FFIEC Guidance: Revision vs. Update

December 8, 2015 at 10:00 AM

When it comes to technology, we hear terms that are often confused and used interchangeably. Some examples of these terms include Vulnerability Scanning and Penetration Testing. Another example is the age-old debate of Risk Assessment versus Audit. While seemingly similar on the surface, there are in fact significant differences. The same holds true for a topic I have discussed on this blog recently in reference to the FFIEC Guidance on the Management IT Booklet. The terms I am referring to are “update” and “revision.” While seemingly similar, they are in fact quite different.

A basic, working definition of “update” would be the act of bringing someone or something up to date, or an updated version of something. That makes pretty good sense, but what about “revision”? A basic, working definition of revision would be “a new version of something.” The two sound similar, but in the case of the recent FFIEC Guidance the difference is significant, and it is one we need to discuss.

On November 10, 2015, the FFIEC announced that they had made a complete revision to the Management IT Booklet. We discussed this in detail in this blog post, including what it would mean for financial institutions and how they should prepare for their examinations moving forward. That was all great information; however, since we have had some additional time to digest the new Management IT Booklet, there are some key pieces of information that we have noticed and read about:

  • This Management IT Booklet completely replaces the previous version. If you’re keeping score at home, that booklet was published in 2004. That was 11 years ago.
  • The revised Management IT Booklet makes significantly more references to Cybersecurity than the previous version. According to Compliance Guru, the new Management IT Booklet makes reference to Cybersecurity 53 times as compared to the single reference in the previous version. That should provide a clear indication of how important Cybersecurity has become in 2015.
  • Vendor Management used to have its own section in the previous version of the booklet. In the 2015 version, Vendor Management is intertwined throughout all 65 pages of the booklet. Again, this should be a sign as to how important this topic has become to financial institutions in 2015.
  • The Examination Procedures section was almost a complete rewrite: all of the existing objectives have been expanded upon, and several new objectives have been added.

Don’t be fooled into thinking that this latest version of the FFIEC Management IT Booklet was a minor update. In fact, this was a major revision, the first in 11 years. It is going to significantly impact how you conduct your audits in preparation for your examinations, and it will also significantly impact what your examiners look at when they come into your financial institution. Navigating these changes can be a bit tricky, which is why Compass IT Compliance is here to discuss these changes and offer suggestions for how you should prepare. Contact us today to discuss your unique situation!
