It’s Monday and you open your email to see that your Credit Union’s annual NCUA IT Exam is scheduled for some time in the first quarter. You don’t have the dates yet, but almost certainly you start to dig through the mounds of compliance-related information you’ve compiled to start preparing. Maybe you send out emails to your peers or hit the tech boards/blogs to see if you can get a “heads up” on any key topics that NCUA may be focused on this year. And where is that report from the last exam?
Prepping for an NCUA IT Exam can be quite stressful – but it doesn’t have to be. You see, you can have access to the set of questions the examiner will be reviewing LONG before the audit date. NCUA Examiners use the Automated Integrated Regulatory Examination System (AIRES) to complete examinations covering the whole spectrum of Credit Union operations. The AIRES IT Questionnaire is specific to information technology, audit, and member services. It is literally your cheat sheet to passing an NCUA exam.
The AIRES IT exam covers questions regarding the strategic oversight and operational controls for:
- Member Information Security (Part 748)
- Anti-Virus & Malware
- Audit Program
- Business Continuity
- Electronic Banking
- Policy Checklist
And even goes into more detailed questions related to a Tier 2 Review on:
- Pen Test Review
- Physical & Environmental
- Remote Access
- Wireless Networks
To someone like me who likes to prepare as far ahead of time as possible for an audit, this checklist is like GOLD. Don’t get me wrong though – just because you have a checklist doesn’t mean that preparation won’t still take a lot of time. Gathering the data required to pass the exam will require pulling reports, logs, network diagrams, vendor contracts, etc. To do it right could take your team’s full-time focus for weeks before the exam.
Steps to take now:
- Download the AIRES IT Questionnaire and start becoming familiar with it.
- Having the questions creates an opportunity to poke holes in your current strategies. The AIRES file is broken down into sections (shown above) and could easily be used to hold technical and strategic discussions with your team.
- Understand that NCUA requires “evidence” that your Credit Union is following the guidelines and regulations that are related to IT. So when a question says something like “Are logs monitored to identify potential threats?” – understand that just checking “YES” is not good enough. You need to be able to demonstrate the who, what, why and when of each question that is asked.
- Identify what you can “prove” and what you can’t. Look for solutions to close the gaps.
At Ongoing Operations, our clients have shared that the compliance load is threatening their ability to innovate. If Credit Union IT leaders cannot find time to innovate, their Credit Unions risk failure by being unable to meet member demand and competition from other financial institutions. Our new CU Control portal was designed to lift some of that compliance burden (as much as 50%) and get you back to innovating.