Vala Secure FFIEC Audit Program Update

by Karl Wood

In June 2021, the FFIEC updated its IT Examination Handbook InfoBase booklets. The Operations booklet was replaced with the new Architecture, Infrastructure, and Operations (AIO) booklet. The excerpt from the AIO booklet below explains the updated guidelines, followed by the changes you can expect during your next financial organization IT audit from Vala Secure.

As the new booklet name indicates, the AIO booklet is a much broader review of the business structure (architecture), including implementation of IT infrastructure components (infrastructure), and delivery of services to provide security and value for internal and external customers (operations). The enhancements to the booklet include the addition of new architecture, infrastructure, and emerging technology sections. Cybersecurity is incorporated throughout the booklet as a consideration for all technology employed by entity management, whether managed internally or contracted for from a third-party service provider (FFIEC).

The AIO booklet looks at enterprise-wide, process-oriented approaches that relate to the design of technology within the overall business structure, implementation of IT infrastructure components, and delivery of services. The FFIEC defines AIO as:

  • Principles and practices for IT and operations as they relate to safety and soundness, consumer financial protection, and compliance with applicable laws and regulations.
  • Processes for addressing risk related to the design and implementation of IT systems.
  • Principles to help examiners evaluate the delivery of financial products and services.
  • Management oversight of AIO and its related components, including governance; common risk management topics; specific activities of AIO; and evolving technologies that examiners may encounter during their reviews.

So, what does this all mean for your next financial organization IT audit?

Vala Secure will continue to look at physical operational controls including document management, environmental controls, help desk functions, item processing, and physical security. You can expect that we will begin auditing and assisting you with a review of the architecture and infrastructure that is in place, as well as all operational processes. New categories and questions will be added to reflect the changes and updates to the AIO section of your IT audit.

In the architecture AIO category, we will review how IT architecture meets the needs of the organization and how it supports business objectives. Observations will be made on how the IT architecture aligns with your strategic initiatives and policies. IT architecture, both physical and virtualized, will be assessed to ensure that confidentiality, integrity, and availability requirements are adequately met.

In the infrastructure AIO category of your audit, Vala Secure will review how infrastructure is managed and configured, change control processes, security, and monitoring of the environment. Network and telecommunications hardware will be audited as before for physical security and maintenance; however, asset inventory and tracking will now be included.

In the emerging technology AIO category, we will assess how and where data is stored, cloud computing, and cloud service providers. Additionally, the software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) cloud service models will be evaluated if used. Private, community, public, and hybrid deployment models will be reviewed as implemented. Cloud service providers' contracts will be reviewed for service-level expectations, control responsibilities, and security standards that match your organization's requirements. Security controls for cloud environments will be inspected for access controls and policies.

While these changes may seem daunting, Vala Secure will guide you through your financial IT audit, and your firm can be assured that the audit will meet the FFIEC's new guidelines. At Vala Secure, we are committed to advanced auditing practices and keeping our clients ahead of the curve.

FFIEC. (n.d.). FFIEC IT Examination Handbook InfoBase. FFIEC IT Handbook InfoBase.