The FDIC’s Information Technology Risk Examination (InTREx) Program is the FDIC’s current set of examination procedures for information technology and IT operations. Originally introduced in 2016, InTREx takes a risk-based approach to examining IT. By focusing examiner procedures on areas of elevated risk identified from the institution’s IT Profile, the program should lead to a more efficient engagement for both the institution and the examiners.
At the end of the InTREx examination, a composite rating based on the Uniform Rating System for Information Technology (URSIT) of the Federal Financial Institutions Examination Council (FFIEC) is produced to quantify the effectiveness of the institution’s IT risk management practices and its overall IT condition.
Let us delve deeper into the different components of the InTREx Program.
The Information Technology Profile (ITP) questionnaire, used to scope the examination, will be provided to the institution approximately 90 days before a scheduled examination. The ITP contains 29 questions which will assist the examiner with scoping the examination procedures.
Approximately 45 days prior to the examination, an IT request letter will be provided listing the items the examiners will need to review. This listing will be scoped based on the ITP responses.
The InTREx examination core modules, defined by the FFIEC’s URSIT methodology, cover the following four IT functions: Audit, Management, Development & Acquisition, and Operations & Maintenance.
A URSIT component rating is assigned to each of these modules as part of the InTREx examination, and these component ratings are then used to develop an overall composite rating.
URSIT ratings are on a scale of 1 to 5, with 1 being the highest rating (the least degree of supervisory concern) and 5 being the lowest rating (the greatest degree of supervisory concern). The examination procedures for each of the core modules are based on the FFIEC IT work programs associated with the functions listed above.
Additionally, workpapers covering Cybersecurity Preparedness and Information Security Standards are included in the program. The workpaper results are not assigned a URSIT rating, but comments on adherence to the Information Security Standards and on Cybersecurity Preparedness are included in the final report. The URSIT ratings, comments, and management action plans are used by the FDIC to determine the degree of ongoing supervisory oversight for IT functions.
To prepare for an FDIC InTREx examination, institutions should perform the following steps.
As a general practice, management, auditors, and compliance officers at financial institutions should be familiar with the FFIEC IT Examination Procedures and the Cybersecurity Assessment Tool, as they form the core of many IT-related examinations at financial institutions (such as the InTREx Program). Incorporating FFIEC guidance into internal audit programs can help prevent surprises at examination time.
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].