Internal Audit Services

Information Technology General Controls Audit

NETBankAudit performs Information Technology General Controls (ITGC) audits that evaluate IT governance, security, operations, and regulatory compliance for financial institutions, including URSIT readiness, cybersecurity, vendor management, change management, disaster recovery, and identity theft prevention.

NETBankAudit’s audit methodology is based on the latest version of Control Objectives for Information Technology (COBIT), published by the Information Systems Audit and Control Association. Our process leverages COBIT’s audit framework and maturity model to determine appropriate tests for evaluating control areas and to comply with FFIEC IT Audit guidelines, including the Uniform Rating System for Information Technology (URSIT). All audit findings and control objective ratings are documented in a formal report and detailed workprogram with supporting work papers.

Risk-Based IT General Controls Audit Planning

In line with FFIEC guidance, NETBankAudit develops a tailored IT audit risk assessment for each client, ensuring the Board of Directors has an effective risk-based audit function. Our assessment includes:

  • Identification of data, applications, operating systems, technology, facilities, personnel, and related business activities
  • Profiles of significant business units, departments, product lines, or systems, with associated business risks and control features
  • A scoring system to rank and evaluate business and control risks
  • Board and/or Audit Committee approval of risk assessments and annual risk-based audit plans
  • Implementation of the audit plan through planning, execution, reporting, and follow-up
  • Regular re-evaluation and update of risk assessments for all significant business units, departments, and systems

This methodology provides objective information to prioritize audit resources and ensures compliance with FFIEC guidance.

Scope of the Audit

Our COBIT control objectives are tailored to the financial institution industry and include:

IT Governance

  • IT Governance Framework
  • Strategic Planning, Implementation, and Transparency
  • Risk Assessment
  • Compliance Monitoring

IT Management

  • Organizational Structure and Provisioning
  • Policies and Procedures
  • Project Management
  • Outsourcing and Vendor Management
  • Training and Awareness

IT Operations

  • System Design, Availability, and Capacity
  • Hardware and Software Controls
  • Change Management and Problem Management
  • Input/Output Controls
  • Data Assurance
  • Business Continuity and Disaster Recovery

IT Security

  • Information Security and Cybersecurity Programs
  • Network Security
  • User Access Controls
  • Logical Access Controls
  • Physical Controls
  • Logging and Monitoring Controls
  • Incident Prevention and Response

Evaluations are structured based on operational criticality and security risks. The audit typically encompasses:

  • Network (internal/external connectivity and related hardware, software, and services)
  • Core data processing (mainframe computer, application software, and related services)
  • Item processing/proof (hardware, software, and services related to item capture, processing, and balancing)
  • Digital Banking (hardware, software, and services for online account access)
  • Telephone banking (voice response systems)
  • ATM, debit, and credit cards (hardware, software, connectivity, and services)
  • Wire transfer and ACH (hardware, software, connectivity, and services)
  • Web-based applications (systems for HR, accounting, lending, marketing, etc.)

ITGC Audit Process Value-Add Reviews

Uniform Rating System for Information Technology (URSIT)

The Uniform Rating System for Information Technology (URSIT) is the regulatory framework used by federal and state agencies to assess and rate the IT-related risks of financial institutions and their technology service providers. URSIT provides a standardized approach for evaluating an institution’s overall risk exposure, risk management performance, and the degree of supervisory attention required to address identified weaknesses.

Comprehensive Ratings

URSIT assigns an overall composite rating on a scale of 1 to 5 (1 being the strongest rating, 5 the weakest) and component ratings in four key areas:

  • Management: Oversight, governance, and effectiveness of IT management and risk management practices.
  • Audit: Scope, frequency, and quality of the IT audit function, including independence and reporting.
  • Development and Acquisition: Controls over the development, acquisition, and implementation of new systems and applications.
  • Support and Delivery: Effectiveness of IT operations, support, and service delivery, including business continuity and incident response.

