
IT Audit Within Financial Institutions

CARTAC & Caribbean Group of Banking Supervisors IT Workshop for Regional Bank Examiners
June 23-25, 2009, Georgetown, Guyana

Kirk Tyrell, CISA, Assistant Director, Financial Institutions Supervisory Division, Bank of Jamaica (www.boj.org.jm)

Objectives

Describe the characteristics of an effective IT audit function
Provide a foundation from which examiners can assess the quality and effectiveness of an institution's IT audit programme

Philosophy
"A strong internal auditing function combined with a well-planned external audit function substantially increases the probability that financial institutions will detect potentially serious technology-related problems."

(Holistic Approach to IT Auditing, 2008, Kaya Kazmici)

Definition of IT Audit Function


The objective of IT audit and risk assessment is to review a financial institution's IT management and operations to ensure the accuracy and reliability of its information systems, as well as their alignment with the institution's business objectives, which ultimately supports the institution's safety and soundness.

IT Audit Foundation
The IT audit function should be established:
by an audit charter, which may also cover other audit functions, for the internal audit function
by an engagement letter for the external audit function

IT Audit Function Requirements

Identify areas of greatest IT risk exposure
Promote the confidentiality, integrity, and availability of information systems
Determine the effectiveness of management's planning and oversight of IT activities
Evaluate the adequacy of operating processes and internal controls
Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures
Require appropriate corrective action to address deficient internal controls
Follow up to ensure management promptly and effectively implements the required actions

Key Audit Programme Areas

The structure of the internal audit function, whether internally resourced or outsourced
The scope, authority, role, independence, and staffing of internal IT audit
The role of external audit, from both a policy and an engagement position
Risk assessment and risk-based auditing methodology
Audit participation in application acquisition, development, and testing

Unraveling the IT Audit Universe


(Diagram: the IT audit universe, traced from Division / Business line to Financial Statement Accounts, through Business Cycles, Applications, and IT Infrastructure & Processes.)

Steps:
1. Identify mission-critical business cycles.
2. Identify applications supporting those cycles.
3. Identify technology and infrastructure components.
4. Identify the IT process universe.
5. Identify and assess risk.

Understanding / Assessing Risk

Business Cycles: Financial Accounting, Revenue, Expenditures, etc.

Applications: Core Banking Apps (ICBS, BM+, etc.); various other systems (GL, e-Banking, etc.)

IT Infrastructure & Processes: Hardware/OS (Windows); Hardware/OS (others: Unix, AS/400); Networks

Together these layers form the IT Audit Risk Universe.

IT Audit Basic Elements

IT Audit Roles & Responsibilities
Independence and Staffing
Internal IT Audit
Internal Audit Programme

IT Audit Roles and Responsibilities

The Board and Senior Management:
Have overall responsibility for the effectiveness of the audit function
May establish an audit committee to oversee audits and report to the full board
Provide the audit function with resources
Ensure that written guidelines for conducting IT audits exist
Ensure that the internal audit function is headed by a member of management who is independent of operations and reports to the Board

Audit management:
Implements board-approved audit directives
Ensures that audit staff are competent, independent, experienced, educated and skilled
Establishes clear lines of authority and reporting responsibilities
Reviews and approves audit strategies (including policies and programmes) and monitors the effectiveness of the audit function

The internal audit staff:
Assess the controls, reliability and integrity of the IT environment
Evaluate IT plans, strategies, policies and procedures
Independently and objectively evaluate technological activities

Business line management:
Promptly and effectively responds to IT audit findings and recommendations

External auditors:
Review the general and application controls
Make recommendations to management about procedures that affect IT controls
Review the IT control procedures that form part of an outsourcing arrangement

Independence and Staffing

Audit staff must be independent of operations management
Skill-level requirements and the size or source of the IT audit staff must be commensurate with the size, complexity, scope and sophistication of the institution's IT environment

Internal Audit Programme

Outlines guidelines for developing and maintaining a formal internal audit programme, including IT audits. Its components are:

1. A mission statement
2. A risk assessment
3. Audit plan
4. Audit cycle
5. Audit work programme
6. Delivery of a written audit report
7. Requirements for audit work paper documentation
8. Follow-up process
9. Professional development programme

All financial institutions are encouraged to implement risk-based IT audit procedures, based on a formal risk assessment methodology, to determine the appropriate frequency and extent of audit work.

Risk Assessment & Risk-Based Auditing

The preferred framework includes performing an IT risk assessment and developing risk-based audit plans.

The plan should include processes for:
Identifying institutional resources and business activities
Ranking risks for significant business units and products
Developing and implementing risk-based audit plans

Audit and Major IT Projects

Senior management should include IT audit in major application development, acquisition, conversion, and testing projects. Review of a new application's controls should begin as early as the design phase.

Audit involvement should be limited to monitoring, reporting, and escalation processes; IT audit may conduct post-implementation reviews or establish test criteria and evaluate the results.
Importantly, for acquisition projects with significant IT impact, participation of IT audit may be necessary early in the due diligence stage.

Outsourcing Internal IT Audit

The board of directors should ensure that the structure, scope, and management of the outsourcing arrangement provide for an adequate evaluation of the system of internal controls.

Who may perform these services:
Independent public accounting firms
Other outside professionals

Such arrangements are often called:
internal audit outsourcing
internal audit assistance
audit co-sourcing
extended audit services

Key features of the relationship:
Independence of the audit provider
Clear definition of responsibilities
The Internal Audit Manager or staff is responsible for overseeing the relationship and reporting
Ongoing due diligence of the audit provider
Consideration of current and anticipated business risks

Computer-Based Auditing

Is essentially the use of technology to perform audits. Today's business landscape makes it obvious that old, manual audit techniques will only achieve:

Mediocre results
High risk of material misstatement

There has been a welcome realization over the past 2 years that effective auditing is good business.

Examiners' Responsibilities

Evaluating the effectiveness of the IT audit function
Considering the institution's ability to promptly detect and report significant risks
Taking into account the institution's size, complexity, and overall risk profile when performing evaluations

Points to assess:
Independence of the audit function and its reporting relationship
Expertise and size of the audit staff
Identification of the IT audit universe, risk assessment, scope, and frequency
Timely tracking and resolution of reported weaknesses
Documentation of IT audits (e.g. work papers, audit reports, and follow-up)

Lessons Learnt

An effective IT audit function may reduce the time examiners spend reviewing IT areas during examinations
The audit programme should consist of both a full-time internal audit unit and a well-planned external audit programme
An outsourced audit provider must report to the Audit Manager, not directly to the audit committee

Questions

Additional Resources

ISACA Downloads (www.isaca.org/downloads)
COBIT (www.isaca.org/cobit)
COBIT Mappings (www.isaca.org/cobit)
IT Control Objectives for Sarbanes-Oxley (www.isaca.org)
Integrating COBIT into IT Audit Planning, Fieldwork, and Reporting
Holistic Approach to IT Auditing
ISO (www.iso.org)
ANSI (www.ansi.org)
