Operations Booklet, Appendix A: Examination Procedures, Tier II Objectives and Procedures
The Tier II examination procedures for operations provide additional verification procedures to evaluate the effectiveness of a financial institution's technology operations. They also enable the examiner to identify potential root causes of weaknesses. These procedures may be used in their entirety or selectively, depending upon the scope of the examination and the need for additional verification. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the operations-related issues found in other workprograms. The procedures provided below are not requirements for control implementation. The selection of controls and control implementation should be guided by the risks facing the institution's operations environment and the size and complexity of the technology operations. Thus, the controls necessary for any single institution or any area of an institution may differ based on size and complexity of operations.
A. Operating Environment
1. Review the process in place to ensure the system inventories remain accurate and reflect the complete enterprise, including:
B. Controls Policies, Procedures and Practices
1. Determine if supervisory personnel review the console log and retain it in safe storage for a reasonable amount of time to provide for an audit trail.
C. Storage/Back-Up
1. Determine if management has processes to monitor and control data storage.
2. If the institution has implemented advanced data storage solutions, such as storage area network (SAN) or network-attached storage (NAS):
3. If a tape management system is in use, verify that only appropriate personnel are able to override its controls.
4. Determine if management has adequate off-site storage of:
D. Environmental Monitoring and Control
1. Assess whether the identified environmental controls and monitoring capabilities can detect and prevent disruptions to the operations environment and determine whether:
E. Physical Security
1. Review and determine whether the identified physical security measures are sufficient to reasonably protect the operations center's human, physical, and information assets. Consider whether:
F. Event/Problem Management
1. Determine whether there is adequate documentation to support a sound event/problem management program, including:
2. Determine whether there is adequate documentation to support a sound event/problem management program, including:
3. Determine whether emergency procedures are posted throughout the institution.
4. Assess whether employees are familiar with their duties and responsibilities in an emergency situation and whether an adequate employee training program has been implemented.
5. Determine if the institution periodically conducts drills to test emergency procedures.
G. Help Desk/User Support Processes
1. Evaluate whether MIS is appropriate for the size and complexity of the institution.
2. Determine if the technology used to manage help desk operations is commensurate with the size and complexity of the operations. Consider:
3. Determine whether user authentication practices are commensurate with the level of risk and whether the types of authentication controls used by the help desk are commensurate with activities performed.
4. Determine whether the quality of MIS used to manage help desk operations is commensurate with the size and complexity of the institution. Consider the need for metrics to monitor issue volume trends, compliance with SLA requirements, employee attrition rates, and user satisfaction rates.
5. Determine whether the institution uses risk-based factors to prioritize issues. Identify how the institution assigns severity ratings and prioritizations to issues received by the call center.
6. Assess management's effectiveness in using help desk information to improve overall operations performance.
H. Items Processing
1. Determine if there are adequate controls around transaction initiation and data entry, including:
2. Determine if the controls around in-clearings are adequate, including:
3. Determine if there are adequate controls for exception processing, including:
4. Determine the adequacy of controls for statement processing, including:
I. Imaging Systems
1. Review and evaluate the imaging system. Determine:
2. Review and evaluate back-up and recovery procedures.
3. Review and evaluate the procedures used to recover bad images. Does the institution re-scan all images or re-scan only the defective images?
4. Review and evaluate the process and controls over document indexing. Does the system index documents after each one is scanned or after all documents are scanned?
5. Review and evaluate whether imaging hardware and software are interchangeable with that of other vendors. If they are, does management utilize normal processes or procedures when making changes or repairs? If they are not, has management identified alternate solutions should the current imaging hardware and software become unavailable?
6. Review and evaluate the access security controls, with particular attention to the following: