IT Examiner School, Seaside, CA

D & A ties to Vendor Management

• Most financial entities purchase or lease software and hardware
• Standards should be required for dealing with vendors for these products (Vendor Management Program)
• Requirements via policies and procedures for ensuring software and hardware are properly maintained
  – Get updates from vendors
• Review process for technology
  – Determining IT goals and objectives are being achieved
  – IT solutions working and change management procedures are in place
• Management is working with vendors for updates

D&A Control Practices

• Management must properly assess key risks to implement the right controls
• Controls need to focus on the practices used to protect the entity
• Controls need to be written and ensure the entity’s staff follows such controls (testing through audits)
• Controls, like software, need to be re-evaluated regularly

– Appropriate guidance and standards for ALL activities
– Tailored to the organization’s unique characteristics
– Provide for appropriate training
– Reviewed and approved at least annually by the Board, documented in the Board minutes
