The FDIC has updated their IT Examination procedures. On July 1, 2016, the FDIC will begin using the Information Technology Risk Examination (InTREx) Program to perform IT examinations at financial institutions. The InTREx Program consists of the IT profile and three workpapers to help examiners accurately assess IT risks and the mitigating controls in place.
InTREx Program Summary
- Information Technology Profile
- Core Analysis Decision Factors and Audit Procedures Workpaper
- Development & Acquisition
- Support & Delivery
- Information Security Standards (GLBA) Workpaper
- Cybersecurity Workpaper
- Expanded Core Analysis Decision Factors and Audit Procedures Workpaper
- Support and Delivery
Let’s take a closer look at each component of the InTREx Program.
Information Technology Profile
This document is replacing the lengthy IT Officer’s Questionnaire (ITOQ). Financial institution personnel are responsible for completing the IT profile and submitting it to the examiner prior to the examination. The examiner will use the profile results to define the scope of the exam. The revised questionnaire consists of 26 questions and is divided into the following categories.
- Core Processing (4)
- Network (6)
- Online banking (4)
- Development and Programming (1)
- Software and Services (2)
- Other (9)
The core analysis is the primary component of the InTREx Program and is the first of three workpapers the examiner will use. Each of the four sections (Audit, Management, Development & Acquisition, and Support & Delivery) includes a number of decision factors. Each decision factor has related audit procedures to be performed so the examiner can assign a rating to the decision factor. The decision factor ratings will be utilized to assign a rating to the component which will affect the composite rating. The Management and Support & Delivery sections also have expansion sections with audit procedures that may not be applicable to all financial institutions. The decision factors and audit procedures are excellent resources to review to ensure that you have assessed all risks and implemented appropriate controls. A summary table of the decision factors is at the end of this document.
Information Security Standards (GLBA)
Several audit procedures are flagged as GLBA in the core analysis as they are directly related to protecting the security, confidentiality and integrity of customer information. This second workpaper ensures that standards defined in section 501(b) of the GLBA are met. This workpaper has one single decision factor and does not contain audit procedures since they are all flagged in the core analysis.
Decision Factor: After completing the GLBA-related examination procedures contained in the Core Modules, summarize the institution’s compliance with the Interagency Guidelines Establishing Information Security Standards.
The third workpaper, Cybersecurity, is similar to the GLBA workpaper in that there is only one decision factor and no additional audit procedures. The cybersecurity audit procedures are flagged in the core analysis.
Decision Factor: After completing the cybersecurity-related examination procedures contained in the Core Modules, summarize the adequacy of the institution’s cybersecurity preparedness, including risk identification processes and mitigating controls.
Rating & Reporting
The Uniform Rating System for Information Technology (URSIT) is utilized to rate each of the four components of the core analysis and to assign a composite score for the core analysis. These scores will appear in the Risk Management Report of Examination.
Summaries of the examiner’s assessment of the cybersecurity preparedness and compliance with GLBA will also be documented on the Information Technology and Operations Risk Assessment Page of the Risk Management Report of Examination.
The InTREx Program will be implemented on July 1, 2016. You should contact your local FDIC examiner if you have any specific questions on how this will affect your next exam. The three workpapers will be utilized during the exam; however, the exam will not be limited to the core analysis audit procedures and expansion procedures. The examiner can expand the scope of the exam based upon his or her discretion. The FFIEC Information Technology Examination Handbook, which includes workpapers, are still valid resources that are referenced in the InTREx Program and will be utilized by examiners.
I recommend reading the Financial Institution Letter 43-2016 and the InTREx Program. If you have not had an independent party perform an IS General Controls Review, please contact us at email@example.com or 225.308.1712. The scope of the IS General Controls Review includes audit procedures documented in the InTREx Program.
|Core Analysis Decision Factors|
|MANAGEMENT – EXPANDED ANALYSIS|
|DEVELOPMENT & ACQUISITION|
|SUPPORT & DELIVERY|
|SUPPORT & DELIVERY – EXPANDED ANALYSIS|
Adequacy of controls over: