IT Examiner School, Seaside, CA

Guidance for IT Audit

• FFIEC IT Examination Audit Handbook

• Federal Agency Rules and Regulations

– Interagency Policy Statement on the Internal Audit Function and its Outsourcing

– Interagency Policy Statement on External Auditing Program of Banks and Savings Associations

– Interagency Guidelines Establishing Standards for Safety and Soundness

– Interagency Guidelines Establishing Information Security Standards (GLBA)

• Information Systems Audit and Control Association (ISACA)

IT Audit Engagement

• Should be engaged by and signed by an individual or committee that is not responsible for IT operations.

– Preferably be signed by a member of the Board or Audit Committee.

• Expectations and responsibilities for both parties

• The scope, timeframes, and cost of work to be performed by the outside auditor

• Institution access to audit workpapers

Review the engagement letters for any current outsourced IT audits. Refer to the Interagency Policy Statement on the Internal Audit Function and its Outsourcing for provisions typically included in engagement letters.
