BOL Conferences
#1956402 - 08/22/14 10:02 PM Vendor Management Audit Program/checklist
Chocaholic Offline
Gold Star
Joined: Aug 2005
Posts: 443
Northwest
Hi,

I realize the FFIEC has a good process for technology-related vendors but was looking for a checklist or program to test other high risk or significant vendors. Does anyone have one they would be willing to share or one they would recommend?

2ndly
At our last technology exam we were criticized because we did not include our outsourced Internal Audit firm as a critical vendor. Our thought process was although they do have access to consumer information ... it is only what we provide; they do not actually have access to our system; and while it would be inconvenient there are others we could contract if this one could not provide the service. Our feeling is significant vendor at best. What do others do? If it matters we are under $250 in asset size.

Appreciate any help on both items!

#1960220 - 09/08/14 09:29 PM Vendor Management Audit Program Chocaholic
CNBAudit Offline
New Poster
Joined: Nov 2013
Posts: 7
We are currently going through our OCC examination and they have suggested that we perform an Internal Audit on our Vendor Management Program. I have been looking for an example of this type of audit and have had no luck. Does anyone have an example audit they would be willing to share with me, or do you know somewhere I might be able to find one? Thanks.

#1963866 - 09/23/14 02:08 PM Re: Vendor Management Audit Program Chocaholic
Mike Honcho Offline
New Poster
Joined: Apr 2010
Posts: 17
Wisconsin
You could take a look at the FDIC Compliance Manual - https://www.fdic.gov/regulations/compliance/manual/pdf/VII-5.1.pdf. I always use these when I need to build an audit program.

#1964559 - 09/25/14 02:17 PM Re: Vendor Management Audit Program/checklist Chocaholic
RR Jen Offline
Power Poster
Joined: May 2003
Posts: 3,760
Running and riding everywhere ...
Originally Posted By: Chocaholic

2ndly
At our last technology exam we were criticized because we did not include our outsourced Internal Audit firm as a critical vendor. Our thought process was although they do have access to consumer information ... it is only what we provide; they do not actually have access to our system; and while it would be inconvenient there are others we could contract if this one could not provide the service. Our feeling is significant vendor at best. What do others do? If it matters we are under $250 in asset size.



Neither my internal nor external audit provider is a "critical" vendor. We are OCC, $455 million in assets.

My logic for excluding them includes:
* The bank can easily function without them tomorrow should they have a disaster and take a week to be back up and running. External audit is two visits a year, internal is 6, they can be rearranged. If they go out of business, there are half a dozen other firms in town I can have in place in no time.
* The confidential information we share with them is only done through secure portals and monitored while on site.

The OCC has not questioned this logic/argument...yet. Hope that helps.
_________________________
I don't need any more negativity in my life...be positive and helpful people or I will kick you in the shins!!!

#1964891 - 09/26/14 12:03 AM Re: Vendor Management Audit Program/checklist Chocaholic
califgirl Offline
Diamond Poster
Joined: Mar 2002
Posts: 2,355
The O.C., California
I agree with Jen on this as far as being able to replace these vendors easily. We are also OCC regulated and close to the same size. However, we did add this year a look at the security on these vendors' portals. I would recommend asking for their internal security procedures, as well as an SSAE16, if available, to document your due diligence.
_________________________
I can explain it to you. I can't understand it for you.

#1964990 - 09/26/14 02:45 PM Re: Vendor Management Audit Program/checklist Chocaholic
Beachbum, CRCM Offline
Gold Star
Joined: Dec 2006
Posts: 499
Knee Deep in Regs
FRB regulated, $350 million asset size - Even though the examination concluded our outsourced Internal Audit firm was satisfactory, we too were criticized for not including them in our vendor management audit. Management has decided to add them going forward.
_________________________
What we think, we become.
Buddha

#1965068 - 09/26/14 04:43 PM Re: Vendor Management Audit Program/checklist Chocaholic
RR Jen Offline
Power Poster
Joined: May 2003
Posts: 3,760
Running and riding everywhere ...
I will never cease to be amazed at the different perspectives each regulatory body has on the same guidance.
_________________________
I don't need any more negativity in my life...be positive and helpful people or I will kick you in the shins!!!


Moderator:  Andy_Z