IT AUDIT
Information Technology Risk Assessments
As we are risk-based auditors, we perform an Information Technology risk assessment to ensure the internal audits focus on those areas with greatest risk to your business. This process provides the basis for developing the IT audit plan. To complete the IT risk assessment, ITA interviews key management personnel and obtains prior IT audit assessments and other pertinent information from management.
IT Strategic Planning
Strategic planning is critical to an organization’s process of defining its business strategies and direction. Decision-making on allocating resources to meet business goals is critical to the technology function within an organization. Our team of professionals can assist in creating a strategic plan for IT or perform a review to ensure that it meets the business objectives. Techniques such as SWOT and PEST analysis are reviewed to ensure that the IT Strategic Plan identifies the areas that are critical to supporting the corporate initiatives.
Information Security & Privacy
Both corporate and customer information must be protected against unauthorized modification, disclosure and destruction. The need to protect information must be balanced against the organization’s need to produce its services and products cost-effectively.
ITA assists clients with:
- Data Classification – developing easy-to-use categories of information based on their sensitivity
- Risk Assessments – evaluating the use of information throughout the organization both to satisfy regulatory requirements and to determine proper control structures
- Vendor Evaluations – identifying vendors with access to sensitive information and assessing their security postures
- Independent Reviews – assessing the overall information security of the organization with cost-effective recommendations for improvement
Key Business Applications
Application security and access controls will be reviewed, including proper segregation of user administration from transactional authority, user templates and security parameters. We will test the authorization of, and the procedures for, granting or changing user access. We will also review procedures for performing independent output reviews, exception reviews and notification.
Third-Party Vendor Management
We will review business policies and procedures regarding vendor management. This includes due diligence of new and existing third-party relationships including risk, cost-benefit and financial analyses of third-party vendors, insurance coverage, review of SAS 70’s for third-party processors, and evaluation of the disaster recovery capabilities of vendors as appropriate. We will also evaluate whether the Business has negotiated service level agreements. Our procedures will also cover the annual report to the Board of Directors on the overall vendor management program and the status of designated key vendors.
Business Continuity Planning/ Emergency and Disaster Recovery Planning
We will review the readiness of the Business to resume operations on a timely basis in the event of an unforeseen business interruption. This includes the existence of a comprehensive disaster recovery plan for the information processing and communications infrastructure as well as corresponding business continuity plans for operating units. These plans will be evaluated for clear identification of individuals and their responsibilities for various disaster scenarios, inclusion of notification requirements for the staff as well as public safety, vendor and regulatory contacts. This internal audit includes reviewing the controls over the data library system and the storage and retention of off-site back-up volumes and data file inventory tracking. We will evaluate the adequacy of alternate processing facilities and resources. We will also determine if the plan is tested at least annually, if all critical services and applications are tested, if realistic conditions and volumes are used in the test and whether a corrective action plan is generated from the test and followed. Finally, we will evaluate whether the Board of Directors is apprised annually of the current status of the Business’s disaster recovery readiness.
Computer Operations
The areas reviewed include management and supervision of computer operations to ensure that only authorized programs are executed according to schedule, and that there are appropriate error recovery procedures. Included is a review of the controls over the data library system and the storage and retention of off-site back-up volumes. We will review the physical security of the computer and room including physical access controls and use of visitor logs. Environmental controls to be evaluated include adequacy of HVAC and determination that fire detection and suppression systems are adequate and regularly inspected or tested. We will review documentation of operations procedures to determine they are up-to-date. We will evaluate whether checklists for production jobs are utilized and reviewed. We will assess whether operations personnel are qualified and adequately trained.
Network Security and Administration – LAN/WAN
The controls over network access and management of the Business’s Local and Wide Area Networks (LAN/WAN) that ensure reliable and secure access to all network locations will be reviewed. This includes reviewing network-based user access rights and confirming that privileges match employee responsibilities. We will also review account lockout and password policies, security violation monitoring by IS management, physical security and environmental controls for network infrastructure including servers and routers, Help Desk tracking and resolution of network-related problems, network backup and monitoring, and adherence to applicable policies and procedures.
