IT Examiner School eBook

Internal Use Only

Conclusion

Learned basics for IT Audits

Minimum scope in risk focused examination process must review the entity’s audit program

If audit program is deficient or lacking • Don’t need to dig deeper • Describe the deficiencies & record in your WP • Notify the Safety & Soundness EIC If audit program is satisfactory • Can risk focus areas recently audited

Internal Use Only

Summary • Audits are a necessity whether performed by in-house and/or external resources • Must be performed by independent and qualified individuals/companies/firms • Based on a current risk assessment • Must provide written, detailed, stand-alone reports • Results must be reported to the Board’s Audit Committee or a related Board Committee in a timely manner • Audits can aid in exam scope reduction