®
R. Kinney Williams
Yennik, Inc.

Information Systems-
Technology Audits

The scope of the IT audits are based on examination procedures outlined in the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook. Where applicable, we referenced various information systems/technology guidelines issued by the OCC, FDIC, FRB, and OTS.  We also reference the Control Objectives for Information and Related Technology (CobiT) published by the Information Systems Audit and Control Foundation, which is an international open standard of good practices for IT governance, security, and control.

The IT audit includes completing the FFIEC workpapers for Community Financial Institution IT Examination Workprogram, Fedline Examination Procedures, Information Security questionnaire, FRB Gramm-Leach-Bliley Act 501(b) questionnaire, Information Systems Technology Procedural Testing reports, and other applicable IT auditing questionnaires.

1. Senior management involvement, review applicable minutes
2. Network, workstation, Internet, disaster recovery, and other IT security policies
3. Gramm-Leach-Bliley Act Section 501 (b)
4. Overall security procedures
5. Segregation of IT duties 
6. Internal quality and integrity controls
7. Data communication security
8. User identification authorization
9. User level of accessibility
10. Restricted transactions
11. Activity and exception reports
12. Backup procedures
13. Other operational security controls
14. Insurance coverage
15. Network security, which includes the Internet
16. Internal auditing procedures
17. Contingency planning and disaster recovery
18. Internet security procedures
19. Vendor due diligence
20. Fedline Advantage security
21. Internet banking controls and procedures
22. Telephone banking
23. Internal procedures and controls around your core banking system, whether internal or external processing

At no additional cost and when applicable, the IT audit includes the following IT security tests:

1. External VISTA penetration-vulnerability study
2. Domain server security settings
3. Workstation security setting
4. Network user access
5. Core application access
6. Network topology security analysis
7. Systems security features and controls
8. Sampling for unauthorized software

If you need any of the following auditing services and for a discounted additional fee, we can perform the following during the IT audit:

1. Internal network penetration-vulnerability test.  If you need an internal vulnerability audit, you will find more information about the internal-VISTA penetration study at http://www.internetbankingaudits.com/intrusion_internal_index.htm. 
2. ACH audit in accordance with the ACH Rules (published by the National Automated Clearing House Association).  The audit will include completing the ACH Audit Questionnaire with your personnel.
3. Web site audit of the institution’s informational web site and Internet banking.  The scope includes the FFIEC "Guidance on Electronic Financial Services and Consumer Compliance."  You will find more information about web site audits at http://www.bankwebsiteaudits.com/.

We are members of the Information Systems Audit and Control Association, the Society of Financial Examiners, the Institute of Internal Auditors, and the Association of Credit Union Internal Auditors.  We follow the code of ethics and auditing standards of these organizations.

If you are seeking an information technology audit from an examiner's perspective, please contact Kinney Williams at 806-798-7119 or send an email to examiner@yennik.com. 

Experience
(Over 40 years in banking and bank auditing experience that  includes 21 years as a bank examiner)