Take the time and worry out of exams and audits
Institutions are required to audit their information controls based on the extent of risk identified in the risk assessment. For example, a control that mitigates a high risk will need to be reevaluated more frequently than a control that addresses a low-risk threat. The results of these audits must be presented to boards of directors annually.
Most financial institutions can improve their information controls audits by focusing on four key areas:
Document, document, document
And then document some more. Make sure that every control reviewed is thoroughly documented. Auditors or internal examiners will want to see what was done in previous years and will expect that such documentation is part of your permanent records. Documentation also makes it easy to demonstrate follow-through on previous audit report recommendations. If you agreed with a recommendation, you need to show who was assigned the task internally and when and how the recommendation was implemented. If you disagreed with a recommendation, you need to document the reasons for your disagreement. Also, make sure you document at the time the action was taken. That’s a lot easier than attempting to reconstruct your reasoning months later when an audit report is coming due.
Get an outside perspective
One purpose of information controls audits is to identify where controls are inadequate or needed controls are missing. That’s why periodically getting an outside perspective on your information controls is helpful. Sometimes, internal staff are a little too close to the issue to have the needed perspective for this. A fresh set of eyes can help you assess your information controls in new and more insightful ways, especially when it comes to identifying new controls that are often all too easy for internal personnel to overlook. An independent banking or risk management specialist who is tied into the changing regulatory, industry and information security scene is an appropriate candidate for such a task. An external review is not required but is highly recommended at least every third year.
Don’t audit yourself
While it may seem obvious, it’s important that information controls are audited by someone other than the person responsible for those controls, to avoid any conflict of interest. If you were responsible for the risk assessment, or for the IT department and therefore for IT controls, turn the job over to someone independent of the process. If you don’t have someone on staff who is both independent of the process and knowledgeable about risk assessments and IT, you might want to outsource the job to an external auditing firm.
Report in the right ways
The results of information controls audits must be reported to boards annually. As with other types of risk management activities, little guidance is available to compliance officers when it comes to the right way to do this. Don’t burden boards with eye-glazing spreadsheets and page after page of lists. Instead, provide them with a short summary of the controls you reviewed, any inadequacies you found, the corrective actions you took, and recommendations for improving any controls where improvement is needed.