Category: Ask the Guru

  • Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”

    Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”

    Hey Guru! Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC […]

  • Ask the Guru: Cybersecurity “Risk Appetite”

    Ask the Guru: Cybersecurity “Risk Appetite”

    Hey Guru I saw multiple references to the term “risk appetite” in the FFIEC Cybersecurity Assessment Tool.  What exactly is risk appetite, and how can I address this in my institution? They just released Management Handbook contains 10 new references to “risk appetite”, including a requirement that the Board  has defined the institution’s risk appetite and it’s risk tolerance levels. […]

  • Ask the Guru: The Vendor Report of Examination (ROE)

    Hey Guru Where in the handbook does it state the Bank should request exam reports on vendors from their regulatory body? Although there is no formal FFIEC written requirement for obtaining the service provider’s regulatory examination report (report of examination, or ROE), it is mentioned as a best practice in the FFIEC 2012 TSP Handbook: […]

  • Ask the Guru: The IT Audit “Scope”

    Hey Guru Our examiner is asking about the “scope” of our IT audits. What is she referring to, and how do we define a reasonable scope? Audit results are one of the first things examiners want to see, and the “scope” of the audit is very important to examiners.  In fact, the term is used […]

  • Ask the Guru: Vendor vs. Service Provider

    Hey GuruI recently had an FDIC examiner tell me that we needed to make a better distinction between a vendor and a service provider.  His point seemed to be that by lumping them together in our vendor management program we were “over-analyzing” them.  He suggested that we should be focused instead only on those few […]