

Auditing IT Governance


Yay, We Checked the Box!

What does information technology (IT) governance mean to you? Is it a checklist of items found in the FFIEC IT Examination Booklets? Is it the items located in your regulator’s examination handbooks? Is it meeting the baseline requirements in the Cybersecurity Assessment Tool? How important is governance to your institution?

Here’s the big secret: IT governance is much more than marking items off a list. Your IT governance is how you actively manage information and cybersecurity at your organization, demonstrated in documented form.

The Board of Directors and Senior Management must bring information and cybersecurity to the forefront of the organization’s priority list. Gone are the days of discussing information technology once a year during the annual information security report to the Board. Governance should include reviews and discussions of the IT Strategic Plan, risk assessments, policies, cybersecurity, asset management, vendor management, security awareness, incident response, business continuity, social engineering, network assessments (independent vulnerability and penetration testing), and IT audit.

The Board of Directors and Senior Management are also responsible for the comprehensive Information Security Program (ISP). Your ISP should add value and help the Board and management make informed decisions. The institution should follow a plan that provides direction and repeatable processes. Lastly, the program needs to be tested to determine whether its risk management measures are aligned with the institution’s priorities and objectives and whether gaps exist between your program and industry expectations.



Tone, Responsibility, and Promotion

The Board of Directors and Senior Management must set the tone and direction for the organization’s use of information technology and information security. An institution with a strong security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications. To accomplish this, the Board should have a clear understanding of the IT Strategic Plan, Information Security Program, other IT-related policies, and the IT Risk Assessment. Key Board responsibilities include:

  • Ensuring the IT Strategic Plan is aligned with the institution’s overall strategic plan.
  • Supporting information security and providing appropriate resources for developing, implementing, and maintaining the Information Security Program.
  • Prioritizing potential business disruptions based on severity and likelihood of occurrence. The risk assessment should include an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.

The Board of Directors and Senior Management are also responsible for promoting effective IT governance. The first question is: what exactly is IT governance? The FFIEC Information Security IT Examination Handbook defines governance as setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations.



IT Risk and IT Audit

Risk is the potential that events (threats), expected or unanticipated, may adversely affect the institution’s earnings, capital, or reputation. A risk assessment is essentially four things:

  • Prioritization of things (loans, IT assets, vendors, etc.) based on their importance to the bank
  • Ranking of potential business threats based on impact and probability of occurrence
  • Identification of the controls that mitigate the risk from those threats
  • A framework for making informed decisions about what to do next to mitigate additional risk

When it comes to IT and information security, an IT Risk Assessment should identify the institution’s most important IT assets, the biggest threats to those IT assets, the controls that are in place to mitigate risk, and the next steps to take to mitigate risk further. An IT Risk Assessment should identify Inherent Risk (the risk before controls), Residual Risk (the risk after controls), and Risk Mitigation Goals (the amount of risk that should be reduced for certain IT assets).
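The four elements above (prioritized assets, ranked threats, mitigating controls, and a "what next" list) and the distinction between Inherent Risk, Residual Risk, and Risk Mitigation Goals can be made concrete in a small risk register. The following is an added example written for this article; it is not the article's own material and not an FFIEC or SBS method. The scoring model (importance × impact × likelihood for inherent risk, each control removing a fixed share of the remaining risk) and every asset, threat, control name, and number are assumed and constructed for illustration.

```python
"""Illustrative IT risk register: inherent risk, residual risk, and
mitigation goals. Added example with an assumed scoring model."""
from dataclasses import dataclass, field
from typing import List, Dict


@dataclass
class Control:
    name: str
    effectiveness: float    # share of remaining risk the control removes, 0.0..1.0 (assumed scale)


@dataclass
class Threat:
    name: str
    impact: int             # 1 (negligible) .. 5 (severe) impact on the institution
    likelihood: int         # 1 (rare) .. 5 (expected) probability of occurrence
    controls: List[Control] = field(default_factory=list)


@dataclass
class ITAsset:
    name: str
    importance: int         # 1 .. 5 importance of the asset to the institution
    mitigation_goal: float  # residual risk the institution is willing to carry for this asset
    threats: List[Threat] = field(default_factory=list)


def inherent_risk(asset: ITAsset, threat: Threat) -> float:
    """Risk before controls: importance x impact x likelihood (range 1..125)."""
    return float(asset.importance * threat.impact * threat.likelihood)


def residual_risk(asset: ITAsset, threat: Threat) -> float:
    """Risk after controls: each control removes its share of what is left."""
    remaining = inherent_risk(asset, threat)
    for control in threat.controls:
        if not 0.0 <= control.effectiveness <= 1.0:
            raise ValueError(f"effectiveness out of range for control {control.name!r}")
        remaining *= 1.0 - control.effectiveness
    return round(remaining, 1)


def assess(assets: List[ITAsset]) -> List[Dict]:
    """Build the register, ranked by residual risk, flagging each asset/threat pair
    whose residual risk still exceeds the asset's mitigation goal."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            inherent = inherent_risk(asset, threat)
            residual = residual_risk(asset, threat)
            rows.append({
                "asset": asset.name,
                "threat": threat.name,
                "inherent": inherent,
                "residual": residual,
                "goal": asset.mitigation_goal,
                "gap": round(max(0.0, residual - asset.mitigation_goal), 1),
                "controls": [c.name for c in threat.controls],
            })
    # Prioritization: highest residual risk first, ties broken by inherent risk
    rows.sort(key=lambda r: (r["residual"], r["inherent"]), reverse=True)
    return rows


def next_steps(register: List[Dict]) -> List[str]:
    """The 'what to do next' list: one line per pair still above its goal."""
    return [f"{r['asset']} / {r['threat']}: residual {r['residual']} exceeds goal "
            f"{r['goal']} by {r['gap']}; add or strengthen controls"
            for r in register if r["gap"] > 0]


# Constructed sample register; names and values are illustrative only.
SAMPLE_ASSETS = [
    ITAsset("Core banking system", importance=5, mitigation_goal=20.0, threats=[
        Threat("Ransomware", impact=5, likelihood=3, controls=[
            Control("Offline, tested backups", 0.5),
            Control("Endpoint detection and response", 0.4)]),
        Threat("Insider misuse of privileged access", impact=4, likelihood=2, controls=[
            Control("Quarterly access reviews", 0.5)]),
    ]),
    ITAsset("Online banking portal", importance=4, mitigation_goal=15.0, threats=[
        Threat("Credential stuffing", impact=4, likelihood=4, controls=[
            Control("Multi-factor authentication", 0.7)]),
    ]),
    ITAsset("Marketing website", importance=1, mitigation_goal=10.0, threats=[
        Threat("Defacement", impact=2, likelihood=3),
    ]),
]

if __name__ == "__main__":
    register = assess(SAMPLE_ASSETS)
    for row in register:
        print(f"{row['asset']:<24}{row['threat']:<38}inherent={row['inherent']:>6} "
              f"residual={row['residual']:>6} goal={row['goal']:>5} gap={row['gap']}")
    for step in next_steps(register):
        print(step)
```

Running the script lists the register with the core banking ransomware scenario first (residual 22.5 against a goal of 20) and the online banking credential-stuffing scenario flagged as well, while the insider and defacement scenarios sit within their goals. Treating the register as data that is re-run whenever an asset, threat, or control changes supports the point that the assessment is an ongoing process rather than an annual event.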

An IT Audit should review the institution’s IT Risk Assessment to ensure it’s effective, as well as use the IT Risk Assessment as a guide for auditing the effectiveness of controls on the institution’s most important or most risky IT Assets. Monitoring of the effectiveness of controls should be ongoing, and periodic progress reports should be provided to management. The IT Risk Assessment process should be ongoing and not a one-time or annual event.

An independent assessment of the institution’s risk exposure and the quality of internal controls associated with the development, acquisition, implementation, and use of information technology can be completed by the IT Audit function, either internally or externally. An IT Audit can substantially increase the probability that an institution will detect potentially serious technology-related problems before they occur. The FFIEC Audit Examination Handbook states the following are keys to an effective IT Audit program:

  • Identify areas of greatest IT risk exposure to the institution in order to focus audit resources;
  • Promote the confidentiality, integrity, and availability of information systems;
  • Determine the effectiveness of management's planning and oversight of IT activities;
  • Evaluate the adequacy of operating processes and internal controls;
  • Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures; and
  • Require appropriate corrective action to address deficient internal controls and follow up to ensure management promptly and effectively implements the required actions.



The Plan

How does an institution ensure it has sound IT governance and that key elements are not being overlooked? Simply put, each institution needs a plan. The institution may not be progressive or have unlimited resources, but every institution needs a plan that ensures it is recognizing and managing risks, that it is protecting itself from ongoing and emerging threats, including those related to cybersecurity, and that is proactive rather than reactive based solely on audit and examination results.

ISP Blueprint


With an Information Security Program, such as the ISP Blueprint shown above, the Board and Senior Management can make informed decisions in a repeatable way, ensuring information technology is being used to achieve the institution’s overall goals, provide value, and mitigate IT risks. A well-founded ISP allows institutions to better understand how individual components of information security work together to better manage risks and make more informed security decisions.

Once a well-founded ISP has been implemented, the information technology audit will evaluate the effectiveness of the ISP and determine if any significant gaps exist.





Management Considerations

While the items noted below should be part of each institution’s ISP, they are also common findings noted by IT auditors and examiners. Areas needing improvement related to governance tend to be training, policy review, the Annual ISP Report to the Board, and audit risk acceptance reviews.


Training

Information and cybersecurity training for the Board can no longer be reduced to four bullet points delivered once a year alongside topics such as Fair Lending, the Bank Secrecy Act, and Regulation O. That does not truly meet the expectations of a trained Board. Management has the responsibility to train the Board so that its members can ask challenging questions.

Policy Review

Policies are the guidelines for the institution and the institution’s employees. Board members are expected to have adequate knowledge of each policy they review and approve. When the institution decides to present all policies and risk assessments to the Board during one meeting per year, it is not feasible to expect them to read hundreds of pages on a wide variety of topics and understand the information provided. Spreading out the delivery of different ISP policies to the Board throughout the year can give Directors a better understanding of individual policies.

Annual ISP Report to the Board

Management should provide a report to the Board at least annually that describes the overall status of, and material matters related to the ISP, including the following:

  • Risk Assessment process, including threat identification and assessment
  • Risk Management and control decisions, including risk acceptance and avoidance
  • Third-party service provider arrangements
  • Results of testing
  • Security breaches or violations of law or regulation and management’s responses to such incidents
  • Recommendations for updates to the ISP

It is also recommended this annual report include the results of the FFIEC Cybersecurity Assessment Tool (CAT), any weaknesses noted, and the institution's mitigating strategy. The cybersecurity information should illustrate the institution’s overall Inherent Risk profile and the institution’s Cybersecurity Maturity by Domain.

Risk Acceptance

Frequently, the Board and Senior Management are quick to accept the risk of an audit or assessment finding. The acceptance is usually discussed in a single Board or Audit/Supervisory Committee meeting. As new Board members are appointed, as current Board members become more educated about information security and cybersecurity risks, and as the cybersecurity threat environment changes, the Board needs to be reminded of the risks that have been accepted. Institutions are increasingly presenting a comprehensive list of accepted risks annually, so the Board members can determine whether each acceptance remains feasible.




A comprehensive, risk-based IT Audit will cover all of the institution’s major activities, including policies and risk assessments. The IT Audit will review the minutes of the Board of Directors, the Information Technology (IT) committee, and the audit/supervisory committee to determine how transparent the ISP is to the Board. From the minutes and the reports presented to the Board and committees, the auditor determines whether information and cybersecurity are a recurring topic of discussion. The minutes are reviewed to determine whether the following have been discussed: current cyber threats or events; annual vendor reviews; new projects; the results of audits and examinations, management’s responses, and follow-up on findings and recommendations; and the results of emergency preparedness testing.



Are We Getting IT Right?

The management of information technology and information security is much more than checking boxes to satisfy FFIEC guidance or regulatory requirements. Effective IT governance consists of the Board and Senior Management setting the tone and promoting clear expectations, contains policies specifically designed for the institution, includes risk assessments that are continually reviewed, and provides training for the Board, management, and employees.

An independent IT Audit should be conducted on a frequency related to the institution’s size and complexity. The IT Audit should ensure the institution is compliant with its own plans (“Are you doing what you say you are doing?”) and is adequately addressing risks (“Is what you say you are doing enough to protect your customer/member information?”).

With the close alignment of the Board, Senior Management, Information Security Officer, and IT Auditor, the institution will be better prepared to detect potentially serious technology-related problems.

Always remember, information security is a journey, not a destination.


Written by: Laura Zannucci
Information Security Consultant - SBS CyberSecurity

Posted: Wednesday, March 11, 2020