IT Examiner School, Seaside, CA

Audit/Independent Review

• Performed by independent personnel
• Conducted by knowledgeable individuals
• Based on risk assessment/complexity
• Findings/recommendations are documented
• Results are reported to the Board/Committee
• Conducted separately or all at once
• IT scope & frequency based on inherent or residual risk

FFIEC specifies that high-risk areas should be audited/reviewed at least annually.

Assessment Areas for IT Audits

The following areas should be assessed for the IT Audit Program:
• Audit risk assessment, plan and scope
• Appropriate coverage of the entity’s IT environment and IT activities
• Quality of written IT reports
• Audit independence
• IT auditor qualifications
• IT findings and recommendations reporting and follow-up
