Tom Hinkel, Director of Compliance
We’ve all seen the questions on the auditor and examiner IT questionnaires: “Do you have a written…”, “Do you have a process in place…”, “Do you have a system for…”, “Does audit coverage include…”. In almost all cases they are simple “Yes” or “No” questions and the vast majority of those should be answered “Yes.” But before answering, make sure you have the missing link, because in many cases, a “Yes” answer will be followed by an explicit “If Yes” demand for supporting documentation. In fact, each question actually carries an implicit “If Yes” response requirement, and if acceptable documentation cannot be provided, it’s the same as answering “No”.
With over two hundred banks, each one subjected to multiple IT audits and exams, we see between ten and fifteen questionnaires each month. We also see almost the same number of exit letters. In many cases we find that audit and exam deficiencies are actually due to the bank's inability to produce adequate documentation, not to the absence of the proper process or system.
Documentation can be found in many places, some obvious and others not so obvious. Committee meetings are an excellent way to document discussion of many IT risk management issues. All banks should have a technology steering committee, or equivalent. This is the perfect forum to discuss topics such as proposed new technology, user rights and permissions, network security reports, and network health and performance reports. Your Account Manager has a list of agenda items that should be included in every tech committee meeting. In fact, many banks will schedule their committee meetings around the quarterly system health and compliance review visit, as the QSR Review form is a perfect way to document the discussion of these topics, and the actions needed and taken.
Another excellent source of documentation is your Information Security Program itself. If you haven’t already, you should familiarize yourself with the contents of your Program. A properly designed Program should address all critical regulatory compliance issues, and in many cases you’ll simply reference the section and page.
So the next time you're completing that questionnaire, go one step further than "Yes", and ask yourself the "If Yes" question. Make sure you can find that missing link if you need to. It will demonstrate to the auditor or examiner that you truly understand the information security process. If you have any questions or need further guidance, your Account Manager and the Safe Systems Compliance Department are here to help.