Tier I Objectives and Procedures
Objective 1: Determine scope and objectives for reviewing the technology operations.
1. Review past reports for outstanding issues or previous problems. Consider:
- Regulatory reports of examination;
- Internal and external audit reports, including third-party reviews;
- Any available and applicable reports on entities providing services to the institution or shared application software reviews (SASR) on software it uses; and
- The institution's overall risk assessment and profile.
2. Review management's response to issues raised during the previous regulatory examination and during internal and external audits performed since the last examination. Consider:
- Adequacy and timing of corrective action;
- Resolution of root causes rather than just specific issues; and
- Existence of any outstanding issues.
3. Interview management and review the operations information request to identify:
- Any significant changes in business strategy or activities that could affect the operations environment;
- Any material changes in the audit program, scope, or schedule related to operations;
- Changes to internal operations infrastructure, architecture, information technology environment, and configurations or components;
- Key management changes;
- Changes in key service providers (core banking, transaction processing, website/Internet banking, voice and data communication, back-up/recovery, etc.) and software vendor listings; and
- Any other internal or external factors that could affect the operations environment.
Objective 2: Determine the quality of IT operations oversight and support provided by the board of directors and senior management.
1. Describe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the institution.
2. Review documentation that describes, or discuss with management, the technology systems and operations (enterprise architecture) in place to develop an understanding of how these systems support the institution's business activities. Assess the adequacy of the documentation or management's ability to knowledgeably discuss how technology systems support business activities.
3. Review operations management MIS reports. Discuss whether the frequency of monitoring or reporting is continuous (for large, complex facilities) or periodic. Assess whether the MIS adequately addresses:
- Response times and throughput;
- System availability and/or downtime;
- Number, percentage, type, and causes of job failures; and
- Average and peak system utilization, trends, and capacity.
Objective 3: Determine whether senior management and the board periodically conduct a review to identify or validate previously identified risks to IT operations, quantify the probability and impact of the risks, establish adequate internal controls, and evaluate processes for monitoring risks and the control environment.
1. Obtain documentation of or discuss with senior management the probability of risk occurrence and the impact to IT operations. Evaluate management's risk assessment process.
2. Obtain copies of, and discuss with senior management, the reports used to monitor the institution's operations and control environment. Assess the adequacy and timeliness of the content.
3. Determine whether management coordinates the IT operations risk management process with other risk management processes such as those for information security, business continuity planning, and internal audit.
Objective 4: Obtain an understanding of the operations environment.
1. Review and consider the adequacy of the environmental survey(s) and inventory listing(s) or other descriptions of hardware and software. Consider the following:
- Computer equipment - vendor and model number;
- Network components;
- Names, release dates, and version numbers of application(s), operating system(s), and utilities; and
- Application processing modes:
  - On-line/real time;
  - Batch; and
  - Memo post.
2. Review systems diagrams and topologies to obtain an understanding of the physical location of and interrelationship between:
- Network connections (internal and external);
- Modem connections; and
- Other connections with outside third parties.
3. Obtain an understanding of the mainframe, network, and telecommunications environment and how the information flows and maps to the business process.
4. Review and assess policies, procedures, and standards as they apply to the institution's computer operations environment and controls.
Objective 5: Determine whether there are adequate controls to manage the operations-related risks.
1. Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as:
- Performance management and capacity planning;
- User support processes;
- Project, change, and patch management;
- Conversion management;
- Standardization of hardware, software, and their configuration;
- Logical and physical security;
- Imaging system controls;
- Environmental monitoring and controls; and
- Event/problem management.
2. Determine whether management has implemented appropriate daily operational controls and processes including:
- Scheduling systems or activities for efficiency and completion;
- Monitoring tools to detect and preempt system problems or capacity issues;
- Daily processing issue resolution and appropriate escalation procedures;
- Secure handling of media and distribution of output; and
- Control self-assessments.
3. Determine whether management has implemented appropriate human resource management. Assess whether:
- The organizational structure is appropriate for the institution's business lines;
- Management conducts ongoing background checks for all employees in sensitive areas;
- Segregation and rotation of duties are sufficient;
- Management has policies and procedures to prevent excessive employee turnover; and
- There are appropriate policies and controls concerning termination of operations personnel.
Objective 6: Review data storage and back-up methodologies, and off-site storage strategies.
1. Review the institution's enterprise-wide data storage methodologies. Assess whether management has appropriately planned its data storage process, and that suitable standards and procedures are in place to guide the function.
2. Review the institution's data back-up strategies. Evaluate whether management has appropriately planned its data back-up process, and whether suitable standards and procedures are in place to guide the function.
3. Review the institution's inventory of data and program files (operating systems, purchased software, in-house developed software) stored on and off-site. Determine if the inventory is adequate and whether management has an appropriate process in place for updating and maintaining this inventory.
