Day 3-Pres 1-IT Audit Within Financial Institutions-Tyrell


  • 8/3/2019 Day 3-Pres 1-IT Audit Within Financial Institutions-Tyrell

IT Audit Within Financial Institutions

Kirk Tyrell, CISA
Assistant Director
Financial Institutions Supervisory Division
Bank of Jamaica

www.boj.org.jm

CARTAC & Caribbean Group of Banking Supervisors

IT Workshop for Regional Bank Examiners

June 23-25, 2009

Georgetown, Guyana
Objectives

• The characteristics of an effective IT audit function
• Provide a foundation from which examiners can assess the quality and effectiveness of an institution's IT audit programme.

Philosophy

"A strong internal auditing function combined with a well-planned external audit function substantially increases the probability that financial institutions will detect potentially serious technology-related problems."

(Holistic Approach to IT Auditing, 2008, Kaya Kazmici)

Definition of IT Audit Function

The objective of IT audit and risk assessment is to review a financial institution's IT management and operation to ensure the accuracy and reliability of its information systems, as well as their alignment with the financial institution's business objectives, which can eventually bring in safety and soundness.

IT Audit Foundation

The IT audit function should be established:

• by an audit charter, which may include other audit functions, for internal audit
• by an engagement letter for the external auditing function

IT Audit Function Requirements

• Identify areas of greatest IT risk exposure
• Promote the confidentiality, integrity, and availability of information systems
• Determine the effectiveness of management's planning and oversight of IT activities

IT Audit Function Requirements

• Evaluate the adequacy of operating processes and internal controls
• Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures

IT Audit Function Requirements

• Require appropriate corrective action to address deficient internal controls
• Follow up to ensure management promptly and effectively implements the required actions.

Key Audit Programme Areas

• The structure of an internal audit function, whether internally resourced or outsourced
• The scope, authority, role, independence, and staffing of internal IT audit

Key Audit Programme Areas

• The role of external audit from both a policy and engagement position
• Risk assessment and risk-based auditing methodology
• Audit participation in application acquisition, development, and testing

Unraveling the IT Audit Universe: Steps

1. Identify mission-critical business cycles.
2. Identify applications supporting those cycles.
3. Identify technology and infrastructure components.
4. Identify the IT process universe.
5. Identify and assess risk.

Diagram (labels recovered from the slide): the audit universe is layered from Division/Business line, to Business Cycles, to Applications, to IT Infrastructure & Processes, ending in Understanding/Assess Risk. Example labels shown in the layers: Financial Statement Accounts; Financial Accounting (Revenue, Expenditures, etc.); Core Banking Apps (ICBS, BM+, etc.) and various other systems (GL, e-Banking, etc.); Hardware/OS (Windows), Hardware/OS (others: Unix, AS/400), Networks.

IT Audit Risk Universe

IT Audit Basic Elements

• IT Audit Roles & Responsibilities
• Independence and Staffing
• Internal IT Audit: Internal Audit Programme

IT Audit Roles and Responsibilities

The Board and Senior Management:

• Have overall responsibility for the effectiveness of the audit function
• May establish an audit committee to oversee audits and report to the full board
• Provide the audit function with resources

IT Audit Roles and Responsibilities

The Board and Senior Management:

• Ensure that written guidelines for conducting IT audits exist
• Ensure that the internal audit function is headed by a member of management
• The head is independent of operations and reports to the Board

IT Audit Roles and Responsibilities

Audit management:

• Implements board-approved audit directives
• Ensures that audit staff are competent, independent, experienced, educated and skilled
• Establishes clear lines of authority and reporting responsibilities

IT Audit Roles and Responsibilities

Audit management:

• Reviews and approves audit strategies (including policies and programmes) and monitors the effectiveness of the audit function

IT Audit Roles and Responsibilities

The internal audit staff:

• Assesses the controls, reliability and integrity of the IT environment
• Evaluates IT plans, strategies, policies and procedures
• Independently and objectively evaluates technological activities

IT Audit Roles and Responsibilities

Business line management:

• Promptly and effectively responds to IT audit findings and recommendations

IT Audit Roles and Responsibilities

External auditors:

• Review the general and application controls
• Make recommendations to management about procedures that affect IT controls
• Review the IT control procedures as part of an outsourcing arrangement

Independence and Staffing

• Independence of audit staff from operations management
• Skill level requirements and the size or source of IT auditors must be commensurate with the institution's size, complexity, scope and sophistication

Internal Audit Programme

Outlines guidelines for developing and maintaining a formal internal audit programme, including IT audits

Internal Audit Programme

1. A mission statement
2. A risk assessment
3. Audit plan
4. Audit cycle
5. Audit work programme
6. Delivery of a written audit report
7. Requirements for audit work paper documentation
8. Follow-up process
9. Professional development programme

Internal Audit Programme

All financial institutions are encouraged to implement risk-based IT audit procedures based on a formal risk assessment methodology to determine the appropriate frequency and extent of work.

Risk Assessment & Risk-Based Auditing

A preferred framework includes performing an IT risk assessment and developing risk-based audit plans.

Risk Assessment & Risk-Based Auditing

The plan should include processes for:

• Identifying institutional resources and business activities
• Ranking risks for significant business units and products
• Developing and implementing risk-based audit plans
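The following is an added illustration, not code from the presentation or from the Bank of Jamaica: a small Python model that walks the five "audit universe" steps (business cycles, the applications supporting them, the infrastructure and process components beneath, then risk assessment) and turns the result into a ranked, risk-based audit plan with an audit frequency per component, as the two slides above describe. The 5-point scales, the residual-risk formula, the criticality roll-up and the frequency thresholds are assumptions chosen for this example; the presentation prescribes none of them, and the sample universe is constructed.

```python
"""Risk-based IT audit planning model, constructed as an added illustration of
the audit-universe steps and the risk-ranking process on the slides.  The
5-point scales, the residual-risk formula and the frequency thresholds are
assumptions made for this example; the presentation prescribes none of them."""
from dataclasses import dataclass, field


@dataclass
class BusinessCycle:
    name: str
    criticality: int          # 1 (minor) .. 5 (mission critical), assumed scale
    applications: list        # names of applications supporting this cycle


@dataclass
class Component:
    name: str
    layer: str                # "application", "infrastructure" or "process"
    inherent_risk: int        # 1 (low) .. 5 (high), assumed scale
    control_strength: int     # 1 (weak) .. 5 (strong), assumed scale
    supports: list = field(default_factory=list)  # components this one underpins


# Constructed sample universe (steps 1-4 of the slide): three business cycles,
# the applications behind them, and the infrastructure/process layer beneath.
SAMPLE_CYCLES = [
    BusinessCycle("Lending", 5, ["Core Banking"]),
    BusinessCycle("Financial Accounting", 4, ["General Ledger"]),
    BusinessCycle("Retail e-Banking", 4, ["e-Banking Portal"]),
]
SAMPLE_COMPONENTS = [
    Component("Core Banking", "application", 5, 4),
    Component("General Ledger", "application", 4, 5),
    Component("e-Banking Portal", "application", 5, 2),
    Component("AS/400 host", "infrastructure", 3, 4, ["Core Banking", "General Ledger"]),
    Component("Perimeter network", "infrastructure", 4, 3, ["e-Banking Portal"]),
    Component("Change management", "process", 4, 2,
              ["Core Banking", "General Ledger", "e-Banking Portal"]),
]

# Assumed mapping from composite score to audit interval: (minimum score, months).
FREQUENCY_BANDS = [(12, 12), (6, 24), (0, 36)]


def criticality_of(name, components, cycles, memo):
    """Business criticality flows down the universe: an application is as
    critical as the most critical cycle it supports; an infrastructure or
    process component is as critical as the most critical thing it underpins."""
    if name in memo:
        return memo[name]
    memo[name] = 0            # placeholder so circular 'supports' links cannot recurse forever
    comp = components[name]
    crit = max((c.criticality for c in cycles if name in c.applications), default=0)
    for dependant in comp.supports:
        crit = max(crit, criticality_of(dependant, components, cycles, memo))
    memo[name] = crit
    return crit


def composite_score(comp, criticality):
    """Residual risk = inherent risk reduced by control strength, weighted by
    criticality.  Integer products are formed first so that the single
    division keeps the result exact for the sample data."""
    return comp.inherent_risk * (6 - comp.control_strength) * criticality / 5


def audit_interval_months(score):
    """Map a composite score onto the assumed frequency bands."""
    for minimum, months in FREQUENCY_BANDS:
        if score >= minimum:
            return months
    return FREQUENCY_BANDS[-1][1]


def build_plan(components, cycles):
    """Step 5: assess and rank risk for every component, returning the plan
    ordered from highest to lowest score (ties broken by name).  A component
    that no cycle or dependant links to is flagged as a gap in the universe."""
    by_name = {c.name: c for c in components}
    memo = {}
    plan = []
    for comp in components:
        crit = criticality_of(comp.name, by_name, cycles, memo)
        score = composite_score(comp, crit)
        plan.append({"name": comp.name, "layer": comp.layer, "criticality": crit,
                     "score": score, "months": audit_interval_months(score),
                     "unmapped": crit == 0})
    return sorted(plan, key=lambda p: (-p["score"], p["name"]))


if __name__ == "__main__":
    for row in build_plan(SAMPLE_COMPONENTS, SAMPLE_CYCLES):
        print(f"{row['name']:<18} {row['layer']:<15} crit={row['criticality']} "
              f"score={row['score']:>5.1f} audit every {row['months']} months")
```

With the constructed data the weakly controlled e-Banking portal and the change-management process come out on top and are scheduled annually, while the well-controlled general ledger drops to a three-year cycle; the "unmapped" flag is the model's way of surfacing step-4 gaps, where an IT component exists but nothing in the business universe has been linked to it.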

Audit and Major IT Projects

• Senior management should include IT audit in major application development, acquisition, conversion, and testing.
• Review of new application controls as early as the design phase

Audit and Major IT Projects

Involvement limited to:

• Monitoring, reporting, and escalation processes
• Conducting post-implementation reviews or establishing test criteria and evaluating results

Importantly, for acquisition projects with significant IT impacts, participation of IT audit may be necessary early in the due diligence stage.

Outsourcing Internal IT Audit

The board of directors should ensure that the structure, scope, and management of the outsourcing arrangement provide for an adequate evaluation of the system of internal controls.

Outsourcing Internal IT Audit

Who may perform these services:

• Independent public accounting firms
• Other outside professionals

Arrangements are often called:

• internal audit outsourcing
• internal audit assistance
• audit co-sourcing
• extended audit services

Outsourcing Internal IT Audit

Key features of the relationship:

• Independence of the audit provider
• Clear definition of responsibilities
• The Internal Audit Manager or staff is responsible for overseeing the relationship and reporting
• Ongoing due diligence of the audit provider
• Consider current and anticipated business risks

Computer-Based Auditing

• Is essentially using technology to perform audits
• Today's business landscape makes it obvious that old/manual audit techniques will only achieve:
  • mediocre results
  • high risk of material misstatement
• There is a welcome realization over the past 2 years that effective auditing is good business

Examiners' Responsibilities

• Evaluating the effectiveness of the IT audit function
• Considering the institution's ability to promptly detect and report significant risks
• Taking into account the institution's size, complexity, and overall risk profile when performing evaluations

Examiners' Responsibilities

• Independence of the audit function and its reporting relationship
• Expertise and size of the audit staff
• Identification of the IT audit universe, risk assessment, scope, and frequency

Examiners' Responsibilities

• Timely tracking and resolution of reported weaknesses
• Documentation of IT audits (e.g. work papers, audit reports, and follow-up)

Lessons Learnt

• An effective IT audit function may reduce the time examiners spend reviewing IT areas during examinations
• The audit programme also should consist of both a full-time internal audit unit and a well-planned external auditing programme
• An outsourced audit provider must report to the Audit Manager, not directly to the audit committee

Questions

Additional Resources

• ISACA Downloads (www.isaca.org/downloads)
• COBIT (www.isaca.org/cobit)
• COBIT Mappings (www.isaca.org/cobit)
• IT Control Objectives for Sarbanes-Oxley (www.isaca.org)
• Integrating COBIT into IT Audit Planning, Fieldwork, and Reporting
• Holistic Approach to IT Auditing
• ISO (www.iso.org)
• ANSI (www.ansi.org)