

DWA Services
IT Audit, Assessment, and Test of Controls
(AAT)
GLBA, HIPAA, FFIEC-NIST, GLBA-HIPAA-PCI Engagements Available
DWA’s Information Systems & Technology Audit, Assessment, and Test of Controls (AAT) is a comprehensive, multi-level, risk focused engagement designed to help high-trust organizations confirm the safety and soundness of their IT environment.
This engagement is built around recognized regulatory and industry expectations, including guidance commonly used in examinations, and focuses on how well the board/executives, management, staff, and vendors identify, measure, monitor, and control IT risk; protect nonpublic information and other critical resources; and respond appropriately when issues occur.
It is a structured audit, assessment, and test of controls process that is intended to answer a simple question:
Are your IT controls designed and operating in a way that supports compliance and security—today—not just on paper?
It is aligned to GLBA, FFIEC, HIPAA, NIST, and/or PCI privacy and safeguards expectations and commonly referenced regulatory requirements, and is informed by guidance from examination and standards bodies.
Core objectives
During the engagement, we work to:

- Determine whether the board/executives and management have adopted, approved, and implemented appropriate IT policies, programs, and procedures.
- Evaluate the organization’s ability to identify, assess, monitor, and control IT risk.
- Assess whether management, staff, and vendors have the expertise and oversight needed to plan, direct, and control IT operations.
- Assess IT controls and safeguards protecting nonpublic information and critical sensitive resources.
- Audit and test for compliance with established internal policies and applicable standards, rules, and guidance.
How we do it
The engagement uses three method types, chosen based on risk and practicality:

- Reviewing: discussions and documentation/configuration analysis to understand processes and locate evidence.
- Examination: direct inspection, observation, or analysis of assessment objects to obtain evidence.
- Testing: exercising controls under defined conditions to compare expected vs. actual behavior.

Because testing can create operational disruption or risk exposure if done carelessly, we use it judiciously - preferably in non-production environments - typically when risk is higher, prior issues exist, or review / examination results warrant deeper validation.
What we cover (assessment objects)
The report is organized around a defined set of “assessment objects”, the technology and control areas we evaluate. These include:

- Governance and Compliance
- Management and Security
- Audit and Assessment
- Business Continuity
- Authentication and Encryption
- Vendors and Outsourced Services
- Retail and Wholesale Banking Services OR CRM and ERP Services
- Websites
- Remote Access
- Internet Access
- Malware and Endpoint Protection
- Networks
- Servers and Workstations
- Operations and Systems Development
What you receive (the deliverable)
Your final deliverables are the IT Audit, Assessment, and Test of Controls Reports, which include:

- A clear summary of findings by priority (Critical / High / Medium / Low) with a concise conclusion.
- Administration details for the engagement (scope period, approach, and key participants).
- A structured, detailed section for each assessment object that includes:
  - Description and goals;
  - Findings;
  - Recommendations.
- Appendices that support transparency and traceability, including:
  - Evidence document listings (typically delivered as accompanying ZIP files);
  - Reference resources (regulatory, examination guidance, and standards references);
  - Acronym definitions for readability.

Note - Reports are provided in both technical detail and management summary versions.
We also conduct an exit meeting with management (and designated representatives) to walk through results, discuss practical remediation, and ensure there are no surprises when the report is delivered.
The outcome: clear risk, clear priorities, clear next steps
This report is designed to be useful at multiple levels:

- Boards and executives get a risk-focused view of overall safety and soundness.
- Management and IT teams get prioritized findings and practical recommendations tied to real evidence and observed conditions.

Let’s Talk
If you’re looking for a trusted partner for IT audits, assessments, controls testing, or advisory support, we’d be glad to connect.
Contact us to discuss your needs, pricing, timelines, and the best approach for your organization.