IT Examiner School eBook
Procedure 6 – Audit Frequency
Determine whether the actual frequency of IT audits aligns with the risk assessment results and whether the scope of IT audits is appropriate for the complexity of operations.
Procedure 7 – Audit Reports
Review IT audit reports issued since the previous examination. Evaluate whether the reports adequately:
• Describe the scope and objectives
• Describe the level and extent of control testing
• Describe deficiencies
• Note management’s response, including commitments for corrective action and timelines for completion
• Detail follow-up/correction of prior IT audit or regulatory examination exceptions
Procedure 8 – Control Evaluation
Evaluate the ability of the IT audit function to accurately assess, test, and report on the effectiveness of controls. Consider the following:
• IT examination and audit findings
• Audit risk assessment
• Cyber incidents
• Other significant IT events
• Assessment of potential impact of control deficiencies on other areas of operations
Control Test
Sample the audit workpapers for adequacy and completeness.
Procedure 9 – Auditor Expertise and Training
Determine whether auditor expertise and training are sufficient for the complexity of the IT function in relation to the technology and overall risk at the institution. Consider the following:
• Education
• Experience
• Ongoing training for both internal and external personnel as appropriate
InTREx Mapping
Tandem, LLC | Copyright © 2024
Confidential - Internal Use Only