Auditing the EDP

By Hickman, James R. | Independent Banker, November 1994

Every bank with an in-house computer system is required to perform an annual independent electronic data processing (EDP) or information system audit. Failure to perform an EDP audit could have a significant effect on a bank's rating during the next regulatory exam.

A bank's board of directors is responsible for ensuring that an adequate independent EDP audit is performed. Bank regulators require banks to establish effective internal controls and management information systems to safeguard information and measure operating performance and profitability.

EDP examinations generally evaluate a bank's internal control systems to ascertain the integrity, reliability and accuracy of data, as well as the quality of the management information systems supporting management decisions.


The EDP audit can be either external or internal, or a combination of the two. More sophisticated computer systems, regardless of the bank's size, warrant audits performed by individuals with commensurate expertise.

The easiest solution is to hire an external auditor, preferably a certified public accountant, to perform the EDP audit. Fees generally run from approximately $3,500 for a bank under $30 million in assets to as much as $30,000 for a bank with $300 million or more in assets, multiple branches, a mid-sized system, and network PCs.

Beware of "low-bid" proposals that deliver little more than a question-and-answer session using a general EDP questionnaire. A quality firm will provide a technical review of the system that includes parameter file analysis, program maintenance and testing procedures, and exception testing. Furthermore, the external EDP auditor should be experienced in the bank's hardware, software and operating system. Additionally, the audit should include testing using EDP audit software. At the end of the engagement, the auditor should issue an opinion letter and a comprehensive written report.

Outside firms should also be able to assist with the development of an EDP audit manual and an emergency/disaster recovery plan as well as provide EDP audit training.

Alternatively, banks not able to absorb the costs of an external EDP auditor may designate their internal auditor as the EDP auditor. He or she will need to develop an EDP audit program and receive EDP audit training. Moreover, particularly in smaller banks, the internal auditor may lack the technical and computer skills to perform the audit to the satisfaction of examiners. However, the expectations of examiners will largely depend on the size of the bank and the type and complexity of the computer system.


An institution should have written guidelines for the conduct of the information systems audit, and the auditor selected should be approved by the board of directors.

Although the performance of the audit may be delegated, the responsibility for ensuring a quality audit remains with the bank's board of directors. Audit results must be reported directly to the board of directors or its designated committee. Furthermore, the board must take actions to correct any deficiencies noted in the audit report.

According to the Federal Financial Institutions Examination Council's Information Systems Examination Handbook, "the board must periodically review and approve: the qualifications and independence of the auditors; the scope and frequency of the audit; the techniques used in performing the audit; the overall condition of the organization's information systems controls and operations; and management's actions to resolve material weaknesses cited in audit reports.
