EXAMINATION OBJECTIVES: Assess the quality and effectiveness of the institution's technology operations. These procedures will help disclose the adequacy of risk management of, and controls around, the institution's technology operations. Examiners may choose to use only particular components of the workprogram based upon the size, complexity, and nature of the institution's business or upon a risk-focused examination plan.
The objectives and procedures are divided into Tier I and Tier II:
Tier I and Tier II are a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the operations-related issues found in other workprograms.
Objective 1: Determine scope and objectives for reviewing the technology operations.
1. Review past reports for outstanding issues or previous problems. Consider:
2. Review management's response to issues raised during the previous regulatory examination and during internal and external audits performed since the last examination. Consider:
3. Interview management and review the operations information request to identify:
Objective 2: Determine the quality of IT operations oversight and support provided by the board of directors and senior management.
1. Describe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the institution.
2. Review documentation that describes, or discuss with management, the technology systems and operations (enterprise architecture) in place to develop an understanding of how these systems support the institution's business activities. Assess the adequacy of the documentation or management's ability to knowledgeably discuss how technology systems support business activities.
3. Review operations management MIS reports. Discuss whether the frequency of monitoring or reporting is continuous (for large, complex facilities) or periodic. Assess whether the MIS adequately addresses:
Objective 3: Determine whether senior management and the board periodically conduct a review to identify or validate previously identified risks to IT operations, quantify the probability and impact of the risks, establish adequate internal controls, and evaluate processes for monitoring risks and the control environment.
1. Obtain documentation of, or discuss with senior management, the probability of risk occurrence and the impact to IT operations. Evaluate management's risk assessment process.
2. Obtain copies of, and discuss with senior management, the reports used to monitor the institution's operations and control environment. Assess the adequacy and timeliness of the content.
3. Determine whether management coordinates the IT operations risk management process with other risk management processes such as those for information security, business continuity planning, and internal audit.
Objective 4: Obtain an understanding of the operations environment.
1. Review and consider the adequacy of the environmental survey(s) and inventory listing(s) or other descriptions of hardware and software. Consider the following:
2. Review systems diagrams and topologies to obtain an understanding of the physical location of and interrelationship between:
3. Obtain an understanding of the mainframe, network, and telecommunications environment and how the information flows and maps to the business process.
4. Review and assess policies, procedures, and standards as they apply to the institution's computer operations environment and controls.
Objective 5: Determine whether there are adequate controls to manage the operations-related risks.
1. Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as:
2. Determine whether management has implemented appropriate daily operational controls and processes including:
3. Determine whether management has implemented appropriate human resource management. Assess whether:
Objective 6: Review data storage and back-up methodologies, and off-site storage strategies.
1. Review the institution's enterprise-wide data storage methodologies. Assess whether management has appropriately planned its data storage process, and whether suitable standards and procedures are in place to guide the function.
2. Review the institution's data back-up strategies. Evaluate whether management has appropriately planned its data back-up process, and whether suitable standards and procedures are in place to guide the function.
3. Review the institution's inventory of data and program files (operating systems, purchased software, in-house developed software) stored on-site and off-site. Determine if the inventory is adequate and whether management has an appropriate process in place for updating and maintaining this inventory.
4. Review and determine if management has appropriate back-up procedures to ensure the timeliness of data and program file back-ups. Evaluate the timeliness of off-site rotation of back-up media.
5. Identify the location of the off-site storage facility and evaluate whether it is a suitable distance from the primary processing site. Assess whether appropriate physical controls are in place at the off-site facility.
6. Determine whether management performs periodic physical inventories of off-site back-up material.
7. Determine whether the process for regularly testing data and program back-up media is adequate to ensure the back-up media is readable and that restorable copies have been produced.
Objective 7: Determine if adequate environmental monitoring and controls exist.
1. Review the environmental controls and monitoring capabilities of the technology operations as they apply to:
Objective 8: Ensure appropriate strategies and controls exist for the telecommunication services.
1. Assess whether controls exist to address telecommunication operations risk, including:
2. Determine whether there are adequate security controls around the telecommunications environment, including:
3. Discuss whether the telecommunications system has adequate resiliency and continuity preparedness, including:
Objective 9: Ensure the imaging systems have an adequate control environment.
1. Identify and review the institution's use of item processing and document imaging solutions and describe the imaging function.
2. Evaluate the adequacy of controls over the integrity of documents scanned through the system and electronic images transferred from imaging systems (accuracy and completeness, potential fraud issues).
3. Review and assess the controls for destruction of source documents (e.g., shredding) after being scanned through the imaging system.
4. Determine whether management is monitoring and enforcing compliance with regulations and other standards, including whether imaging processes have been reviewed by legal counsel.
5. Assess to what degree imaging has been included in the business continuity planning process, and whether the business units reliant upon imaging systems are involved in the BCP process.
6. Determine if there is segregation of duties where the imaging occurs.
Objective 10: Determine whether an effective event/problem management program exists.
1. Describe and assess the event/problem management program's ability to identify, analyze, and resolve issues and events, including:
2. Assess whether the program adequately addresses unusual or non-routine activities, such as:
3. Determine whether there is adequate help desk support for the business lines, including:
Objective 11: Ensure the item processing functions have an adequate control environment.
1. Assess the controls in place for processing of customer transactions, including:
Conclusions
Objective 12: Discuss corrective action and communicate findings.
1. Determine the need to proceed to Tier II procedures for additional review related to any of the Tier I objectives.
2. From the procedures performed, including any Tier II procedures performed:
3. Review your preliminary conclusions with the examiner in charge (EIC) regarding:
4. Discuss your findings with management and obtain proposed corrective action. Relay those findings and management's response to the EIC.
5. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC report of examination.
6. Develop an assessment of operations sufficient to contribute to the determination of the Support and Delivery component of the Uniform Rating System for Information Technology (URSIT) rating.
7. Organize your work papers to ensure clear support for significant findings and conclusions.