Gramm-Leach-Bliley/Financial Modernization Act
We will review Bank adherence to the provisions of Section 501(b) of the Gramm-Leach-Bliley (GLB) Act of 1999. We will evaluate whether the Bank has a Board-approved customer information policy and program. We will determine if a Bank-wide privacy risk assessment has been performed to determine the likelihood of unauthorized disclosure of non-public customer information, the efficacy of controls implemented to minimize or eliminate such risk, and the development and execution of mitigation strategies. We will evaluate whether the privacy risk assessment included identification of third-party vendors with access to non-public customer information and whether, for those vendors, the Bank has a) negotiated contract provisions or addenda requiring them to protect customer information, and b) performed due diligence to determine the effectiveness of the vendors’ protective measures. The Bank’s privacy training program will be reviewed to ensure all employees receive instruction at least annually. Finally, we will review whether management performs an annual review of the overall privacy program, recalibrates it as necessary and presents a report to the Board that is reflected in its Minutes.
Change Management
The policies and procedures for controlling modifications to systems and application software as well as IT infrastructure components will be reviewed. Functions to be reviewed include the request, analysis, feasibility, budgeting, testing, and approval of changes to existing systems, programs and infrastructure. Our review will focus on evaluating the performance of these functions in conformance with the Bank’s policies and procedures. Areas of focus will include documentation of management approval of changes, review of the accuracy of change tracking reports, updating of documentation to accurately incorporate changes and the process for ensuring that disaster recovery plans, tests and facilities always mirror the current production environment.
Banking Applications/FedLine or FedAdvantage
We will review the logical and physical controls over the FedLine terminal and the funds transfer application. We will evaluate whether FedLine security parameters are set in accordance with recommendations of the Federal Financial Institutions Examination Council (FFIEC) to ensure appropriate segregation of duties and verification of key fields. Our review will determine whether the Federal Reserve’s list of authorized users is current; and whether the Bank has established an appropriate number of Local Security Administrators with permitted functions. We will also evaluate whether access to the FedLine device is restricted. Our procedures will evaluate the Bank’s ability to recover from a FedLine failure including controls protecting the FedLine configuration diskette and encryption keys; and the existence and testing of a FedLine disaster recovery/backup plan.
Internet/Telephone Banking
We will review Bank policies and procedures regarding Internet and Telephone Banking products and services. The audit will include tests to ensure that adequate authentication and encryption controls have been established, and that controls are in place to protect customer information. Vendor contracts will be reviewed to determine that controls are adequate to ensure uninterrupted operations. We will also review the controls over the interactive voice response telephone banking applications, including PINs, passwords, record retention, access to customer records, and the processing of transactions.
Corporate Governance
IT Corporate Governance outlines the rights and responsibilities among the different business units within the corporation, including shareholders and stakeholders. IT Corporate Governance defines policies and procedures for decisions made within the company. Our team of IT experts reviews the policies and procedures within the organization and ensures they are in line with the corporate structure. We also provide insight into best practices within the audit model.
Telecommunications
Telecommunications may include data lines, PBX switches, call centers and e-commerce transmittals. ITA Partnership, LLC understands the complexity of these systems, how they integrate with business models and corporate profits, and how they streamline functionality. Our review consists of ensuring that these telecommunications are secured, configured appropriately and in compliance with regulatory requirements.
Systems Development
Systems development is critical to the overall operations of a business. Our team of IT professionals reviews project plans and implementation strategies to ensure consistency with the business plan. Our reviews include the overall project management, project planning, requirements initiatives, design, development, testing, implementation and training.
STAR Compliance Audit
ITA Partnership has been trained and will assist your company in completing this compliance requirement. We will perform the audit, prepare the necessary supporting detail and help you with the reporting requirements.