networks
IT Audit Roles & Responsibilities
Independence and Staffing
Internal IT Audit
Internal Audit programme
Independence of audit staff from operations management
Skill level requirements and the size or source of IT auditors must be commensurate with the
Outlines guidelines for developing and maintaining a formal internal audit programme, including IT audits
A mission statement
A risk assessment
Audit plan
Audit cycle
Audit work programme
Delivery of a written audit report
Requirements for audit work paper documentation
Follow-up process
Professional development programme
All financial institutions are encouraged to implement risk-based IT audit procedures based on a formal risk assessment methodology to determine the appropriate frequency and extent of work.
A preferred framework includes performing an IT risk assessment and developing risk-based audit plans.
Senior management should include IT audit in major application development, acquisition, conversion, and testing. Review of new application controls should begin as early as the design phase.
The board of directors should ensure that the structure, scope, and management of the outsourcing arrangement provide for an adequate evaluation of the system of internal controls.
Internal audit outsourcing
Internal audit assistance
Audit co-sourcing
Extended audit services
Computer-Based Auditing
Is essentially using technology to perform audits
Today's business landscape makes it obvious that old/manual audit techniques will only achieve:
There has been a welcome realization over the past 2 years that effective auditing is good business.
Examiners' Responsibilities
Evaluating the effectiveness of the IT audit function
Considering the institution's ability to promptly detect and report significant risks
Taking into account the institution's size, complexity, and overall risk profile when performing evaluations
Independence of the audit function and its reporting relationship
Expertise and size of the audit staff
Identification of the IT audit universe, risk assessment, scope, and frequency
Timely tracking and resolution of reported weaknesses
Documentation of IT audits (e.g. work papers, audit reports, and follow-up).
Lessons Learnt
An effective IT audit function may reduce the time examiners spend reviewing IT areas during examinations.
The audit programme should also consist of both a full-time internal audit unit and a well-planned external auditing programme.
An outsourced audit provider must report to the Audit Manager.
Questions
Additional Resources
ISACA Downloads (www.isaca.org/downloads)
COBIT (www.isaca.org/cobit)
COBIT Mappings (www.isaca.org/cobit)
IT Control Objectives for Sarbanes-Oxley (www.isaca.org)
Integrating COBIT into IT Audit Planning, Fieldwork, and Reporting
Holistic Approach to IT Auditing
ISO (www.iso.org)
ANSI (www.ansi.org)