The Federal Deposit Insurance Corporation (FDIC) recently announced its updated Information Technology Risk Examination (InTREx) program to help provide a more focused and efficient risk-examination process.
The FDIC InTREx Program: What’s New and Different?
One of the major updates is that the Information Technology Profile (ITP) is 65% smaller than its predecessor, meaning the process is more focused and efficient. However, the new process requires financial institutions to submit profile paperwork that highlights risk management procedures.
As the FDIC Financial Institution Letters explain, “The InTREx Program includes a streamlined IT Profile that financial institutions will complete in advance of examinations that replaces the IT Officer's Questionnaire (ITOQ). The [ITP] is intended to provide examination staff with more focused insight on a financial institution's IT environment.”
Another new development is the adoption of the Uniform Rating System for Information Technology (URSIT), which results in composite ratings (audit, management, development and acquisition, support and delivery) in Examiner Conclusion (EC) reports. URSIT is a Federal Financial Institutions Examination Council (FFIEC) interagency rating system that provides a risk evaluation rating for an institution based on the audit, management, development and acquisition, and support and delivery categories. InTREx is adopting URSIT, meaning “all URSIT component and composite ratings assigned at each IT examination will be included in the Risk Management Report of Examination.”
The new diversity in the examination procedures allows financial institutions to be more flexible regardless of risk profile. The updated InTREx process gives auditors more flexibility in the tools and processes they use to assess a financial institution’s security and risk management strengths and shortcomings. Third-party auditors can dig in, making InTREx-focused IT audits of greater value to financial institutions.
Focused IT Audits
At Security Pursuit, we conduct rigorous audits that you can apply to the InTREx process. Our audit services deliver a digestible and detailed view of the organization's cybersecurity strengths and deficiencies, insight into risk associated with your digital assets, and an action-oriented remediation plan to address critical issues observed. We keep up to date on all regulatory and audit procedure changes to ensure your organization receives a thorough and comprehensive third-party audit.