The FDIC’s Information Technology Risk Examination (InTREx) Program is its current set of procedures for examining information technology and IT operations. Originally introduced in 2016, InTREx takes a risk-based approach to IT examinations. By focusing examiner procedures on areas of elevated risk identified from the institution’s IT Profile, the program is intended to make the engagement more efficient for both the institution and the examiners.
At the end of the InTREx examination, a composite rating based on the Uniform Rating System for Information Technology (URSIT) of the Federal Financial Institutions Examination Council (FFIEC) is produced to quantify the effectiveness of the institution’s IT risk management practices and its overall IT condition.
Let us delve deeper into the different components of the InTREx Program.
The Information Technology Profile (ITP) questionnaire, used to scope the examination, is provided to the institution approximately 90 days before a scheduled examination. The ITP contains 29 questions that assist the examiner in scoping the examination procedures.
Approximately 45 days prior to the examination, an IT request letter is provided listing the items the examiners will need to review. This list is scoped based on the ITP responses.
The InTREx examination core modules, defined by the FFIEC’s URSIT methodology, cover the following four IT functions: Audit, Management, Development & Acquisition, and Operations & Maintenance.
A URSIT component rating is assigned to each of these modules as part of the InTREx examination, and these component ratings are then used to develop an overall composite rating.
URSIT ratings are on a scale of 1 to 5, with 1 being the highest rating (least supervisory concern) and 5 being the lowest rating (most supervisory concern). The examination procedures for each of the core modules are based on the FFIEC IT work programs associated with the functions listed above.
Additionally, workpapers covering Cybersecurity Preparedness and Information Security Standards are included in the program. The workpaper results are not assigned a URSIT rating, but comments on adherence to the Information Security Standards and on Cybersecurity Preparedness are included in the final report. The URSIT ratings, comments and management action plans are used by the FDIC to determine the degree of ongoing supervisory oversight for IT functions.
To prepare for an FDIC InTREx examination, institutions should perform the following steps.
Review the InTREx work program.
Review the FFIEC IT Examination Procedures for the InTREx core modules.
Complete the FFIEC Cybersecurity Assessment Tool and identify a target maturity level.
As a general practice, management, auditors, and compliance officers at financial institutions should be familiar with the FFIEC IT Examination Procedures and the Cybersecurity Assessment Tool, as they form the core of many IT-related examinations at financial institutions (such as the InTREx Program). Incorporating FFIEC guidance into internal audit programs can help prevent surprises at examination time.
Ask Schneider Downs Cybersecurity Advisors or your Schneider Downs representative about how to prepare for IT-related examinations (including InTREx) that might impact your institution or organization.