Kansas
Quarterly Interest
The Newsletter of the Office of the State Bank Commissioner
Winter 2007 Issue


Technology Matters
Common Deficiencies Noted in IT Examinations
By: Glen Caspers, Regional Manager - Technology Division

Federal and State regulations target the security of information assets; therefore, Information Technology (IT) examinations and audits focus on the confidentiality, integrity, and availability of those assets. While every examination is different and procedures may vary slightly depending on the agency, examiner, and institution, a common set of recommendations appears repeatedly in IT Reports of Examination. The intent of this article is to identify the most common deficiencies uncovered during a typical IT regulatory examination.

This information resulted from a random sample of state and federal IT examination reports for state banks in Kansas in 2006. The results represent a very unscientific survey; however, they do a good job of highlighting the most common IT issues. The ranking is based on the number of instances the recommendation and/or criticism appeared in the sample. Have your auditor and management team also identified and addressed these deficiencies at your institution?

1. The most common Report topic is IT audit. Exceptions ranged from very minor to extreme. On the extreme side, several banks did not have any IT audit procedures in place. Some of the less extreme recommendations involved (a) scope - several key areas were not being included in the audit's scope; (b) frequency - audits should generally be done on an annual basis; (c) independence - the person conducting the review also had some control in that area; and (d) follow up - audit exceptions were not being addressed or the Board was not being kept up-to-date on correction efforts.

2. The next most common topic relates to the risk assessment. Recommendations regarding the risk assessment process included: no ranking system of the identified risks; the need to expand the assessment to cover more areas and functions; and the lack of a regular review (the risk assessment is a living document and must change as the bank changes).

3. IT policies are another common issue. A variety of operating policies needed expanded detail to address key technology topics and procedures. Many times, actual procedures were adequate; however, the procedures needed to be formalized and added to bank policy. A common example of this is the need to document how vendor vulnerability patches and updates are applied (i.e., patch management).

4. Board reporting and involvement is addressed regularly in IT reports. At least annually, the Board of Directors needs to be informed of the status of the bank's information security program. Also, the Board needs to be involved in technology issues and audit results, and approve IT policies. Sufficient detail to demonstrate this involvement is sometimes lacking in the Board meeting minutes.

5. Another common topic relates to Disaster Recovery/Business Continuity. Some common deficiencies in this area include the lack of a detailed plan; the failure to test various recovery and continuity plan elements; the addition of new bank services or functions without expanding the plan; and issues with remote storage of data tapes and supplies.

6. Lastly, Report comments regularly address the Incident Response Plan. This is basically a plan for outlining what actions should be taken in case a security breach occurs or is suspected. In numerous banks, the plan was either lacking or in need of expansion.

While there are many other IT recommendations and issues that appear in Reports on a periodic basis, these topics appear to be the hot buttons at the current time. I hope this information will give you a starting place as you prepare for your next IT examination.
