The Garland Group follows the guidelines set forth by the FFIEC. Below are brief descriptions of each of the twelve FFIEC IT Examination Handbook booklets The Garland Group will cover in your Information Technology Audit, with some insight into what each booklet addresses and what we will do to assess your financial institution's compliance. An example of our controls review worksheet is available for download.
Audit
The FFIEC Audit Booklet provides direction on the proper implementation and function of a financial institution's IT audit program. In addition to defining the roles of IT auditors, the booklet describes the responsibilities of management and the Board of Directors.
The Garland Group will take into account these guidelines as well as the institution's size, complexity, and overall risk profile when performing this and other evaluations. When evaluating the IT audit function, we will consider whether the audit program is designed to:
- Identify the areas of greatest IT risk exposure to the institution in order to focus audit resources
- Promote the confidentiality, integrity, and availability of information systems
- Determine the effectiveness of management's planning and oversight of IT activities
- Evaluate the adequacy of operating processes and internal controls
- Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures
- Require appropriate corrective action to address deficient internal controls, and follow up to ensure management promptly and effectively implements the required actions
We will also consider the following attributes of the audit function:
- Independence of the audit function and its reporting relationship to the Board of Directors or its audit committee
- Expertise and size of the audit staff relative to the IT environment
- Identification of the IT audit universe, risk assessment, scope, and frequency of IT audits
- Processes in place to ensure timely tracking and resolution of reported weaknesses
- Documentation of IT audits, including work papers, audit reports, and follow-up
Business Continuity Planning
Effective business continuity planning establishes the basis for financial institutions to maintain and recover business processes when operations have been disrupted unexpectedly. Reviewing a financial institution’s BCP is an established part of examinations performed by the FFIEC member agencies. However, new business practices, changes in technology, and increased terrorism concerns, have focused even greater attention on the need for effective business continuity planning and have altered the benchmarks of an effective plan. In most cases, recovery time objectives are now much shorter than they were even a few years ago, and for some institutions recovery time objectives are based on hours and even minutes.
Many financial institutions are incorporating business continuity considerations into business process development in order to proactively mitigate the risk of service disruptions. In creating an effective BCP, financial institutions should not assume a reduced demand for services during the disruption. In fact, demand for some services (e.g., ATMs) may increase.
Development and Acquisition
Development and Acquisition is defined as “an organization’s ability to identify, acquire, install, and maintain appropriate information technology systems.” The process includes the internal development of software applications or systems and the purchase of hardware, software, or services from third parties.
The objectives of reviewing development, acquisition, and maintenance activities are to identify weaknesses or risks that could negatively impact an organization; to identify entities whose condition or performance requires special supervisory attention; and to subsequently recommend corrective action. The Garland Group will conduct risk-focused reviews that assess the overall effectiveness of an organization’s project management standards, procedures, and controls.
E-Banking
The E-Banking guidelines help identify the risks associated with electronic banking (e-banking) activities. The review primarily covers e-banking risks from the perspective of the services and products provided to customers.
The Garland Group will use the examination procedures and document request letter items to review the risks in the electronic delivery of financial products and services. These procedures address services and products of varied complexity and may be used independently or in combination with procedures from other IT Handbook booklets or from agency handbooks covering non-IT areas.
FedLine – FED Advantage
The FedLine – FED Advantage guidelines address the risks, risk management practices, and mitigating controls necessary to establish and maintain an appropriate operating environment for the FedLine – FED Advantage Funds Transfer (FT) application. The Garland Group will review the settings and controls of this and any other third-party funds transfer software.
FedLine is the Federal Reserve Bank's proprietary electronic delivery channel for financial institution access to Federal Reserve financial services, and includes DOS-based FedLine and FedLine for the Web. The guidance primarily targets operational (transaction) risks related to funds transfers. Management, however, should also understand the indirect impact this funds transfer system can have on other risk areas within the institution.
Information Security
Information is one of a financial institution's most important assets, and protecting it is necessary to establish and maintain trust between the financial institution and its customers. Information security is the process by which an organization protects and secures the systems, media, and facilities that process and maintain information vital to its operations. Security programs must have strong board and senior management support, integration of security responsibilities and controls throughout the organization's business processes, and clear accountability for carrying out security responsibilities. The Garland Group will provide guidance to examiners and organizations on determining the level of security risk to the organization and evaluating the adequacy of the organization's risk management.
Management
The Garland Group will use the Management guidelines and examination procedures to evaluate a financial institution's risk management processes and to ensure effective information technology (IT) management. Effective IT management in financial institutions maximizes the benefits from technology and supports enterprise-wide goals and objectives. The IT department typically leads back-office operations, network administration, and systems development and acquisition efforts. IT management also provides expertise in choosing and operating technology solutions for an institution's lines of business, such as commercial credit and asset management, or for enterprise-wide activities such as security and business continuity planning. This dual role and the increasing use of technology raise the importance of IT management in effective corporate governance.
