IT Examiner School - Oct 2025
6) Identifying critical services and recovery attributes.
7) Assessing the completeness and effectiveness of recovery physical testing including testing method, cadence, last test dates, and results.
8) Determining if the bank has effectively demonstrated the ability to physically recover critical services.

v. Assessment of the effectiveness of vendor management and service provider oversight programs. Determine whether the bank:
1) Exercises appropriate due diligence in selecting its service providers.
2) Requires its service providers by contract to implement appropriate measures consistent with Part 364, Appendix B.
3) Monitors its service providers to confirm that they have satisfied their contractual obligations. As part of this monitoring, an institution should review audits, summaries of test results, or other equivalent evaluations of its service providers.

IT Examination Ratings: Examiners should assign a summary or composite Uniform Rating System for Information Technology (URSIT) rating based on the overall results of the evaluation. Component Ratings will not be assigned.¹ Component ratings are to be entered as zeroes in ViSION.

Report of Examination: A summary of the overall condition of the IT function consistent with the assigned Composite URSIT rating should be included on the Examination Conclusions and Comments page. Comments specific to the Information Security Program and Cyber Security Preparedness are still required under these procedures. In cases where significant IT issues are identified, please consult with the supervisory examiner, field or territory supervisor, or Regional Office regarding expanding the examination scope and the report of examination treatment. When recommendations are made, they should be accompanied by management’s response, including name and title, as well as the timeframes for corrective actions.
Workpaper documentation: Examination findings should be entered in the InTREx comment sections for the InTREx procedures listed below. Additionally, the Decision Factors do not need to be completed.
o Procedure 1 - Management Core Module Procedures 1, 2, 11, and 12.
o Procedure 2 - Support and Delivery Core Module Procedure 17; Management Core Module Procedures 7, 8, 10, and 11; and Development and Acquisition Procedure 7 (End-of-Life Only).
o Procedure 3 - Audit Core Module Procedures 1, 2, 5, 6, and 10; and Development and Acquisition Procedure 7.
o Procedure 4 - Support and Delivery Core Module Procedures 4-9 and 13.
o Procedure 5 - Development and Acquisition Core Module Procedures 2-5.
1 Federal Financial Institutions Examination Council Information Technology Examination Handbook, Supervision of Technology Service Providers Booklet, Appendix A: URSIT.