IT Examiner School eBook May 2025

6. Determine whether the actual frequency of IT audits aligns with the risk assessment results and whether the scope of IT audits is appropriate for the complexity of operations.

Decision Factor 3 ▲

7. Review IT audit reports issued since the previous examination. Evaluate whether the reports adequately:

• Describe the scope and objectives
• Describe the level and extent of control testing
• Describe deficiencies
• Note management’s response, including commitments for corrective action and timelines for completion
• Detail follow-up/correction of prior IT audit or regulatory examination exceptions

Decision Factor 3 ▲

8. Evaluate the ability of the IT audit function to accurately assess, test, and report on the effectiveness of controls. Consider the following:

• IT examination findings
• Cyber incidents
• Other significant IT events

Decision Factor 3 ▲

Control Test

Sample the audit workpapers for adequacy and completeness.

9. Determine whether auditor expertise and training is sufficient for the complexity of the IT function in relation to the technology and overall risk at the institution. Consider the following:

• Education
• Experience
• On-going training

Decision Factor 4 ▲

10. Evaluate the audit department’s process for monitoring audit and regulatory findings until resolved. Consider the following:

• A formal tracking system that assigns responsibility and target date for resolution
• Timely and formal status reporting
• Tracking and reporting of changes in target dates or proposed corrective actions to the Board or Audit Committee
• Process to ensure findings are resolved
• Independent validation to assess the effectiveness of corrective measures

Decision Factor 5 ▲

Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner.


InTREx – Management IT Risk Examination Modules - July 2016
