Risk Based IT Auditing

Auditing of an organization's IT environment should be based on risk. Examiners and auditors must decide the areas to audit based on the Risk Profile that is presented by your risk assessment. If your organization has not performed an IT Risk Assessment recently you may want to consider focusing your security efforts there first. Simply performing an audit because it has "not been done in 18 months" is not a good reason. FIPCO® IT Audit Services can be constructed for your information processing environment based on your Risk Assessment based on information contained in the FFIEC IT Booklets and industry standard guidelines such as National Institute of Standards and Technology (NIST) and International Standards Organization (ISO) or Auditor guidelines such as COBIT or COSO.

Sample FFIEC IT Audits may include:

Audit Management
Business Continuity Planning Information Security & Operations
E-Banking Vendor Management



Review of Information Technology (IT) Audit comprises analysis of the processes to provide financial institutions with guidance on the characteristics that make for an effective IT Audit function. This audit service provides an assessment of the institution’s overall quality and effectiveness in their IT audit program. The adequacy of the IT audit program for both the financial institution and for any technology service provider can be evaluated. The audit will supplement other, more general, internal and external audit guidance.

By maintaining a well-planned and properly structured audit program institutions evaluate risk management practices, internal control systems, corporate IT policy, Security Program and compliance to regulations (i.e. GLBA Section 501(b)). An effective audit program will be risk-focused, promote sound IT controls, and ensure documentation and follow-up for timely remediation of any audit deficiencies. The board of directors will be kept informed of the effectiveness of risk management practices and areas of deficiency. By ensuring effective IT auditing an institution may even reduce the time that examiners spend reviewing various areas of the institution.

By planning, managing, and continuous monitoring of the ever changing complexity, threats and vulnerabilities in the information technology landscape an institution is able to securely and safely deliver and support new products and services. Areas that audit should address include IT management and strategic planning, risk management, data center operations, client/server architecture, local and wide-area networks, telecommunications, physical and information security, electronic banking, systems development/acquisition and business continuity planning. Evaluating IT audit effectiveness will determine how management addresses risk and how future auditing is planned, as well as will consider a proper balance between acceptance of risk and risk mitigation.

An effective internal auditing function combined with a well-planned external auditing function can substantially reduce the probability that an institution will suffer any potentially serious technology-related incidents.


Business Continuity Planning

An audit of Business Continuity/Disaster Recovery provides guidance to ensure the availability of critical financial services in the event of a situation that disrupts standard processing services. For analogy, if a heart attack is considered the disaster, disaster recovery is the resuscitation that allows continuation of life so that life may continue. Business Continuity is the plan that keeps the life going in the short term until a heart transplant (full recovery) or appropriate treatment can be arranged. Death is obviously the worst case scenario providing no possible recovery. This service is designed to provide helpful guidance regarding the implementation of an institution’s business continuity and disaster recovery planning processes.

The focus of this audit is based on an enterprise-wide, process-oriented approach that considers technology recovery (often the disaster recovery), ongoing business operations, overall testing, and the communication strategies that are critical to ensuring that the entire business continues to be able to deliver critical business services.

The overall goal of this audit is to provide evaluation of business continuity planning, in order to establish a basis for whether an institution would likely be able to recover and resume business processes when operations have been disrupted unexpectedly. The Financial Industry is a critical component of our nation’s critical infrastructure and has a crucial role in the overall economy locally and can be even more widespread. Minimizing the impact from disruptions in service must be minimized in order to maintain public trust and confidence in our nation’s financial systems. Every institution’s management must incorporate business continuity and disaster recovery considerations into the overall design of their business in order to proactively ensure availability of critical customer financial services should a disruption occur.

The BCP/DRP audit reviews a financial institution's planning process, which includes an assessment of ability to recovery information technology from a disaster as well as continues to provide critical business functions in the event of a disruption to service. Institutions must anticipate and plan for the unexpected and ensure that their continuity planning process appropriately addresses the lessons they have learned from any past disasters. If it is predictable, it is preventable.



An audit of “Management” assists in evaluating a financial institution’s risk management processes to ensure effective information technology (IT) management.

Effective IT management maximizes the benefits that can be gained from diligent and efficient deployment of technology and is designed to support the enterprise-wide goals and objectives of the institution. A technology department (or outsourced entity) typically manages and administers the systems, application, network and databases, including development and acquisition efforts. IT management provides expertise in choosing and operating the technology solutions that support the lines of business while ensuring an appropriate level of enterprise-wide activities such as security and business continuity planning. This dual role and the increasing use of technology raise the importance of due diligence in IT management.

The process of sound technology management involves more than containing costs and managing operational and technical risks. Value and greater success is gained by aligning IT infrastructure to support an organization’s business strategy. The board of directors strategic committees and executive management must understand and take responsibility for management of information technology as a critical component to the overall leadership and organizational structure and processes. This structure and process ensures that IT sustains and extends the organization’s business strategies and objectives.

Technology has become more and more of a commodity infused across all areas in an institution. The systems built on technology help connect the business with customers, lines of business, third parties and public entities. There have become interdependencies on the components of technology for the timely and more efficient delivery of new products and services. Information has become an extremely valuable asset and often critical to business success and even survival. Advancements in technology and the threat and vulnerability landscape require ongoing investments in new infrastructure, systems, applications and the integration of security to allow them to be deployed securely. Along with these advancements comes a requirement for new skills and expertise.

