audit workprogram

Upload: makarand-lonkar

Post on 03-Apr-2018


7/28/2019 Audit Workprogram

1/29

Audit September 2003

AUDIT EXAMINATION PROCEDURES

Examination objectives allow the examiner to determine the quality and effectiveness of the audit function related to IT controls. These procedures will disclose the adequacy of audit coverage and to what extent, if any, the examiner may rely upon the procedures performed by the auditors in determining the scope of the IT examination.

Tier I objectives and procedures relate to the institution's implementation of an effective audit function that may be relied upon to identify and manage risks.

Tier II objectives and procedures provide additional validation as warranted by risk to verify the effectiveness of the institution's audit function. Tier II questions correspond to the Uniform Rating System for Information Technology (URSIT) rating areas and can be used to determine where the examiner may rely upon audit work in determining the scope of the IT examination for those areas.

TIER I OBJECTIVES AND PROCEDURES

Work Paper Reference / Comment

Objective 1: Determine the scope and objectives of the examination of the IT audit function and coordinate with examiners reviewing other programs.

1. Review past reports for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT. Consider

- Regulatory reports of examination;
- Internal and external audit reports, including correspondence/communication between the institution and auditors;
- Regulatory, audit, and security reports from key service providers;
- Audit information and summary packages submitted to the board or its audit committee;
- Audit plans and scopes, including any external audit or internal audit outsourcing engagement letters; and
- Institution's overall risk assessment.

FFIEC IT Examination Handbook Page 1

2. Review the most recent IT internal and external audit reports in order to determine:

- Management's role in IT audit activities;
- Any significant changes in business strategy, activities, or technology that could affect the audit function;
- Any material changes in the audit program, scope, schedule, or staffing related to internal and external audit activities; and
- Any other internal or external factors that could affect the audit function.

3. Review management's response to issues raised since the last examination. Consider:

- Adequacy and timing of corrective action;
- Resolution of root causes rather than just specific issues; and
- Existence of any outstanding issues.

4. Assess the quality of the IT audit function. Consider

- Audit staff and IT qualifications, and
- IT audit policies, procedures, and processes.

Using the results from the preceding procedures and discussions with the EIC, select from the following examination procedures those necessary to meet the examination objectives. Note: examinations do not necessarily require all steps.

Objective 2: Determine the quality of the oversight and support of the IT audit function provided by the board of directors and senior management.

1. Review board resolutions and audit charter to determine the authority and mission of the IT audit function.

2. Review and summarize the minutes of the board or audit committee for member attendance and supervision of IT audit activities.

3. Determine if the board reviews and approves IT policies, procedures, and processes.

4. Determine if the board approves audit plans and schedules, reviews actual performance of plans and schedules, and approves major deviations to the plan.

5. Determine if the content and timeliness of audit reports and issues presented to and reviewed by the board of directors or audit committee are appropriate.

6. Determine whether the internal audit manager and the external auditor report directly to the board or to an appropriate audit committee and, if warranted, have the opportunity to escalate issues to the board both through the normal audit committee process and through the more direct communication with outside directors.

Objective 3: Determine the credentials of the board of directors or its audit committee related to their ability to oversee the IT audit function.

1. Review credentials of board members related to abilities to provide adequate oversight. Examiners should

- Determine if directors responsible for audit oversight have appropriate level of experience and knowledge of IT and related risks; and
- If directors are not qualified in relation to IT risks, determine if they bring in outside independent consultants to support their oversight efforts through education and training.

2. Determine if the composition of the audit committee is appropriate considering entity type and complies with all applicable laws and regulations. Note: If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million.

Objective 4: Determine the qualifications of the IT audit staff and its continued development through training and continuing education.

1. Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider

- IT audit personnel qualifications and compare them to the job descriptions;
- Whether staff competency is commensurate with the technology in use at the institution; and
- Trends in IT audit staffing to identify any negative trends in the adequacy of staffing.

Objective 5: Determine the level of audit independence.

1. Determine if the reporting process for the IT audit is independent in fact and in appearance by reviewing the degree of control persons outside of the audit function have on what is reported to the board or audit committee.

2. Review the internal audit organization structure for independence and clarity of the reporting process. Determine whether independence is compromised by:

- The internal audit manager reporting functionally to a senior management official (i.e., CFO, controller, or similar officer);
- The internal audit manager's compensation and performance appraisal being done by someone other than the board or audit committee; or
- Auditors responsible for operating a system of internal controls or actually performing operational duties or activities.

Objective 6: Determine the existence of timely and formal follow-up and reporting on management's resolution of identified IT problems or weaknesses.

1. Determine whether management takes appropriate and timely action on IT audit findings and recommendations and whether audit or management reports the action to the board of directors or its audit committee. Also, determine if IT audit reviews or tests management's statements regarding the resolution of findings and recommendations.

2. Obtain a list of outstanding IT audit items and compare the list with audit reports to ascertain completeness.

3. Determine whether management sufficiently corrects the root causes of all significant deficiencies noted in the audit reports and, if not, determine why corrective action is not sufficient.

Objective 7: Determine the adequacy of the overall audit plan in providing appropriate coverage of IT risks.

1. Interview management and review examination information to identify changes to the institution's risk profile that would affect the scope of the audit function. Consider

- Institution's risk assessment,
- Products or services delivered to either internal or external users,
- Loss or addition of key personnel, and
- Technology service providers and software vendor listings.

2. Review the institution's IT audit standards manual and/or IT-related sections of the institution's general audit manual. Assess the adequacy of policies, practices, and procedures covering the format and content of reports, distribution of reports, resolution of audit findings, format and contents of work papers, and security over audit materials.

Objective 8: Determine the adequacy of audit's risk analysis methodology in prioritizing the allocation of audit resources and formulating the IT audit schedule.

1. Evaluate audit planning and scheduling criteria, including risk analysis, for selection, scope, and frequency of audits. Determine if

- The audit universe is well defined; and
- Audit schedules and audit cycles support the entire audit universe, are reasonable, and are being met.

2. Determine whether the institution has appropriate standards and processes for risk-based auditing and internal risk assessments that

- Include risk profiles identifying and defining the risk and control factors to assess and the risk management and control structures for each IT product, service, or function; and
- Describe the process for assessing and documenting risk and control factors and its application in the formulation of audit plans, resource allocations, audit scopes, and audit cycle frequency.

Objective 9: Determine the adequacy of the scope, frequency, accuracy, and timeliness of IT-related audit reports.

1. Review a sample of the institution's IT-related audit reports and work papers for specific audit ratings, completeness, and compliance with board and audit committee-approved standards.

2. Analyze the internal auditor's evaluation of IT controls and compare it with any evaluations done by examiners.

3. Evaluate the scope of the auditor's work as it relates to the institution's size, the nature and extent of its activities, and the institution's risk profile.

4. Determine if the work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the reports.

5. Determine through review of the audit reports and work papers if the auditors accurately identify and consistently report weaknesses and risks.

6. Determine if audit report content is

- Timely
- Constructive
- Accurate
- Complete

Objective 10: Determine the extent of audit's participation in application development, acquisition, and testing, as part of the organization's process to ensure the effectiveness of internal controls.

1. Discuss with audit management and review audit policies related to audit participation in application development, acquisition, and testing.

2. Review the methodology management employs to notify the IT auditor of proposed new applications, major changes to existing applications, modifications/additions to the operating system, and other changes to the data processing environment.

3. Determine the adequacy and independence of audit in

- Participating in the systems development life cycle;
- Reviewing major changes to applications or the operating system;
- Updating audit procedures, software, and documentation for changes in the systems or environment; and
- Recommending changes to new proposals or to existing applications and systems to address audit and control issues.

Objective 11: If the IT internal audit function, or any portion of it, is outsourced to external vendors, determine its effectiveness and whether the institution can appropriately rely on it.

1. Obtain copies of

- Outsourcing contracts and engagement letters,
- Outsourced internal audit reports, and
- Policies on outsourced audit.

2. Review the outsourcing contracts/engagement letters and policies to determine whether they adequately

- Define the expectations and responsibilities under the contract for both parties.
- Set the scope, frequency, and cost of work to be performed by the vendor.
- Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and directors about the status of contract work.
- Establish the protocol for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract.
- State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the outsourcing vendor.
- State that any information pertaining to the institution must be kept confidential.
- Specify the locations of internal audit reports and the related work papers.
- Specify the period of time that vendors must maintain the work papers. If work papers are in electronic format, contracts often call for vendors to maintain proprietary software that allows the institution and examiners access to electronic work papers during a specified period.
- State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related work papers and other materials prepared by the outsourcing vendor.
- Prescribe a process (arbitration, mediation, or other means) for resolving problems and for determining who bears the cost of consequential damages arising from errors, omissions and negligence.
- State that outsourcing vendors will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of institution management or an employee and, if applicable, they are subject to professional or regulatory independence guidance.

3. Consider arranging a meeting with the IT audit vendor to discuss the vendor's outsourcing internal audit program and determine the auditors' qualifications.

4. Determine whether the outsourcing arrangement maintains or improves the quality of the internal audit function and the institution's internal controls. The examiner should

- Review the performance and contractual criteria for the audit vendor and any internal evaluations of the audit vendor;
- Review outsourced internal audit reports and a sample of audit work papers. Determine whether they are adequate and prepared in accordance with the audit program and the outsourcing agreement;
- Determine whether work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the outsourced reports; and
- Determine whether the scope of the outsourced internal audit procedures is adequate.

5. Determine whether key employees of the institution and the audit vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the audit vendor during internal audits are to be addressed.

6. Determine whether management or the audit vendor revises the scope of outsourced audit work appropriately when the institution's environment, activities, risk exposures, or systems change significantly.

7. Determine whether the directors ensure that the institution effectively manages any outsourced internal audit function.

8. Determine whether the directors perform sufficient due diligence to satisfy themselves of the audit vendor's competence and objectivity before entering the outsourcing arrangement.

9. If the audit vendor also performs the institution's external audit or other consulting services, determine whether the institution and the vendor have discussed, determined, and documented that applicable statutory and regulatory independence standards are being met. Note: If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million.

10. Determine whether an adequate contingency plan exists to reduce any lapse in audit coverage, particularly coverage of high-risk areas, in the event the outsourced audit relationship is terminated suddenly.

Objective 12: Determine the extent of external audit work related to IT controls.

1. Review engagement letters and discuss with senior management the external auditor's involvement in assessing IT controls.

2. If examiners rely on external audit work to limit examination procedures, they should ensure audit work is adequate through discussions with external auditors and reviewing work papers if necessary.

Objective 13: Determine whether management effectively oversees and monitors any significant data processing services provided by technology service providers:

1. Determine whether management directly audits the service provider's operations and controls, employs the services of external auditors to evaluate the servicer's controls, or receives sufficiently detailed copies of audit reports from the technology service provider.

2. Determine whether management requests applicable regulatory agency IT examination reports.

3. Determine whether management adequately reviews all reports to ensure the audit scope was sufficient and that all deficiencies are appropriately addressed.

CONCLUSIONS

Objective 14: Discuss corrective actions and communicate findings.

1. Determine the need to perform Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.

2. Using results from the above objectives and/or audit's internally assigned audit rating or audit coverage, determine the need for additional validation of specific audited areas and, if appropriate

- Forward audit reports to examiners working on related work programs, and
- Suggest either the examiners or the institution perform additional verification procedures where warranted.

3. Using results from the review of the IT audit function, including any necessary Tier II procedures,

- Document conclusions on the quality and effectiveness of the audit function as related to IT controls; and
- Determine and document to what extent, if any, examiners may rely upon the internal and external auditors' findings in order to determine the scope of the IT examination.

4. Review preliminary examination conclusions with the examiner-in-charge (EIC) regarding

- Violations of law, rulings, and regulations;
- Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and
- Potential effect of your conclusions on URSIT composite and component ratings.

5. Discuss examination findings with management and obtain proposed corrective action for significant deficiencies.

6. Document examination conclusions, including a proposed audit component rating, in a memorandum to the EIC that provides report-ready comments for all relevant sections of the report of examination.

7. Document any guidance to future examiners of the IT audit area.

8. Organize examination work papers to ensure clear support for significant findings and conclusions.

Examiner Date

Reviewer's Initials

TIER II OBJECTIVES AND PROCEDURES

The Tier II examination procedures for the IT audit process provide additional verification procedures to evaluate the effectiveness of the IT audit function. These procedures are designed to assist in achieving examination objectives and scope and may be used entirely or selectively. Tier II questions correspond to URSIT rating areas and can be used to determine where the examiner may rely upon audit work in determining the scope of the IT examination for those areas.

Examiners should coordinate this coverage with other examiners to avoid duplication of effort with the examination procedures found in other IT Handbook booklets.

A. MANAGEMENT

1. Determine whether audit procedures for management adequately consider

- The ability of management to plan for and initiate new activities or products in response to information needs and to address risks that may arise from changing business conditions;
- The ability of management to provide reports necessary for informed planning and decision making in an effective and efficient manner;
- The adequacy of, and conformance with, internal policies and controls addressing the IT operations and risks of significant business activities;
- The effectiveness of risk monitoring systems;
- The level of awareness of, and compliance with, laws and regulations;
- The level of planning for management succession;
- The ability of management to monitor the services delivered and to measure the institution's progress toward identified goals in an effective and efficient manner;
- The adequacy of contracts and management's ability to monitor relationships with technology service providers;
- The adequacy of strategic planning and risk management practices to identify, measure, monitor, and control risks, including management's ability to perform self-assessments; and
- The ability of management to identify, measure, monitor, and control risks and to address emerging IT needs and solutions.

B. SYSTEMS DEVELOPMENT AND ACQUISITION

1. Determine whether audit procedures for systems development and acquisition and related risk management adequately consider

- The level and quality of oversight and support of systems development and acquisition activities by senior management and the board of directors;
- The adequacy of the institutional and management structures to establish accountability and responsibility for IT systems and technology initiatives;
- The volume, nature, and extent of risk exposure to the institution in the area of systems development and acquisition;
- The adequacy of the institution's systems development methodology and programming standards;
- The quality of project management programs and practices that are followed by developers, operators, executive management/owners, independent vendors or affiliated servicers, and end-users;
- The independence of the quality assurance function and the adequacy of controls over program changes including the
  - parity of source and object programming code,
  - independent review of program changes,
  - comprehensive review of testing results,
  - management's approval before migration into production, and
  - timely and accurate update of documentation;
- The quality and thoroughness of system documentation;
- The integrity and security of the network, system, and application software used in the systems development process;
- The development of IT solutions that meet the needs of end-users; and
- The extent of end-user involvement in the systems development process.

C. OPERATIONS

1. Determine whether audit procedures for operations consider

- The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers.
- The adequacy of data controls over preparation, input, processing, and output.
- The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units. Consider the adequacy of offsite data and program backup and the adequacy of business resumption testing.
- The quality of processes or programs that monitor capacity and performance.
- The adequacy of contracts and the ability to monitor relationships with service providers.
- The quality of assistance provided to users, including the ability to handle problems.
- The adequacy of operating policies, procedures, and manuals.
- The quality of physical and logical security, including the privacy of data.
- The adequacy of firewall architectures and the security of connections with public networks.

D. INFORMATION SECURITY

1. Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether

- A written and adequate data security policy is in effect covering all major operating systems, databases, and applications;
- Existing controls comply with the data security policy, best practices, or regulatory guidance;
- Data security activities are independent from systems and programming, computer operations, data input/output, and audit;
- Some authentication process, such as user names and passwords, restricts access to systems;
- Access codes used by the authentication process are protected properly and changed with reasonable frequency;
- Transaction files are maintained for all operating and application system messages, including commands entered by users and operators at terminals, or at PCs;
- Unauthorized attempts to gain access to the operating and application systems are recorded, monitored, and responded to by independent parties;
- User manuals and help files adequately describe processing requirements and program usage;
- Controls are maintained over telecommunication(s), including remote access by users, programmers and vendors; and over firewalls and routers to control and monitor access to platforms, systems and applications;
- Access to buildings, computer rooms, and sensitive equipment is controlled adequately;
- Written procedures govern the activities of personnel responsible for maintaining the network and systems;
- The network is fully documented, including remote and public access, with documentation available only to authorized persons;
- Logical controls limit access by authorized persons only to network software, including operating systems, firewalls, and routers;
- Adequate network updating and testing procedures are in place, including configuring, controlling, and monitoring routers and firewalls;
- Adequate approvals are required before deployment of remote, Internet, or VPN access for employees, vendors, and others;
- Alternate network communications procedures are incorporated into the disaster recovery plans;
- Access to networks is restricted using appropriate authentication controls; and
- Unauthorized attempts to gain access to the networks are monitored.

    FFIEC IT Examination Handbook Pa ge 23

  • 7/28/2019 Audit Workprogram

    24/29

    Audit September 2003

    2. Determine whether audit proceduresfor information security adequatelyconsider compliance with theInteragency GuidelinesEstablishing Standards for Safeguarding Customer Information, as mandated bySection 501(b) of the Gramm-Leach-Bliley Act of 1999.Consider evaluating whethermanagement has

    Identified and assessed risks tocustomer information;

    Designed and implemented aprogram to control risks;

    Tested key controls (at leastannually);

    Trained personnel; and

    Adjusted the compliance plan ona continuing basis to account forchanges in technology, thesensitivity of customer information, andinternal/external threats toinformation security.

E. PAYMENT SYSTEMS

1. Determine whether audit procedures for payment systems risk adequately consider the risks in wholesale electronic funds transfer (EFT). Evaluate whether

- Adequate operating policies and procedures govern all activities, both in the wire transfer department and in the originating department, including authorization, authentication, and notification requirements;
- Formal contracts with each wire servicer exist (i.e., Federal Reserve Bank (FRB), correspondent financial institutions, and others);
- Separation of duties is sufficient to prevent any one person from initiating, verifying, and executing a transfer of funds;
- Personnel policies and practices are in effect;
- Adequate security policies protect wire transfer equipment, software, communications lines, incoming and outgoing payment orders, test keys, etc.;
- Credit policies and appropriate management approvals have been established to cover overdrafts;
- Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based upon activity;
- Appropriate insurance riders cover activity;
- Contingency plans are appropriate for the size and complexity of the wire transfer function; and
- Funds transfer terminals are protected by adequate password security.

2. Determine whether audit procedures for payment systems risk adequately consider the risks in retail EFT (automatic teller machines, point-of-sale, debit cards, home banking, and other card-based systems including VISA/Master Charge compliance). Evaluate whether

- Written procedures are complete and address each EFT activity;
- All EFT functions are documented appropriately;
- Physical controls protect plastic cards, personal identification number (PIN) information, EFT equipment, and communication systems;
- Separation of duties and logical controls protect EFT-related software, customer account, and PIN information;
- All transactions are properly recorded, including exception items, and constitute an acceptable audit trail for each activity;
- Reconcilements and proofs are performed daily by persons with no conflicting duties;
- Contingency planning is adequate;
- Vendor and customer contracts are in effect and detail the responsibilities of all parties to the agreement;
- Insurance coverage is adequate; and
- All EFT activity conforms to applicable provisions of Regulation E.

    3. Determine whether audit procedures for payment systems risk adequately consider the risks in automated clearinghouse (ACH). Evaluate whether

    Policies and procedures govern all ACH activity;

    Incoming debit and credit totals are verified adequately and items counted prior to posting to customer accounts;

    Controls over rejects, charge backs, unposted and other suspense items are adequate;

    Controls prevent the altering of data between receipt of data and posting to accounts;

    Adequate controls exist over any origination functions, including separation of data preparation, input, transmission, and reconcilement;

    Security and control exist over ACH capture and transmission equipment; and

    ACH activity complies with NACHA, local clearinghouse, and FRB rules and regulations.
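    The totals-verified-before-posting and no-alteration-between-receipt-and-posting items above, as an added example that is not part of the FFIEC handbook: the receiving institution recomputes the entry count, entry hash, and debit and credit totals from the entry detail records and compares them with the batch control record before anything posts. Control totals alone do not catch an alteration that keeps the totals balanced, such as swapping account numbers between two debits, so the example also seals the batch with an HMAC at receipt and re-checks it at posting time. The field positions follow the NACHA 94-character fixed-width layout for PPD entry detail (type 6) and batch control (type 8) records; the HMAC seal, its key, and the sample routing and account numbers are constructed assumptions, not part of the NACHA format or the handbook.

```python
"""Control-total and integrity checks on a received ACH batch before posting.

Added example, not from the FFIEC handbook. Record layouts follow the NACHA
94-character fixed-width format for PPD entry detail (type 6) and batch
control (type 8) records. The receipt-time HMAC seal is an assumed
institution-side control, not part of the NACHA format.
"""
import hashlib
import hmac

DEBIT_CODES = {"27", "28", "29", "37", "38", "39"}   # checking/savings debits
CREDIT_CODES = {"22", "23", "24", "32", "33", "34"}  # checking/savings credits


def valid_routing(rtn):
    """ABA routing number check digit: weights 3,7,1 repeated, sum must be 0 mod 10."""
    return (len(rtn) == 9 and rtn.isdigit()
            and sum(int(d) * w for d, w in zip(rtn, [3, 7, 1] * 3)) % 10 == 0)


def entry_detail(tx_code, rtn, account, amount_cents, name, trace):
    """Build a 94-character PPD entry detail record (type 6)."""
    rec = ("6" + tx_code + rtn + account.ljust(17) + f"{amount_cents:010d}"
           + " " * 15 + name.ljust(22)[:22] + "  " + "0" + f"{trace:015d}")
    assert len(rec) == 94
    return rec


def totals(entries):
    """Entry count, entry hash (sum of 8-digit RDFI ids, rightmost 10 digits), debits, credits."""
    count = len(entries)
    ehash = sum(int(e[3:11]) for e in entries) % 10**10
    debit = sum(int(e[29:39]) for e in entries if e[1:3] in DEBIT_CODES)
    credit = sum(int(e[29:39]) for e in entries if e[1:3] in CREDIT_CODES)
    return count, ehash, debit, credit


def batch_control(entries, company_id="1234567890", odfi="09100001", batch_no=1):
    """Build the batch control record (type 8) as the originator sends it (SCC 200 = mixed)."""
    count, ehash, debit, credit = totals(entries)
    rec = ("8200" + f"{count:06d}" + f"{ehash:010d}" + f"{debit:012d}"
           + f"{credit:012d}" + company_id.ljust(10) + " " * 25
           + odfi + f"{batch_no:07d}")
    assert len(rec) == 94
    return rec


def verify_batch(entries, control):
    """Return discrepancies found before posting; an empty list means the batch may post."""
    problems = []
    for e in entries:
        if len(e) != 94 or e[0] != "6" or not e[29:39].isdigit():
            return [f"malformed entry record: {e[:20]!r}"]   # stop before totals
        if not valid_routing(e[3:12]):
            problems.append(f"bad RDFI routing check digit in trace {e[79:94]}")
    count, ehash, debit, credit = totals(entries)
    stated = {"entry count": int(control[4:10]), "entry hash": int(control[10:20]),
              "total debit": int(control[20:32]), "total credit": int(control[32:44])}
    computed = {"entry count": count, "entry hash": ehash,
                "total debit": debit, "total credit": credit}
    problems += [f"{k}: control record says {stated[k]}, items sum to {computed[k]}"
                 for k in stated if stated[k] != computed[k]]
    return problems


def seal(records, key):
    """HMAC over the batch exactly as received, computed once at receipt (assumed control)."""
    return hmac.new(key, "\n".join(records).encode(), hashlib.sha256).hexdigest()


def unchanged_since_receipt(records, key, receipt_seal):
    return hmac.compare_digest(seal(records, key), receipt_seal)


# Constructed sample batch: routing numbers, accounts and names are test values.
ENTRIES = [
    entry_detail("27", "091000019", "100200300", 125_00, "A SMITH", 91000010000001),
    entry_detail("27", "011000015", "400500600", 80_50, "B JONES", 91000010000002),
    entry_detail("22", "021000021", "700800900", 205_50, "C LEE", 91000010000003),
]
CONTROL = batch_control(ENTRIES)
KEY = b"receipt-seal-key (sample only)"
RECEIPT_SEAL = seal(ENTRIES + [CONTROL], KEY)


def tampered_amount():
    """First debit raised after receipt: the control totals catch it, and so does the seal."""
    bad = [ENTRIES[0][:29] + f"{1_125_00:010d}" + ENTRIES[0][39:]] + ENTRIES[1:]
    return verify_batch(bad, CONTROL), unchanged_since_receipt(bad + [CONTROL], KEY, RECEIPT_SEAL)


def swapped_accounts():
    """Account numbers swapped between two debits: totals still balance, only the seal catches it."""
    a, b = ENTRIES[0], ENTRIES[1]
    bad = [a[:12] + b[12:29] + a[29:], b[:12] + a[12:29] + b[29:], ENTRIES[2]]
    return verify_batch(bad, CONTROL), unchanged_since_receipt(bad + [CONTROL], KEY, RECEIPT_SEAL)
```

    The two tampering cases are the point of the example: raising an amount breaks the stated debit total and is caught by the control record, but moving the same amounts between accounts leaves every total intact and is caught only by the seal taken at receipt. An auditor assessing the fourth item above should therefore ask what, beyond control totals, binds the posted items to the batch as it was received.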

    F. OUTSOURCING

    1. Determine whether audit procedures for outsourcing activities adequately cover the risks when IT service is provided to external users. Evaluate whether

    Formal procedures are in effect and staff is assigned to provide interface with users/customers to control data center-related issues (e.g., program change requests, record differences, service quality);

    There are contracts with all customers (affiliated and nonaffiliated) and whether the institution's legal staff has approved them;

    Controls exist over billing and income collection;

    Disaster recovery plans interface between the data center, customers, and users;

    Controls exist over on-line terminals employed by users and customers;

    Comprehensive user manuals exist and are distributed; and

    There are procedures for communicating incidents to clients.

    2. Determine whether audit procedures for outsourced activities are adequate. Evaluate whether

    There are contracts in place that have been approved by the institution's legal staff;

    Management monitors vendor performance of contracted services and the financial condition of the vendor;

    Applicable emergency and disaster recovery plans are in place;

    Controls exist over the terminal used by the financial institution to access files at an external servicer's location;

    Internal controls for each significant user application are consistent with those required for in-house systems;

    Management has assessed the impact of external and internal trends and other factors on the ability of the vendor to support continued servicing of client financial institutions;

    The vendor can provide and maintain service level performance that meets the requirements of the client; and

    Management monitors the quality of vendor software releases, documentation, and training provided to clients.


    Examiner Date

    Reviewer's Initials