IT Examiner School eBook

• Adequacy of employee training

Procedure 2

Evaluate the quality of IT reporting to the Board of Directors. Consider reports such as:

• IT risk assessments

• IT standards and policies

• Resource allocation (e.g., major hardware/software acquisitions and project priorities)

• Status of major projects

• Corrective actions on significant audit and examination deficiencies

• Information security program, including cybersecurity

Control Test

Review the most recent annual information security program report to the Board and ensure it covers the minimum required elements outlined in the Information Security Standards.

Procedure 3

Evaluate the adequacy of the short- and long-term IT strategic planning and budgeting process. Consider the following:

• Involvement of appropriate parties

• Identification of significant planned changes

• Alignment of business and technology objectives

• Ability to promptly incorporate new or updated technologies to adapt to changing business needs

• Coverage of any controls, compliance, or regulatory issues which may arise or need to be considered

Procedure 4

Evaluate the adequacy of management information system (MIS) reports (e.g., lending, concentrations, interest rate risk) and the reliability management can place upon those reports in the business decision-making process. Consider the following elements of an effective MIS report:

• Timeliness

• Accuracy

• Consistency

• Completeness

InTREx Mapping


Tandem, LLC | Copyright © 2024
