Hey Guru, our examiner is asking about the “scope” of our IT audits. What is she referring to, and how do we define a reasonable scope? Audit results are one of the first things examiners want to see, and the “scope” of the audit is very important to examiners. In fact, the term is used […]
The Problem with PEN Tests
This is a true story, the names have been changed to protect the guilty. Al Akazam (not his real name) is an IT consultant with a solid background in
Bank Directors and Officers targeted in 2011
The final numbers are in for 2011, and it was a record year for Director and Officer (D&O) lawsuits by the FDIC. In 2011 alone, 264 defendants were named in FDIC lawsuits. To put that in perspective, that’s more than twice the number sued in the previous 2 years combined. Some of the most frequently […]
Access Rights a frequent finding
In reviewing recent audit and examination findings, the issue of access rights and permissions is coming up with increasing regularity. Making sure that end-users have no more access rights than absolutely necessary to do their job is one of the best information security controls. According to the FFIEC, formal access rights administration for users consists […]
Audits vs. Examinations
As I speak with those in financial institutions responsible for responding to audit and examination requests, I find that there is considerable confusion over the differences between the two. And some of this confusion is understandable…there is certainly some overlap between them, but there are also considerable differences in the nature and scope of each […]
Using Technology to Drive Compliance
In the past year to year and a half, nearly all of the IT examination findings I’ve seen have been in the broad category of “documentation”, or more specifically, the lack thereof. In other words, policies and procedures were satisfactory, but documentation was either non-existent or insufficient to demonstrate that actual practices followed policy and procedure. To […]
The Control Self-Assessment (CSA)
If there was a process that was mentioned 43 times in 7 of the 12 FFIEC IT Examination Handbooks (including 12 times in the Information Security Handbook alone!), would you consider implementing it? How about if it virtually assured better audits and examinations? OK, you’re interested, but the last thing you need is to implement […]
IT Composite Ratings: 1 vs. 2
In a recent survey conducted with our customers, we asked them to tell us (anonymously) what their FDIC IT composite scores were after their last IT examination, and whether those scores increased (got worse), or decreased (got better). The average score was 1.8 on the 5 point scale. Of course the results could be attributed […]
Auditor rotation – pro and con
The practice of periodically changing, or rotating, your external auditor has been a topic of interest with our customers lately, and there are two schools of thought on this. The pro-rotation side takes the position that a different set of eyes…
Top 5 Compliance Trends for 2011 – Part 2
A recent survey of auditors and examiners asked:
During the past year, in which category would you say MOST of your IT audit/exam findings occurred?