‘Outdated’ IT exam program for banks holds weaknesses, needs improvements, report finds

An information technology (IT) exam program for banks adopted just about seven years ago is now “outdated” and in need of major changes in procedures, according to a report issued Wednesday by the inspector general of the federal bank deposit insurance agency.

The report from the Office of Inspector General (OIG) for the Federal Deposit Insurance Corp. (FDIC) said it found the agency’s IT Risk Examination (InTREx) program needs improvement to effectively assess and address IT and cyber risks at financial institutions.

The OIG said, in its review, it found several weaknesses in the program, which include:

  • The program is outdated and does not reflect current federal guidance and frameworks for three of the program’s four “Core Modules”;
  • The agency did not communicate or provide guidance to examiners after updates were made to the program;
  • Examiners did not complete program examination procedures and decision factors required to support examination findings and the Federal Financial Institutions Examination Council’s Uniform Rating System for Information Technology (URSIT) ratings;
  • The agency has not employed a supervisory process to review IT workpapers prior to the completion of the examination in order to ensure that findings are sufficiently supported and accurate.

Further, the report stated, the FDIC does not provide guidance to exam staff on reviewing threat information to remain apprised of emerging IT threats and those specific to financial institutions. The report also stated that the agency “is not fully utilizing available data and analytic tools to improve the InTREx program and identify emerging IT risks, and has not established goals and performance metrics to measure its progress in implementing the InTREx program.”

The OIG asserted that the weaknesses it found “collectively demonstrate the need for the FDIC to take actions to ensure that its examiners effectively assess and address IT and cyber risks during IT examinations.” Without effective implementation of the InTREx program, it said, “significant IT and cyber risks may not be identified by examiners and addressed by financial institutions.”

The OIG said it recommends that the agency take several actions to address the weaknesses outlined in the report:

  • Update the InTREx program consistent with applicable guidance as appropriate; ensure examiners complete the InTREx program procedures as intended; file all supporting workpapers in a timely manner; and review and apply threat information regularly.
  • Review IT examinations with identified deficiencies and take corrective actions as necessary, and provide refresher InTREx training to examiners to promote consistent completion of IT examination procedures and decision factors.
  • Determine if the agency’s AlphaRex tool (developed in 2017 to conduct analysis of unstructured data from examinations) could be used to improve the InTREx program and identify emerging IT risks and trends.
  • Develop and implement goals and metrics to assess program effectiveness.

Implementation of the FDIC’s Information Technology Risk Examination Program