FFIEC & GLBA Based Technology Audit

Breathe easy. Your business will be protected.  

The truth is that FFIEC and GLBA technology audits are technically very similar between providers; it’s having the right guide that makes all the difference. To us, security is much more than checking some boxes. If you’re going for the bare minimum to ensure compliance, you’ll find a more suitable partner elsewhere. Our client partners want to be more than compliant. They want to be secure. 

Here's some detail of our scope:

Our FFIEC based Technology Audit engagement will provide consulting services to your Audit Committee of the Board of Directors and/or designated management representative, assisting them in fulfilling their responsibility of establishing appropriate levels of internal audit scope and procedures. This assistance will include working with your management team in identifying risks associated with the Clients information systems.‌

Internal Controls Review and Risk Assessment

The objective of our engagement is to examine the risk of the general controls and the policies and procedures related to the Clients information systems.Our work steps will be based on the internal control guidelines set forth in the Information Systems Handbook of the Federal Financial Institutions Examination Council (FFIEC) including GLBA guidances. These are the same control objectives used to assist regulatory examiners in examining information systems in financial institutions and independent service bureaus. Additionally, we have incorporated the CobiT (Control Objectives for Information Technology)framework into our scope of work. CobiT, jointly created by ISACA and ITGI, is a generally accepted framework of best practices for the management of IT resources. By incorporating both frameworks, our reviews provide an overview of information systems concepts, practices, sound information systems controls, and examination work programs. These control objectives are employed to evaluate potential risk areas within the organization. The approach to reviewing the Technology general controls will follow a systematic pattern of data collection, testing, observation and analysis.
Specifically, we will:
  • Interview key data processing personnel.
  • Review selected documentation and other documented controls.
  • Observe operations activity and the control environment.
  • Review security procedures and physical safeguards.
  • Define and report overall risk in the Technology area.

Risk-Based Testing Approach

Testing will be performed to the extent necessary to confirm our understanding of the risk levels represented in the controls.In evaluating the MIS general controls as a basis of providing recommendations, we will consider:
  • Setting a baseline risk which will be based on the complexity of Information Systems.
  • The applicability of each MIS general control objective to the environment at the Client.
  • The relative effectiveness of existing controls that support the objectives.
  • The presence of compensating internal controls.
  • The relative cost/benefit of various control alternatives.


Client Responsibilities

This relationship is that of a partnership between Vala Secure and the Client. As you can expect an acknowledgement to a request from Vala Secure within a 24 period during normal business hours, we require the same in return to assure a steady progression for the Client to achieve the goal of continuous compliance.
The Client is also responsible for;
  • Assigning a primary contact.
  • Providing the names and contact information for personnel within your organization that are pertinent to the goals of this engagement.
  • Acknowledging the request for Work Papers or other relevant information within a 24 hour period during normal business hours. This is not saying that the request needs to be satisfied in this time frame. But communication does need to be in progress so that the time frame for the actual resolution of the issue can be made known to all involved parties.
  • Participation of appropriate personnel within your organization in an escalation process in the case that necessary information has not been made available in an acceptable timeframe or a findings resolution has not been resolved in the necessary time frame.

Vala Secure uses the specific guidelines set forth by the FFIEC and CobiT as a baseline to evaluate risk. Below are brief descriptions of each of the twelve FFIEC handbooks Vala Secure will cover for your Information Technology Audit. Each section provided in the our final reports will contain supplements and cross-mappings to applicable CobiT control objectives. This will provide insight about what each booklet consists of and what Vala Secure will be doing to ensure Client is in compliance.

Here’s what Vala Secure brings to the table:
  • We’ve got your back. Although technology audits are highly technical and specific, we’re doing much more than checking off some boxes. When you work with Vala Secure, it’s personal. We’re here to protect not only your company and its employees or customers. We’ve got your back too. We’ll guide you on your path toward #ValaSecure.

  • We’ve seen it all. Okay, maybe we haven’t seen everything, but we have seen a LOT. Highly regulated industries like banking and healthcare lean on us for thorough, professional, annual audits. Organizations know they can count on us when an urgent, immediate need arises. Whatever your goal, we’re here to help.

  • We speak human. You’re really great at your job. We’re pretty great at ours. But at no time will a member of this team talk down to you or otherwise make you feel uncomfortable during this process. We love our jobs and we love our clients.

Technology audits should make your life easier.

Partner with Vala Secure. We’ll take care of you.

Schedule a Call

This is what we know. This is what we do.

There is a lot of jargon in this industry. You shouldn’t have to learn our jargon in order to understand how technology audits affect your business. With Vala Secure, we’ll explain everything to you in real English, so that you not only understand what we found, but are a part of the solution.

Our audits are highly customized based on your organization and industry. We’ll ensure you’re prepared for exams from external auditors.

Technology audits include testing and reviewing hundreds of items in your organization. No stone is left unturned. You’ll understand what we’re doing and what your technology audit results mean for your business. Then, we’ll review our recommendations and game plan, so that you understand exactly what to do next.

Depending on your specific needs, we can even take care of the next steps, so that you don’t have to worry about a thing.