Using the FFIEC Examination handbooks to produce a harmonized audit guide


Dorian Cougias, Contributor
07.29.2008

Editor's note: This is the final segment of our five part series on the FFIEC IT Examination Handbooks, by Dorian Cougias, co-founder of the Unified Compliance Framework.

Altogether, the FFIEC Examination handbooks contain a total of 686 unique controls. Of those, only 563 contain actual audit guidance. Why the discrepancy? With all of the authority document harmonization we've done within the Unified Compliance Framework (UCF), we've found that most audit guides never add specific audit-related questions to every control they present -- only to the key ones.

What determines specific audit guidance?
Every control has an ID and a statement, which defines what the control requires. The statement is in turn accompanied by detailed control guidance.

These three data points (ID, statement and guidance) aren't specific audit guidance. It isn't until the authority document begins to ask pointed questions about whom to interview, what to examine, and what to test or observe that the document provides specific audit guidance.

These points are what set specific audit guidance apart from regular control guidance.

Within each of the handbooks, the specific audit guidance can be found in the examination procedures appendix, which is broken down into two tiers of audit questions. The first tier of questions always focuses on the basics, while the second tier of questions provides additional validation "as warranted by risk" (a favorite statement within the FFIEC handbooks). One of the great things about the audit guides is that end users can also access them as workpapers in either generic word processing format or in MS Word format.

Reformatting and harmonizing the audit guidance
Within the FFIEC handbooks, the audit guidance is not separated into what to examine, test/observe or interview. The information is presented as a series of straightforward directions such as the following:

Review past reports for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT. Consider:

Therefore, the first step is to break your questions down into their distinct areas -- examine, test/observe or interview. The second step is to thread the different audit questions together into a harmonized whole.

One audit statement that appears in both the Audit and the Wholesale Payment Systems handbooks is to define the scope of the organizational compliance framework and controls. Because the two handbooks are written from different perspectives, each has a different take on what to examine. FFIEC IT Examination Handbook -- Audit, Exam Tier I Obj 11.9, states that the auditor should verify that, if an audit vendor is used to provide external audits or other services to the organization, both parties have discussed and determined that applicable statutory and regulatory independence standards are being met. FFIEC IT Examination Handbook -- Wholesale Payment Systems, Pg 29, Exam Tier I Obj 2.1 and Exam Tier II Obj 13.1 all state that the auditor should examine the organization's compliance with the Federal Reserve's payments system risk policies and procedures. There is no mention of external sources.

Are these really so different? No. In order to reduce audit fatigue and make your life easier, you could simply rewrite a harmonized version of the audit examination guidance to "gather all authority document sources from both internal and external audit sources and ensure that those authority documents are being used as the basis for risk assessments, policies, procedures, and all other compliance initiatives."

There's also an easier way to do this. Vendors in the governance, risk, and compliance (GRC) space, such as CA, Inc., NetIQ Corp., Compliance Spectrum, and NEMEA Security Services, LLC have already loaded and harmonized all of the FFIEC's audit questions into their applications.

About the author:
Dorian J. Cougias is the co-founder and primary architect of the Unified Compliance Framework, the first and largest independent initiative to map IT controls across international regulations, standards, and best practices. A frequent speaker and well respected author, Cougias has written hundreds of articles and dozens of books, including the award-winning Backup Book: Disaster Recovery from Desktop to Data Center and most recently the Unified Compliance Series. Dorian has served as CIO of two global ad agencies and CEO of an international software company. He is currently an adjunct professor at the University of Delaware and the lead analyst at Network Frontiers, a company that focuses on systems continuity, regulatory compliance, and IT infrastructure. For more information, visit www.unifiedcompliance.com.
