OCC 2003-41	
OCC Bulletin	

Subject:      FFIEC Information Technology Examination Handbook
Description:  E-Banking, Audit, and FedLine Booklets

Date:         October 2, 2003 

TO:  Chief Executive Officers of All National Banks, Federal 
     Branches and Agencies, Technology Service Providers and 
     Software Vendors, Department and Division Heads, and All 
     Examining Personnel


The Federal Financial Institutions Examination Council (FFIEC) has 
issued updated guidance in three booklets on electronic banking 
(e-banking), information technology (IT) audit, and the FedLine 
electronic funds transfer application.  These booklets are the most 
recent in a series that will completely update and replace the 1996 
FFIEC Information Systems (IS) Examination Handbook.  The work 
programs contained in the booklets represent expanded procedures 
that examiners can use if appropriate for the risk and complexity 
of the bank’s operations.

The Audit Booklet rescinds chapter 8, and the FedLine Booklet 
rescinds chapter 19 of the 1996 FFIEC IS Examination Handbook.  The 
E-Banking Booklet replaces the OCC Internet Banking Handbook and 
OCC Bulletin 98-38, “Technology Risk Management: PC Banking.”
  
E-Banking Booklet

This booklet reflects the OCC’s views on the risks specific to 
e-banking and provides bankers and examiners with guidance on those 
risks and the risk management issues associated with the delivery 
of e-banking products and services.  

Banks face unique risks based on the choices they make when 
implementing and enhancing their e-banking services.  Decisions on 
network Internet connectivity, outsourcing various system components, 
and the specific products and services affect the level of risk and 
the complexity of risk management.  Senior management and boards of 
directors must understand these risks before investing in and 
expanding their e-banking activities.  They need to integrate the 
e-banking-related controls into their existing strategic plan, 
information security program, vendor management process, and 
business continuity plans.  Banks must have appropriate controls, 
testing, and expertise for all internally managed e-banking system 
components.  In addition, banks with outsourced e-banking processes 
should carefully select and monitor service providers to ensure that 
appropriate controls exist.  The bank can outsource the process or 
service, but remains responsible for the adequacy of the controls 
to ensure confidentiality, integrity, and availability.  

Senior management and the board should look beyond the IT planning 
and control issues and involve all affected stakeholders in their 
e-banking activities including auditors, compliance management, and 
the various lines of business.

Audit Booklet

This booklet provides bankers and examiners with guidance on 
maintaining an effective risk-based IT audit program.  Technology 
and related operational controls are essential to safe and sound 
banking.  Banks must have appropriate audit programs that 
incorporate IT coverage based on the nature and complexity of their 
operations.  The IT audit program should be consistent with the 
overall audit program described in the Comptroller of the Currency’s 
(OCC) Internal and External Audit Handbook.  IT audit programs 
should define the appropriate scope, expertise, independence, 
and frequency of coverage to address areas such as payment systems, 
Internet connectivity, networks, software applications, access 
controls, and systems development.  The audit program should also 
incorporate the oversight of critical service providers through 
third-party audit reports and direct audit coverage when third-party 
coverage is insufficient.

FedLine Booklet

The FedLine Booklet provides bankers and examiners with guidance on 
security and control expectations for the Federal Reserve Banks’ 
FedLine application. [FedLine, DOS-based FedLine, and Fedwire are 
registered servicemarks of the Federal Reserve Banks.  References 
to FedLine refer specifically to DOS-based FedLine, unless 
otherwise noted.]  FedLine provides community banks with access 
to wire transfer services.  The ability to transfer funds makes 
FedLine one of the highest risk applications in most community banks.  
If not adequately controlled, a person could generate unauthorized 
wire transfers of sufficient size or volume to jeopardize the safety 
and soundness of the bank.  National banks have the ability to set 
automated and procedural controls that support segregation of duties, 
dual control, large item reviews, audit trails, and operator 
accountability.  Senior management should implement the recommended 
controls and system settings or justify instances where they decide 
not to implement the recommendations to the board.  

The attached FFIEC press release describes the handbook update 
process and provides the following link [www.ffiec.gov/guides.htm] 
to electronic versions of all three booklets.  To accommodate banks 
with limited access to the Internet, the OCC will also include these 
booklets in the next release of e-files, the CD-based library of OCC 
publications provided to all national banks.  Any bank that is not 
able to download the booklets may order printed copies.  Please send 
your request to the Office of the Comptroller of the Currency, 250 
E Street, SW, Mail Stop 4-8, Washington, DC 20219.  If you need 
assistance obtaining a copy, please contact the OCC’s Communications 
Division at (202) 874-4700.

Other questions regarding these booklets should be directed to your 
OCC supervisory office or the Bank Technology Division at 
(202) 874-5920.



____________________________________
Ralph E. Sharpe
Deputy Comptroller for Technology 

Attachment
[http://www.occ.treas.gov/2003-41a.pdf]