Management Booklet
Appendix A: Examination Procedures

EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization's management of information technology. Examiners should use these procedures to measure the adequacy of the institution's IT risk management process, including management awareness and participation, risk assessment, policies and procedures, reporting, ongoing monitoring, and follow-up.

This workprogram is intended to assist examiners in determining the effectiveness of a financial institution's IT management process. However, examiners may choose to use only particular components of the workprogram based upon the size, complexity, and nature of the institution's business.
Objective 1: Determine the appropriate scope and objectives for the examination.

1. Review past reports for outstanding issues or previous problems. Consider:
   - Regulatory reports of examination,
   - Internal and external audit reports,
   - Independent security tests, and
   - Regulatory and audit reports on service providers.

2. Review management's response to issues raised at, or since, the last examination. Consider:
   - Adequacy and timing of corrective action,
   - Resolution of root causes rather than just specific issues,
   - Existence of any outstanding issues, and
   - Whether management has taken positive action toward correcting exceptions reported in audit and examination reports.

3. Interview management and review the response to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institution's risk. Consider:
   - Products or services delivered to either internal or external users,
   - Network topology, including changes to configuration or components,
   - Hardware and software listings,
   - Loss or addition of key personnel,
   - Technology service providers and software vendor listings,
   - Communication lines with other control functions (e.g., loan review, credit risk management, line of business quality assurance, and internal audit),
   - Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, fraud occurring due to poor controls, improperly implemented changes to systems),
   - Changes to internal business processes, and
   - Internal reorganizations.
Objective 2: Determine whether the board of directors and senior management appropriately consider IT in the corporate governance process, including the process to enforce compliance with IT policies, procedures, and controls.

1. Review the corporate and Information Technology (IT) departmental organization charts to determine if:
   - The organizational structure provides for effective IT support throughout the organization,
   - IT management reports directly to senior level management,
   - The IT department's responsibilities are appropriately segregated from business processing activities, and
   - Appropriate segregation of duties exists.

2. Review biographical data of key personnel and the established staff positions to determine the adequacy of:
   - Qualifications,
   - Staffing levels, and
   - Provisions for management succession.

3. Review and evaluate written job descriptions to ensure:
   - Authority, responsibility, and technical skills required are clearly defined, and
   - They are maintained in writing and are updated promptly.

4. Identify key positions and determine whether:
   - Job descriptions are reasonable and represent actual practice,
   - Back-up personnel are identified and trained, and
   - Succession plans provide for an acceptable transition in the event of loss of a key manager or employee.

5. Determine the effectiveness of management's communication and monitoring of IT policy compliance across the organization.

6. Consult with the examiner reviewing audit or IT audit to determine the adequacy of coverage and management's responsiveness to identified weaknesses.
Objective 3: Determine the adequacy of the IT planning and risk assessment.

1. Review the membership list of board, IT steering, or relevant management committees established to review IT related matters. Determine if board, senior management, business lines, audit, and IT personnel are represented appropriately and regular meetings are held.

2. Review the minutes of the board of directors and relevant committee meetings for evidence of senior management support and supervision of IT activities.

3. Determine if committees review, approve, and report to the board of directors on:
   - Information security risk assessment,
   - Short and long-term IT strategic plans,
   - IT operating standards and policies,
   - Resource allocation (e.g., major hardware/software acquisition and project priorities),
   - Status of major projects,
   - IT budgets and current operating cost,
   - Research and development studies, and
   - Corrective actions on significant audit and examination deficiencies.

4. Determine if the board of directors or senior management gives adequate consideration to the following IT matters when formulating the institution's overall business strategy:
   - Risk assessment,
   - IT strategic plans,
   - Current status of the major projects in process or planned,
   - Staffing levels (sufficient to complete tasks as scheduled),
   - IT operating costs, and
   - IT contingency planning and business recovery.

5. Review the strategic plans for IT activities. Determine if the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the last examination, or planned, that affect the institution's organizational structure, hardware/software configuration, and overall data processing goals. Determine:
   - If business needs are realistic,
   - If IT has the ability to meet business needs,
   - If the strategic plan defines the IT environment,
   - If the plan lists strategic initiatives,
   - If the plan explains trends and issues of potential impact, and
   - If there are clearly defined goals and metrics.

6. Review turnover rates in IT staff and discuss staffing and retention issues with IT management. Identify root causes of any staffing or expertise shortages, including compensation plans or other retention practices.

7. If IT employees have duties in other departments, determine if:
   - Management is aware of the potential conflicts such duties may cause, and
   - Conflicting duties are subject to appropriate supervision and compensating controls.

8. Review the adequacy of insurance coverage (if applicable) for:
   - Employee fidelity,
   - IT equipment and facilities,
   - Media reconstruction,
   - E-banking,
   - EFT,
   - Loss resulting from business interruptions,
   - Errors and omissions,
   - Extra expenses, including backup site expenses,
   - Items in transit, and
   - Other probable risks (unique or specific risks for a particular institution).
Objective 4: Evaluate management's establishment and oversight of IT control processes, including business continuity planning, information security, outsourcing, software development and acquisition, and operations.

