Management Booklet, Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Determine the quality and effectiveness
of the organization's management of information technology.
Examiners should use these procedures to measure the adequacy of
the institution's IT risk management process, including management
awareness and participation, risk assessment, policies and
procedures, reporting, ongoing monitoring, and follow-up.
This workprogram is intended to assist examiners in determining
the effectiveness of a financial institution's IT management
process. However, examiners may choose to use only particular
components of the workprogram based upon the size, complexity, and
nature of the institution's business.
Objective 1: Determine the appropriate scope and
objectives for the examination.
1. Review past reports for outstanding issues or previous problems.
2. Review management's response to issues raised at, or since,
the last examination. Consider:
3. Interview management and review the response to
pre-examination information requests to identify changes to the
technology infrastructure or new products and services that might
increase the institution's risk. Consider:
Objective 2: Determine whether the board of directors
and senior management appropriately consider IT in the corporate
governance process, including the process to enforce compliance with
IT policies, procedures, and controls.
1. Review the corporate and Information Technology (IT)
departmental organization charts to determine if:
2. Review biographical data of key personnel and the established
staff positions to determine the adequacy of:
3. Review and evaluate written job descriptions to ensure:
4. Identify key positions and determine whether:
5. Determine the effectiveness of management's communication and
monitoring of IT policy compliance across the organization.
6. Consult with the examiner reviewing audit or IT audit to
determine the adequacy of coverage and management's responsiveness
to identified weaknesses.
Objective 3: Determine the adequacy of the IT planning
and risk assessment.
1. Review the membership list of board, IT steering, or relevant
management committees established to review IT-related matters.
Determine if board, senior management, business lines, audit, and
IT personnel are represented appropriately and regular meetings are
2. Review the minutes of the board of directors and relevant
committee meetings for evidence of senior management support and
supervision of IT activities.
3. Determine if committees review, approve, and report to the
board of directors on:
4. Determine if the board of directors or senior management
gives adequate consideration to the following IT matters when
formulating the institution's overall business strategy:
5. Review the strategic plans for IT activities. Determine if
the goals and objectives are consistent with the institution's
overall business strategy. Document significant changes made since
the last examination or planned that affect the institution's
organizational structure, hardware/software configuration, and
overall data processing goals. Determine:
6. Review turnover rates in IT staff and discuss staffing and
retention issues with IT management. Identify root causes of any
staffing or expertise shortages, including compensation plans or
other retention practices.
7. If IT employees have duties in other departments, determine
8. Review the adequacy of insurance coverage (if applicable)
Objective 4: Evaluate management's establishment and
oversight of IT control processes, including business continuity
planning, information security, outsourcing, software development
and acquisition, and operations.
1. Review the board of directors and Management IT oversight
program. Determine if the Board:
2. Review the IT governance (i.e., steering committee) practices
established by management.
3. Review major acquisitions of hardware and software to determine
if they are within the limits approved by the board of
4. Review the IT management organizational structure to determine
if the Board established:
Objective 5: Determine whether Board of Directors
and management effectively report and monitor IT-related
1. Determine if management and the Board of Directors:
2. Review the risk assessment to determine whether the
institution has characterized its system properly and assessed
the risks to information assets. Consider whether the institution
3. Identify whether the institution effectively updates the risk
assessment before making system changes, implementing new products
or services, or confronting new external conditions.
4. Determine the effectiveness of the reports used by senior
management or relevant management committees to supervise and
monitor the following IT activities:
Objective 6: Determine the appropriateness of IT
policies, procedures, and controls based on the nature and
complexity of the institution's operations.
1. Determine if IT management has adequate standards and procedures
governing the following items through examination or by discussing
the issues with other examiners performing reviews in these
Objective 7: If the institution provides IT services
to other financial institutions, determine the quality of customer
service and support.
1. If the technology service provider (TSP) is not a bank, credit
union, thrift, or holding company, analyze the TSP's financial
condition and note any potential strengths and weaknesses.
2. Determine whether the service provider provides adequate
customer access to financial information. Consider:
3. Determine the adequacy of service provider audit reports in
terms of scope, independence, expertise, frequency, and corrective
actions taken on identified issues.
4. Determine the quality of customer service and support
provided to customer institutions by:
5. Determine the quality of management's follow-up and
resolution of customer concerns and problems through analysis of
the information above.
Objective 8: If management information systems (MIS) are included
in the scope of the review, complete the following procedures.
1. Review previous IT MIS review-related examination findings.
Review management's response to those findings and:
2. Review reports for any MIS target area (i.e., business line
selected for MIS review). Determine any material changes involving
the usefulness of information and the five MIS elements of:
Objective 9: Discuss corrective action and
1. Review preliminary conclusions with the examiner-in-charge (EIC) regarding:
2. Discuss findings with management and obtain proposed
corrective action for significant deficiencies.
3. Document conclusions in a memo to the EIC that provides
report-ready comments for all relevant sections of the Report of
Examination and guidance to future examiners.
4. Organize work papers to ensure clear support for significant
findings by examination objective.