FDIC OIG Audit Report Discloses Weaknesses in Assessing IT and Cyber Risks During Examinations
The FDIC’s Office of the Inspector General (OIG) recently released its audit report regarding the FDIC’s Information Technology Risk Examination (InTREx) program (Program), finding multiple Program weaknesses that limited the financial institution examiners’ ability to assess cyber and IT risks during IT examinations.
Some of the findings in the audit report include that the:
- Program is outdated and not in line with current federal guidance;
- Examiners did not receive Program updates, guidance on implementation of those updates, or training to reinforce Program procedures;
- FDIC did not provide procedures and training to ensure examiner review and application of emerging threat information (available on a collaborative platform populated by multiple government agencies) in financial institutions’ IT examinations;
- FDIC did not have Program goals and performance metrics; and
- Examiners’ failure to complete examination procedures meant there was not full assurance of proper risk assessment, leading to potentially inaccurate Uniform Rating System for Information Technology (URSIT) ratings.
The FDIC implemented the InTREx program in 2016. The program assesses a financial institution’s IT and cyber risks. This assessment becomes part of a composite rating that is a factor in a bank’s CAMELS (Capital, Asset Quality, Management, Earnings, Liquidity, and Sensitivity to Market Risk) rating. The CAMELS rating of a financial institution affects the institution’s insurance premiums.