Most banks use the Internet to provide access to resources and to deliver information, products and services; however, they may be unaware of the Internet's inherent security risks. The FDIC has issued a paper to help identify many of those risks, as well as several systems controls that financial institutions can use to manage them.
The paper, Security Risks Associated With the Internet, identifies the FDIC's areas of concern relating to transactional and systems security issues, such as data privacy and confidentiality, data integrity and authentication. For example, the paper explains that sniffer programs can be set up to look for and collect data, such as account numbers or passwords, and IP spoofing programs can be used to make one computer actually claim to be another by mimicking its Internet protocol address.
The paper also discusses the primary technologies, standards and controls that manage Internet risks, such as encryption, digital signatures and certificate authorities (trusted third parties that verify the identity of a party to a transaction). It also examines other methods of systems security, including the use of firewalls, smart cards and biometric technologies, such as retina scanning.
A copy of the paper (FIL-131-97) is available online at www.fdic.gov (click on banking news) or by calling the FDIC public information center at 800-276-6003.
Regulators Issue Internal Audit Paper
Four federal banking agencies issued a policy statement on internal audits, including information on outsourcing the internal audit function. The statement emphasizes the importance of sound risk-management processes and internal controls, and it warns of certain risks related to outsourcing internal audits to vendors that also perform the financial statement audit or other services requiring independence.
"Federal regulators have had concerns over the independence of certain outsourcing arrangements," said Doris L. Marsh, examination specialist in the FDIC Division of Supervision. Marsh said there also were instances when the oversight agencies thought the number of staff was not sufficient to oversee the internal audit function. "We consider this a best practices paper," said Marsh.
The statement, Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, was sent to the CEOs of all banks by their respective regulators. It was issued by the FDIC, the board of governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Office of Thrift Supervision.
The statement focuses on the sound practices necessary to manage effectively the internal audit function of insured depository institutions, bank holding companies and U.S. operations of foreign banking organizations. It also examines how outsourcing arrangements may affect an examiner's internal control assessment and discusses how certain outsourcing arrangements could affect the independence of an external auditor that is also providing internal audit services. The statement notes that an entity's board must select an external auditor that will satisfy the independence requirements established by the AICPA and relevant requirements of the SEC.
The statement is available on the FDIC Web site at www.fdic.gov and the Federal Reserve Board's Web site at www.bog.frb.fed.us.