What determines specific audit guidance?
All controls have an ID and a statement, such as "define the scope of the organizational compliance framework." That statement is in turn supported by detailed control guidance.
These three data points (ID, statement and guidance) aren't specific audit guidance. It isn't until the authority document begins to ask pointed questions about whom to interview, what to examine, and what to test or observe that the document provides specific audit guidance.
- Examine guidance is when the auditor is asked to inspect, analyze, or scrutinize the demonstrable outcome of a control.
- Test/observe guidance is when the auditor is asked to either actively try a control's process or observe the active process in order to judge the demonstrable outcome.
- Interview guidance is when the auditor is asked to speak with, or survey, individual or key personnel when examining the demonstrable outcome of the control.
These points are what set specific audit guidance apart from regular control guidance.
Within each of the handbooks, the specific audit guidance can be found in the examination procedures appendix, which is broken down into two tiers of audit questions. The first tier of questions always focuses on the basics, while the second tier of questions provides additional validation "as warranted by risk" (a favorite statement within the FFIEC handbooks). One of the great things about the audit guides is that end users can also access them as workpapers in either generic word processing format or in MS Word format.
Reformatting and harmonizing the audit guidance
Within the FFIEC handbooks, the audit guidance is not separated into what to examine, test/observe or interview. The information is presented as a series of straightforward directions such as the following:
Review past reports for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT. Consider:
- Regulatory reports of examination;
- Internal and external audit reports, including correspondence/communication between the institution and auditors;
- Regulatory, audit, and security reports from key service providers; etc.
Therefore, the first step is to break your questions down into their distinct areas -- examine, test/observe or interview. The second step is to thread the different audit questions together into a harmonized whole.
One of the audit statements found within both the Audit and Wholesale Payment Systems handbooks is to define the scope of the organizational compliance framework and controls for the organization. Because of their differing outlooks, the two handbooks take different views of what to examine. The FFIEC IT Examination Handbook -- Audit Exam Tier I Obj 11.9 states that the auditor should verify that, if an audit vendor is used to provide external audits or other services to the organization, both parties have discussed and determined that applicable statutory and regulatory independence standards are being met. The FFIEC IT Examination Handbook -- Wholesale Payment Systems Pg 29, Exam Tier I Obj 2.1, and Exam Tier II Obj 13.1 all state that the auditor should examine the organization's compliance with the Federal Reserve's payments system risk policies and procedures. There is no mention of external sources.
Are these really so different? No. In order to reduce audit fatigue and make your life easier, you could simply rewrite a harmonized version of the audit examination guidance to "gather all authority document sources from both internal and external audit sources and ensure that those authority documents are being used as the basis for risk assessments, policies, procedures, and all other compliance initiatives."
There's also an easier way to do this. Vendors in the governance, risk, and compliance (GRC) space, such as CA, Inc., NetIQ Corp., Compliance Spectrum, and NEMEA Security Services, LLC have already loaded and harmonized all of the FFIEC's audit questions into their applications.
About the author:
Dorian J. Cougias is the co-founder and primary architect of the Unified Compliance Framework, the first and largest independent initiative to map IT controls across international regulations, standards, and best practices. A frequent speaker and well respected author, Cougias has written hundreds of articles and dozens of books, including the award-winning Backup Book: Disaster Recovery from Desktop to Data Center and most recently the Unified Compliance Series. Dorian has served as CIO of two global ad agencies and CEO of an international software company. He is currently an adjunct professor at the University of Delaware and the lead analyst at Network Frontiers, a company that focuses on systems continuity, regulatory compliance, and IT infrastructure. For more information, visit www.unifiedcompliance.com.
This was first published in July 2008