R. Kinney Williams & Associates®
R. Kinney Williams
Yennik, Inc.

FFIEC IT Audits

The Independent Bankers Association of Texas presented me the 2020 President's Award.  The reward is for 57 years of dictated service to the banking industry as a bank examiner, banker, and independent FFIEC/GLBA IT security auditor. Press release.  I want to express my sincere gratitude to IBAT and community bankers everywhere for this outstanding recognition. 

 

Yennik, Inc., performs FFIEC information security-technology (IT) /Architecture, Infrastructure, and Operations (AIO)* audits for federally insured community banks and credit unions across the country.   About our Company.

As a former bank examiner with over 40 years IT audit experience, we bring an examiner's perspective to the information technology audit.  In addition, we use our computer auditing experience to determine with reasonable assurance the safe and secure operation of the computer and Internet activities.  

The IT audit follows the examination procedures outlined in the Federal Financial Institutions Examination Council Information Technology Examination Handbook to ensure compliance with the Gramm-Leach-Bliley Act Section 501 (b).  

* As of the June 30, 2021 the FFIEC "Operations" booklet was replaced by the “Architecture, Infrastructure, and Operations” (AIO) booklet, which you can find at https://ithandbook.ffiec.gov/it-booklets/architecture,-infrastructure,-and-operations.aspx.

CoBit Audit Guidelines


The scope of the IT audits are based on examination procedures outlined in the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook, which includes Information Security (IS) and Architecture, Infrastructure, and Operations (AIO). Where applicable, we referenced various information systems/technology guidelines issued by the OCC, FDIC, and FRB.  We also reference the Control Objectives for Information and Related Technology (CobiT) published by the Information Systems Audit and Control Foundation, which is an international open standard of good practices for IT governance, security, and control.

The IT audit includes completing the FFIEC workpapers for Community Financial Institution IT Examination Workprogram, Fedline Examination Procedures, Information Security questionnaire, FRB Gramm-Leach-Bliley Act 501(b) questionnaire, Information Systems Technology Procedural Testing reports, and other applicable IT auditing questionnaires.

FDIC Electronic Banking Guidelines



The scope of the information systems-technology audit covers:
  1. Senior management involvement, review applicable minutes
  2. Network, workstation, Internet, disaster recovery, and other IT security policies
  3. Gramm-Leach-Bliley Act Section 501 (b)
  4. Overall security procedures
  5. Segregation of IT duties 
  6. Internal quality and integrity controls
  7. Data communication security
  8. User identification authorization
  9. User level of accessibility
  10. Restricted transactions
  11. Activity and exception reports
  12. Backup procedures
  13. Other operational security controls
  14. Insurance coverage
  15. Network security, which includes the Internet
  16. Internal auditing procedures
  17. Contingency planning and disaster recovery
  18. Internet security procedures
  19. Vendor due diligence
  20. Fedline Advantage security
  21. Internet banking controls and procedures
  22. Telephone banking
  23. Internal procedures and controls around your core banking system, whether internal or external processing
  24. Remote capture operations
  25. FFIEC Cybersecurity Assessment

At no additional cost and when applicable, the IT audit includes the following IT security tests:

1. External VISTA penetration-vulnerability study
2. Domain server security settings
3. Virtual machine/guest security settings
4. Workstation security setting
5. Network user access
6. Core application access
7. Network topology security analysis
8. Systems security features and controls
9. Sampling for unauthorized software
10. Outsourcing/cloud activities
11. Social Engineering Assessment
12 VoIP Review

If you need any of the following auditing services and for a discounted additional fee, we can perform the following during the IT audit:

  1. Internal network penetration-vulnerability test.  If you need an internal vulnerability audit, you will find more information about the internal-VISTA penetration study at http://www.internetbankingaudits.com/intrusion_internal_index.htm

  2. ACH audit in accordance with the ACH Rules (published by the National Automated Clearing House Association).  The audit will include completing the ACH Audit Questionnaire with your personnel.
  3. Web site audit of the institution’s informational web site and Internet banking.  The scope includes the FFIEC "Guidance on Electronic Financial Services and Consumer Compliance."  You will find more information about web site audits at http://www.bankwebsiteaudits.com/.

We are members of the Information Systems Audit and Control Association, the Society of Financial Examiners, the Institute of Internal Auditors, and the Association of Credit Union Internal Auditors.  We follow the code of ethics and auditing standards of these organizations.

If you are seeking an information technology audit from an examiner's perspective, please contact Kinney Williams at Office 806-535-8300 or send an email to examiner@yennik.com

Experience
(Over 50 years in banking and bank auditing experience that  includes 21 years as a bank examiner)

 About our Company.