Insights: Article

InTREx IT Examination Program

November 04, 2016

Cyber security threats within the financial institutions industry are persistent, adaptive and continue to escalate. Cyber security awareness, threat mitigation and incident response are necessary to maintaining security. In response, an overhaul to the FDIC Information Technology Risk Examination program was announced June 30, 2016. Announced through FDIC FIL 43-2016, the InTREx examination program places focus on inherent risk identification, assessment and evaluation of IT control procedures.

What’s Changing
Changes include the Uniform Rating System for Information Technology (URSIT) system that guides the risk-based approach to exam questions. A pre-examination process helps the examiner identify risks specific to the size and complexity of the financial institution, as well as assign proper resources to the onsite examination. Separate frameworks address audit, management, development and acquisition, and support/delivery. Questions are included to help identify and control risks, specifically, what an IT auditor looks for in evaluating and controlling risk.

Auditor’s Perspective
The FFIEC Cybersecurity Self-Assessment Tool and InTREx IT Examination program offer similar control perspectives. Both are essentially based on the FFIEC IT Handbook from July 2006.  However, the InTREx program provides more direct focus and, based on inherent risk identification, provides better guidance toward recommended risk mitigation. Of particular interest is how InTREx specifies “cyber security” controls within each framework. At a minimum, these sections could serve as an initial gap analysis, where the IT department and/or IT Committee could check potential security gaps. Overall, the InTREx program is well-focused and straight-forward, which helps in the evaluation and maintenance of an effective cyber security program.