Compliance Consulting: FFIEC, GLBA, SOX

FFIEC Compliance

Compliance with The Federal Financial Institutions Examination Council’s (FFIEC) 12 information systems booklets is integrated into our IS audit programs. The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.

Specific areas that are covered in our community bank audit services include:

  • Management and Organization
  • IS Risk Assessment
  • Change Management
  • Network Security
  • Core Application Security
  • GLBA 501(b) Information Security Program
  • IS Security Awareness
  • Internet Banking
  • Wire Transfer and Automated Clearing House
  • Third Party and Vendor Management
  • Computer Operations
  • Disaster Recovery and Business Continuity

Gramm-Leach-Bliley Act Section 501(b)

Compliance

KraftCPAs will help the community bank establish a formal information security program that complies with the Guidelines Establishing Standards for Safeguarding Customer Information mandated by section 501(b) of the Gramm-Leach-Bliley Act of 1999 and in compliance with FDIC Rules and Regulations (Part 364 (Appendix B)).

Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) requires controls to help ensure the security and confidentiality of customer information. Community banks should have an information security program that protects against any anticipated threats or hazards to the security or integrity of such information; and protects against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

Added value

KraftCPAs assists community banks in developing and implementing an effective, practical, and sustainable information security program. We can help create or improve upon the core components of an information security program including:

  • Assigning and training a program coordinator
  • Identifying customer information base (CIB)
  • Conducting a risk assessment program based on a dynamic CIB
  • Implementing an employee security awareness training program
  • Conducting periodic monitoring and testing
  • Conducting program maintenance

Protecting customer information is more than a compliance issue. Information security should permeate the bank’s culture from the top down in order to provide customers with the greatest security possible.

In order to create such a culture and to develop and maintain the most efficient and effective security system, bank management must be involved. We strive to involve management at every step to ensure that they understand the risks and the controls in place to help protect against them. Only with management support will the bank get the greatest value as it maintains compliance while enhancing the bank’s overall security posture.

Sarbanes-Oxley 404 IS Consulting

Adding Value

To comply with Section 404 of the Sarbanes-Oxley Act of 2002, publicly traded community banks are required to document and test key controls, including many controls related to information systems. Our IS audit professionals have been assisting community banks with this SOX requirement since 2004.

We understand information systems audit, as it should be effectively and efficiently applied to community banks. Unlike some IS auditors, we do not insist that the bank purchase an expensive tool for SOX documentation. We have developed an IS SOX control spreadsheet specifically for community banks, containing typical IS SOX control objectives and control guidance, which we provide at additional charge. The spreadsheet helps facilitate the process thereby saving the bank time and money.

We do require time and effort from your staff to document, test, and when necessary remediate weaknesses. However, we realize that time is a finite resource that is unrecoverable once expended, and we are committed to being respectful of your time. Our knowledge and experience in community banks makes us efficient in our inquiry and interview processes. You need only discuss your specific controls. You will not need to explain community banking to your KraftCPAs IS audit team.

All KraftCPAs IS audit services, including SOX consulting, are focused on identifying IS risks that challenge the bank’s ability to meet business objectives. Our IS SOX consulting programs offer additional value beyond SOX compliance. We will report to management any risks we may uncover, whether or not the risk is directly related to SOX compliance.

Risk remediation is an investment; therefore, we do not subscribe to the “one size fits all” approach to IS control. We will help you identify the effective remediation solutions with consideration to the potential risks present and the cost for remediation options. The emphasis of our SOX consulting service is on adding value to the bank’s ability to succeed in business. We believe this approach is much more valuable to the bank than services that target SOX compliance as the sole objective.

Client communication is essential to our value proposition. A discovered deficiency or improvement suggestion is only as effective as our ability to communicate it. We take the time to explain and discuss each issue in clear, articulate business terms. Needless technical jargon provides little value to a community bank that is being challenged to meet SOX 404 compliance requirements.

SOX 404 Compliance Consulting

Our programs incorporate a COBIT approach to SOX 404 compliance. We have taken this approach and developed a comprehensive yet practical SOX IS control framework designed specifically for a community bank. Our core control areas include:

  • IS General Controls
  • Deposit Operations
  • Loan Operations
  • Internet Banking
  • Wire Transfer and ACH
  • Item Processing and/or Item Capture
  • Trust Processing
  • Payroll
  • General Ledger
  • Accounts Payable

At the completion of our SOX IS consulting engagement, the bank has fully documented and tested controls contained in easily maintained spreadsheets. Whenever possible, supporting documents are scanned and their locations linked within the control matrix spreadsheet. This approach helps to reduce the amount of time an external auditor will spend shuffling through binders searching for supporting evidence, potentially resulting in a cost savings to the bank. We also make ourselves available to your external auditors to answer their questions in an expedient, efficient manner.