The Garland Group will take into account the institution’s size, complexity, and overall risk profile when performing this and other evaluations. We will consider the following issues when evaluating the IT audit function:

• Identify areas of greatest IT risk exposure to the institution in order to focus audit resources
• Promote the confidentiality, integrity, and availability of information systems
• Determine the effectiveness of management’s planning and oversight of IT activities
• Evaluate the adequacy of operating processes and internal controls
• Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures
• Require appropriate corrective action to address deficient internal controls and follow up to ensure management promptly and effectively implements the required actions
• Independence of the audit function and its reporting relationship to the board of directors or its audit committee
• Expertise and size of the audit staff relative to the IT environment
• Identification of the IT audit universe, risk assessment, scope, and frequency of IT audits
• Processes in place to ensure timely tracking and resolution of reported weaknesses
• Documentation of IT audits, including work papers, audit reports, and follow-up

Many financial institutions are incorporating business continuity considerations into business process development to mitigate, proactively the risk of service disruptions. In creating an effective BCP, financial institutions should not assume a reduced demand for services during the disruption. In fact, demand for some services (e.g., ATMs) may increase.

The objectives of reviewing development, acquisition, and maintenance activities are to identify weaknesses or risks that could negatively impact an organization; to identify entities whose condition or performance requires special supervisory attention; and to subsequently recommend corrective action. The Garland Group will conduct risk-focused reviews that assess the overall effectiveness of an organization’s project management standards, procedures, and controls.

The Garland Group will use the examination procedures and document request letter items to review risks in the electronic delivery of financial products and services. These procedures address services and products of varied complexity. The procedures could be used independently or in combination with procedures from other IT Handbook booklets or from agency handbooks covering non-IT areas.

FedLine is the Federal Reserve Bank’s proprietary electronic delivery channel for financial institution access to Federal Reserve financial services, and includes DOS-based FedLine and FedLine for the Web. The guidance primarily targets operational (transaction) risks related to funds transfers. Management, however, should also understand the indirect impact this funds transfer system could have on other risk areas within the institution.

Information security is the process by which an organization protects and secures systems, media, and facilities that process and maintains information vital to its operations. Security programs must have strong board and senior management level support, integration of security responsibilities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities. The Garland Group will provide guidance to examiners and organizations on determining the level of security risks to the organization and evaluating the adequacy of the organization’s risk management.

The examination procedures in the Management assist DCS in evaluating financial institution risk management processes to ensure effective information technology (IT) management. Effective IT management in financial institutions maximizes the benefits from technology and supports enterprise-wide goals and objectives. The IT department typically leads back-office operations, network administration, and systems development and acquisition efforts. IT management also provides expertise in choosing and operating technology solutions for an institution’s lines of business such as commercial credit and asset management, or enterprise-wide activities such as security and business continuity planning. This dual role and the increasing use of technology raise the importance of IT management in effective corporate governance.

Management of IT in financial institutions is critical to the performance and success of an institution. Sound management of technology involves more than containing costs and controlling operational risks. An institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall corporate governance efforts.

The examination procedures contained in this booklet assist The Garland Group in evaluating an institution’s controls and risk management processes relative to the risks of technology systems and operations that reside in, or are connected to the institution. The guidance in this section covers the risks and expected controls in IT operations and across the institution. It also emphasizes that risks involve more than IT technology and that controls include sound processes and well-trained people.

Outsourcing Technology Services procedures provides guidance and examination procedures to assist examiners and bankers in evaluating a financial institution’s risk management processes to establish, manage, and monitor IT outsourcing relationships.

Financial institutions can outsource many areas of operations, including all or part of any service, process, or system operation. Examples of information technology (IT) operations frequently outsourced by institutions and addressed in this booklet include: the origination, processing, and settlement of payments and financial transactions; information processing related to customer account creation and maintenance; as well as other information and transaction processing activities that support critical banking functions, such as loan processing, deposit processing, fiduciary and trading activities; security monitoring and testing; system development and maintenance; network operations; help desk operations; and call centers. The booklet addresses an institution’s responsibility to manage the risks associated with these outsourced IT services.

The Garland Group will use the examination procedures for evaluating the risks and risk management practices at financial institutions offering retail payment system products and services. These procedures address services and products of varied complexity, and DCS will adjust the procedures, as appropriate, for the scope of the examination and the risk profile of the institution.

The Garland Group assesses the agencies’ risk-based supervision approach, the supervisory process, and the examination ratings used for information technology (IT) service providers.

The Garland Group will use the examination procedures for reviewing risks in wholesale payment systems. These procedures address services and products of varied complexity, and will adjust the procedures for the scope of the examination and the size and risk profile of the institution.

The procedures that we will perform are solely to assist you in the review of selected internal control considerations and completion of certain audit procedures related to your specific internal audit objectives. Ultimately, as is currently the case, the Board of Directors will be responsible for the scope of internal audit procedures and the resolution of any audit findings.

Our engagement will not include an examination of all aspects of your system of internal controls or testing of all areas of its operations, and therefore, we will not express an opinion on your system of internal controls. Our engagement will not enable us to address legal or regulatory matters or abuses of management discretion, including fraud or defalcations, of which matters should be properly discussed by you with legal counsel. Our procedures will not include a detailed examination of all transactions and cannot be relied on to disclose all errors or irregularities that may exist. Additionally, our engagement is not for the purpose of discovering security flaws within your MIS applications software or networking software. However, we will inform your designated management or Board representative of any such material matters that come to our attention. Because these procedures will not constitute an audit made in accordance with generally accepted auditing standards, they will not result in an opinion on any of the items specified in the above audit scope, on the financial statements of Bank taken as a whole, or on the Bank’s system of internal control.

Our report will be furnished solely for the information and use of the Board of Directors, the Audit Committee, management and the Bank’s regulatory agencies. Our procedures will not be planned or conducted in contemplation of reliance by any other party or with respect to any specific transaction. Therefore, items of possible interest to an unidentified party may not be specifically addressed or matters may exist that could be assessed differently by such party.

In the event we are requested or authorized by the Bank or are required by government regulation, subpoena, or other legal process to produce our documents or our personnel as witnesses with respect to our engagements for the Bank, the Bank will, so long as we are not a party to the proceeding in which the information is sought, reimburse us for our professional time and expenses, as well as the fees and expenses of our counsel, incurred in responding to such requests.