1. Review the board of directors' and management's IT oversight program. Determine if the Board:
   - Is directly involved in setting or managing IT oversight,
   - Established a steering committee,
   - Implemented processes and procedures that meet objectives of governing IT policies,
   - Approved appropriate oversight policies for information security,
   - Has current policies, processes, and procedures that result in compliance with applicable regulatory requirements (e.g., the Gramm-Leach-Bliley Act, GLBA),
   - Addressed risks regarding system development and acquisition, and
   - Has a process in place for business continuity planning.

2. Review the IT governance (i.e., steering committee) practices established by management.

3. Review major acquisitions of hardware and software to determine if they are within the limits approved by the board of directors.

4. Review the IT management organizational structure to determine if the Board established:
   - A defined and functioning role for a CIO or CTO;
   - Integration of business line manager(s) into the IT oversight process; and
   - Involvement of front line management in the IT oversight process.
Objective 5: Determine whether the Board of Directors and management effectively report and monitor IT-related risks.

1. Determine if management and the Board of Directors:
   - Annually review and approve a formal, written information security program,
   - Approve and monitor the risk assessment process,
   - Approve and monitor major IT projects,
   - Approve standards and procedures,
   - Monitor overall IT performance,
   - Maintain an ongoing relationship between IT and business lines,
   - Review and approve infrastructure, vendor, or other major IT capital expenditures based upon board-set limits,
   - Review and monitor the status of annual IT plans and budgets,
   - Review management reports and measure actual performance of selected major projects against established plans, determining the reasons for any shortfalls, and
   - Review the adequacy and allocation of IT resources, including staff and technology.

2. Review the risk assessment to determine whether the institution has characterized its systems properly and assessed the risks to information assets. Consider whether the institution has:
   - Identified and ranked information assets according to a rigorous and consistent methodology that considers the risks to customer and non-public information as well as risks to the institution,
   - Identified all reasonable threats to financial institution assets, and
   - Analyzed its technical and organizational vulnerabilities.

3. Identify whether the institution effectively updates the risk assessment before making system changes, implementing new products or services, or confronting new external conditions.

4. Determine the effectiveness of the reports used by senior management or relevant management committees to supervise and monitor the following IT activities:
   - Management reports that provide the status of software development/maintenance activities,
   - Performance and problem reports prepared by internal user groups,
   - System use and planning reports prepared by operating managers, and
   - Internal and external audit reports of IT activities.
Objective 6: Determine the appropriateness of IT policies, procedures, and controls based on the nature and complexity of the institution's operations.

1. Determine if IT management has adequate standards and procedures governing the following items, through examination or by discussing the issues with other examiners performing reviews in these areas:
   - Risk assessment,
   - Personnel administration,
   - Development and acquisition,
   - Computer operations,
   - Outsourcing risk management,
   - Computer and information security,
   - Business continuity planning, and
   - Audit.
Objective 7: If the institution provides IT services to other financial institutions, determine the quality of customer service and support.

1. If the technology service provider (TSP) is not a bank, credit union, thrift, or holding company, analyze the TSP's financial condition and note any potential strengths and weaknesses.

2. Determine whether the service provider provides adequate customer access to financial information. Consider:
   - Method of communication with customer financial institutions,
   - Timeliness of reporting, and
   - Quality of financial information as determined by internal or external auditor reports.

3. Determine the adequacy of service provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues.

4. Determine the quality of customer service and support provided to customer institutions by:
   - Reviewing management reports used to monitor customer service or reported problems,
   - Reviewing complaint files and methods used to handle complaints,
   - Evaluating the extent of user group activity and minutes from meetings, and
   - Interviewing a sample of existing customers for satisfaction (if deemed appropriate).

5. Determine the quality of management's follow-up and resolution of customer concerns and problems through analysis of the information above.
Objective 8: If management information systems (MIS) are included in the scope of the review, complete the following procedures.

1. Review previous IT MIS review-related examination findings. Review management's response to those findings and:
   - Discuss with examiners the usefulness and applicability of MIS systems that have been reviewed or are pending review,
   - Request copies of any reports that discuss either MIS deficiencies or strengths, and
   - Determine the significance of deficiencies and set priorities for follow-up investigations.

   Request and review copies of recent reports prepared by internal or external auditors of targeted IT MIS area(s) and determine:
   - The significance of IT MIS problems disclosed,
   - Recommendations provided for resolving IT MIS deficiencies,
   - Management's responses and whether corrective actions have been initiated and/or completed, and
   - Audit follow-up activities.

2. Review reports for any MIS target area (i.e., business line selected for MIS review). Determine any material changes involving the usefulness of information and the five MIS elements of:
   - Timeliness,
   - Accuracy,
   - Consistency,
   - Completeness, and
   - Relevance.
Objective 9: Discuss corrective action and communicate findings.

1. Review preliminary conclusions with the examiner-in-charge (EIC) regarding:
   - Violations of laws, rulings, and regulations,
   - Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination,
   - Proposed URSIT (Uniform Rating System for Information Technology) management component rating and the potential impact of your conclusion on other composite or component IT ratings, and
   - Potential impact of your conclusions on the institution's risk assessment.

2. Discuss findings with management and obtain proposed corrective action for significant deficiencies.

3. Document conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the Report of Examination and guidance to future examiners.

4. Organize work papers to ensure clear support for significant findings by examination objective.