Auditing the EDP
Hickman, James R., Independent Banker
Every bank with an in-house computer system is required to perform an annual independent electronic data processing (EDP) or information system audit. Failure to perform an EDP audit could have a significant effect on a bank's rating during the next regulatory exam.
A bank's board of directors is responsible for ensuring that an adequate independent EDP audit is performed. Bank regulators require banks to establish effective internal controls and management information systems to safeguard information and measure operating performance and profitability.
EDP examinations generally evaluate a bank's internal control systems to ascertain the integrity, reliability and accuracy of data, as well as the quality of the management information systems supporting management decisions.
EDP AUDIT OPTIONS
The EDP audit can be either external or internal, or a combination of the two. More sophisticated computer systems, regardless of the bank's size, warrant audits performed by individuals with commensurate expertise.
The easiest solution is to hire an external auditor, preferably a certified public accountant, to perform the EDP audit. Fees generally run from approximately $3,500 for a bank under $30 million in assets to as much as $30,000 for a bank with $300 million or more in assets, multiple branches, a mid-sized system, and network PCs.
Beware of "low-bid" proposals which deliver little more than a question-and-answer session using a general EDP questionnaire. A quality firm will provide a technical review of the system to include parameter file analysis, program maintenance and testing procedures and exception testing. Furthermore, the external EDP auditor should be experienced in the bank's hardware, software and operating system. Additionally, the audit should include testing using EDP audit software. At the end of the engagement, the auditor should issue an opinion letter and a comprehensive written report.
Outside firms should also be able to assist with the development of an EDP audit manual and an emergency/disaster recovery plan as well as provide EDP audit training.
Alternatively, banks not able to absorb the costs of an external EDP auditor may designate their internal auditor as the EDP auditor. He or she will need to develop an EDP audit program and receive EDP audit training. Moreover, particularly in smaller banks, the internal auditor may lack the technical and computer skills to perform the audit to the satisfaction of examiners. However, the expectations of examiners will largely depend on the size of the bank and the type and complexity of the computer system.
An institution should have written guidelines for the conduct of the information systems audit, and the auditor selected should be approved by the board of directors.
Although the performance of the audit may be delegated, the responsibility for ensuring a quality audit remains with the bank's board of directors. Audit results must be reported directly to the board of directors or its designated committee. Furthermore, the board must take actions to correct any deficiencies noted in the audit report.
According to the Federal Financial Institutions Examination Council's …
Publication information: Article title: Auditing the EDP. Contributors: Hickman, James R. - Author. Magazine title: Independent Banker. Volume: 44. Issue: 11. Publication date: November 1994. Page number: 42+. © 2002 Independent Banker. Provided by ProQuest LLC. All Rights Reserved.