Implementation of the FDIC’s Information Technology Risk Examination (InTREx) Program
Report Information
Unimplemented Recommendations
Update and implement the InTREx program to reflect current IT and cyber risks and guidance.
Work with the InTREx Interagency Committee to develop and implement procedures to govern the process to update the InTREx program.
Communicate updates to the InTREx program to examiners in a timely manner and prior to implementation.
Issue revised or updated guidance to examiners to address InTREx program updates.
Develop and implement control mechanisms to ensure that examiners complete examination procedures and decision factors.
Review the sampled examinations in which examination procedures and decision factors were not completed in order to determine whether or not the ratings are accurate.
Take corrective actions to address any inaccuracies identified as a result of the review recommended above.
Update and implement examination policy and InTREx procedures to require that IT examination workpapers be reviewed for adequacy and that workpapers sufficiently support examination conclusions prior to the issuance of the ROE.
Share the results of ICRS Regional Reviews with all supervisory regions.
Provide refresher training to reinforce InTREx program procedures, such as the completion of all examination procedures and decision factors, and address updates and changes to the InTREx program.
Develop and implement examination policy and procedures to designate the roles and responsibilities for filing and maintaining IT examination workpapers in RADD.
Develop and implement procedures and controls to ensure that workpapers are properly filed in RADD in accordance with the FDIC’s examination policy and procedures.
Establish and document the timeframe for uploading IT examination workpapers to RADD.
Establish and implement procedures that define responsibilities for reviewing and applying threat information during IT examinations.
Provide training for applying threat information during IT examinations.
Conduct a review to determine areas in which the AlphaRex tool could be utilized to identify areas of improvement for the InTREx program and emerging IT risks and trends at financial institutions.
Develop and implement defined, objective, quantifiable, and measurable goals related to the InTREx program.
Develop and implement a process to collect and analyze relevant data regarding the InTREx program.
Develop and implement metrics and indicators, including outcome measures, to assess the effectiveness of the InTREx program and to determine if the program is achieving its desired results and outcomes.