The "Development and Acquisition Booklet" is one in a series of booklets updating the 1996 Federal Financial Institutions Examination Council (FFIEC) Information Systems Handbook (FFIEC IS Handbook). The booklet, which rescinds Chapter 12 of the 1996 FFIEC IS Handbook, provides examiners and financial institutions guidance for identifying and controlling development and acquisition risks. This booklet uses the terms "organization" and "financial institution" to describe insured banks, thrifts, and credit unions, as well as the service providers that furnish technology-related services to such entities.
Development and acquisition is defined as "an organization's ability to identify, acquire, install, and maintain appropriate information technology systems." (Federal Financial Institutions Examination Council's Uniform Rating System for Information Technology.) The process includes the internal development of software applications or systems and the purchase of hardware, software, or services from third parties. The acquisition activities discussed in this booklet center on the acquisition of software products. Refer to the IT Handbook's "Outsourcing Technology Services Booklet" for guidance relating to the acquisition of third-party services and outsourced software development projects.
The development, acquisition, and maintenance process includes numerous risks. Effective project management influences operational risks (also referred to as transactional risks). These risks include the possibility of loss resulting from inadequate processes, personnel, or systems. Losses can result from errors; fraud; or an inability to deliver products or services, maintain a competitive position, or manage information. Refer to the FFIEC Information Technology Examination Handbook's (IT Handbook's) "Management Booklet" for additional information.
The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks. Action summaries highlight the primary considerations within each section. Examiners should use the summaries to identify primary issues within each section, but should be aware the summaries are not substitutes for reading the entire document.