Has anyone been through an Electronic exam recently (last 12mos.) by the FDIC? What are the "hot spots" in this exam? The FDIC's examination procedures for electronic banking makes my head "whirl"!!!! Especially since I'm not a technical person when it comes to IT/IS auditing.

I am a former FDIC examiner (S&S) and I have done a lot of e-banking reviews in my time. What we always looked for were policies (should cover e-mail procedures, changes to web-site and web-site content, independent review of changes to web-site...dual verification...virus scan, 3rd party review of ISP and/or web-site host, etc.) We also wanted to see periodic review of the functionality of any links provided on the bank's site and that the calculators provided on these links were accurate. If you do provide links, the FDIC also wants to see a disclaimer. And, of course, we always wanted an independent audit of the whole area by internal/external personnel. The FDIC examination procedures (8-2000) are pretty thorough...and if they "make your head spin"...use this rule. If you don't understand something and your site's not transactional, it's probably not applicable to your exam. Just make sure that you've got the policies, independent review of changes to site, periodic review of site content, and independent annual review of whole area.

Let me know if you need more specific information.

In our recent exam the FDIC emphasized the need for technical audits of the various aspects of IS, including e-banking.

Give me some details regarding the FDIC emphasizing the need for technical audits.......... Did you internally performed 2 audits (IS/E-banking) or did you combine the audits?

I had been combining various IS audit areas into 2 or 3 audits, one being electronic banking. The FDIC examiner recommended that IS audits be broken into 8 or more separate areas, with technical audits needed in most areas. When we bring E-banking processing in-house in future, a technical audit of its security, including the firewall and IDS, will be necessary.

The FDIC recommended outsourcing some or all of this since our two person department would be pressed to obtain and maintain the needed technical expertise from year-to-year.

There are two sections. one covering e-banking, one covering IS. The IS section is standard, but the e-banking section is all over the map, in that what they want to see depends on what you are doing in the area of e-banking and who is doing it. The smart thing to do is outsource almost everything. By the way, the FDIC is looking for specific insurance coverage, contracts, e-banking policies, contingency/back-up plans, feasibility studies (cost/benefit), due diligence (third party vendors), and internal training. Those of us in small growing banks just have to do the best we can to respond.

I was looking around this site for assistance, but this subject, as well as other subjects that require subjective documentation, seems to require outside support, versus providing samples of policies, responses, etc. on these subjects.