FDIC Releases Updated InTREx Procedures

On September 29, 2023, the Federal Deposit Insurance Corporation (FDIC) published FIL-52-2023 announcing the updated Information Technology Risk Examination (InTREx) procedures. If you're curious about what changed, you've come to the right place.

About InTREx

InTREx was initially published in 2016 (see FIL-43-2016). Since that time, InTREx has been used by the FDIC, Federal Reserve, and several of the state banking agencies to examine banks' technology and cybersecurity practices.

Why the Change?

In early 2023, InTREx was audited by the Office of Inspector General (OIG). According to the OIG's report, InTREx was pretty outdated and inconsistent with current guidance recommendations. For example, since 2016, the following FFIEC guidance was updated:

Following the audit, the FDIC announced plans to address the recommendations and got to work.

The InTREx Update

While InTREx looks largely the same today as it did before the update, there were some notable changes. In addition to the guidance updates, here are four updates you don't want to miss. Download the redline version of the work program to see a list of changes to the core modules.

1. Updated Information Technology Profile

This is the questionnaire at the beginning of the document. The updated profile was streamlined and its size was cut in half. (The 2016 version had 26 questions and the 2023 version now has 13 questions.)

To get there, they did a lot of merging and removing questions. For example:

Merging: The 2016 version had three individual questions that asked about changes in core applications, changes in other technologies or services, and changes in personnel. The 2023 version combines all these topics into one question about significant changes.
Removing: Five topics were removed from the questionnaire entirely, including the questions about virtualization, informational websites, customer-facing call centers, merchant acquiring institutions, and foreign-based technology service providers.

It wasn't all about streamlining though. The updated profile now features questions and answers on new and relevant topics, such as:

Same day ACH (Question 7)
Mergers and acquisitions (Question 8)
Emerging technologies (e.g., artificial intelligence, blockchain, P2P payments) (Question 13)

In short, these are quality-of-life improvements. They make the profile more accurate, more relevant, and easier to complete, which is always a welcomed change.

2. Updated Audit Core Module

The Audit core module received a few minor updates, primarily for formatting and clarity.

For example, in the 2016 version, the Decision Factors were listed at the beginning of the section. In the 2023 version, the Decision Factors are embedded into the program. This makes the module read more like a process and requires less jumping around the document.

There were a couple notable textual changes, as well. Here's a comparison of those.

Procedure Changes	Comment
Procedure 2 – Board and Management Support Evaluate the quality of oversight and support provided by the Board of Directors and management. Consider the following: The institution has a documented audit policy or charter that clearly states management's objectives and delegation of authority to IT audit The audit policy or charter outlines the overall authority, scope, and responsibilities of the IT audit function	In the 2023 version, the first bullet was removed, which seems appropriate, since the answer could be determined by the answer to the second bullet.
Procedure 8 – Control Evaluation Evaluate the ability of the IT audit function to accurately assess, test, and report the effectiveness of controls. Consider the following: IT examination and Audit findings Audit risk assessment Cyber incidents Other significant IT events Assessment of potential impact of control deficiencies on other areas of operations	These updates provide examiners with a few additional recommendations for determining control effectiveness. The 2023 version encourages examiners to look at recent audit findings, the bank's audit risk assessment, and a control impact assessment.
Procedure 4 – Risk Assessment Process Establishment of Board-approved audit plans and schedules based on risk	The 2016 version used the phrase "audit cycles" which is less clear than "audit plans and schedules based on risk."
Procedure 9 – Auditor Expertise and Training On-going training for both internal and external personnel as appropriate	This update clarifies that both internal and external auditors should be receiving ongoing training.
Procedure 10 – Audit Monitoring and Resolution A formal tracking system that assigns priority, responsibility, and target date for resolution Process to ensure findings are resolved in a timely manner	These updates indicate an emphasis on audit finding resolution. Finding resolution should be prioritized and performed in a timely manner.

While both changes are new items for examiners to review, both are related to recent regulation and emerging risks, so they seem like reasonable additions to the program.

3. Updated Management Core Module

There were two minor changes in the Management core module.

Procedure 11 (and its corresponding "Control Test") now refer to the Computer-Security Incident Notification Rule.
Procedure 13 now encourages examiners to review the Report(s) of Examination for the bank's vendors, when available for vendors subject to the BSCA. The examiner is then instructed to compare the examiners' ratings with the results of the bank's vendor management program. It's basically saying, "If the examiners find a vendor to be "less than satisfactory," has the bank reached the same conclusion, and if so, what are they doing about it?"

While both changes are new items for examiners to review, both are related to recent regulation and emerging risks, so they seem like reasonable additions to the program.

4. Updated Support and Delivery Core Module

Of the entire program, this module received the most updates. This is not surprising, as the OIG report indicated this module had already received some voluntary updates by the InTREx committee in 2019.

Here is a summary of the changes:

Procedures 2 – 3: The imaging and item processing procedures were consolidated into one brief procedure in the 2023 version (Procedure 2 – Imaging).
Procedure 4: The help desk procedure and its corresponding "Control Test" were removed entirely from the core. Help desk / call center procedures continue to exist in the expanded analysis section.
Procedures 5 – 11: The business continuity planning procedures were largely removed and replaced with updated procedures that more closely align with the FFIEC's updated Business Continuity Management booklet. If you've spent much time with the booklet, the updated language should look familiar.
Procedures 25 – 26: The electronic banking and mobile banking procedures were removed from the 2023 version of InTREx. This is likely related to the FFIEC's rescinding of the E-Banking booklet in 2022.

This Support and Delivery section was arguably the most outdated, so it makes sense that it was also the most refreshed. For a full listing of changes, download the redline version of the work program, provided by Tandem.

Conclusion

The InTREx program is a staple of the technology examination process for community banks. This update successfully modernizes the program, while also not adding to the regulatory burden for examiners or the banks being examined.

If you've already been examined by this new program, let us know what you thought about it! Connect with me on LinkedIn and share your thoughts. Also, if you're looking for tips and tricks on navigating exam processes, be sure to check out our article on How to Respond to an Audit or Exam Finding.

If you're looking for a way to better track and prioritize your exam comments, check out Tandem Audit Management. This solution is designed to help you standardize your documentation and ensure identified issues are addressed, ultimately making your business more secure. Learn more at Tandem.App/Audit-Management-Software.