To help ensure better results on bank audits and examinations, every financial institution should complete periodic (generally quarterly) control self-assessments that let management gauge IT performance, system status, and emerging risks. These proactive self-assessments are key to ongoing monitoring of security controls and to ensuring that significant deficiencies are corrected promptly. FFIEC guidance directs financial institutions to perform regular self-assessments to “validate the adequacy and effectiveness of the control environment.”
Auditor feedback indicates that financial institutions with an effective internal self-assessment process in place generally demonstrate a much more mature risk management process. Simply put, this results in fewer, and less severe, audit findings. This makes sense: these institutions tend to identify, correct, and control weaknesses before an audit, rather than waiting for the auditor to identify them. Since one of the first things an examiner wants to see on arrival is the most recent audit, a clean audit often results in fewer examination findings as well.
Specific areas that should be reviewed in the assessment
Network Compliance Reporting
- Antivirus, Patch Management, Server Health and Warranty Analysis
Network Security Reporting
Policy and Procedure Verification
- Vendor Management, Network/Internet, Information Security
Regulatory Trends and Changes
Site/Server Recovery and Disaster Recovery Plans
Expect support from your IT network management provider
Actually conducting the self-assessment can be a challenge, and it requires a mix of regulatory and technical understanding. One way to improve the process is to work with an experienced IT network service provider who is knowledgeable about financial regulatory requirements. You should expect your account manager to help with every step of the self-assessment by providing structure, feedback, and an impartial outside perspective. The control self-assessment is also the time for the financial institution to share with its account manager the issues and pain points it has encountered. This allows the account manager to provide informed guidance and help the bank apply the right tools and procedures to address those issues adequately.
At Safe Systems, our account managers work with each client to perform quarterly technology self-assessments. The assessment is a tool to help the institution verify that its IT network technology controls are working and up to date. However, the self-assessment is more than a simple diagnostic procedure. It is also a time for the account manager to educate bank personnel on new or changing government regulations, helping the bank remain in compliance and setting the institution up for success in audits and exams.
Regulatory compliance is always on a financial institution’s mind. Quarterly control self-assessments give the bank peace of mind: by the time the examiner arrives, the institution has already had a trial run and feels well prepared and confident about the upcoming exam result. Working with Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to improved audit and examination ratings!