I.B.7 Other Functions
The IT function at a financial institution is influenced by several other functions, which should include the following:
- The human resources function should hire and maintain competent and motivated IT staff.
- The IT audit function should validate appropriate controls to mitigate IT risk.
- The compliance function should validate that systems and applications adhere to applicable laws and regulations.
I.B.7(a) Human Resources
Human resources (HR) supports the IT function's ability to hire and maintain a competent and motivated staff. IT management should integrate its management of HR with IT planning to ensure optimum development and availability of IT skills.
Components of an effective IT HR management process include compensation planning, performance reviews, knowledge transfer mechanisms (e.g., rotational assignments), training, and mentoring. The board should actively and effectively provide oversight of incentive compensation programs for IT management to ensure that the programs appropriately balance risk and reward and are compatible with effective controls and risk management.
An institution should have programs in place to ensure that staff members have the expertise necessary to perform their jobs and achieve company goals and objectives. The institution may need to look externally to find necessary expertise for specialized areas.
Management should develop training programs for new technology and products before their deployment in the institution. The institution may use its own certification program or encourage employees to obtain an external certification to ensure that the staff maintains the necessary expertise to support the business.
The board and senior management should consider appropriate succession and transition strategies for key managers and staff members. Some strategies include the use of employment contracts, professional development plans, and contingency plans for interim staffing of key management positions. Management should have backup staff for key positions and should cross-train additional personnel. The objective is to provide for a smooth transition in the event of turnover in vital IT management or IT operations.
I.B.7(b) IT Audit
The audit department should send IT audit reports to appropriate management and directly to the board of directors or a designated board committee. The board of directors is responsible for overseeing the IT auditors' performance and compensation, including whether the IT auditors have the necessary expertise and the audit coverage is adequate, timely, and independent. Depending on the institution's size and complexity, the board of directors may completely outsource the IT audit function. In those cases, the outsourced auditor should be engaged by the board or audit committee.
IT auditors should validate that IT controls are designed appropriately to mitigate risk and are operating as management intended. IT audit should be completely independent, should have no role in designing or implementing controls, and should not have primary responsibility for enforcing policy. Management should have processes in place to monitor and enforce policy compliance. IT audit should verify that those processes function effectively and report the results to the board.
Senior management should ensure cooperation between business unit management and IT audit. Management should also ensure timely and accurate response to audit concerns and exceptions and ensure appropriate and timely corrective action.
Refer to the IT Handbook's "Audit" booklet for more information.
Senior management should ensure that compliance staff reviews new products, systems, applications, or changes to ensure compliance with applicable laws and regulations. New implementations or changes can cause noncompliance through, for example, inaccurate interest rate calculations, inadequate or inaccurate disclosures, weak security controls over the creation, storage, or transmission of customer information, or poor customer verification procedures.
I.B.6 Planning IT Operations and Investment
II Risk Management