The scope of the Information Technology Audit includes:

Audit:

Review the bank’s Audit Risk Assessment, Audit Schedule, Internal Auditor Qualifications, and Audit Policy. This review is designed to determine if the bank has identified the high-risk areas of the bank’s IT operation, implemented an appropriate audit schedule, and assigned audit responsibilities (in-house and/or outsourced).

Review previous Regulatory Exams and Audits that pertain to Information Technology. Review Board of Directors minutes, Audit Committee minutes, and steering committee minutes to ensure proper oversight and resolution of action items/findings.

Management:

Identify the committee(s) responsible for Information Technology, review minutes of those committees, and review Board of Directors’ minutes to ensure oversight by senior management and the directorate.

Review Information Technology policies to ensure they are current with bank operations, meet specific regulatory requirements, meet industry best practices, and are approved at least annually.

Review the bank’s Strategic Plan to determine if it adequately addresses Information Technology.

Determine if the bank has appropriately addressed management succession through chain of command, thorough cross-training, and written function descriptions/task lists for critical Information Technology employees.

Review the depth of the bank’s Network Administration staff and, if needed, review the support vendor’s contract to ensure the appropriate privacy commitments and service level agreements are in place.

Review the bank’s insurance coverage as it relates to Information Technology.

Review the bank’s new hire and annual employee training schedules and attendance records to ensure appropriate coverage as it relates to Information Technology.

Review the bank’s Information Security Program to determine if risk assessments, policies, and required reporting meet current regulatory requirements and reflect the bank’s current risk environment.
Test the bank’s Information Security Program with pretense calling, assess shredding practices through trash receptacle inspections (dumpster diving), assess monitors and printers that are in customer service areas to ensure they have adequate controls, etc.

Review OFAC, USA Patriot Act, and Customer Identification Policies, including the methods used to maintain and monitor compliance as well as training schedules and training documentation.

Review the bank’s vendor management procedures and records.
Development and Acquisition:

Review the bank's method for identifying, purchasing, installing, updating, maintaining, or developing personal computers, networking, mainframe, or other processing devices. The review of this process also includes an evaluation of methods for ensuring the installation of updates and releases or emergency fixes (patch management).

Support and Delivery:

Review warranty and maintenance agreements for critical hardware and software.

Review the frequency of, and the individuals responsible for, reviewing and balancing correspondent, loan, and deposit settlement accounts.

Review negotiable item controls (e.g., interest checks and any other checks printed in IT).

Review Fedline Advantage controls (if applicable).

Review cash letter processes.

Review wire transfer policies and procedures.

Review bank policies and procedures controlling Internet and email access.

Data and Physical Security:

Review the bank’s client/server environment (logical and physical controls and policies).

Review the bank’s antivirus and antispyware systems and controls.

Review the bank’s computer equipment/media disposal policies and procedures.

Review the bank’s portable media device environment (e.g., laptops, smartphones, PDAs, etc.), policies, and procedures.

Review the bank’s host system environment and controls. This review includes physical and logical security and user access levels.

Review the bank’s loan, deposit, and image platform general controls.

Review the bank’s Input and Output (separation of duties) controls in the Operations and Retail areas of the bank.

Disaster Recovery Planning/Business Continuity Planning:

Review the bank’s Disaster Recovery and Business Continuity plan and/or policy. This review is designed to ensure the plan meets regulatory requirements and is operable in the event of a disaster/contingency.

Review any disaster recovery testing results/documentation. This includes core, item, and image processing tests, LAN/WAN network recovery tests, tabletop tests, etc.

Review tape backup procedures and contingency supplies.

Electronic Banking Programs:

Review the bank’s website for strategic, transaction, and compliance risk.

Review the bank’s ATM/debit card issuance, monitoring, maintenance, and termination procedures.

Review the bank’s Internet banking/bill pay, mobile banking, electronic statements/notices, new account setup, monitoring, maintenance, and termination procedures.

Review the bank’s telephone banking new account setup, monitoring, maintenance, and termination procedures.

Review Remote Deposit Capture customer risk assessment, setup procedures, and training.