Regulatory Expectations

The URSIT rating system is used by the FDIC, FRB, OCC, and NCUA to determine the level of regulatory oversight and the frequency of examinations. Ratings influence the degree of supervisory attention and the prioritization of follow-up actions.

NETBankAudit’s Approach

  • Explain the URSIT rating system, its components, and regulatory expectations to management and the board.
  • Evaluate your institution’s examination findings within the context of overall and component URSIT ratings.
  • Proactively share examination intelligence and trends from our extensive client base and regular contact with regulatory agencies.
  • Provide actionable recommendations to address any weaknesses that could impact your URSIT rating.
  • Help your institution understand the potential ramifications of URSIT ratings on regulatory relationships and future examinations.

Continuous Regulatory Insight

NETBankAudit recognizes that regulatory expectations and interpretations can vary by agency, region, and examiner. We leverage our broad client base and ongoing dialogue with regulators to provide you with up-to-date intelligence and best practices, helping you anticipate and address emerging issues before they become findings.

Our URSIT-focused review ensures your institution is well-prepared for regulatory examinations, understands its risk profile, and can demonstrate effective IT governance, management, and control to examiners and stakeholders.

Cybersecurity and Information Security Program Review

NETBankAudit reviews your institution’s cybersecurity and information security risk assessments and programs against both FFIEC guidelines and industry standards. The Information Security review determines the effectiveness of the documented program and compliance with the GLB Act 501(b) and other regulatory expectations. The cybersecurity program evaluation covers current practices and overall cybersecurity preparedness, including:

  • Risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls and external dependency management
  • Cyber incident management and resilience

We review your GLBA Information Security Risk Assessment and the FFIEC Cybersecurity Self-Assessment Tool for input into audits of relevant control areas. Specialized cybersecurity testing may also be incorporated into the internal and external network vulnerability assessment to validate controls. Our approach ensures your institution’s security program is robust, compliant, and aligned with regulatory and industry expectations.

Security Awareness Assessment (Social Engineering Controls)

NETBankAudit’s Security Awareness Assessment evaluates your institution’s preparedness to defend against social engineering threats. Our process begins with a review of your information security policies, procedures, and security awareness training program, which are foundational for minimizing human error in information security. Based on our understanding of your internal policies and training, we conduct targeted testing and assessment of your social engineering controls.

Onsite Security Awareness Review

NETBankAudit believes the best defense against social engineering is a strong culture of awareness. All employees should receive regular training to recognize suspicious situations and ensure proper handling of sensitive information, including secure disposal of materials to prevent “dumpster diving” attacks.

  • Interviews with personnel responsible for security awareness training
  • Evaluation of training content, frequency, and relevance to employee roles
  • Review of procedures for regular training, scenario-based awareness, and employee responsibilities in safeguarding information
  • Assessment of guidelines for periodic testing and communication that such testing is for program improvement, not individual performance
  • Verification of procedures for proper disposal of sensitive materials to prevent attacks such as “dumpster diving”

Physical Security Review

As part of the Physical Security Review at your data center and selected branch locations, our CISSP- or CISA-certified auditor interviews selected employees to determine their understanding of existing security policies and procedures and whether they understand their role in preventing social engineering.

  • Interviews with select employees at data centers and branch locations to assess understanding of security policies and procedures
  • Review of physical branch locations from a customer’s perspective to identify potential information exposure
  • Inspection of areas such as computer screen placement, unsecured paperwork, and trash disposal for sensitive information
  • Direct interaction with employees to gauge their awareness and understanding of social engineering risks

Our assessment provides actionable recommendations to strengthen your institution’s human defenses and security culture.

Change Management Procedures Review

NETBankAudit evaluates your change management policies and procedures to ensure effective control over software, system, and infrastructure changes. Our review is based on Systems Development Life Cycle (SDLC) standards and covers the entire change and implementation life cycle for proper management and controls. We assess:

  • Change management definitions and methodology
  • Employee responsibility and function identification
  • Tracking and documentation of changes and updates, including those from external sources
  • Access control policies for testing and implementation environments
  • Security management for physical network, systems, and applications

Our recommendations focus on reducing operational risk, supporting regulatory compliance, and ensuring that all changes are properly authorized, tested, and documented.

