“Documentation” or more specifically, the lack thereof, has accounted for nearly all the IT examination findings I’ve seen in the past year to year and a half in community financial institutions.
In other words, the financial institution’s policies and procedures were satisfactory, but their documentation to demonstrate that actual practices followed policy and procedure was either non-existent or insufficient.
Written policies begin the process, and they must always have regulatory guidance as their target. Policies should track guidance precisely; if guidance states that you should or must do something, your policies should state that you do, or you will.
If policies are “what” you do, written procedures are the “how”. And just as policies align with guidance, procedures should flow logically from, and align with, your policies.
For example, your information security policy states (among other things) that you will protect the privacy and security of customer information. Your procedures contain the detailed steps (or controls) that you will take to prevent, detect and correct unauthorized access to, or use of, customer information, e.g., securing the perimeter of your network, updating server and workstation patches, installing and updating anti-virus, etc.
So you have the “what” and the “how”, but as I mentioned previously, the vast majority of audit and examination findings in the past couple of years were due to deficiencies in the third area: actual (documented) practices. And this is where technology can be of tremendous assistance.
Auditors and examiners much prefer automated systems to manual systems. Automated systems don’t forget, or get too busy, or take vacations or sick days. They aren’t subject to human error or inconsistencies. In fact, some processes like firewall logging, normalization and analysis are virtually impossible to implement manually because of the sheer volume of data generated by these devices.
While other areas like patch management and anti-virus updates are possible to implement manually, auditors much prefer automated processes because they ensure policies are applied in a consistent and timely manner.
Perhaps the biggest boost to your compliance efforts from technology is in the area of reporting, and specifically, automated reporting. In today’s compliance environment, if you can’t prove you’re following your procedures, the expectation from the examiners is that you aren’t.
This is the area that has evolved more than any other in recent years: automated reporting provides documentation without human intervention, which eases the burden on the network administrator. Auditors (internal and external) and examiners also like automated reporting because they have a higher confidence in the integrity of the data. The IT Steering Committee likes it because it is much easier to review and approve reports prepared and presented in a standardized format.
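The following script is an added illustration of the kind of automated report described above; it is not code from the article or from Safe Systems. It takes a constructed patch-status inventory (hostnames, dates and counts are invented), checks each host against a hypothetical written procedure (every host patched within 30 days, no critical patches missing), and renders the result in a fixed layout with a SHA-256 digest of the report body so a reviewer can confirm the archived copy matches what the system produced. Hosts with no data are reported as UNKNOWN rather than silently passed, since a gap in evidence is exactly what an examiner will ask about.

```python
"""Automated patch-compliance evidence report (added illustration).

Reads a constructed inventory export, evaluates it against a hypothetical
procedure parameter, and produces a standardized, hash-stamped report.
"""
import hashlib
from datetime import date, datetime

# Constructed sample data resembling a patch-management system export.
# All hostnames, dates and counts are invented for this example.
SAMPLE_INVENTORY = [
    {"host": "srv-core-01", "last_patched": "2010-03-02", "missing_critical": 0},
    {"host": "srv-mail-01", "last_patched": "2010-01-15", "missing_critical": 3},
    {"host": "srv-file-01", "last_patched": "2010-01-20", "missing_critical": 0},
    {"host": "wks-teller-07", "last_patched": "2010-02-28", "missing_critical": 0},
    {"host": "wks-loan-02", "last_patched": "", "missing_critical": 5},  # never reported in
]

# Hypothetical procedure parameter: maximum days since the last successful patch cycle.
MAX_PATCH_AGE_DAYS = 30

# Constructed reporting date used by the stand-alone run below.
REPORT_AS_OF = date(2010, 3, 10)


def evaluate_patch_compliance(inventory, as_of, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return one finding per host as (host, status, reason).

    status is "PASS", "FAIL" or "UNKNOWN". Missing data is never treated as a
    pass; it is surfaced as its own category for management to explain.
    """
    findings = []
    for rec in inventory:
        host = rec["host"]
        if not rec.get("last_patched"):
            findings.append((host, "UNKNOWN", "no patch date reported"))
            continue
        last = datetime.strptime(rec["last_patched"], "%Y-%m-%d").date()
        age = (as_of - last).days
        missing = rec.get("missing_critical", 0)
        if missing > 0:
            findings.append((host, "FAIL", f"{missing} critical patches missing"))
        elif age > max_age_days:
            findings.append((host, "FAIL", f"last patched {age} days ago (limit {max_age_days})"))
        else:
            findings.append((host, "PASS", f"last patched {age} days ago"))
    return findings


def summarize(findings):
    """Count findings by status for the report header."""
    counts = {"PASS": 0, "FAIL": 0, "UNKNOWN": 0}
    for _, status, _ in findings:
        counts[status] += 1
    return counts


def render_report(findings, as_of):
    """Return (report_text, digest).

    The body is laid out identically every period so reviewers can compare
    reports quickly; the SHA-256 digest appended at the end lets them verify
    that an archived copy has not been altered since generation.
    """
    counts = summarize(findings)
    lines = [
        f"PATCH COMPLIANCE REPORT  as of {as_of.isoformat()}",
        f"Procedure: all hosts patched within {MAX_PATCH_AGE_DAYS} days, 0 critical patches missing",
        f"Totals: PASS={counts['PASS']} FAIL={counts['FAIL']} UNKNOWN={counts['UNKNOWN']}",
        "",
    ]
    for host, status, reason in sorted(findings):
        lines.append(f"{host:<16}{status:<9}{reason}")
    body = "\n".join(lines) + "\n"
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return body + f"SHA-256: {digest}\n", digest


if __name__ == "__main__":
    results = evaluate_patch_compliance(SAMPLE_INVENTORY, REPORT_AS_OF)
    text, _ = render_report(results, REPORT_AS_OF)
    print(text)
```

In practice the inventory would come from the patch-management system's export rather than a literal in the script, and the generated report and its digest would be filed with the IT Steering Committee minutes as the evidence that procedure was followed for that period.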
So technology enables automation, and automation enhances compliance. Even though technology can simplify the compliance process, it also greatly increases the volume of information available to management and directors for planning and decision-making. According to the FFIEC, in order to be useful this information must be:
- Complete, and
A compromise in any one of these elements can also compromise management’s ability to make prudent and timely business decisions. Make sure that your institution has the expertise necessary to collect, interpret and present the data in a way that allows management to have confidence that your policies, procedures and practices are all in perfect alignment.
Tom Hinkel is Director of Compliance with Safe Systems Inc. in Alpharetta, Ga.