IS Audits can provide an independent review by experts within the technology industry. We are staffed with Certified Information Systems Auditors. In addition, our CISAs have many years of experience in the technology and computer industry managing virtually every level of sophisticated computer networks, from stand-alone PCs to Local Area Networks (LAN) to Wide Area Networks (WAN) to Mainframe operations. Our expertise covers all areas of IS Management, including management oversight, processing controls, backup procedures, disaster recovery planning and testing, contingency planning, IS program management, computer security and equipment/software control.
The rapid growth of information systems technologies has caused significant changes in the way that financial institutions process data and information. IS controls need to be reviewed by independent auditors that are capable of understanding IS technologies and the impact these systems have on providing efficient, secure service to all customers. The IS Audits team can provide an in-depth technology review that is not normally offered by traditional auditing firms.
Our auditors are members of the Information Systems Audit and Control Association (ISACA) and the Computer Security Institute (CSI). Both organizations are recognized global leaders in IT governance, security, control and assurance.
The Scope of an IS Audit
Our auditors use many references to review various IS functions. The primary source we use for IS auditing in financial institutions is the IS Examiner's Handbook developed by the Federal Financial Institutions Examination Council (FFIEC). This interagency guide contains an exhaustive overview of information systems concepts, practices, examples of sound IS controls, and the checklists and questionnaires used by financial institution examiners to conduct IT exams on financial institutions and independent service bureaus. IS Audits also uses, as applicable, FDIC, FRB, OCC and OTS guidance letters to ensure coverage of all regulatory areas of concern, including compliance with the technical guidelines mandated by the Gramm-Leach-Bliley Financial Privacy Act (GLBA). In addition to regulatory guidelines, our auditors follow the standards established by the ISACA, which include strict adherence to the CISA Code of Professional Ethics. Our audit will provide an independent review that will prepare a financial institution to meet the strict FFIEC guidelines while providing expert recommendations to correct any weaknesses or potential problem areas that are discovered.
Areas Reviewed During an IS Audit
IS Audits will use a combination of questionnaires and interviews, along with a review of system logs, printouts and other documentation, and hands-on inspections, to audit the following areas of your financial institution's IS operations:
- Internal/External Audit Program Review
- Automated audit controls
- Audit Reporting and Follow-up
- Management of IS Operations
- Structure and Oversight
- Policy development and review
- IS Activity Reports
- Management succession
- Insurance coverage
- User instructions
- Processing controls
- Software licenses
- Updates and releases
- Remote vendor access
- In-house parameter changes
- Access authorizations
- System software controls
- AS 400 Security Controls (if installed)
- Program and procedural documentation review
- EDP/IS related plans, policies and manuals
- IS Strategic Plans
- Disaster Recovery procedures
- Data Backup and Recovery
- Business Continuity Planning
- Alternate Data Processing Procedures and Testing
- Alternate Item Processing Procedures and Testing
- LAN/WAN Recovery
- Emergency Evacuation
- Contingency Planning and Testing
- Environmental controls
- Emergency training
- Security
- Policies, Plans and Procedures
- Formal Information Security Program (GLBA Compliance)
- Data Privacy and Protection (GLBA Compliance)
- Internal Security Controls (Network and Workstation)
- External threat analysis (basic)
- Security Incident Monitoring and Reporting
- Anti-virus controls
- Retail EFT and ACH
- ATM Operations
- Wire Transfer Procedures
- FEDLINE Terminal Security (if installed)
- System Administration practices
- Core Data Processing Software
- LAN/WAN Account Management
- End-User computing policies and practices
- Policies and Procedures
- Training Program
- E-Mail usage
- Internet usage
- Software usage
- Adherence to policies and standards
- Electronic Banking Operations (if offered to financial institution's customers)
- Telephone Banking
- Internet Banking
- Web Site Compliance Review
- Electronic Risk Management
- Third-Party Vendor Review
- Contract review
- Vendor Management and Oversight Activities
Audit Schedule/Itinerary
IS Audits provides the exhaustive IS audit in a single review, which varies in length based on the size and complexity of the computing environment. IS Audits will prepare and submit advance copies of questionnaires to the customer, which will be used to reduce the on-site time required to complete the data collection. A typical audit will include on-site time at all locations of your financial institution, plus the additional research and evaluation time needed to analyze the advance surveys and the information collected on-site and to prepare the final formal report to the board. During the on-site review, IS Audits will visit all of the offices of your financial institution and perform a 100% hands-on audit of all computer servers and workstations to verify that controls and policies are in place and are functioning properly.
Report of Findings and Recommendations
Upon completion of on-site reviews and analysis of advance surveys, questionnaires and other documentation, IS Audits will provide a formal report detailing the scope of review and identifying the findings and recommendations for each of the audited areas.
» Call today for more details: 478-738-9451 «