Conducting a Risk-based Audit of IT Security: Complying with FFIEC Guidance
Event ID: 16512
Session ID: 15094

Duration: 90 minutes including question and answer period.
Presenter(s): Gary Deutsch, CPA, president, BRT Publications, LLC
Price: $299.00, On-Demand includes full audio presentation, question and answer session, and presentation slides.
Who Should Attend? CTOs, IT officers, internal auditors, electronic banking officers, security personnel, financial officers, fraud control personnel, risk managers, operations managers, compliance officers, attorneys advising financial institutions

The Federal Financial Institutions Examination Council (FFIEC) recently issued a revised Information Security booklet, updating the council’s Information Technology Examination Handbook. The update addresses how to:

  • Assess the level of security risks facing a financial institution’s information systems
  • Assess the status of an information security program’s integration into the institution’s overall risk management program
  • Effectively identify, monitor and respond to cyber threats and incidents
According to the FFIEC, information security is a “process” that institutions have to follow. More specifically, institutions have to protect how their sensitive information is:

  • Created
  • Collected
  • Used
  • Disposed of

Information security also requires having the appropriate hardware and infrastructure to store and transmit the information.

To comply with the FFIEC’s guidance, institutions need to have a plan in place to demonstrate that they can effectively manage the confidentiality, integrity, and availability of sensitive information. Serious violations could result in a consent order since the regulators consider weaknesses to be a safety and soundness issue.

Management’s plan has to address the risk of malicious and non-malicious actions that could adversely impact earnings, capital, or enterprise value. Of concern to the regulators is the potential for:

  • Disclosing sensitive information to unauthorized individuals
  • Increased exposure to misappropriation or theft of information or services
  • Attacks that could degrade services or even render them unavailable
  • Unchecked modification or destruction of systems or information
  • Records that are not timely, accurate, complete, or consistent

Information security has become a mission-critical obligation for financial institutions. Internal audit, as well as the managers who are responsible for implementing security measures, need to conduct periodic audits to ensure compliance with FFIEC guidance.

During this important webinar, our speaker will discuss conducting audit procedures related to:

  • Assessing the adequacy of board and senior management support
  • Evaluating the integration of security activities and controls throughout the institution’s business processes
  • Assessing the adequacy of accountability for carrying out security responsibilities
  • Determining the adequacy of cybersecurity measures
  • Evaluating the effectiveness of security controls
  • Evaluating the institution’s ability to react appropriately to mitigate threats as technologies and business conditions evolve
  • Evaluating the enterprise risk management approach for integrating processes, people, and technology to maintain a risk profile consistent with the board’s risk appetite
  • Determining the effectiveness of oversight and controls related to outsourced IT security functions
Your conference leader for "Conducting a Risk-based Audit of IT Security: Complying with FFIEC Guidance" is Gary Deutsch, founder and president of BRT Publications LLC. Mr. Deutsch is a licensed CPA in Maryland and holds a B.A. in accounting and an MBA in finance from Loyola University Maryland. He has also earned the Certified Management Accountant, Certified Internal Auditor and Certified Bank Auditor designations. Mr. Deutsch has trained thousands of financial institution professionals in all aspects of risk management and has written numerous books in the U.S. and Europe on topics such as credit risk, internal audit and compliance with Generally Accepted Accounting Principles. He has extensive risk management and internal audit experience through his association with financial institutions of all sizes, as well as through his role leading the KPMG financial institution consulting practice in the Mid-Atlantic region.

BankersWEB, a division of DKG Media, LP, wants you to be satisfied with your webinar. If this webinar does not meet your expectations, email us at service@bankersweb.com.
BankersWEB certificates of participation are available to everyone completing this webinar.