At the end of January 2023, the Office of the Inspector General (OIG) for the Federal Deposit Insurance Corporation (FDIC) released a report on the FDIC’s Information Technology Risk Examination (InTREx) program. It had no fewer than 19 recommendations for improvement. These recommendations cover how exams are conducted, how controls are defined, how data is collected and how specific threats are addressed.
Financial institutions anticipating an InTREx examination with the FDIC can expect much more rigorous treatment. We expect that other regulatory bodies will take the hint from the FDIC’s OIG and step up their own examination practices as well. Internal audit teams may also choose to apply more rigor in their own audits, anticipating greater regulatory scrutiny.
In light of these anticipated increases in rigor, we recommend proactively reviewing the quality of control definitions and the integrity of data demonstrating the effectiveness of those controls. Certainly, depository institutions can expect more thorough attention soon, but all regulated organizations should be prepared.
Stay connected to Cherry Bekaert’s guidance section for more information on this topic in the coming month. Please contact your Cherry Bekaert team advisor or a member of the Information Assurance & Cybersecurity practice for additional information about the InTREx examination.