Why custom report verification should be part of your IT controls
Although the primary focus of IT examinations comes directly from the Federal Financial Institutions Examination Council’s IT Examination guidebooks, there have been many varying areas of focus depending on current trends, changes in the cybersecurity landscape and advances in technology.
Each time a new area of focus emerges, a multitude of webinars, seminars, presentations and articles appear to help get a grip on how to address the coming requirements surrounding that new focal point. Oftentimes this can cause important security measures to be overlooked.
One such overlooked area that can be identified as a reportable finding in regulatory exams and independent IT controls reviews is the verification of data provided to the board of directors using customized reports.
These reports can come in the form of custom documents created by:
- Importing and manipulating or manually entering information from a core banking system or other applications.
- A query written in a core system report writer or third-party utility that will import data directly from the source system.
- Default or canned reports provided by the system or application.
The key for all these reports is ensuring the data in the final report provided to your board of directors is fully validated so that they aren’t making decisions based on incorrect information.
Though it can involve extra time and effort, it’s in the best interest of your financial institution to ensure information provided to the board is as accurate as possible.
Verifying IT reports
Incorrect data reporting can happen if any changes made are not verified.
Examples of negative changes can include:
- Incorrect formulas being used.
- Data being sorted and deleted based on specific criteria, where the sorting or deletion isn’t performed correctly.
- Accidental or even purposeful alterations and deletions.
Ideally, a request for a custom report is made officially, whether through a help desk ticket or other documented means. The request is then approved by the proper authority and sent to the proper department to be created. The query and resulting data are then reviewed for accuracy to ensure the results reflect the correct requested information.
All these tasks would also be performed by independent entities with a sign-off for each step.
Ensuring accuracy at your institution
Unfortunately, the reality of the situation is that most small to mid-sized institutions cannot afford the varying departments and personnel required to implement the ideal process.
In many cases, the board will request information and a member of senior management will, in turn, ask an employee with appropriate access to provide the needed information. Regardless of how it’s created from that point on, steps should be taken to ensure the information is accurate.
If the request can be fulfilled by a default report from the system, it can largely be trusted, since the information is being pulled directly and is not manipulated. Institutions may also choose to trust information created using the system’s report-writing software because the criteria are given to the system and the data is pulled directly without manipulation. In this case, it’s best to supply the report criteria so the board can be sure the information provided fits their request.
However, if an individual is manually making changes, the report should be subject to one of two methods of verification:
- Submit the report (or reports) used to create the custom report at the same time. This will allow anyone to verify the data by checking against the report for accuracy. This method isn’t always ideal because some board members may not want to take the extra time to do their own verification.
- Have someone who is not involved with the creation of the report review the information and attest to its accuracy. This can be done by a manual or digital sign-off.
No matter the method, the desired outcome is to ensure board members are provided the most accurate information possible for making decisions.
How Wipfli can help
Let Wipfli support your financial institution’s information security efforts with our IT audit services. We examine your existing controls to help ensure that you’re complying with regulations and provide actionable insights into how your organization can improve. Contact us today for help in keeping your critical assets secure.