Disaster Recovery and Contingency Plan Assessment

NETBankAudit reviews your business continuity and disaster recovery planning to ensure your institution is prepared for disruptions. Our assessment covers:

  • Alignment of the business continuity plan (BCP) with your institution’s size and complexity
  • Consistency with overall business strategy and regulatory expectations
  • Minimization of financial losses and operational disruptions
  • Effectiveness of recovery and communication protocols

We evaluate the comprehensiveness of your BCP, including its ability to serve customers and financial markets with minimal disruptions and to mitigate the negative effects of disruptions on business operations. Our review assists your institution in meeting examination requirements and regulatory expectations for business continuity planning.

Vendor Management Policy and Procedure Assessment

NETBankAudit assesses your institution’s vendor management program to ensure effective oversight of third-party technology service providers. Our review includes:

  • Risk assessment and due diligence for technology vendors
  • Selection and ongoing monitoring of service providers
  • Contract review and compliance with FFIEC and industry best practices
  • Alignment of outsourced relationships with internal risk management, security, privacy, and other policies

We focus on ensuring that outsourced relationships are subject to the same risk management, security, and privacy standards as in-house activities. Our assessment helps you manage third-party risk, maintain regulatory compliance, and protect your institution from vendor-related exposures.

Incident Response Assessment

NETBankAudit evaluates your institution’s incident response program to ensure readiness for security incidents and data breaches. Our assessment focuses on:

  • Policies and procedures for incident detection, response, and recovery
  • Customer notification processes in line with GLBA and regulatory requirements
  • Alignment with industry-accepted incident response practices
  • Testing and documentation of incident response capabilities

We review your program’s ability to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience. Our recommendations help improve your institution’s ability to respond to and recover from security incidents, ensuring compliance with regulatory requirements and industry standards.

Identity Theft Prevention Program Review

NETBankAudit reviews your institution’s compliance with the Fair and Accurate Credit Transaction Act (FACT Act) and related identity theft prevention requirements. Our review includes:

  • Assessment of Red Flags Rule compliance and program effectiveness
  • Evaluation of policies and procedures for detecting, preventing, and mitigating identity theft
  • Appropriateness of the program for your institution’s size, complexity, and activities
  • Review of staff training and incident response related to identity theft

We ensure your program is designed to identify patterns, practices, or specific activities that indicate possible identity theft, and that it is tailored to your institution’s risk profile. Our review helps you safeguard customer information and meet regulatory expectations.

