The regulatory examination: Few combinations of words are so effective at inspiring a cold sweat in even the most prepared credit union.

Increased regulatory oversight is the new normal in the post-financial crisis age. And along with new rules and regulations comes an increased focus on the methodology employed by institutions. For a credit union just trying to succeed in the business of banking, the increased scrutiny can add up to a lot of extra work. Oh, and by the way, regulators still expect financial institutions to be profitable, too.

But the process doesn't have to be a nightmare. Remember, exams are a part of life for financial institutions. Instead of an intrusion in your daily routine, they can serve to validate your efforts as well as management's commitment to your corporate culture. Of course, no two regulatory bodies, or examiners, are created equal. Nevertheless, there are a few preparation steps common to all examinations.

In this checklist, we'll cover eight steps to preparing for a better IT exam.

1. Resolve any prior written examination findings

The worst possible thing from an examiner's perspective is to have to repeat findings from one exam cycle to the next. From an examiner's point of view, repeat offenses mean one of two things: Either your institution didn't take the finding seriously the first time or you haven't put sufficient effort into the remediation process. Either way, it also reflects poorly on management.

2. Resolve any prior verbal observations

Verbal observations might not be as formal as written findings, but they can be just as important. During the exam process, the examiner may suggest certain items that they'd like to see your institution improve or implement in the future. While these things aren't listed on the final report as a finding, they may still appear in the examiner's work papers and get carried over to future exams. If it's worth an examiner's time and attention to make the verbal observation, it might be worth your institution's time and effort to address it, even if your response is, “We acknowledge the examiner's observation, but …”

3. Complete your IT audit at least 90 days before an exam

Although it's difficult to pin down an exact date for your next exam, the general rule is that examiners work on a six-, 12- or 18-month cycle. You already know your rotation and the examiner's approximate return date. Keep this in mind when scheduling an IT audit. One of the first things the examiner will want to see is your last audit. The key is to make sure to leave enough time to address any audit findings before the examiner arrives.

4. Update and board-approve all policies

Nothing says lack of preparation quite like playing by the old rule book. Be sure to check all policies prior to an examination and update them as needed. This includes policies that you simply need to tweak from year to year, as well as the incorporation of any new regulatory changes into existing policies, and the addition of altogether new policies. Be sure to get board approval for all changes prior to the exam; otherwise, only your older, last board-approved policies will apply.

5. Complete all awareness training

Whether you need to update your members, your board or your staff on new policies and procedures, it's good to start that process well in advance of an exam. Even better, conduct any necessary training ahead of the IT audit. This will give the credit union ample time to ensure everyone is on the same page in terms of policy education and awareness. And if an examiner interviews an employee about a particular procedure, they are more likely to remember it. In fact, many examination findings are caused by employee unfamiliarity with existing policies and procedures, not any actual policy deficiencies.

6. Show your work

Building on the previous concept, another common category of examination findings is when actual practices deviate from policies and procedures. In other words, you can't prove that you are actually doing what your policies say you're doing, even if you are following them to the letter. Make sure all board and senior management minutes and committee meetings (IT, audit, loan, etc.) are fully documented and up-to-date. Regulators expect policies, procedures and practices to be in perfect alignment, and the only acceptable verification for this is documentation. Remember, the assumption is if it isn't documented, it didn't happen.

7. Management involvement

This goes hand-in-hand with showing your work. Regulators now expect the board and senior management to take more active roles in the day-to-day affairs of the institution, and routinely ask to see board and committee meeting minutes. They expect that strategic goals and objectives be clearly communicated from the top down, and that all new and existing initiatives align with those goals. Again, documentation is key here. Furthermore, the ability to identify weaknesses and correct them internally prior to an external audit is one of the hallmarks of a well-run institution. Internal control self-assessments are the best way to achieve this.

8. Complete any testing

Whether it's business continuity tests, penetration testing or incident response testing, it is a good strategy to conduct it prior to an examiner's visit. And just as with audits, build a little extra lead time into it in case testing uncovers any potential weaknesses in your policies or procedures that need to be updated. Third-party review of test results prior to the exam is a plus, but not absolutely necessary.

The reality of the examination process is that you will probably never have a perfect exam in the sense that you'll have zero findings. In today's environment of increased scrutiny, that's expected. However, by following these steps and documenting the process, you'll be better prepared to respond to regulators' findings if they do occur. In those cases where you feel compelled to push back on a finding, documentation becomes the foundation of a successful defense.

Recent client survey data indicates that fewer than one-third of financial institutions challenge an examiner's findings. But of those that do, two-thirds are successful in amending or removing a finding in the examiner's final report. In these cases, preparedness and documentation have resulted in direct improvements to those financial institutions' outcomes.

If your institution is looking to build a stronger compliance program, you might want to consider the sort of reporting, documentation and IT management support you'll need to add depth to your pre- and post-exam and audit efforts.

Tom Hinkel is director of compliance for Safe Systems Inc. in Alpharetta, Ga.

© 2024 ALM Global, LLC, All Rights Reserved.