Financial institutions operate in one of the most regulated industries, and it’s no surprise that regulators are driving the need for an IT audit every 12-18 months.
There’s a lot of benefit in having an independent third party assess your IT environment prior to a formal regulatory exam — it gives your institution the chance to close any identified gaps, make improvements and mitigate risk.
But undergoing any audit involves preparation and planning, so whether this is your first IT audit or you’ve been performing them for years now, we have five tips to make the process smoother and easier.
1. Keep a record of your policies and procedures
A large part of an IT audit is examining policies and procedures, which makes having an organized record of them essential. You can lift a large burden off your team’s shoulders if, when your auditor asks to see a specific policy, you can simply point to a specific page number in a specific file.
Keeping files and tasks maintained and ready for review will not only save your auditor time and potentially reduce the cost of your audit but also allow your team to continue focusing on their day-to-day priorities instead of looking for files and answering follow-up emails.
2. Schedule availability with your IT resource
Many smaller financial institutions like community banks aren’t large enough to justify a full internal IT department and often outsource their IT to a third party. If this is the case for your institution, prior to your audit’s start date, contact your IT vendor, inform them about your upcoming IT audit and request their availability to talk to your IT auditor. This way, your auditor can ask them more technical questions, get the information they need and continue on with the audit.
3. Block off time on staff schedules
Your IT audit will involve walkthroughs and interviews with key personnel. And while your auditor should take an auditing approach designed to minimize disruption to your team, there will inevitably be questions that pop up during the audit.
Altogether, it’s smart to verify your team’s schedule, determine if there are any projects or events to work around and block off time for the audit. If you have one week that’s particularly project-heavy, an IT audit happening at the same time is only going to stress out your team. Planning ahead and blocking off time will help mitigate this.
4. Be open with communication
Many financial institutions undergoing an IT audit for the first time may feel nervous about the process or what the auditor may discover. However, your IT auditor is not there to catch you out on a substandard process. Their goal is to help you mitigate risk and better prepare for your regulators. It helps if your institution is open and honest about what systems aren’t working well or what department may be experiencing issues. Ultimately, your auditor will provide you with valuable feedback that can help make your regulatory exam smoother.
5. Let your IT auditor know how you want to communicate
IT audits often involve a combination of on-site and remote work. Your auditor will rely on technology to receive documents from you, communicate with you and your team, and even gather additional evidence through screensharing.
During the planning process, let your auditor know what your institution’s technology capabilities are and how you would prefer to be communicated with, and find out what your auditor’s technology needs and expectations are. For example, while Wipfli uses Microsoft Teams for virtual meetings, some of our clients prefer GoToMeeting or Cisco Webex. Setting expectations at the start can help prevent technology issues during the audit.
Ready for your IT audit?
If you’ve never had an IT audit before — or if you’re looking to switch IT audit firms to gain a fresh perspective on your IT infrastructure, policies and processes — Wipfli can help. We are experienced IT auditors with deep knowledge of the financial institutions industry.
What’s more, we are a resource available to you throughout the year, not just the week of your audit. Whether it’s answering questions or updating you on regulations, we’re here for your institution as a trusted advisor, year-round.