No time? No money? For many small credit union CEO’s, this is their tagline for their daily workload. Yet it doesn’t excuse them from the necessity of having to deal with IT examiners. The NCUA recommends third party risk assessments for credit union IT networks and systems, which often includes penetration and vulnerability scans.  But third parties don’t operate on good will alone, and money must be spent to perform such IT assessments. So when a small Credit Union, who has no room in their budget for a third party assessment, wants (or needs) to assess their IT risks, what options are available?

About a year ago we reported that credit union examiners are now asking smaller credit unions to perform self assessments (Read our article: Credit Union Examiners are Now Requiring You Do What to Yourselves?) While acknowledging these are not a replacement for the third party assessments that they often times require of larger credit unions, they can be valuable substitutes to smaller CU’s without the deeper pockets of their larger counterparts.

It is difficult for anyone to truly and honestly audit themselves.  An audit, by definition, is “an official inspection of an individual’s or organization’s accounts, typically by an independent body.” But when faced with a looming IT examination, having one’s “books in order” can go a long way for a smaller CU to start off on the right foot with the examiner.

continue reading »