IT Examiner School

Follow-up meeting with EVP Jones

Examiner: Thanks for the files I requested. What happens when you get a high-risk vendor that doesn’t comply with your request for the FI’s required information? I saw some information was outdated.

EVP Jones: My staff tracks the requests and any information provided/not provided. I have my staff send follow-up requests on a monthly basis.

Examiner: When you request your vendors’ audit reports, I see that you also request SSAE 16 reports. However, some are SOC Type I; why not press for a SOC Type II?

EVP Jones: We stress to our vendors that they should obtain a SOC Type II; however, we have a couple of start-up entities we are using that have been operating for less than two years. Funds are tight for them right now, and the value for cost is pretty good for us right now. They promise that as more investors get behind them while they are growing, more funds will be allocated for these types of audits.

Examiner: One last question. I noticed that these two vendors are also running behind on providing requested information.

EVP Jones: Yes, these vendors are running thin on staff, so they are usually a month to three months behind on requests for information. Also, these vendors are “medium” risk since they provide limited mobile banking platforms we are testing with select non-commercial customers and employees. I told the owners that before we push these platforms bank-wide I would need more detailed audit reports, and this means providing the SSAE 16 SOC Type II reports. They verbally agreed with this condition.

Examiner: Your Program does require that vendors like this provide a SOC Type II Report. Has the Board waived this requirement or risk-accepted the absence of SOC Type II Reports during the testing phase?

EVP Jones: I have discussed this with the Board and they are OK with what I am doing, but there is no formal waiver for the Program requirement or risk acceptance.

Examiner: Your use of spreadsheets looks like it takes a fair amount of time and effort to keep current, along with file maintenance.

EVP Jones: Yes, it does. The bank is in the process of reviewing three vendor products that will automate our vendor management process. The products under review will allow us to integrate several functions to provide better management of our vendors. Essentially, it is a Cloud solution into which we input the vendor information, embed the contract and criticality, and keep a tickler file and a checklist of what additional documents we need, like audits, etc. We are trying to put this solution in as soon as possible before we grow any further.
