“Documentation”, or more specifically, the lack thereof, has accounted for nearly all the IT examination findings I've seen in the past year to year and a half in community financial institutions.

In other words, the financial institution's policies and procedures were satisfactory, but their documentation to demonstrate that actual practices followed policy and procedure was either non-existent or insufficient.

Written policies begin the process, and they must always have regulatory guidance as their target. Policies should track guidance precisely; if guidance states that you should or must do something, your policies should state that you do, or you will.

If policies are “what” you do, written procedures are the “how”. And just as policies align with guidance, procedures should flow logically from, and align with, your policies.

For example, your information security policy states (among other things) that you will protect the privacy and security of customer information. Your procedures contain the detailed steps (or controls) that you will take to prevent, detect and correct unauthorized access to, or use of, customer information, i.e., securing the perimeter of your network, updating server and workstation patches, installing and updating anti-virus, etc.

So you have the “what” and the “how”, but as I mentioned previously, the vast majority of audit and examination findings in the past couple of years were due to deficiencies in the third area: actual (documented) practices. And this is where technology can be of tremendous assistance.

Auditors and examiners much prefer automated systems to manual systems. Automated systems don't forget, or get too busy, or take vacations or sick days. They aren't subject to human error or inconsistencies. In fact, some processes like firewall logging, normalization and analysis are virtually impossible to implement manually because of the sheer volume of data generated by these devices.

While other areas like patch management and anti-virus updates are possible to implement manually, auditors much prefer automated processes because they ensure policies are applied in a consistent and timely manner.

Perhaps the biggest boost to your compliance efforts from technology is in the area of reporting, and specifically, automated reporting. In today's compliance environment, if you can't prove you're following your procedures, the expectation from the examiners is that you aren't.

This is the main area that has evolved more than any other in recent years: Automated reporting provides documentation without human intervention, which eases the burden on the network administrator. Auditors (internal and external) and examiners also like automated reporting because they have a higher confidence in the integrity of the data. The IT Steering Committee likes it because it is much easier to review and approve reports prepared and presented in a standardized format.

So technology enables automation, and automation enhances compliance. Even though technology can simplify the compliance process, it also greatly increases the volume of information available to management and directors for planning and decision-making. According to the FFIEC, in order to be useful this information must be:

  • Timely
  • Accurate
  • Consistent
  • Complete, and
  • Relevant

A compromise in any one of these elements can also compromise management's ability to make prudent and timely business decisions. Make sure that your institution has the expertise necessary to collect, interpret and present the data in a way that allows management to have confidence that your policies, procedures and practices are all in perfect alignment.

Tom Hinkel is Director of Compliance with Safe Systems Inc. in Alpharetta, Ga.