FDIC IT Exam Update

Amy Bucklin

The FDIC has updated their IT Examination procedures.  On July 1, 2016, the FDIC will begin using the Information Technology Risk Examination (InTREx) Program to perform IT examinations at financial institutions.  The InTREx Program consists of the IT profile and three workpapers to help examiners accurately assess IT risks and the mitigating controls in place.  

InTREx Program Summary

  • Information Technology Profile
  • Core Analysis Decision Factors and Audit Procedures Workpaper
    • Audit
    • Management
    • Development & Acquisition
    • Support & Delivery
  • Information Security Standards (GLBA) Workpaper
  • Cybersecurity Workpaper
  • Expanded Core Analysis Decision Factors and Audit Procedures Workpaper
    • Management
    • Support and Delivery

Let’s take a closer look at each component of the InTREx Program.

Information Technology Profile

This document is replacing the lengthy IT Officer’s Questionnaire (ITOQ).  Financial institution personnel are responsible for completing the IT profile and submitting it to the examiner prior to the examination.  The examiner will use the profile results to define the scope of the exam.  The revised questionnaire consists of 26 questions and is divided into the following categories.

  • Core Processing (4)
  • Network (6)
  • Online banking (4)
  • Development and Programming (1)
  • Software and Services (2)
  • Other (9)

Core Analysis

The core analysis is the primary component of the InTREx Program and is the first of three workpapers the examiner will use.  Each of the four sections (Audit, Management, Development & Acquisition, and Support & Delivery) includes a number of decision factors.  Each decision factor has related audit procedures to be performed so the examiner can assign a rating to the decision factor. The decision factor ratings will be utilized to assign a rating to the component which will affect the composite rating.  The Management and Support & Delivery sections also have expansion sections with audit procedures that may not be applicable to all financial institutions.  The decision factors and audit procedures are excellent resources to review to ensure that you have assessed all risks and implemented appropriate controls.  A summary table of the decision factors is at the end of this document.

Information Security Standards (GLBA)

Several audit procedures are flagged as GLBA in the core analysis as they are directly related to protecting the security, confidentiality and integrity of customer information.  This second workpaper ensures that standards defined in section 501(b) of the GLBA are met.  This workpaper has one single decision factor and does not contain audit procedures since they are all flagged in the core analysis.  
Decision Factor: After completing the GLBA-related examination procedures contained in the Core Modules, summarize the institution’s compliance with the Interagency Guidelines Establishing Information Security Standards.

Cybersecurity

The third workpaper, Cybersecurity, is similar to the GLBA workpaper in that there is only one decision factor and no additional audit procedures.  The cybersecurity audit procedures are flagged in the core analysis. 
Decision Factor: After completing the cybersecurity-related examination procedures contained in the Core Modules, summarize the adequacy of the institution’s cybersecurity preparedness, including risk identification processes and mitigating controls.

Rating & Reporting

The Uniform Rating System for Information Technology (URSIT) is utilized to rate each of the four components of the core analysis and to assign a composite score for the core analysis.  These scores will appear in the Risk Management Report of Examination.  

Summaries of the examiner’s assessment of the cybersecurity preparedness and compliance with GLBA will also be documented on the Information Technology and Operations Risk Assessment Page of the Risk Management Report of Examination.

Summary

The InTREx Program will be implemented on July 1, 2016.  You should contact your local FDIC examiner if you have any specific questions on how this will affect your next exam.  The three workpapers will be utilized during the exam; however, the exam will not be limited to the core analysis audit procedures and expansion procedures.  The examiner can expand the scope of the exam based upon his or her discretion.  The FFIEC Information Technology Examination Handbook, which includes workpapers, are still valid resources that are referenced in the InTREx Program and will be utilized by examiners.

I recommend reading the Financial Institution Letter 43-2016 and the InTREx Program.  If you have not had an independent party perform an IS General Controls Review, please contact us at info@trainacpa.com or 225.308.1712.  The scope of the IS General Controls Review includes audit procedures documented in the InTREx Program.

Core Analysis Decision Factors
AUDIT
  1. The level of independence maintained by audit and the quality of the oversight and support provided by the Board of Directors and management.
  2. The adequacy of IT coverage in the overall audit plan and the adequacy of the underlying risk analysis methodology used to formulate that plan.
  3. The scope, frequency, accuracy, and timeliness of internal and external audit reports and the effectiveness of audit activities in assessing and testing IT controls.
  4. The qualifications of the auditor, staff succession, and continued development through training.
  5. The existence of timely and formal follow-up and reporting on management’s resolution of identified problems or weaknesses.
  6. If applicable, include a summary comment below for any additional risk factors reviewed or examination procedures performed that may not be directly referenced in the Decision Factors above.
MANAGEMENT
  1. The level and quality of oversight and support of IT activities by the Board of Directors and management.
  2. The ability of management to provide information reports necessary for informed planning and decision making in an effective and efficient manner.
  3. The adequacy of, and conformance with, internal policies and controls addressing IT operations and risks of significant business activities.
  4. The level of awareness of and compliance with laws and regulations.
  5. The level of planning for management succession.
  6. The adequacy of contracts and management’s ability to monitor relationships with third-party servicers.
  7. The adequacy of risk assessment processes to identify, measure, monitor, and control risks.
  8. If applicable, include a summary comment below for any additional risk factors reviewed or examination procedures performed that may not be directly referenced in the Decision Factors above.
MANAGEMENT – EXPANDED ANALYSIS
  1. The adequacy of controls over cloud computing.
  2. The adequacy of involvement in service provider user groups.
  3. Oversight of critical service providers’ information security programs.
  4. The adequacy of controls over managed security service providers.
  5. The adequacy of controls over Foreign-Based Technology Service Providers.
  6. Oversight of incentive compensation agreements within IT service provider contracts.
DEVELOPMENT & ACQUISITION
  1. The level and quality of oversight and support of systems development and acquisition activities by senior management and the Board of Directors.
  2. The quality of project management programs and practices.
  3. The adequacy of controls over program changes.
  4. The development of information technology solutions that meet the needs of end users.
  5. If applicable, evaluate the adequacy of source code and programming controls.
  6. If applicable, include a summary comment below for any additional risk factors reviewed or examination procedures performed that may not be directly referenced in the Decision Factors above.
SUPPORT & DELIVERY
  1. The quality of processes or programs that monitor capacity and performance.
  2. The adequacy of data controls over preparation, input, processing, and output.
  3. The quality of assistance provided to users, including the ability to handle problems.
  4. The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units.
  5. The adequacy of network architectures and the security of connections with public networks.
  6. The quality of physical and logical security, including the privacy of data.
  7. The adequacy of controls over electronic funds transfers and electronic banking activities.
  8. If applicable, include a summary comment below for any additional risk factors reviewed or examination procedures performed that may not be directly referenced in the Decision Factors above.
SUPPORT & DELIVERY – EXPANDED ANALYSIS

Adequacy of controls over:

  1. Wireless networks
  2. Virtualization
  3. Voice over Internet Protocol (VoIP)
  4. ATM operations
  5. Customer-facing call center operations
  6. Internal IT Help Desk operations
  7. Services provided to other entities