Formerly a blip on the regulators’ radar, information technology has become the subject of intensive examinations in recent years. An army of former safety and soundness examiners now has their IT examiner stripes and they are ready for battle. Regulators now devote more resources to the IT examination than ever before. Accordingly, the IT examination rating your financial institution receives has become much more significant than in years past.
To help you survive your next IT examination, we have the following tips:
- Avoid repeat findings. Nothing will bring your rating down like repeat findings. Ignore past findings at your own risk. It is a good idea to review the previous report of examination prior to your next examination. This will allow you to blitz any outstanding items and avoid this costly mistake.
- Don’t overpromise. The easiest thing to do when responding to examination findings is to say that you will correct every finding right away. Unless you are in violation of the law, keep in mind that there are some IT risks that you might be willing to accept. Articulate your response carefully and follow through on your commitments.
- Be aware of regulatory hot buttons. Don’t be blindsided by being unaware of what is foremost in the minds of examiners (e.g., Section 501b of the GLBA). Review the regulators’ work programs which are available online, seek the advice of your external IT auditors and consultants, read industry publications, attend conferences on IT issues, and network with your peers.
- Be prepared. It’s not just the Boy Scout motto, it’s a good practice to complete your examination successfully. When you receive the examiner’s “request for information,” tackle it immediately, gather the information requested, index it to the examiner’s documentation, and have it ready when the examiner arrives.
- Use the exit conference wisely. The exit conference is an excellent forum to clear up any miscommunication or misunderstanding, on either the examiner’s part or your part. Don’t rush through the conference, thinking ahead to the report. Instead, take copious notes, ask the examiner to explain his or her findings in great detail, and include the appropriate people in the conference so certain items can be addressed immediately. While it should go without saying, this is also the time to turn off cell phones, hold all calls and devote your management team’s full attention to the exit conference.
Being on the receiving end of an IT examination is never easy. By properly preparing for the examination, communicating effectively during the examination, and responding promptly and thoughtfully to examination findings and recommendations, you can help your financial institution not only survive the examination but emerge with a better, more secure IT environment that will contribute to the safety and soundness of the entire institution.
Note: These tips appeared originally in Jimmy's book, IT Auditing for Financial Institutions, available in the BOL Bookstore.
First published on BankersOnline.com 7/21/03