IT Examiner School eBook May 2025

Relevance

Control Test

Obtain feedback from risk management and compliance examiners regarding the quality and usefulness of reports provided for management decisions.

Procedure 5

Evaluate management’s ability and willingness to take timely and comprehensive corrective action for known problems and findings noted in previous IT examination reports, audits, service provider/vendor reviews, and internal reviews (e.g., disaster recovery, incident response, cybersecurity tests).

Control Test

Review the audit tracking report to ensure management is resolving issues in a timely manner.

Procedure 6

Evaluate whether written policies, control procedures, and standards are thorough and properly reflect the complexity of the IT environment. Also, evaluate whether these policies, control procedures, and standards have been formally adopted, communicated, and enforced. Consider the following:

• Information security, including cybersecurity

• Network security, including intrusion detection

• Incident response, including Suspicious Activity Reports

• Business continuity

• Acceptable use

• Access rights

• Electronic funds transfer

• Vendor management/Third-party risk

• Remote access

• Bring Your Own Device (BYOD)

• Institution-issued mobile devices

• Anti-virus/Anti-malware

• Patch management

• Unauthorized/Unlicensed software

InTREx Mapping

Tandem, LLC | Copyright © 2024

Confidential - Internal Use Only
