The FFIEC Bank IT Audit Is One of the Most Important—and Labor Intensive—Regulatory Burdens of The Year for Community Banks. But You Can Make It Easier on Your IT Department with the Right Preparation. Here’s How to Stay One Step Ahead of the Process.
If you’ve been in banking for a long time, you know—preparing for your annual FFIEC Bank IT Audit every year is one of the most labor-intensive, complex parts of your regulatory yearly exams. If there’s one thing we’ve learned assisting hundreds of banking clients during this process over the years, it’s this: preparation is essential. You’ll minimize the findings examiners make if you do a little proactive homework before the audits begin.
If you’re wondering how to make your audit preparedness process smoother, read on. We’ll walk you through the steps you need to take to stay prepared and use your resources wisely during the examination process.
But first, let’s get down to the basics about the Federal Financial Institutions Examination Council (FFIEC) and how it relates to your IT operations.
What Does an FFIEC IT Audit Do?
Every 12-18 months, community banks are required to conduct an extensive IT systems and cybersecurity audit, conducted according to the guidelines set down by the FFIEC.
According to its website, the council is “a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).” In short, they combine all the regulatory priorities of the organizations that govern banks and bring them all together in a coherent and actionable way for examiners.
Your IT audit is only one part of the overall examination your bank will receive. But it is crucial, as examiners need proof that you are following all the latest guidance on keeping your banking transactions and data safe. It covers information security policies, risk management, incident response, and technology infrastructure.
Who Should Conduct an IT Audit for Banks?
As a financial institution, you’ll be required to conduct an audit against current standards and present that to regulators. You have the option to conduct the audit internally. However, we recommend hiring a third party to complete your audit because of the time and workforce required to do this properly.
This party generally will not be any MSP or IT vendor you are currently working with. Instead, hire an outside accounting or consulting firm specializing in this assessment. Your MSP or local banking association can often provide you with a list of qualified providers.
What Does an FFIEC IT Audit Cover?
Annual audits are detailed and comprehensive. If you don’t have the proper reports or paperwork, you’ll be required to get it. Getting your MSP involved is helpful if you don’t have IT staff available to assemble the proof needed. They should be able to work through your vendors to help you gather the documentation you need.
Whether you do the audit internally or hire outside help, your audit will cover these areas:
- Access Controls: Assess user access, segregation of duties, and privileged accounts.
- Network Security: Test firewalls, intrusion detection/prevention systems, and encryption.
- Incident Response: Evaluate incident handling procedures and communication protocols.
- Vendor Management: Assess third-party risk management practices.
- Cybersecurity Awareness: Evaluate training programs for staff and staff performance during the training.
- Documentation: Compare your written policies to your written procedures and look at your monitoring and patching reports.
- Results of Remediation: Review audit findings from the prior year and determine if those remediations have been met expediently.
For more information about what is required, check out this guide from the FFIEC.
How Much Should You Pay for an Outside IT Audit for Your Bank?
How much you pay will depend entirely on the size and scope of your financial institution, the complexity of your IT operations, and the number of findings from the previous year that need to be checked. Generally, we usually tell our clients that most outside auditors will charge approximately $10,000 to $25,000 for a yearly review.
What Can I Do to Prepare my IT Infrastructure for Regulatory Review?
The more you have done in advance, the faster your audit will go, and hopefully, the fewer hours your consultants will burn. If your community bank or credit union is small or mid-sized, we recommend starting the preparation process about two months before your audit begins. Larger institutions may need as much as three to six months to prepare.
Specifically, we recommend you take these steps:
#1—Perform a Risk Assessment
Conduct a thorough risk assessment to identify critical assets, threats, and vulnerabilities. If you can, now would be a great time to hire a cybersecurity firm (like Integris) to conduct a PEN test. Do it far enough in advance that you’ll have time to remediate anything you find—before auditors begin their work.
#2—Review, Update, and Print all IT Policies and Procedures
Review and update cybersecurity policies, procedures, and incident response plans. Have you added new tools and processes this year? Ensure all your processes and policies are in alignment, in writing, and ready to produce for auditors.
#3—Documentation
Gather relevant documentation, including security logs, network diagrams, patching reports, service reports, scores from employee cybersecurity training, and access controls.
#4—Check Last Year’s Audit Findings
Ensure that any findings from your previous audit have been remediated and provide proof and documentation. If a remediation is still in process, prove that significant progress has been made.
How Long Should the Audit Process Take at My Bank?
While they can sometimes be done faster, we recommend you schedule approximately two months for the audit process from start to finish. Here are the steps you can expect:
#1—Entrance Meeting
The audit team meets with senior IT management to discuss the audit scope, objectives, and timeline. At this time, you’ll want to discuss the documentation you have available, any permissions they may need, who they’ll need to interface with during their fieldwork, and any remediations you’ve already completed as a result of last year’s exam. Your auditors must build in time to digest what you tell them and create a timeline for their fieldwork.
#2—Fieldwork & Testing
They’ll assess controls, interview staff, and review documentation during this time. They’ll evaluate your vulnerability management, access controls, and incident response. This process generally takes about one to two weeks.
#3—Exit Meeting:
Your auditors will need another week or two to assemble their findings into a written report that can be sent to regulators. They will present findings, recommendations, and areas for remediation.
What Happens After the Audit?
Your financial institution should act promptly on the roadmap your audit provides you. It’s important to note that banks generally don’t “fail” their audits. Instead, banks receive a list of remediations. A “good” result has few findings. While many findings can be addressed in 30 to 90 days, many can take years to solve. If this has happened to your organization, don’t worry. It’s normal!
After your audit, you’ll want to:
- Create a timeline for addressing the findings and setting aside a budget or resources to complete the job.
- Revise policies and procedures based on any new remediations you make
- Embrace the opportunity for continuous improvement by enhancing your cybersecurity practice and investments.
All this work can be exhausting, but it’s important to remember that compliance is a 365-day-a-year job. Your team is always working on your cybersecurity operation, and your audit is really only an expression of that. It’s a great way to take your system’s temperature and determine if your infrastructure is ready for the big goals your organization has set. It offers information you can grow on.
Looking for a handy cybersecurity compliance guide, you can print out? Check out this publication from the FFIEC.
Your Audit Is Only as Good as Your Preparation. Trust it to Experts Who Understand Banking.
At Integris, we don’t perform regulatory audits. However, we have spent decades helping hundreds of banking clients navigate the documentation demands and testing hurdles that come with their exams. We’d love to help you develop a proactive plan for attacking your audits. Contact us if you’d like to discuss it.
