After the FDIC OIG InTREx audit report: Implications and next steps for banks

May 23, 2023 Article 5 min read
Authors:
Colin Taggart
The FDIC Office of Inspector General’s audit report of the InTREx program identifies some serious concerns. After reviewing the report’s recommendations, we summarize key findings and share our recommendations for banks.
In January, the FDIC Office of Inspector General (OIG) issued an audit report on the implementation of the FDIC’s Information Technology Risk Examination (InTREx) program. The audit identified some serious concerns, which could prompt another significant overhaul of the approach IT examiners follow in the near future.

Our team reviewed the 19 recommendations in the FDIC OIG audit report. Below, we summarize the key concerns, including the potential impact on bank exams in upcoming years, and share our recommendations for financial institutions. Banks regulated by the FDIC, as well as those not directly examined by the FDIC, should monitor upcoming plans for resolving the issues uncovered with the InTREx program, since changes to the FDIC’s approach may coincide with exam plan changes at the Federal Reserve Board, state examiners, the National Credit Union Administration (NCUA), and/or the Office of the Comptroller of the Currency (OCC).

Overview of OIG InTREx audit findings

The concerns identified in the OIG audit report center on the InTREx approach itself as well as larger issues with the IT exam environment. For each issue noted, the OIG returns to the same risk statement: the FDIC may not be able to complete effective exams, so weak security practices at a bank could go undetected across its exam cycles.

While strong independent security assessments help identify security concerns and recommendations, the OIG’s comments suggest that independent audits may be the only in-depth assessment many banks receive each year. Banks have voiced similar concerns with the InTREx approach in recent years; now the OIG’s comments are likely to lead to major changes in the approach IT examiners follow.

Updated guidance

The InTREx program was originally adopted in June 2016, and InTREx Interagency Committee members have stated that updates to Federal Financial Institutions Examination Council (FFIEC) guidance are the primary driver for updating the program. However, the FFIEC has published multiple updates to its booklets and related guidance in the last few years, and the National Institute of Standards and Technology (NIST) has updated the Cybersecurity Framework, yet the InTREx program hasn’t incorporated these updates. (As a parallel, imagine switching multiple key applications and adding several new locations over the last few years without ever updating your Business Continuity Plan.)

Any regulatory update of this kind takes significant time. There is a constant arms race between the latest attack tactics, the feasibility of financial institutions implementing the latest security controls, and the trailing regulatory updates that eventually require those controls. Because the InTREx program goes through its own separate update process only after the FFIEC and NIST updates are complete, InTREx exams end up focusing on risks from more than five years ago and fall short of confirming how institutions are protected from the threats of 2023.

Our recommendation

Continue to monitor FFIEC updates for new regulatory releases, but in areas where guidance hasn’t been updated in multiple years, banks should look to other industries and frameworks — NIST, state regulations, etc. — to ensure their financial institution is appropriately addressing current risks.

OIG InTREx audit findings: Lack of communication and training for examiners

While the InTREx program was updated once, in 2019, the changes weren’t clearly communicated to examiners. No official guidance was released, links within the internal tools still pointed to 2016 material that had been replaced, and sampled exams were found to have followed the older approach. Given these findings, even if the official InTREx approach had been updated multiple times in the last few years, the updates may not have been consistently incorporated into exams.

The FDIC’s own risk assessment noted a key concern — the risk of not being able to maintain sufficient IT subject matter experts (SMEs) due to higher resignation rates in 2021 and 2022 as well as a significant number of SMEs eligible for retirement in upcoming years (64% of Advanced IT SMEs by 2027).

Similarly, 42% of examiners cited insufficient training as a material challenge in conducting IT examinations. The FDIC and OIG comments regarding lack of training and expertise are likely the root cause of many of the other findings in the report. Coupled with the current cybersecurity job market, this is a particularly difficult problem to solve.

Our recommendation

Continue to focus on cross-training and succession planning efforts to ensure bank teammates can support evolving security responsibilities.

OIG InTREx audit findings: Incomplete exam procedures with no secondary review process

In 70% (seven of 10) of the sampled IT examinations, FDIC examiners didn’t document the work performed for required procedures. Unsurprisingly, given that rate of undocumented work, the OIG also confirmed the lack of a strong secondary review process for IT exams.

With roughly 3,000 banks regulated by the FDIC in the last few years, that is a staggering amount of required but undocumented exam work. For the sampled exams, the OIG noted that changes to the component URSIT ratings could have lowered the composite URSIT ratings and, in turn, the CAMELS composite ratings.

Especially in the current economic climate, the risk that weak IT exams produce inaccurate CAMELS ratings is likely to drive significant course-correcting improvements to the exam process. Expect more in-depth InTREx exams in upcoming years, as supervisors will be paying closer attention to whether exam procedures are actually being completed.

Our recommendation

Banks should self-assess where IT controls may need some formalization prior to the next exam cycle — even controls that have passed previous exams.

Expect upcoming InTREx changes

In its published report, the OIG noted that the FDIC plans to address 14 of the recommendations by Dec. 31, 2023. To meet this schedule, significant changes are likely in the coming months, so 2023 exams could look drastically different depending on the time of year your exam is scheduled.

Our recommendation

Closely monitor regulatory updates and stay in touch with your examiners, IT auditors, and peers regarding changes in exam requirements in the next few months.

Whether significant changes are made to IT exams in 2023 or upcoming years, don’t wait for your next exam. Banks should be proactive in testing — through IT audits, security assessments, penetration testing, and other methods — and ensuring their controls address current cybersecurity threats.

You can find the full FDIC OIG audit report on the OIG website.