Booklet: Supervision of Technology Service Providers
Section: Shared Application Software Reviews
The FFIEC established the Shared Application Software Review (SASR) Program to employ interagency resources in uniform reviews of major software packages. These packages include stand-alone software and integrated (turnkey system) packages. Criteria for selection include, but are not limited to, purchased software that involves mission-critical applications used by a large number of financial institutions or high-risk applications. These applications include, but are not limited to, wire transfer, capital markets, securities transfer, loans, deposits, and general ledger. SASRs are for use by FFIEC agencies only. Their contents are not shared with the software vendor or the user financial institutions because FFIEC agencies do not have the authority to share SASRs with these respective entities.
PURPOSE OF THE SASR PROGRAM

The SASR program was designed to provide reviews of major software systems while conserving examiner resources. Only experienced IT examiners should prepare SASRs. Because of the continuing demand by all agencies for senior IT examiner resources, the performance of SASR reviews must be clearly beneficial when compared to costs. The FFIEC IT subcommittee has the responsibility for the selection of turnkey software packages included in the SASR reviews, and the scheduling of these reviews. The benefits of the program include:
- Ensuring a cost-effective use of agency/interagency IT examiner resources; and
- Equipping examiners with information and tools to assist in doing more comprehensive and accurate reviews of institutions using these systems and applications.
The use of SASR procedures is not limited to the review of community financial institution turnkey systems. The agencies can also use SASRs to support interagency safety and soundness initiatives when focusing on higher-risk applications in larger financial institutions. A SASR could evaluate financial institution software packages for use in wire transfer, capital markets, derivatives development/record keeping, securities transfer, asset management, or other lines of business.
OBJECTIVES OF THE SASR PROGRAM

The objectives of the SASR program are to:

- Augment the IT examination work in community financial institutions;
- Provide examiners with information that can reduce time and resources needed to examine turnkey software systems; and
- Reach conclusions on the adequacy of the software product and identify where compensating controls are needed to ensure financial institutions operate in a safe and sound manner.
RESPONSIBILITY

The IT subcommittee has the ultimate responsibility for oversight of the national SASR program. The selection of packages for review should be made by September 30 of each year. In some cases, FFIEC regional offices will oversee SASRs conducted on software products that are not a part of the national SASR program. Annually, the IT subcommittee will:

- Select the agency-in-charge (AIC) for each vendor/software product;
- Identify vendors and software packages for SASR review; and
- Establish and monitor schedules. The supervisory strategy of MDPS companies that have products subject to review should include the SASR activity, if applicable.
PROGRAM ADMINISTRATION

The designated AIC conducts the review in an institution that it supervises, and, with authorization from the vendor, at the vendor’s location. The part of the review done at an institution should be part of the regular IT examination. The AIC also performs the following steps:

- Examiner-in-Charge (EIC) Selection—The AIC should select an experienced IT examiner to supervise the review.
- Notification—The AIC must provide other agencies with at least six months’ prior notice of the upcoming review to assure the availability of specialized IT examiners.
- Research—The AIC should perform preliminary research of the selected software product before beginning the review. The research information should include background data and a description of the organizational structure of the firm and any user group activity. Information collected before the review aids in setting its scope.
- Location Selection—The AIC has the responsibility for selecting the best location to conduct the software review and for notifying the participating agencies of the target review date.
- Scope Document—A scope document for the review must be prepared in a manner similar to that of an MDPS. If a software review is part of the MDPS examination, the AIC may include in the scope document for the MDPS examination the information discussed under the “Research” and “Location Selection” bullets.
- Vendor Notification—The AIC should notify the vendor of the upcoming software review and request the designation of a contact person. The vendor may provide information and suggestions that enhance the review. The AIC should inform the vendor that the final product of the review is a confidential report for regulatory agencies’ purposes only. The AIC should caution the vendor that it should not publicize its participation in the SASR program and that no one should construe the review as an endorsement of the software program.
- Report—An internal confidential report, summarizing the review findings, must be completed and be strictly for regulatory purposes only.
- Exit Meeting—The AIC must conduct an exit meeting at the mutual convenience of the vendor and the participating examiners, unless the vendor refuses to meet. Ideally, the EIC will make a draft report available for this meeting with the vendor. The EIC may discuss the draft report with the vendor representative to ensure the accuracy of the information. However, the vendor cannot copy the draft and must return the draft to the examiners after the meeting. In addition, the EIC may request comments on planned enhancements to the software program. During the exit meeting, examiners should discuss significant areas of concern identified in the review. With the approval of the IT subcommittee or regional FFIEC contacts, the EIC may document significant concerns in a follow-up letter to the vendor.
- Review Submission—The EIC should complete and forward the SASR report for approval to the supervisory office of the AIC within 30 days from the completion of the on-site review.
- Document Review and Distribution—The AIC will review, approve, and distribute the final SASR report to the FFIEC agencies for internal agency use only. Each agency will distribute the final document to its respective regional office or district.
- Follow-up—The vendor should be requested to keep the AIC apprised of major software changes and enhancements.
- Scheduled Updates—Feedback from field examiners and other events can trigger a subsequent review. These events may include changes of ownership, significant software changes, or other developments.