The compliance burden on critical IT staff can be crippling. Tracking the moving target of regulatory requirements is a full-time job for some, and seems to be a game of catch-up rather than the proactive approach preferred by auditors and examiners.

There is a process that can facilitate early identification of emerging or changing risks in order to more effectively manage compliance requirements: the control self-assessment (CSA) process. Properly implemented, the CSA process is an extremely effective risk management tool.

Implementing a CSA process is highly recommended by the FFIEC, earning plenty of regulatory support with 43 mentions in seven of the 12 FFIEC IT Examination Handbooks. But the Information Security Handbook makes the most compelling argument for utilizing CSA in your risk management program:

Control self-assessments validate the adequacy and effectiveness of the control environment. They also facilitate early identification of emerging or changing risks.

All of the major auditing standards bodies (IIA, AICPA, ISACA) also address the importance of internal control reviews. Most auditors say institutions with an internal CSA process in place demonstrate a more-evolved risk management process, resulting in fewer and less severe audit findings. This stands to reason, as a dedicated internal CSA process identifies and corrects control weaknesses prior to audit, as opposed to waiting for the auditor to identify them.

From the examination perspective, credit unions should institute a CSA process in order to maximize their IT composite ratings. One of the biggest differentiators between a “1” and a “2” is an institution's ability to identify weaknesses promptly and take appropriate corrective measures to resolve the concerns.

Granted, the last thing you need is another resource-draining committee. Fortunately, the framework could already be in place through your IT or Tech Steering Committee. Chances are this committee already consists of members representative of all functional units within the organization.

The committee has the support of senior management, and is empowered to report on all risk management controls. All that's needed is a standardized agenda to follow. The only possible difference between this agenda and the standard IT committee agenda is that any and all findings in the gap analysis must be assigned to a responsible party for remediation.

IT Enables the Process

Credit unions should look to automate IT reporting systems to seamlessly incorporate the CSA process. Automated systems aren't subject to human error or inconsistencies, and they don't take vacations or sick days, making them more accurate, consistent and up to date.

Both auditors and examiners prefer automated reporting because they have a higher degree of confidence in the accuracy and integrity of the data. According to the FFIEC, IT systems should be designed and managed to “provide accurate, timely reports to management. These reports serve as the basis of major decisions and as an effective performance-monitoring tool.”

The FFIEC strongly encourages a control self-assessment process, and for most institutions it's not too difficult to implement and administer. Simply add an automated IT reporting capability and you have a very powerful toolset for achieving higher URSIT scores.

Since higher URSIT scores contribute to higher CAMEL scores (and potentially lower deposit insurance assessment rates), everyone from your examiners to your board of directors and shareholders will see the benefits.

Tom Hinkel is director of compliance with Safe Systems Inc. in Alpharetta, Ga.

© 2024 ALM Global, LLC, All Rights Reserved.