Be Prepared For Increased IT Scrutiny From Examiners
Regulators are no longer allowing the size of an institution to affect the depth of their examinations and severity of the penalties. More than ever before, examiners are demanding that even small institutions strictly adhere to rules and regulations that formerly were applied only to larger institutions.
As an information technology consultant for financial institutions nationwide, I see more and more evidence of increased scrutiny by examiners at institutions of all sizes, including relatively small community institutions that were formerly given a little slack. The result could be unnecessary corrective action costs and a damaged reputation. The good news is that most, if not all, of the problems easily can be avoided with a little proactive planning.
Examiners To Have IT Certification
We have observed that the OTS is now having its examiners obtain a high-level IT certification, equivalent to that held by IT engineers. They are being trained to look harder than ever before at IT systems to uncover more detailed information. Based on feedback from our more than 500 financial institution clients, examiners are focusing on several key areas, including information security, business continuity and compliance.
A case in point is a relatively small ($43-million) credit union from which we recently received a call for assistance following a regulatory examination. With just eight employees and two file servers, this credit union thought it was safe from harsh federal scrutiny of its security and compliance practices. Ignoring its small size, the examiner dug deep and tore apart its operations, finding many deficiencies. Most of the deficiencies easily could have been corrected prior to the exam. Now it faced the expense of quickly making the mandated changes and the embarrassment of explaining to its board and members why the audit report was so negative. This example is being repeated every day and serves as a red-flag warning to other small institutions.
The First Step
Avoiding unnecessary negative items in an IT audit report is relatively simple. The first step is to obtain a professional, third-party "IT Risk Assessment" well in advance of an audit. This risk assessment examines and evaluates the institution's IT security policy and practices. It assesses how these measure up to the current, complex regulations, identifies potential audit issues, and prioritizes and recommends corrective actions. Adjustments can then be made in a practical, judicious and cost-effective manner, and investments can be made in the infrastructure and processes that will result in a more secure, productive environment and a cleaner audit. As a bonus, when examiners find a secure, well-maintained IT environment, their overall confidence in the institution rises, and that is normally reflected in their report.
Corrective action should be taken in a reasonable, cost-effective manner before the examination. This will reduce costs and ensure a cleaner audit report. The examiners are reassured, the board is pleased and your reputation in the community is intact. Financial institutions need to be proactive and prepare now for the increased regulatory scrutiny that is upon us.
Romir Bosu is president of Compushare, a provider of IT integration, consulting and support services to community financial institutions nationwide. For more information, visit www.compushare.
The Credit Union Journal welcomes and encourages reader input on our editorial pages. If you have a viewpoint to share, e-mail fdiekmann