Financial institutions of all sizes are required by their regulatory agency to undergo an FFIEC audit every 12 to 18 months. The scope of an FFIEC audit covers many areas outlined in the most current FFIEC IT Examination Handbook booklets, plus procedures designed to satisfy the requirements of the Gramm-Leach-Bliley Act (GLBA) related to the Information Security Program. Procedures include, but are not limited to, review of IT-related internal audit processes, such as the areas listed below:
- Management and Organization
- Disaster Recovery and Business Continuity Planning
- System Acquisition, Development, and Program Change Control
- Physical and Environmental Security
- Computer Operations
- Network Administration
- Network and Cyber Security
- Network Vulnerability Testing
- Penetration Testing (External, Internal, Wireless, Web Application)
- Social Engineering
- Application Security
- Core System Interfaces
- Vendor Management
- IT Policies and Procedures
- Strategic Planning
- Internal Control Design Assessment
- Policy and Procedures Assessment
- Remote Deposit Capture, ATM audits, and Credit Card audits
- End-User Computing
- Document Imaging
- EFTs (ATM, debit cards, home banking, ACH, wire transfer)
- Internet and Mobile Banking
- Privacy Issues of Customer Data (to the extent necessary to satisfy requirements of the Gramm-Leach-Bliley Act 501(b))
- Technology controls related to financial reporting for Sarbanes-Oxley Section 404
- Sarbanes-Oxley compliance for financial institutions