FFIEC Requirements: Credit Union Technology Audit

by Robin Remines

Often overlooked and always misunderstood (oh wait… wasn’t that a song?), Information Technology auditing can make even the most hardened CIOs take defensive stands in a misguided attempt to protect the team and their operations. The fact is, IT folks are used to being “trusted” resources and can even be offended when called upon to demonstrate the integrity of their work. This is misguided! The reality is that a good audit program reinforces the C-level team’s trust in your team’s actions and also protects your team from any perception of wrongdoing. A good CIO will partner with the auditing staff in ways to not only ensure compliance but to “poke holes” and develop stronger policies and procedures to protect credit union assets. Short of inviting your internal auditing staff to scrub your efforts, what can you do to become more knowledgeable about the expected auditing controls? That’s where the FFIEC IT Handbook – Auditing section comes in.

Since this is our first series, let’s break this section down to ensure you understand how to navigate/use the handbook itself. (If you are already familiar with the handbooks and know how to use them, skip this section and head down to the OGO Intel below.) In each handbook you’ll find:

  • Description – The handbook provides a simple definition of what that section will cover.
  • Downloads – This is where we start getting the power tools!
    • Downloadable version of this section’s handbook (great for when internet access is limited or unavailable)
    • Work program (in both Word and other word processing formats) – If you’ve ever wanted a “cheat sheet” for an IT audit, this is as close as you are going to get. These work programs are very similar to the NCUA Aires IT Checklist (EC files). Download these and do an in-depth review of the work program vs. your own initiatives! This should leave you with no surprises come audit time.
    • Chapters – Provides detailed sections associated with the topic (auditing) as well as applicable appendices when necessary.