"NETBankAudit is more than just an audit firm. They take the time to truly understand your organization. By working as a partner they made recommendations that best fit our bank while helping us realize resources that were already at our disposal. The employees we work with are extremely knowledgeable and always available to assist."
Garrett Henry, Chief Information Technology Officer
Franklin Savings Bank
$822M total assets, FDIC regulated
"Our Auditor was accommodating when appropriate, but never at the expense of principle. She has my respect in every regard, and it is a privilege having her as a resource especially during exams. Our Engineer was great as well. He was able to perform the penetration testing and vulnerability scanning with little disruption to our team. This year’s engagement was on point as usual."
Beth Worrell, EVP, Chief Risk Officer
Skyline National Bank
$855M total assets, OCC regulated
"We were very satisfied with the model validation of our Verafin System. The NETBankAudit team was great to work with, very professional and kept us in the loop throughout the engagement. We will definitely consider working with them again for the annual validation."
Ken Helmrich, CAMS, CFCS
Kearny Bank
$7B total assets, FDIC regulated
"NETBankAudit provides us with top notch Information Security Professionals to allow us to continually improve our organization’s security posture. Springs Valley is able to utilize them to stay abreast of the changing regulatory and cybersecurity landscape. It is great to have a reliable resource like them as a valued partner."
Craig Buse, CLO, COO
Springs Valley Bank & Trust Company
$494M total assets, FDIC regulated
"We appreciate working with professionals respected in the financial services community for their individual expertise and their attention to detail in the audit programs. Always accessible when we need their assistance."
Teresa Welty, SVP Internal Audit and Risk Officer
Capital Bank
$1.8B total assets, OCC Regulated
"We have been doing business with NETBankAudit since 2018 and their team of professionals has been amazing to work with. They are experienced, objective, and responsive in performing our audit. Plus, they have been readily available to assist us with any issues during regulatory exams."
Robin Harris, Vice President
Carolina Bank
$579M total assets, FDIC regulated
"The auditors have been very helpful and patient in giving us guidance with starting, developing, and improving our cybersecurity program. We have an active relationship with NETBankAudit and they are not just an audit firm. NETBankAudit wants us to succeed and not only meet regulatory requirements but understand them as well."
Leslie Nicely, Cybersecurity and BSA Officer
Highlands Community Bank
$172M total assets, FRB Regulated
"First Citizens National Bank selected NETBankAudit to provide audit services for Information Technology Systems in early 2005. Since that time, we have added cybersecurity, digital banking, and network penetration testing. NETBankAudit is not only our auditor, but our partner in developing new digital strategies, policies and procedures. When we are implementing anything digital, NETBankAudit is a resource we use to ensure we have covered all aspects of risk management."
Judy Long, President and COO
First Citizens National Bank
$2B total assets, OCC Regulated
"We were very satisfied with our first NETBankAudit experience and impressed with the thorough report. Working with our assigned auditor was a pleasure - he possesses great field experience and regulatory experience that was very helpful to us."
Dan Hagedorn, Audit Liaison/Compliance
International Bank of Chicago
$845M total assets, FDIC regulated
"NETBankAudit's auditor was very knowledgeable and explained clearly what was needed from our side to help complete the audit as well as providing clear recommendations on where we could improve our controls. The audit was done very professionally. Everyone here at SECU that interacted with NETBankAudit had the feeling of a partner."
Rodney Hill, VP Technology
Schlumberger Employees Credit Union
$945M total assets, NCUA regulated
"NETBankAudit serves as our internal auditing team. Their attention to detail and mastery of regulations are invaluable tools to our organization. During the audit, when they have a recommendation or finding, they partner with us and aid us in an internal audit liaison capacity. It is not a typical audit firm’s approach, who just present their report and findings with limited direction or follow-up. NETBankAudit’s approach also helps us prepare for regulatory reviews with regular “heads-up” guidance and coaching. The examiners value NETBankAudit’s quality and depth of coverage and leverage the detailed audit work papers to facilitate the examination process."
Dave Kittleson, Director of IT
Arundel Federal Savings Bank
$444M total assets, OCC regulated
"We are very satisfied with NETBankAudit’s IT Audit services. The people we worked with are very personable, knowledgeable, and professional."
Sue Richardson, ISO
BayPort Credit Union
$2.2B total assets, NCUA regulated
"We've partnered with NETBankAudit for over 10 years. We know we'll always receive a thorough review, but the service is always above and beyond our expectations. NETBankAudit keeps us apprised of recent regulatory changes, potential exam issues, and other areas for focus. Engaging NETBankAudit is creating a partnership for the future."
Leslie Hambrick, CFSA, CRMA
Peoples Bank, Newton, NC
$1.5B total assets, FDIC regulated

Value-Add Consulting
Leveraging Decades of Industry Experience

As your trusted partner for compliance and security, our audits include informed recommendations for improvement.
How NETBankAudit Delivers Value-Add Consulting:

Our Value-Add approach to auditing and compliance provides tailored, actionable advice drawn from our experts' practical industry experiences.

  • A senior-level auditing team, each member bringing 10+ years of industry and regulatory experience.
  • Broad team expertise backed by certifications including CISA, CISSP, CISM, and CRISC.