4. Review and determine if management has appropriate back-up procedures to ensure the timeliness of data and program file back-ups. Evaluate the timeliness of off-site rotation of back-up media.
5. Identify the location of the off-site storage facility and evaluate whether it is a suitable distance from the primary processing site. Assess whether appropriate physical controls are in place at the off-site facility.
6. Determine whether management performs periodic physical inventories of off-site back-up material.
7. Determine whether the process for regularly testing data and program back-up media is adequate to ensure the back-up media is readable and that restorable copies have been produced.
Objective 7: Determine if adequate environmental monitoring and controls exist.
1. Review the environmental controls and monitoring capabilities of the technology operations as they apply to:
- Electrical power;
- Telecommunication services;
- Heating, ventilation, and air conditioning;
- Water supply;
- Computer cabling;
- Smoke detection and fire suppression;
- Water leaks; and
- Preventive maintenance.
Objective 8: Ensure appropriate strategies and controls exist for the telecommunication services.
1. Assess whether controls exist to address telecommunication operations risk, including:
- Alignment of telecommunication architecture and process with the strategic plan;
- Monitoring of telecommunications operations such as downtime, throughput, usage, and capacity utilization; and
- Assurance of adequate availability, speed, and bandwidth/capacity.
2. Determine whether there are adequate security controls around the telecommunications environment, including:
- Controls that limit access to wiring closets, equipment, and cabling to authorized personnel;
- Secured telecommunications documentation;
- Appropriate telecommunication change control procedures; and
- Controlled access to internal systems through authentication.
3. Discuss whether the telecommunications system has adequate resiliency and continuity preparedness, including:
- Telecommunications system capacity;
- Telecommunications provider diversity;
- Telecommunications cabling route diversity, multiple paths and entry points; and
- Redundant telecommunications to diverse telephone company central offices.
Objective 9: Ensure the imaging systems have an adequate control environment.
1. Identify and review the institution's use of item processing and document imaging solutions and describe the imaging function.
- Describe or obtain the system data flow and topology.
- Evaluate the adequacy of imaging system controls including the following:
  - Physical security;
  - Data security;
  - Error handling;
  - Program change procedures;
  - System recoverability; and
  - Vital records retention.
2. Evaluate the adequacy of controls over the integrity of documents scanned through the system and electronic images transferred from imaging systems (accuracy and completeness, potential fraud issues).
3. Review and assess the controls for destruction of source documents (e.g., shredded) after being scanned through the imaging system.
4. Determine whether management is monitoring and enforcing compliance with regulations and other standards, including if imaging processes have been reviewed by legal counsel.
5. Assess to what degree imaging has been included in the business continuity planning process, and if the business units reliant upon imaging systems are involved in the BCP process.
6. Determine if there is segregation of duties where the imaging occurs.
Objective 10: Determine whether an effective event/problem management program exists.
1. Describe and assess the event/problem management program's ability to identify, analyze, and resolve issues and events, including:
- Escalation of operations disruption to declaration of a disaster; and
- Collaboration with the security and information security functions in the event of a security breach or other similar incident.
2. Assess whether the program adequately addresses unusual or non-routine activities, such as:
- Production program failures;
- Production reports that do not balance;
- Operational tasks performed by non-standard personnel;
- Deleted, changed, modified, overwritten, or otherwise compromised files identified on logs and reports;
- Database modifications or corruption; and
- Forensic training and awareness.
3. Determine whether there is adequate help desk support for the business lines, including:
- Effective issue identification;
- Timely problem resolution; and
- Implementation of effective preventive measures.
Objective 11: Ensure the item processing functions have an adequate control environment.
1. Assess the controls in place for processing of customer transactions, including:
- Transaction initiation and data entry;
- Microfilming, optical recording, or imaging;
- Proof operations;
- Batch processing;
- Check in-clearing;
- Review and reconcilement;
- Transaction controls; and
- Terminal entry.
Objective 12: Discuss corrective action and communicate findings.
1. Determine the need to proceed to Tier II procedures for additional review related to any of the Tier I objectives.
2. From the procedures performed, including any Tier II procedures performed:
- Document conclusions related to the effectiveness and controls in the operations environment; and
- Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the effectiveness of the operations controls.
3. Review your preliminary conclusions with the examiner in charge (EIC) regarding:
- Violations of law, rulings, regulations;
- Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and
- Noncompliance with supervisory guidance.
4. Discuss your findings with management and obtain proposed corrective action. Relay those findings and management's response to the EIC.
5. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC report of examination.
6. Develop an assessment of operations sufficient to contribute to the determination of the Support and Delivery component of the Uniform Rating System for Information Technology (URSIT) rating.
7. Organize your work papers to ensure clear support for significant findings and conclusions.
Appendix A: Examination Procedures
Tier II Objectives and Procedures