On June 30th, 2016, the FDIC announced that the Information Technology Risk Examination (InTREx) Program would be replacing the existing Information Technology Risk Management Program (IT-RMP) effective July 1st, 2016.
InTREx is “designed to enhance identification, assessment, and validation of IT in financial institutions and ensure that identified risks are effectively addressed by FI management.” The InTREx Program applies to all FDIC-supervised institutions, regardless of size.
InTREx significantly changes how IT examinations are planned and performed. Here’s what you need to know:
About 90 days prior to the IT examination, institutions will receive an Information Technology Profile through FDICconnect. This profile is less than half as long as the IT-RMP Officer's Questionnaire but still gives FDIC examiners what they need to plan and perform the examination appropriately.
At least 45 days before the scheduled exam date, the IT examiner-in-charge will send the institution an IT Request Letter listing additional items and documents needed. This will allow the institution to provide vital examination information ahead of time, reducing the need to immediately produce documents when the examiners are on site.
The Information Technology Profile and the items in the IT Request Letter will allow examiners to take an enhanced risk-based approach to their work, planning and performing procedures that focus on the high-risk areas of an institution’s business and operations.
Examiners will use InTREx Core modules and other work papers (as appropriate) to assess risk as well as document procedures, recommendations, and findings.
For institutions with more complex IT environments, examiners will perform additional procedures, including the use of supplemental work programs and the FFIEC Information Technology Examination Handbook.
InTREx reports will continue to use the Uniform Rating System for Information Technology (URSIT) to report an overall composite rating for the institution. The examination report will include the URSIT component ratings, recommendations, findings, management responses, and information on the institution’s cybersecurity preparedness and compliance with standards.
The examination and resulting reports are designed not only to test and ensure adherence to FDIC guidelines, but also to help institutions be more proactive in designing their information technology game plan. Reacting to issues is the bare minimum; world-class organizations anticipate hard and soft trends in cybersecurity, IT systems design, and risk management. InTREx can be helpful in assessing risks but should be viewed as one part of an institution’s larger overall IT strategy.
All institutions manage risk to some degree, though all too often it’s only to the extent that they are required to by regulation and legislation. Seizing the opportunity to capitalize on risks as part of an integrated strategy will help an institution stand out. Everyone is offering online banking, mobile deposit, and bill pay. Sure, that’s what customers want, but that’s become baseline, the minimum. What about services that aren’t customary yet, those services that most institutions are leery of offering due to the risk and uncertainty involved?
Institutions that are willing to forge new ground and gain a deeper understanding of new technologies and innovations are the institutions that will continue to grow and prosper. Pioneering cutting-edge products certainly brings new risks along with it. The difference between success and stagnation may just be the ability to take advantage of risks, not just mitigate them.