IT Examiner School - Oct 2023

Internal Use Only

Audit Component Rating Areas to focus on when rating IT Audit component adequacy:

• Independence and quality of oversight • Audit risk analysis methodology/resources applied • Scope, frequency, accuracy, and timeliness of audit reports • Extent of audit participation in SDLC to ensure effectiveness internal controls and audit trails • Audit plan in providing appropriate coverage of IT risks • IT auditor’s adherence to code of ethics/professional standards • Qualifications of IT auditors • Timely and formal follow ‐ up and reporting on management’s resolution of identified issues/weaknesses • Quality and effectiveness of internal and external audit activity related to IT controls

45

Internal Use Only

Conclusion

Learned basics for IT Audits

Minimum scope in risk focused examination process ‐ must review the entity’s audit program

If audit program is deficient or lacking • Don’t need to dig deeper • Describe the deficiencies & record in your WP • Notify the Safety & Soundness EIC If audit program is satisfactory • Can risk focus areas recently audited

46