FDIC's Information Technology Risk Examination (InTREx) Program

InTREx Program

The FDIC revised its information technology and operations risk (IT) examination procedures, adopting a more efficient approach called the Information Technology Risk Examination (InTREx) Program. InTREx is a superior, risk-based method of performing IT examinations that ensures bank management identifies and addresses IT and cybersecurity risks swiftly and efficiently.

InTREx uses a work program based on the Uniform Rating System for Information Technology (URSIT) and includes Core Modules for the Audit, Management, Development and Acquisition, and Support and Delivery component ratings.

Features of the InTREx Program

Enhanced Pre-Examination Process 

The pre-examination scoping process has been modified to focus on emerging risks and technologies.

  • Approximately three months before a scheduled IT examination, your bank will receive an Information Technology Profile (ITP) questionnaire to complete and return to the FDIC. The ITP questionnaire helps determine what resources will be needed to perform the IT examination and also assists with scoping the examination.
  • The IT examiner-in-charge will customize the IT examination based on the ITP responses, prior examination reports, and new products or services. Your bank will receive an IT Request Letter that includes the IT profile at least 45 days before the scheduled examination.

Examination Procedures

Examiners will analyze risk and document examination procedures, findings, and recommendations by completing the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper. For banks with a higher IT profile, examiners can use additional examination procedures, supplemental work programs, and the FFIEC Information Technology Examination Handbook.

Report Presentation

The Examiner Conclusions and Comments page will include a summary of the overall state of the IT function that corroborates the URSIT composite rating. The Information Technology Assessment page will note URSIT component ratings, examination findings, recommendations, management's responses, including periods for corrective action, and supporting comments for cybersecurity preparedness and compliance with information security standards.

Optimizing Your Bank's Approach

The amount of time spent on an IT Review, such as the new InTREx Program, is determined by a bank’s technology profile. Some banks will require extra time to complete their reviews.

In order to provide you with the best possible IT Review solutions, your bank’s IT specialists must be constantly on alert for new IT updates and expectations from the FFIEC. Your IT specialists should amend their work programs to comply with new regulatory expectations and established best practices in support of IT security, confidentiality, integrity and accessibility.

If you would like more information about FBLG’s IT Services, please contact Keith Ferguson.

Additional information and a copy of the InTREx program are available on the FDIC’s website.