IT Examiner School eBook May 2025

11. Evaluate management succession and cross training. Consider the following:
• Existence and appropriateness of job descriptions
• Adequacy and training of back-up individuals
• Existence of plans in the event of loss of a key manager or employee

Decision Factor 5

Control Test: Review the management succession plan to ensure it meets the needs of the institution.


Vendor Management – Ongoing Monitoring (See also Development and Acquisition Module – Procedures #2-4 for Vendor Management – Acquisition)

12. Evaluate whether a risk-based vendor management program has been implemented to monitor service provider and vendor relationships (both domestic and foreign-based). Consider the following:
• Coverage of service providers and vendors, including affiliates, in the risk assessment process
• Foreign-based risks, as applicable
• Ongoing monitoring, which may include the following:
    • Financial statements
    • Controls assessments, such as SSAE 16 SOC Reports (Statement on Standards for Attestation Engagement Service Organization Control Reports)
    • Information security program
    • Cybersecurity preparedness and resilience
    • Incident response
    • Internal/external audit reports
    • Regulatory reports
    • Affiliate relationships (e.g., Federal Reserve Regulation W)
    • Consumer compliance
    • Onsite reviews
    • Participation in user groups
    • Business continuity program, including integrated testing with the institution's plan
    • Service level agreement compliance
    • Vendor awareness of emerging technologies
    • Report to Board of Directors

Decision Factor 6

Oversee Service Provider Arrangements. Each bank shall:
• Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

• The institution has policies commensurate with its risk and complexity that address the concepts of external dependency or third-party management.
• A list of third-party service providers is maintained.
• A risk assessment is conducted to identify criticality of service providers.
• The third-party risk assessment is updated regularly.
• Audits, assessments, and operational performance reports are obtained and reviewed regularly, validating security controls for critical third parties.
