Audit Trail Archives - Safe Systems

10 Jan 2018

Banks, Compliance, Credit Unions Chuck Copland 0 comment

Internal Audits are a Necessity — Better Done In-House or Outsourced?

Internal Audits are a Necessity

In the world of financial services, where institutions are governed by regulations and information security is of utmost importance, internal audits play a significant role in assuring an institution’s practices are aligned with business objectives, security protocols are in place and all regulations and government mandates are met.

The Institute of Internal Audits defines the process as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps improve risk management, security and controls by evaluating the procedures and processes of the organization.

The internal audit system at a community financial institution should be specifically designed to provide:

Independence and objectivity
Qualified personnel to conduct audits
Adequate monitoring of internal controls
The testing and review of information systems
Documentation of tests, findings and corrective actions, and
Verification that management and the board of directors reviewed the findings and addressed necessary changes.

The regular reviews are not just beneficial for institutions, they are also mandatory. Federal Financial Institution Examination Council (FFIEC) guidance dictates that financial institutions perform regular self-assessments or internal audits to “validate the adequacy and effectiveness of the control environment.” However, for many community financial institutions, the concept of performing the internal audit internally can be daunting due to the lack of personnel or in-house expertise, pushing many to identify the most effective third-party service provider to perform internal audit procedures.

In-House Internal Audits

Community financial institutions can choose to conduct internal audits themselves if they have an in-house auditor who is qualified, competent, independent from bank management and has a sense of objectivity. Ideally, a community financial institution has someone on staff with an accounting or business degree, professional industry experience, and the appropriate training to conduct a comprehensive, independent internal audit. One of the benefits of an in-house employee conducting the audit is the internal knowledge that person(s) has about the institution’s network and daily operations.

An in-house internal auditor must complete training conducted by industry organizations, such as the ICBA’s Community Banker University ®, to prove they understand the trends, issues, procedures and practices related to the financial services industry. Additionally, this demonstrates that the internal auditor function is taken seriously by the financial institution, which in turn, is important to government agencies and regulators.

Outsourcing

Smaller institutions that don’t have the budget or the staff to dedicate personnel to the internal auditor role must outsource this responsibility. While outsourcing this function can prove to be the most effective and efficient solution for any institution, selecting the right outsourced auditor can provide the additional benefit of helping maintain the overall health of an organization and better prepare a bank or credit union for its next regulatory examination.

Some of the advantages of outsourcing internal audits include:

Access to a team with a high level of expertise that is not cost-effective to maintain in house
Management has more time to work on strategic projects and focus on other revenue-generating activities
Issues associated with staffing and competitive compensation for in-house employees are eliminated, and
The issue of loss of objectivity is eliminated.

Whether done in-house or outsourced to a service provider, conducting internal audits is essential to ensure effective monitoring of security controls and to verify an institution’s ability to quickly correct significant IT and compliance vulnerabilities. At Safe Systems, our strategic advisors work with each client to perform quarterly self-assessments or internal audits to gauge IT performance and evaluate emerging risks to the institution. We also leverage this opportunity for the strategic advisor to educate bank personnel on new or changing government regulations to help the institution maintain compliance and be adequately prepared for IT audits and examinations.

Understanding the FFIEC’s CAT

How Your Institution Can Improve Its Cybersecurity Posture

15 Aug 2017

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Bank Compliance: How to Efficiently Respond to IT Exam Findings

Bank Compliance How to Efficiently Respond to IT Exam Findings

Community banks and credit unions have grown accustomed to the strenuous review processes of regulatory agencies on their practices and procedures. These reviews are designed to help ensure the stability of the organization and the adherence to laws and regulations and are thorough in scope. As a result, preparing for an exam can be an extremely time consuming and stressful process to complete and, for many institutions, providing accurate responses to the review findings in a timely manner can be quite a challenge.

Upon the completion of the on-site visit, the reviewing agent will provide the financial institution with his or her findings in a review report or a notice. This report requires a response from the bank or credit union outlining the institution’s plan for correcting or improving specific findings from the review. Some proven tips for writing a response include:

Make your responses clear and concise
Respond directly to the finding and recognize any recommendations the reviewer suggests
Outline specific actions that the financial institution commits to take to correct the finding
Assign who is directly responsible for the implementation and oversight
Exclude information that is not pertinent to the finding or its corrective action plan
Provide a specific — and realistic — timetable for implementation.

