IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

Audit Core Module Procedure 5 – Audit IT Risk Exposure

Determine whether audit plans or audit risk assessments adequately address IT risk exposure throughout the institution and its service providers. Areas to consider include, but are not limited to, the following:

• Information security, including compliance with the Interagency Guidelines Establishing Information Security Standards
• Incident response
• Cybersecurity
• Network architecture, including firewalls and intrusion detection/prevention systems
• Security monitoring, including logging practices
• Change management
• Patch management
• Third-party outsourcing
• Social engineering
• Funds transfer
• Online banking
• Business continuity management


Audit Core Module Procedure 6 – Audit Frequency

Determine whether the frequency of IT audits aligns with the risk assessment results and whether the scope of IT audits is appropriate for the complexity of operations.


Audit Core Module Procedure 10 – Audit Monitoring and Resolution

Evaluate the audit department’s process for monitoring audit and regulatory findings until resolved. Consider the following:

• A formal tracking system that assigns priority, responsibility, and target date for resolution
• Timely and formal status reporting
• Tracking and reporting changes on target dates or proposed corrective actions to the Board or Audit Committee
• Process to ensure findings are resolved in a timely manner
• Independent validation to assess the effectiveness of corrective measures


InTREx Abbreviated Core Examination Procedures Module July 29, 2025
