Auditing the EDP
Hickman, James R., Independent Banker
Every bank with an in-house computer system is required to perform an annual independent electronic data processing (EDP) or information system audit. If an EDP audit is not performed, it could have a significant effect on a bank's rating during the next regulatory exam.
A bank's board of directors is responsible for ensuring that an adequate independent EDP audit is performed. Bank regulators require banks to establish effective internal controls and management information systems to safeguard information and measure operating performance and profitability.
EDP examinations generally evaluate a bank's internal control systems to ascertain the integrity, reliability and accuracy of data, as well as the quality of the management information systems supporting management decisions.
EDP AUDIT OPTIONS
The EDP audit can be either external or internal, or a combination of the two. More sophisticated computer systems, regardless of the bank's size, warrant audits performed by individuals with commensurate expertise.
The easiest solution is to hire an external auditor, preferably a certified public accountant to perform the EDP audit. Fees generally run from approximately $3,500 for a bank under $30 million in assets to as much as $30,000 for a bank with $300 million or more in assets, multiple branches, a mid-sized system, and network PCs.
Beware of "low-bid" proposals which deliver little more than a question-and-answer session using a general EDP questionnaire. A quality firm will provide a technical review of the system to include parameter file analysis, program maintenance and testing procedures and exception testing. Furthermore, the external EDP auditor should be experienced in the bank's hardware, software and operating system. Additionally, the audit should include testing using EDP audit software. At the end of the engagement, the auditor should issue an opinion letter and a comprehensive written report.
Outside firms should also be able to assist with the development of an EDP audit manual and an emergency/disaster recovery plan as well as provide EDP audit training.
Alternatively, banks not able to absorb the costs of an external EDP auditor may designate their internal auditor as the EDP auditor. He or she will need to develop an EDP audit program and receive EDP audit training. Moreover, particularly in smaller banks, the internal auditor may lack the technical and computer skills to perform the audit to the satisfaction of examiners. However, the expectations of examiners will largely depend on the size of the bank and the type and complexity of the computer system.
An institution should have written guidelines for the conduct of the information systems audit, and the auditor selected should be approved by the board of directors.
Although the performance of the audit may be delegated, the responsibility for ensuring a quality audit remains with the bank's board of directors. Audit results must be reported directly to the board of directors or its designated committee. Furthermore, the board must take actions to correct any deficiencies noted in the audit report.
According to the Federal Financial Institutions Examination Council's Information Systems Examination Handbook, "the board must periodically review and approve: the qualifications and independence of the auditors; the scope and frequency of the audit; the techniques used in performing the audit; the overall condition of the organization's information systems controls and operations; and management's actions to resolve material weaknesses cited in audit reports. …