FFIEC Requirements: Credit Union Technology Audit

Mini-Series Part 2 – FFIEC Requirements – I.T. Handbook – Audit

Often overlooked and always misunderstood (oh wait… wasn’t that a song?), Information Technology auditing can make even the most hardened CIOs take defensive stands in a misguided attempt to protect the team and their operations. The fact is, IT folks are used to being “trusted” resources and can even be offended when called upon to demonstrate the integrity of their work. This is misguided! The reality is that a good audit program reinforces the trust of your team’s actions with the C-level team and also protects them from any perception of wrongdoing. A good CIO will partner with the auditing staff in ways that not only ensure compliance but “poke holes” and develop stronger policies and procedures to protect Credit Union assets. Short of inviting your internal auditing staff to scrub your efforts, what can you do to become more knowledgeable about the expected auditing controls? That’s where the FFIEC IT Handbook – Auditing section comes in.

Since this is our first series, let’s break this section down to ensure you understand how to navigate and use the handbook itself. (If you are already familiar with the handbooks and know how to use them, skip this section and head down to the OGO Intel below.) In each handbook you’ll find:

  • Description – The handbook provides a simple definition of what that section will cover.
  • Downloads – This is where we start getting the power tools!
    • Downloadable version of this section’s handbook (great for when internet access is limited or unavailable)
    • Work program (both in Word and other word processing formats) – If you’ve ever wanted a “cheat sheet” for an IT audit, this is as close as you are going to get. These work programs are very similar to the NCUA AIRES IT Checklist (EC files). Download these and do an in-depth review of the work program vs. your own initiatives! This should leave you with no surprises come audit time.
  • Chapters – Provides detailed sections associated with the topic (auditing) as well as applicable appendices when necessary.

OGO INTEL (Our experts weigh in):

  • The validity of your IT auditing program has been placed front and center when it comes to passing exams lately. It is not enough to simply have written procedures and policies. Credit unions must be able to demonstrate that the program is being monitored and managed at all levels AND with the appropriate expertise! Are you simply relying on the IT staff to provide answers to the audit questionnaires? Does your internal audit staff have the requisite expertise to evaluate the responses? Why risk non-compliance or worse, a breach, when experts exist to provide assistance in this area?
  • It’s not fun but it is worth the effort to review the workbook section. Gaining familiarity with examination type questions helps to ensure you and the audit staff are speaking the same language.
  • If you didn’t know it by now, all things compliance are based on risk assessments that evaluate the likelihood and potential impact of threats. Your IT Audit program must be risk based and avoid subjectivity. Easier said than done, right? The mistake many Credit Unions make is jumping straight to the identification of risks/threats (power outages, weather, data breach, etc.). And while these are important, if you don’t know what you are protecting FIRST, it’s virtually impossible to have confidence in your threat assessment. Lay a good foundation by first identifying the items to be protected, such as: data (including where member-sensitive data is stored, electronically or otherwise), applications and operating systems, infrastructure (including servers, firewalls, desktops, laptops, and smartphones), physical locations/facilities, and personnel.
  • Lastly, don’t make the mistake of thinking you are done once you’ve assigned risk values to your critical systems. A system alone can’t make or break your Credit Union, but the process (or business function) supported by that system may if it has been determined critical. Perform a business impact analysis (BIA) to identify all business functions and identify those which pose the greatest risk to the Credit Union should they be disrupted. More to come on this in Part 3 of our FFIEC IT Handbook Series.

Is your IT Audit Program meeting all the requirements as outlined by the FFIEC? Curious about how to find and learn about general FFIEC guidelines? If you have questions or feedback for us, please fill out the quick form below and a member of the OGO team will be in touch shortly!
