IT Examiner School eBook May 2025

Control Test Perform a site/premise inspection to determine the existence of physical protection and detection controls. Enter Control Test notes here, if performed Decision Factor 5 Strong ☐ Satisfactory ☐ Less than satisfactory ☐ Deficient ☐ Critically deficient ☐ The adequacy of controls over electronic funds transfers and electronic banking activities. Click here to enter comments Procedure 20 Evaluate the adequacy of electronic funds transfer (EFT) oversight and controls, taking into consideration the nature and volume of wire transfer and ACH activity. Consider the following:  Adequacy of policies and procedures  Appropriateness of risk limits and tolerances  Segregation of duties  Adequacy of physical and logical security over EFT systems and applications  Adequacy of logging, reporting, and reconciling processes  Ability to prevent, detect, and respond to anomalous or fraudulent activity  Inclusion of EFT in BCP/DR plans  Scope and frequency of EFT audit coverage, including a NACHA self-assessment if required For institutions with significant or complex EFT activity, this core procedure may need to be augmented with additional procedures that address more complex risks. Examiners should utilize the Electronic Funds Transfer Risk Assessment ED Module and/or the FFIEC IT Examination Handbook – Retail Payment Systems as a resource at institutions with high volume and/or complex EFT activities. Significant findings and conclusions should be pulled forward from those workprograms into the comment box below. Click here to enter comments Decision Factor 6 (Optional) Strong ☐ Satisfactory ☐ Less than satisfactory ☐ Deficient ☐ Critically deficient ☐ If applicable, include a summary comment below for any additional risk factors reviewed or examination procedures performed that may not be directly referenced in the Decision Factors above. (These risk factors and procedures could include, but are not limited to, Supplemental Workprograms, FFIEC workprograms, agency-specific workprograms, and/or new guidance not addressed in the modules.)

Click here to enter comments