Pub. 4 2013 Issue 4
West Virginia Banker, winter 2013

• Credit, Interest Rate, Liquidity and Price (Market) Risks – Processing errors related to investment income or repayment assumptions could lead to poor investment or liquidity decisions, increasing market risks.

• Compliance risk – The failure to comply with legal or regulatory requirements can subject a bank to legal sanctions and regulatory findings. Inaccurate or untimely data related to consumer compliance disclosures, or unauthorized disclosure of confidential customer information, could expose a bank to civil money penalties or litigation. The vendor must not only agree to follow the appropriate banking regulations, but must also have the ability to monitor the regulatory changes that could increase a bank’s compliance risk.

In addition, other risks may be considered, including continuity risk and information security risk, among others.

Upon completion of the vendor risk assessment, the bank should be able to conclude which vendors are considered critical and will require additional assessment and monitoring. Please note that the vendor risk assessment document will include both vendors that are considered critical and those that the bank has concluded are not considered critical.

Assessment and Monitoring

Vendors that are considered critical will require additional assessment and monitoring. Some examples of the additional assessment and monitoring include:

• SOC 1 report reviews for vendors who may be processing transactions that have an impact on the financial reporting of the bank.

• A detailed review of the audited financial statements of key vendors that are critical for the bank to deliver ongoing customer services. For example, a bank’s core processing vendor would be considered a critical vendor that would require a detailed review of the audited financial statements (whether in a service provider arrangement or if the bank runs the core processing solution in-house).

• SOC 2 report reviews for vendors who provide critical services that do not have a direct impact on the financial reporting of the bank. Examples of these types of services include backup services, anti-virus administration, patch management, e-mail, security monitoring and co-location services.

• Review of the Agencies’ Report of Examination (ROE) on the technology service provider. The ROE includes an “Open Section” containing all significant findings and conclusions, and this section is available to a serviced bank. The Open Section of the ROE is distributed to a serviced bank either automatically or upon request. When the composite Uniform Rating System for Information Technology rating of the technology service provider is a 4 or 5, the ROE is automatically sent to the serviced bank. A copy of the ROE can also be obtained provided the serviced bank can demonstrate that it had a valid and current contract with the technology service provider as of the date of the examination.

• Determine whether the vendor has recently had a security test (penetration test and/or vulnerability assessment) conducted. For security reasons, the detailed results will probably not be available; however, a summary of the results should be requested.

• Controls to monitor the accuracy of processed transactions.

• Periodic review of the vendor contracts.

• Obtain an understanding of the vendor’s business continuity plan.

Other procedures should also be considered based upon the service provided, the terms of the vendor contract and the impact on customer services.

Conclusion

Bank management should establish and maintain effective vendor management programs. Increased reliance on nonbank vendors to assist a bank in the delivery of customer products and services can provide bank customers with certain benefits. However, there are risks involved in utilizing nonbank vendors, and bank management should ensure they have a program that assists them in understanding the complex nature of the outside arrangement and provides bank management with the tools to continuously monitor the relationship.

Chris Joseph is a Member of Arnett Foster Toothman PLLC, Certified Public Accountants, in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information System Auditor, Certified in Risk and Information Systems Control and Certified Information Technology Professional, Mr. Joseph has twenty-eight years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@aftcpas.com.