Typically, a regulatory agency will not revisit the findings again until the next review. It is up to the financial institution to address each point and provide the proper documentation to show these items have been corrected before the next meeting. For example, if the bank’s antivirus was listed as out of date on the findings report, the institution would have to update each machine, run a report, and include this information in the findings package to be reviewed by the regulatory agency during the next visit. To complete the process efficiently, banks must keep up with who is in charge of each specific action item, when the item is due for completion, and which reports should be included in the findings package.

Organize Your Efforts to Complete Review Findings

Safe Systems’ Audit Trail application helps financial institutions efficiently respond to the reviewing agent’s feedback and ensure each finding is completed in a timely manner. The application allows the user to input review findings into the system, customize reporting fields, assign each finding to specific team members and include due dates to ensure all updates are completed. This allows banks to automate the review finding process as opposed to a manual process such as a spreadsheet, providing a more effective, centralized way to address this complex project.

The Audit Trail application also allows the user to attach relevant documents and reports to each finding, making it easier to verify that each item has been corrected. In addition to this, all documents are housed in one centralized location to avoid reliance on one person for documents and reports usually stored on an individual computer. The document library helps to reduce the risk of data loss due to computer failure and ensures that all important information is readily available to complete the findings package.

Responding to review findings can be challenging, time consuming and stressful! However, working with Safe Systems can provide your financial institution with the right tools to keep this process organized and meet regulatory expectations. Streamlining this process helps community banks and credit unions improve on IT and compliance procedures in a timely manner and effectively demonstrate how the institution has addressed the reviewing agent’s feedback.

08 Aug 2017

Banks, Compliance, Credit Unions Jamie Davis 0 comment

How to Beat IT Exam Stress and Boost Efficiency for Your Bank

External audits and exams have become a fact of life for financial institutions of all sizes. Community banks and credit unions undergo strenuous reviews of their procedures and practices anywhere between six and 18 times a year. While these reviews are designed to help ensure the stability of the organization and the adherence to laws and regulations, preparing for these events can be an extremely time consuming and stressful process to complete.

Most reviews consist of two phases – preparation and findings. At the beginning of the process the reviewing agent typically sends financial institutions a list of items that they want to review, certain areas they plan to examine and items they plan to discuss with the organization. This list normally includes a number of reports and documentation the financial organization must prepare ahead of the review and provide to the reviewing agents before the on-site visit. Some only require a handful of reports to prepare up-front, but others can request more than 60 different reports. Some of the reports and information that may be requested include:

Organizational Charts
Financial Reports
Business Continuity Plans
Disaster Recover Plans and Test Results
Vendor Management Policies
Security Policies

Often there is one person in charge of the review and they must work with each department to gather information by the designated due date. All files must then be stored in a central location, follow the template the reviewing agents have requested and be in a format that can be transmitted securely to the requesting party. Gathering all this information and ensuring all documents are complete and accurate can be a challenging task for smaller community banks and credit unions with limited in-house resources and staff.

Streamline the Pre-Exam Preparation Process

The Safe Systems’ Audit Trail™ application is designed to help financial institutions efficiently manage the preparation process. The application allows the user to import a variety of file types and formats, utilize the field matching wizard, and easily standardize items across the system despite the varied nature of the templates provided by the different agencies. To eliminate the mundane task of collecting the same documentation over and over, the application allows you to pull system reports directly from a variety of other Safe Systems’ services housed in theSafe, and store them in a central library so they are easily accessible the next time you need them.

All preparation reports are housed in the Audit Trail solution, meaning there is no duplication of documents; reports do not need to be saved in various folders; and the financial institution has peace of mind in knowing the most accurate and up-to-date information is sent to the reviewing agent. In addition, once all the preparation documents have been completed, a preparation item package is created in the form of a zip file, which makes it easier to input all the documents designated for the review into the reviewing agent’s delivery system. A report or manifest of documents attached to each audit is created, giving the financial institution a record of each review.

Preparing for an audit or exam can certainly be a headache! However, working with Safe Systems can provide your financial institution with peace of mind by ensuring you are well prepared and can feel confident for any upcoming review. Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to a seamless and time efficient preparation process.