IT Examiner School eBook

Internal Use Only

Information Technology Risk Examination (InTREx) Procedures

Internal Use Only

InTREx Program Overview

An enhanced, risk-based, approach for conducting IT examinations of depository institutions

Based on the (URSIT) and includes Core Modules for Audit, Management, Development and Acquisition, and Support and Delivery component ratings

Incorporates procedures for assessing cybersecurity preparedness and compliance with Interagency Guidelines Establishing Information Security Standards

Examiners complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper to assess risk and document examination procedures, findings, and recommendations. Updated in September 2023 (by FDIC) to improve Audit module‘s usability, add steps related to Computer Security Incident Notification Rule (Part 304 Subpart C), provide specificity regarding examiner review of service provider ROEs, and to update links to references.