#1664247 - 02/13/12 06:47 PM
Re: Auditing ID Theft Prevention Program???
Polo
Platinum Poster
Joined: Oct 2006
Posts: 995
Looking for my sanity
If someone can point to it, I'd appreciate it too. There is nowhere that I could find that says that. I had this same argument with an examiner in the past. She (FDIC examiner) tried to prove her point, but she couldn't find the requirement anywhere either. It was comical though because she'd say, "Well, it's in the Federal Register," and then I'd say, "Well, I couldn't find it there, can you show me?" So she'd try and then say, "Oh, it's in the FDIC IT theft exam procedures," so I'd say, "Oh, I couldn't find it there, can you show me?" This went on and on. She still insisted that it was required. My response was that it's on our audit risk assessment and will be conducted on whatever frequency we've determined. She ended up noting in our report that we hadn't fully complied with the regulation. This was in June 2009, and the program hadn't even been in place for a year yet. I've heard this once again since 2009 from the FDIC, but it had been covered in an audit within the past year, so I didn't press the issue at the time.
_________________________
"The reason I talk to myself is because I'm the only one whose answers I accept." - George Carlin
#1664328 - 02/13/12 07:46 PM
Re: Auditing ID Theft Prevention Program???
Polo
10K Club
Joined: Jul 2004
Posts: 18,989
I don't believe that an annual, independent audit is a requirement; however, this topic should somehow be included in your risk-based audit schedule (be prepared to support your reasoning for the frequency).
Are you sure that you aren't confusing it with this - from Appendix J of Reg V:
VI. Methods for Administering the Program
(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 222.90 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b) Reports.
(1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 222.90 of this part.
(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.
_________________________
With the lights out, it's less dangerous.
#1664392 - 02/13/12 08:40 PM
Re: Auditing ID Theft Prevention Program???
Polo
10K Club
Joined: Jul 2004
Posts: 18,989
I sent you a PM...
_________________________
With the lights out, it's less dangerous.
#1664461 - 02/13/12 09:55 PM
Re: Auditing ID Theft Prevention Program???
Polo
Platinum Poster
Joined: Oct 2006
Posts: 995
Looking for my sanity
Mr. A_G-DDD - I think this could be where they're trying to state that an annual audit is required, from our exam report last year: "the bank should annually assess its compliance with the regulation". We complete our annual report and the examiners don't have any issues with our program at all, except to keep commenting that an annual audit is required. We have ID Theft as its own line item on our Audit Risk Assessment, and I've tacked this onto our last IT audit as a scope item, but they are really dead set that the regulation requires an annual audit, which it does not state anywhere that I've been able to find, nor has the FDIC. And I'm not going to commit to an annual audit. So I just keep stating that it's on our risk assessment and we'll schedule audits based upon that.
_________________________
"The reason I talk to myself is because I'm the only one whose answers I accept." - George Carlin
#1664584 - 02/14/12 01:13 PM
Re: Auditing ID Theft Prevention Program???
ItNeverEnds CRCM
10K Club
Joined: Jul 2004
Posts: 18,989
Imo, as it says "Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors..." then by definition this isn't an audit.
Audit staff should have nothing to do with the development, implementation, and administration of operational stuff. An audit provides an independent assessment of the above.
_________________________
With the lights out, it's less dangerous.
#1685877 - 04/04/12 09:34 PM
Re: Auditing ID Theft Prevention Program???
HGICO
Diamond Poster
Joined: Apr 2001
Posts: 2,245