Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization's management of information technology. Examiners should use these procedures to measure the adequacy of the institution's IT risk management process, including management awareness and participation, risk assessment, policies and procedures, reporting, ongoing monitoring, and follow-up.
This workprogram is intended to assist examiners in determining the effectiveness of a financial institution's IT management process. However, examiners may choose to use only particular components of the workprogram based upon the size, complexity, and nature of the institution's business.
Objective 1: Determine the appropriate scope and objectives for the examination.
1. Review past reports for outstanding issues or previous problems. Consider:
2. Review management's response to issues raised at, or since, the last examination. Consider:
3. Interview management and review the response to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institution's risk. Consider:
Objective 2: Determine whether the board of directors and senior management appropriately consider IT in the corporate governance process, including the process to enforce compliance with IT policies, procedures, and controls.
1. Review the corporate and Information Technology (IT) departmental organization charts to determine if:
2. Review biographical data of key personnel and the established staff positions to determine the adequacy of:
3. Review and evaluate written job descriptions to ensure:
4. Identify key positions and determine whether:
5. Determine the effectiveness of management's communication and monitoring of IT policy compliance across the organization.
6. Consult with the examiner reviewing audit or IT audit to determine the adequacy of coverage and management's responsiveness to identified weaknesses.
Objective 3: Determine the adequacy of the IT planning and risk assessment.
1. Review the membership list of board, IT steering, or relevant management committees established to review IT-related matters. Determine if board, senior management, business lines, audit, and IT personnel are represented appropriately and regular meetings are held.
2. Review the minutes of the board of directors and relevant committee meetings for evidence of senior management support and supervision of IT activities.
3. Determine if committees review, approve, and report to the board of directors on:
4. Determine if the board of directors or senior management gives adequate consideration to the following IT matters when formulating the institution's overall business strategy:
5. Review the strategic plans for IT activities. Determine if the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the last examination or planned that affect the institution's organizational structure, hardware/software configuration, and overall data processing goals. Determine:
6. Review turnover rates in IT staff and discuss staffing and retention issues with IT management. Identify root causes of any staffing or expertise shortages, including compensation plans or other retention practices.
7. If IT employees have duties in other departments, determine if:
8. Review the adequacy of insurance coverage (if applicable) for:
Objective 4: Evaluate management's establishment and oversight of IT control processes, including business continuity planning, information security, outsourcing, software development and acquisition, and operations.
1. Review the board of directors and management IT oversight program. Determine if the Board:
2. Review the IT governance (i.e., steering committee) practices established by management.
3. Review major acquisitions of hardware and software to determine if they are within the limits approved by the board of directors.
4. Review the IT management organizational structure to determine if the Board established:
Objective 5: Determine whether Board of Directors and management effectively report and monitor IT-related risks.
1. Determine if management and the Board of Directors:
2. Review the risk assessment to determine whether the institution has characterized its systems properly and assessed the risks to information assets. Consider whether the institution has:
3. Identify whether the institution effectively updates the risk assessment before making system changes, implementing new products or services, or confronting new external conditions.
4. Determine the effectiveness of the reports used by senior management or relevant management committees to supervise and monitor the following IT activities:
Objective 6: Determine the appropriateness of IT policies, procedures, and controls based on the nature and complexity of the institution's operations.
1. Determine if IT management has adequate standards and procedures governing the following items, through examination or by discussing the issues with other examiners performing reviews in these areas:
Objective 7: If the institution provides IT services to other financial institutions, determine the quality of customer service and support.
1. If the TSP is not a bank, credit union, thrift, or holding company, analyze the TSP's financial condition and note any potential strengths and weaknesses.
2. Determine whether the service provider provides adequate customer access to financial information. Consider:
3. Determine the adequacy of service provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues.
4. Determine the quality of customer service and support provided to customer institutions by:
5. Determine the quality of management's follow-up and resolution of customer concerns and problems through analysis of the information above.
Objective 8: If MIS is included in the scope of the review, complete the following procedures.
1. Review previous IT MIS review-related examination findings. Review management's response to those findings and:
2. Review reports for any MIS target area (i.e., business line selected for MIS review). Determine any material changes involving the usefulness of information and the five MIS elements of:
Objective 9: Discuss corrective action and communicate findings.
1. Review preliminary conclusions with the EIC regarding:
2. Discuss findings with management and obtain proposed corrective action for significant deficiencies.
3. Document conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the Report of Examination and guidance to future examiners.
4. Organize work papers to ensure clear support for significant findings by examination objective.