FFIEC IT Examination Handbook, Operations Booklet, Appendix A: Examination Procedures, Tier I Objectives and Procedures
EXAMINATION OBJECTIVES: Assess the quality and effectiveness of
the institution's technology operations. These procedures will help
disclose the adequacy of risk management of, and controls around,
the institution's technology operations.
Examiners may choose to use only particular components of the
workprogram based upon the size, complexity, and nature of the
institution's business or upon a risk-focused examination plan.
The objectives and procedures are divided into Tier I and Tier
Tier I and Tier II are a tool set examiners will use when
selecting examination procedures for their particular examination.
Examiners should use these procedures as necessary to support
examination objectives. Examiners should coordinate this coverage
with other examiners to avoid duplication of effort while including
the operations-related issues found in other workprograms.
Objective 1: Determine scope and objectives for
reviewing the technology operations.
1. Review past reports for outstanding issues or previous problems.
2. Review management's response to issues raised during the
previous regulatory examination and during internal and external
audits performed since the last examination. Consider:
3. Interview management and review the operations information
request to identify:
Objective 2: Determine the quality of IT operations
oversight and support provided by the board of directors and senior
1. Describe the operational organization structure for technology
operations and assess its effectiveness in supporting the business
activities of the institution.
2. Review documentation that describes, or discuss with
management, the technology systems and operations (enterprise
architecture) in place to develop an understanding of how these
systems support the institution's business activities. Assess the
adequacy of the documentation or management's ability to
knowledgeably discuss how technology systems support business
3. Review operations management MIS reports. Discuss whether the
frequency of monitoring or reporting is continuous (for large,
complex facilities) or periodic. Assess whether the MIS adequately
Objective 3: Determine whether senior management and
the board periodically conduct a review to identify or validate
previously identified risks to IT operations, quantify the
probability and impact of the risks, establish adequate internal
controls, and evaluate processes for monitoring risks and the
1. Obtain documentation of or discuss with senior management the
probability of risk occurrence and the impact to IT operations.
Evaluate management's risk assessment process.
2. Obtain copies of, and discuss with senior management, the
reports used to monitor the institution's operations and control
environment. Assess the adequacy and timeliness of the content.
3. Determine whether management coordinates the IT operations
risk management process with other risk management processes such
as those for information security, business continuity planning,
and internal audit.
Objective 4: Obtain an understanding of the
1. Review and consider the adequacy of the environmental survey(s)
and inventory listing(s) or other descriptions of hardware and
software. Consider the following:
2. Review systems diagrams and topologies to obtain an
understanding of the physical location of and interrelationship
3. Obtain an understanding of the mainframe, network, and
telecommunications environment and how the information flows and
maps to the business process.
4. Review and assess policies, procedures, and standards as they
apply to the institution's computer operations environment and
Objective 5: Determine whether there are adequate
controls to manage the operations-related risks.
1. Determine whether management has implemented and effectively
utilizes operational control programs, processes, and tools such
2. Determine whether management has implemented appropriate
daily operational controls and processes including:
3. Determine whether management has implemented appropriate
human resource management. Assess whether:
Objective 6: Review data storage and back-up
methodologies, and off-site storage strategies.
1. Review the institution's enterprise-wide data storage
methodologies. Assess whether management has appropriately planned
its data storage process, and that suitable standards and
procedures are in place to guide the function.
2. Review the institution's data back-up strategies. Evaluate
whether management has appropriately planned its data back-up
process, and whether suitable standards and procedures are in place
to guide the function.
3. Review the institution's inventory of data and program files
(operating systems, purchased software, in-house developed
software) stored on and off-site. Determine if the inventory is
adequate and whether management has an appropriate process in place
for updating and maintaining this inventory.
4. Review and determine if management has appropriate back-up
procedures to ensure the timeliness of data and program file
back-ups. Evaluate the timeliness of off-site rotation of back-up
5. Identify the location of the off-site storage facility and
evaluate whether it is a suitable distance from the primary
processing site. Assess whether appropriate physical controls are
in place at the off-site facility.
6. Determine whether management performs periodic physical
inventories of off-site back-up material.
7. Determine whether the process for regularly testing data and
program back-up media is adequate to ensure the back-up media is
readable and that restorable copies have been produced.
Objective 7: Determine if adequate environmental
monitoring and controls exist.
1. Review the environmental controls and monitoring capabilities of
the technology operations as they apply to:
Objective 8: Ensure appropriate strategies and
controls exist for the telecommunication services.
1. Assess whether controls exist to address telecommunication
operations risk, including:
2. Determine whether there are adequate security controls around
the telecommunications environment, including:
3. Discuss whether the telecommunications system has adequate
resiliency and continuity preparedness, including:
Objective 9: Ensure the imaging systems have an
adequate control environment.
1. Identify and review the institution's use of item processing and
document imaging solutions and describe the imaging function.
2. Evaluate the adequacy of controls over the integrity of
documents scanned through the system and electronic images
transferred from imaging systems (accuracy and completeness,
potential fraud issues).
3. Review and assess the controls for destruction of source
documents (e.g., shredded) after being scanned through the imaging
4. Determine whether management is monitoring and enforcing
compliance with regulations and other standards, including if
imaging processes have been reviewed by legal counsel.
5. Assess to what degree imaging has been included in the business
continuity planning process, and if the business units reliant upon
imaging systems are involved in the BCP process.
6. Determine if there is segregation of duties where the imaging
Objective 10: Determine whether an effective
event/problem management program exists.
1. Describe and assess the event/problem management program's
ability to identify, analyze, and resolve issues and events,
2. Assess whether the program adequately addresses unusual or
non-routine activities, such as:
3. Determine whether there is adequate help desk support for the
business lines, including:
Objective 11: Ensure the items processing functions
have an adequate control environment.
1. Assess the controls in place for processing of customer
Objective 12: Discuss corrective action and communicate
1. Determine the need to proceed to Tier II procedures for
additional review related to any of the Tier I objectives.
2. From the procedures performed, including any Tier II procedures
3. Review your preliminary conclusions with the examiner in
charge (EIC) regarding:
4. Discuss your findings with management and obtain proposed
corrective action. Relay those findings and management's response
to the EIC.
5. Document your conclusions in a memo to the EIC that provides
report ready comments for all relevant sections of the FFIEC report
6. Develop an assessment of operations sufficient to contribute to
the determination of the Support and Delivery component of the
Uniform Rating System for Information Technology (URSIT).
7. Organize your work papers to ensure clear support for
significant findings and conclusions.