As I speak with those in financial institutions responsible for responding to audit and examination requests, I find that there is considerable confusion over the differences between the two. And some of this confusion is understandable…there is certainly some overlap between them, but there are also considerable differences in the nature and scope of each one. It may sometimes seem as if you are asked to comply with 2 completely different standards. How often has the auditor had findings that you’ve never been asked during an examination? And how often has an examiner thrown you a curve ball seemingly out of left field?
In a perfect world shouldn’t the audit be nothing more than preparation for the examination? The scope of the audit should be no more and no less than what you need to get past the examination. Any more and you feel as though you’ve wasted resources (time and money), any less and you haven’t gotten your money’s worth, right? Well…actually no. While the two have the same broad goal of assessing alignment with a set of standards, the audit will often use a broader set of industry standards and best practices. This is because the FFIEC guidance is so general and non-prescriptive. For example, take one of the questions in the FDIC Information Technology Officer’s Pre-Examination Questionnaire.
“Do you have a written information security program designed to manage and control risk (Y/N)?”
Of course the correct answer is “Y”, but since the FDIC doesn’t provide an information security program template, how do you know that your program will be acceptable to the regulators? You know because your IT auditor has examined your InfoSec program, and compared what you have done to existing IT best practices and standards, such as COBIT, ITIL, ISO 27001, SAS 94, NIST, and perhaps others. While this doesn’t guarantee that your institution won’t have examination findings, it will reduce the probability, as well as the severity, of them. This point is critical to understanding the differences between and audit and an examination; an audit will identify and allow you to correct the root cause of potential examination findings prior to the examination. So using the example above, even if the examiner has findings related to your information security program, they will be related to how you addressed the root cause, not if you addressed it. (I’m defining root cause as anything found in the Examination Procedures.) In fact, the FFIEC recognizes the dynamic between the IT audit and examination process this way:
An effective IT audit function may also reduce the time examiners spend reviewing areas of the institution during examinations.
And reduced time (usually) equals fewer curve balls, and a less stressful examination experience!
