OIG Assesses FDIC’s Implementation of IT Risk Examination Program


The Federal Deposit Insurance Corporation’s Office of Inspector General conducted an audit to assess whether FDIC’s Information Technology Risk Examination (InTREx) Program can effectively evaluate and address cybersecurity and IT risks at banks and other financial institutions. The office offered several recommendations to address the weaknesses found in the program.

OIG said Wednesday it found that FDIC’s InTREx program is out of date and does not reflect federal frameworks and guidance for three of the program’s four core modules.

According to the report, FDIC failed to offer guidance to its examiners after changes were made to InTREx.

Other shortcomings cited include that FDIC does not provide training to reinforce program procedures and promote consistent completion of IT examination procedures and decision factors. In addition, the audit found that FDIC did not adopt a supervisory process to assess IT workpapers prior to the completion of the examination.

The OIG report presented 19 recommendations for FDIC to address these weaknesses, including updating and implementing the InTREx program to reflect current IT and cyber risks and guidance; communicating updates to the InTREx program to examiners in a timely manner; and developing and implementing control mechanisms to ensure that examiners complete examination procedures and decision factors.

Other recommendations include providing refresher training to reinforce InTREx program procedures; developing and implementing metrics and indicators to determine the program’s effectiveness; and creating a process to gather and analyze relevant data regarding the program.
