Fast, easy and intuitive control audits
Doing a risk assessment and developing a credit union or bank risk management plan is only one part of the challenge of keeping data safe and secure and meeting compliance requirements. As required by the FFIEC, you then must audit your information controls and reexamine them semiannually, annually, or even more often, based on the criticality of the risk. That used to be a tough, time-consuming task. With Scout it’s intuitive, easy and highly automated. Here’s how:
- Scout automatically generates a control audit schedule using information from your risk assessment and FFIEC guidelines. Change a risk rating or an information asset and Scout immediately updates the audit schedule.
- Scout automatically defines the scope of the controls audit, telling you when and where to perform preventive reviews and system checks.
- You’ll always know which control audits your examiner expects. Plus, Scout allows you to track audit activity, with notes about when controls were tested and by whom—creating well-organized logs your examiner will appreciate.
Think about it. No more relying on memory or paper files to trigger the necessary audit activities. Scout gives you the big picture so you can plan and budget for future events.
Take the time and worry out of exams and audits
Institutions are required to audit their information controls based on the extent of risk identified in the risk assessment. For example, a control that is mitigating a high risk will need to be reevaluated more frequently than controls that impact low-risk threats. The results of these audits must be presented to boards of directors annually.
Most financial institutions can improve their information controls audits by focusing on four key areas:
- Document, document, document
And then document some more. Make sure that every control reviewed is thoroughly documented. Auditors or internal examiners will want to see what was done in previous years and will expect that such documentation is part of your permanent records. Documentation also makes it easy to demonstrate follow-through on previous audit report recommendations. If you agreed with a recommendation, you need to show who was assigned the task internally and when and how the recommendation was implemented. If you disagreed with a recommendation, you need to document the reasons for your disagreement. Also, make sure you document at the time the action was taken. That’s a lot easier than attempting to reconstruct your reasoning months later when an audit report is coming due.
- Get an outside perspective
One purpose of information controls audits is to identify where controls are inadequate or needed controls are missing. That’s why periodically getting an outside perspective on your information controls is helpful. Sometimes, internal staff are a little too close to the issue to have the needed perspective for this. A fresh set of eyes can help you assess your information controls in new and more insightful ways, especially when it comes to identifying new controls that are often all too easy for internal personnel to overlook. An independent banking or risk management specialist who is tied into the changing regulatory, industry and information security scene is an appropriate candidate for such a task. An external review is not required but is highly recommended at least every third year.
- Don’t audit yourself
While it may seem obvious, it’s important that information controls are audited by someone other than the person responsible for those controls to avoid any conflict of interest. If you were responsible for the risk assessment or the IT department and therefore IT controls, turn the job over to someone independent of the process. If you don’t have someone on staff who is both independent of the process and knowledgeable about risk assessments and IT, you might want to outsource the job to an external auditing firm.
- Report in the right ways
The results of information controls audits must be reported to boards annually. As with other types of risk management activities, little guidance is available to compliance officers when it comes to the right way to do this. Don’t burden boards with eye-glazing spreadsheets and page after page of lists. Instead, provide them with a short summary of the controls you reviewed, any inadequacies you found, the corrective actions you took, and recommendations for improving any controls where improvement is needed.