IT Examiner School, Providence, RI

Audit/Independent Review

Performed by independent personnel Knowledgeable individuals conduct risk assessment/complexity based Documented Findings/recommendations 

Board/Committee reported results Conducted separately or all at once IT scope & frequency based on inherent or residual risk

FFIEC specifies that high risk areas should be audited/reviewed at least annually.

Assessment Areas for IT Audits

The IT  Audit  program  should be  assessed  for the  following:

• Audit risk assessment, plan and scope • Appropriate coverage of the entity’s  IT environment and activities • Quality of written IT reports • Audit independence • Auditor qualifications • Findings and recommendations  reporting and follow‐up