By ensuring effective IT management through IT management audits, an organization leverages these challenges to create opportunity while strengthening their ability to better manage risk. Technology results in an organization’s ability to offer new products and services to customers. In addition it can increase efficiency of operations, provide better sharing of information between business lines, and position an institution for competition. An institution’s board of directors and executive management must understand that new technology and changes in technology may introduce new sources of risk. Mobile computing devices with external connectivity to non-bank systems, greater reliance on third parties and the adoption of new technology systems to handle core components of the organization are some examples that may introduce new or increased operational risk. Technology changes may introduce new operational risks to the confidentiality, integrity, and availability of systems and information, but can also introduce an institution to increased risk to its reputation or legal standing. As such effective IT management supported by reviews/audits is an essential component of effective corporate governance and operational risk management.


Information Security and Operations

Performance of an Information Security and/or Operations review provides an assessment of the quantity of risk and the effectiveness of an institution’s risk management process. Processes are evaluated as they relate to the security measures, operation of the computing environment and general controls that an organization has implemented to ensure confidentiality, integrity, and availability of information and how an organization instills accountability for the actions taken on their computing systems. 

A review of information security and operations will include a high level assessment of the bank’s overall information security and IT environment, which may include the following areas:

  • Authentication and Access Controls
  • Network and System
  • End User (workstations, laptops, other mobile computing)
  • Physical Controls
  • Human Resources and Organizational Management
  • Applications Acquisition/Development and Vendor Management
  • Incident Management, Business Continuity and Disaster Recovery
  • Security of Data (database, transmission, files, storage mediums)
  • Monitoring and Compliance

The assessment will verify mitigation of any findings from previous reviews. Observations will be discussed and documented as appropriate. Identified control deficiencies and a risk assessment report will be summarized and provided for bank management comment.

A general high level review of Information Security and IT Operations is usually considered to be a mile wide, but only inch deep, but as necessary specific areas may require greater depth of review and testing. When evaluating these areas, the depth and breadth of the review is often determined by assessing an institution’s process for identifying and managing risks. Past audit and security reports are reviewed, along with management’s responses and the intuition’s implementation of remediation measures. Overall changes in the computing environment are evaluated and considerations given to changes in legal and regulatory requirements, the threat and vulnerability landscape taking into account complexity of the environment and adequacy of risk assessments and security policy and procedures. As appropriate, testing may be more in depth in one area versus another based on the risk that has been identified with that area.

The final report will include recommendations for remediation, policy additions and/or changes that satisfy regulatory compliance. In addition as appropriate security tools and utilities may be recommended to help the bank better manage risk.


Electronic (eBanking) Banking Audit

This audit service provides guidance to institutions to identify and control risks associated with electronic banking (e-banking) activities. It evaluates risk from the perspective of automated delivery of new and traditional products and services directly to customers through electronic, interactive communication channels. eBanking includes the systems that enable financial institution customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet. Customers may even access e-banking services using intelligent mobile and non-mobile devices, such as a personal computer (PC), laptops, cell phones, automated teller machines (ATM), kiosk, or Touch Tone telephone. This audit may review risks associated with the electronic delivery of various financial products and services to customers.

Audit of complete eBanking systems may result in overlap of reviews for common components and processes found in a typical institution. Where this may occur it may not be necessary to duplicate the audit and the report from one audit may be used as evidence for input to the other. There are several control points that work together in the delivery of secure eBanking including: website design and web server hosting, perimeter controls such as firewall configuration and management, incident management components (network/system monitoring), network administration, access control, electronic applications and application servers, internal network servers, external communications, core processing system, programming support, and any automated decision support systems.


Vendor Management

A Vendor Management Audit can evaluate multiple areas related to the institution’s relationship with vendors and the Development and Acquisition processes (i.e. system, network, application, software, database etc...) used in selecting vendor solutions or in some cases internal development. In short the controls, “due diligence”, in the development and acquisition process can be defined as the due diligence that an organization performs in their identification, acquisition, installation, development and maintenance of appropriate information technology systems. The audit reviews the “due diligence” process used in selecting vendors that may provide applications, databases, interfaces and computing software or core business systems that may be run and maintained directly by the institution. It could include the controls and processes that an institution uses to establish, manage, and monitor IT outsourcing relationships and the third-party service provider(s) that supply other needed products and services.

Using third party products and services does not diminish management’s (including Board of Directors) responsibility to ensure that these activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. A audit in this area reviews controls to verify that comprehensive outsourcing risk management process governs third-party relationships. Evaluated processes may include risk assessment, selection of service providers, contract review, and the process of ongoing monitoring of service providers.

Use of third parties does not reduce the fundamental risks associated with information technology or the business lines that use it. Risks such as loss of funds, loss of competitive advantage, damaged reputation, improper disclosure of information, and regulatory action still remain and are the institution’s responsibility to properly manage.

The objectives in reviewing development, acquisition, and maintenance activities would be to identify weaknesses or risks that might negatively impact an organization caused by the third party organizations whose condition or performance may require special monitoring. It also may evaluate the overall development lifecycle of new products to assure that proper due diligence and adherence to base level security controls are considered. A review in this area can help to determine when appropriate corrective action might be necessary to improve the development process or increase diligence in vendor selection or monitoring.


"Ken Shaurette, I look forward to getting your price quotes for this year as well! The Tech Committee, Board Of Directors and myself were very pleased. You gave us great feedback."

- Nathan Barth, VP of IT, Pioneer Bank