Featured Article

Two IT Examination Hot Spots

6/24/2010

Community banks are concerned with maintaining their compliance ratings in these challenging times. For most, information technology may be one of the last items on their agenda. Throughout the year, Information Security Officers and Compliance Officers pore over the FFIEC IT Booklets (http://tinyurl.com/mymde), hoping to gain some understanding of what bank examiners will be looking for in their next examination.

One of the first items that examiners are recommending is a verbose Patch Management Policy statement that addresses very specific circumstances. Examiners have been recommending that out-of-sequence or emergency computer patches be specifically outlined in the bank’s policy. We are not talking about critical system patches, but rather patches that, regardless of criticality, are to be installed immediately without the proper approval, or patches that fall outside the release window.

The second item is not technical in nature. Examiners are recommending that international wire procedures be specifically outlined in the Wire Transfer Policy. Often, banks assume that international wires are covered by the basic policy statement because the processing is very similar in nature to domestic wire transfers. If your bank uses a correspondent bank or does not perform international wires, examiners still want to see that this is an area of your operations that you are cognizant of. As a result, ensure that international wire transfers are specifically noted in Board-approved policies.

There are a number of different controls that a bank can test to determine if it is subject to these types of control issues. During your next IT exam, insist that these controls be included in the scope of the assessment.