What Is InTREx?
On July 1, 2016, the Federal Deposit Insurance Corporation (FDIC) implemented the Information Technology Risk Examination (InTREx) Program for conducting information technology and operations risk examinations of FDIC-supervised financial institutions.
The FDIC has indicated that banks will now receive ratings in various areas of risk that will then be combined for an overall composite IT rating. This will change the way that FDIC examinations take place.
Specifically, the FDIC created a new InTREx Information Technology Profile questionnaire for financial institutions to fill out 90 days before the examination. Surveys are to be returned to the examiner before an IT examination to help determine the scope and resources needed for the IT exam. At least 45 days before the exam, the FDIC in-charge examiner will send the institution an IT request letter listing additional items and documents needed. This will allow the institution to provide information in advance of the examination instead of having to produce it ASAP once the examiners come onsite.
InTREx revises the FDIC’s Information Technology Risk Management Program (IT-RMP) questionnaire to include fewer questions and to focus on:
- Emerging risks and technologies (i.e., virtualization and mobile banking)
- Previous bank risk management efforts (i.e., Gramm-Leach-Bliley Act of 1999 risk assessment and automated clearing house risk assessment)
The Information Technology Profile questionnaire within InTREx includes 26 questions that cover the following categories:
- Core processing
- Online banking
- Development and programming
- Software and services
The InTREx Core Analysis Modules cover the following sections:
- Development and acquisition
- Support and delivery
- Information security standards
The new InTREx process will give auditors more freedom to customize and expand their examination processes and materials in order to focus on high-risk areas.
Prepare for the Changes
Financial institutions should prepare for InTREx by doing the following:
- Review all InTREx program information.
- Have IT departments assign dedicated personnel to address the changes and complete both the InTREx pre-exam Information Technology Profile questionnaire and the FFIEC Cybersecurity Assessment Tool.
- Gather recent IT internal audit reports, ratings, and management remediation and action plans.