Tag: URSIT

Starting immediately, all FDIC-examined institutions will be subjected to new IT examination procedures, the first major overhaul since December 2007.  The new format is dubbed the InTREx program (Information Technology Risk Examination), and is designed to be a bit simpler in the pre-examination phase.  In fact, the InTREx has only 26 questions vs. 59 for the 12/07 version.  But what the new version gives up in the pre-exam phase, it more than makes up for in the actual on-site examination portion.  I believe most institutions should prepare for a much more thorough (i.e. time-consuming) examination experience going forward.

The InTREx is based on the URSIT methodology (Uniform Rating System for Information Technology), which dates back to 1999.  URSIT consists of four main components used to assess the overall performance of IT management within an organization; Audit, Management, Development and Acquisition, and Support and Delivery (AMDS).  Additionally InTREx adds an Expanded Analysis section for both Management and Support and Delivery.

First, the similarities:  Both the old and new model share a pre-exam and an on-site phase.  The pre-exam phase consists of the questionnaire, which is designed to help the examiner “scope” the examination (see #2 below), and determine exactly what documentation they will require from you (some of which they will request ahead of time, some will be requested on-site).

Once on-site the differences between the old and new are more apparent.  The new exam procedures require examiners to “review” (47 instances) and “evaluate” (54 instances) your documentation, and “determine” (30 instances) whether it is sufficient to prove that you’re doing what you say you will do.  The examiner uses the “Core Analysis Procedures” to assess each “Decision Factor” as either Strong, Satisfactory, Less than satisfactory, Deficient, or Critically deficient.  Examiners will then assign a 1 – 5 rating score to each AMDS component, and then assign an overall composite score.  All component ratings and scores, along with examination findings and recommendations, will appear in the final report.

Here is how the pre-exam and on-site phases break down in terms of type and volume of information requested:

• The pre-exam phase is divided into 6 sections, with a total of 26 questions (most of which have an “If Yes…” portion, very similar to the 12/07 version):

• The on-site exam phase is where the new examiner procedures are defined, and is divided into the AMDS sections, plus the 2 Expanded Analysis sections.  Each of the AMDS sections has a Core Analysis Decision Factors, and a Core Analysis Procedures sub-section:

* These components are not assessed separately, but are scattered throughout the program.

1. This is much more granular process, requiring a deeper analysis by the examiner, which in turn puts a greater burden on the bank.  Proper documentation will often make the difference between a “satisfactory” and a “less than satisfactory” assessment.  If you prepared for previous exams by not just answering “Yes” or “No” to the pre-exam questions, but identifying all supporting documentation whether or not it was asked for, you should be fine with the InTREx.  If you were used to answering “Yes” or “No” with little or no examiner follow-up, download the InTREx now and focus on all the items in the Core Analysis Procedures sections.  Pay particular attention to the 34 “Control Test” items marked with  , and make sure you can get your hands on those items.  Again, being able to provide the documentation may make all the difference in your final exam score.
2. The pre-exam portion of the questionnaire should (in theory) allow the exam to scale to the size and complexity of the institution.  We’ll have to wait and see if that actually occurs, but let’s hope so.  We’ve heard from far too many smaller institutions that said they felt their examiner treated them as if they were much larger.
3. There is quite a bit of overlap between the elements in the InTREx and the Declarative Statements in the Cybersecurity Assessment Tool.  That should mean that actions taken to strengthen your cybersecurity control maturity will also strengthen your overall IT controls.  Also, cybersecurity elements are now permanently baked-in to the IT examination process, not a separate assessment.  This is consistent with what I’ve been saying all along, that cybersecurity is simply a subset of information security.  However, as with the Control Tests, you should make sure you have documentation available for all items marked with  .
4. Hopefully, one potentially positive outcome from all this will be a more consistent examination experience.  Inconsistent examination results have been a source of concern for many institutions recently.  This new process should address that by removing some of the subjectivity that results when different examiners interpret the same guidance differently, and also by clarifying precisely what resources they need to “review”, and “evaluate” in order to “determine” the level of compliance achieved. 
5. It is uncertain how quickly the new format will be adopted by regulators, but I’m guessing it will be pretty quickly.  Since they will send the questionnaire 90 days prior to your scheduled exam, we should expect the new methodology to be implemented for exams conducted in Q4 2016 at the soonest.
6. It’s also unclear whether the other (non-FDIC) regulators will adopt this format. However, the FDIC insures the funds in all banks they have supervisory authority at all insured institutions (including those for which it is not the primary federal supervisor), so a single standard would make sense.  In any case, even non-FDIC institutions would be wise to familiarize themselves with this guidance.

Shoot me an email if and when you get the new InTREx, and let me know your experiences with it.  I’ll update the post periodically.