Management of IT in financial institutions is critical to the performance and success of an institution. Sound management of technology involves more than containing costs and controlling operational risks. An institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall corporate governance efforts.
Operations
The Operations guidelines address IT operations in the context of tactical management and the daily delivery of technology to capture, transmit, process, and store the institution's information assets and support its business processes.
The examination procedures contained in this booklet assist The Garland Group in evaluating an institution's controls and risk management processes relative to the risks of the technology systems and operations that reside in, or are connected to, the institution. The guidance covers the risks and expected controls in IT operations and across the institution. It also emphasizes that the risks involve more than technology and that the controls include sound processes and well-trained people.
Outsourcing Technology Services
The Garland Group will use the Outsourcing Technology Services guidance and examination procedures, which assist examiners and bankers in evaluating a financial institution's risk management processes for establishing, managing, and monitoring IT outsourcing relationships.
Financial institutions can outsource many areas of operations, including all or part of any service, process, or system operation. Examples of information technology (IT) operations frequently outsourced by institutions and addressed in this booklet include: the origination, processing, and settlement of payments and financial transactions; information processing related to customer account creation and maintenance; as well as other information and transaction processing activities that support critical banking functions, such as loan processing, deposit processing, fiduciary and trading activities; security monitoring and testing; system development and maintenance; network operations; help desk operations; and call centers. The booklet addresses an institution’s responsibility to manage the risks associated with these outsourced IT services.
Retail Payment Systems
The Retail Payment Systems procedures provide guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling information technology (IT)-related risks associated with retail payment systems and related banking activities.
The Garland Group will use these examination procedures to evaluate the risks and risk management practices at financial institutions offering retail payment system products and services. The procedures address services and products of varied complexity, and The Garland Group will adjust them, as appropriate, for the scope of the examination and the risk profile of the institution.
Technology Service Providers
The Technology Service Providers procedures primarily govern the supervision of technology service providers (TSPs) and briefly summarize the Federal Financial Institutions Examination Council (FFIEC) member agencies' (the agencies') expectations of financial institutions in the oversight and management of their TSP relationships.
The Garland Group will apply the agencies' risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers when reviewing your institution's TSP relationships.
Wholesale Payment Systems
The Wholesale Payment Systems section provides guidance to examiners and financial institution management regarding the risks and risk management practices involved in originating and transmitting large-value payments. In addition to describing the information technology risks and controls, the procedures also describe certain credit and liquidity risks that may be present when conducting wholesale payment services.
The Garland Group will use these examination procedures to review the risks in wholesale payment systems. The procedures address services and products of varied complexity, and The Garland Group will adjust them for the scope of the examination and the size and risk profile of the institution.
Our report will summarize the scope of our work and include our findings and recommendations concerning the above procedures and results of our assessment of MIS general controls. We will recommend specific changes for your consideration in order to strengthen any controls, as believed necessary considering the associated cost and benefit relationships to the extent practical. If desired by your management, we will also be available to provide additional consulting services to address any finding or recommendations noted.
The procedures that we will perform are solely to assist you in the review of selected internal control considerations and completion of certain audit procedures related to your specific internal audit objectives. Ultimately, as is currently the case, the Board of Directors will be responsible for the scope of internal audit procedures and the resolution of any audit findings.
Our engagement will not include an examination of all aspects of your system of internal controls or testing of all areas of its operations, and therefore we will not express an opinion on your system of internal controls. Our engagement will not enable us to address legal or regulatory matters or abuses of management discretion, including fraud or defalcations; such matters should be properly discussed by you with legal counsel. Our procedures will not include a detailed examination of all transactions and cannot be relied on to disclose all errors or irregularities that may exist. Additionally, our engagement is not for the purpose of discovering security flaws within your MIS application software or networking software. However, we will inform your designated management or Board representative of any such material matters that come to our attention. Because these procedures will not constitute an audit made in accordance with generally accepted auditing standards, they will not result in an opinion on any of the items specified in the above audit scope, on the financial statements of the Bank taken as a whole, or on the Bank's system of internal control.
Our report will be furnished solely for the information and use of the Board of Directors, the Audit Committee, management and the Bank’s regulatory agencies. Our procedures will not be planned or conducted in contemplation of reliance by any other party or with respect to any specific transaction. Therefore, items of possible interest to an unidentified party may not be specifically addressed or matters may exist that could be assessed differently by such party.
In the event we are requested or authorized by the Bank or are required by government regulation, subpoena, or other legal process to produce our documents or our personnel as witnesses with respect to our engagements for the Bank, the Bank will, so long as we are not a party to the proceeding in which the information is sought, reimburse us for our professional time and expenses, as well as the fees and expenses of our counsel, incurred in responding to such requests.