BOARD OF GOVERNORS
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
SR 95-45 (SUP)
September 11, 1995
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Inspections of Management Information Systems
Attached is a System task force "Report on the Target Inspections of Management Information Systems" that includes target inspection guidelines and preliminary procedures for reviewing this area. This report was prepared by an interdistrict team of senior examiners who participated in a project during 1994 to review the effectiveness of the management information systems (MIS) of three Top 50 bank holding companies. The project was conceived at the interdistrict bank holding company inspection coordination meeting held at the Board in September 1993. At the completion of the targeted reviews, it was agreed that the System should use the developed guidelines and procedures to enhance current MIS inspection procedures in recognition that effective MIS is becoming increasingly important to bank holding companies in measuring and managing risk.
The target MIS inspections focused on the evaluation of information flows to senior management and the board of directors, and the computer systems that support these information flows. The inspection team included a mix of examiners with bank holding company inspection and electronic data processing examination experience. These target inspections provided insight into the risk assessment process bank holding companies use in developing, implementing, and monitoring MIS policies and procedures, which resulted in suggestions for enhancements in the bank holding company inspection process relative to MIS that are suitable for immediate use.
The guidelines and procedures are primarily designed to facilitate an overall review of MIS at large bank holding companies, large state member banks, and large foreign banking offices. After these guidelines and procedures have been utilized by System examiners on a number of inspections over the next year, they will be reviewed and evaluated for possible revision based on examiners' experience and suggestions. It is anticipated that final guidelines and procedures will be prepared by System staff and incorporated into the Bank Holding Company Supervision Manual, the Commercial Bank Examination Manual, and the Branch and Agency Examination Manual, as appropriate.
The preliminary MIS inspection procedures were developed based on the inspection results from three Top 50 bank holding companies with varied organizational structures and business strategies. The inspection team observed that the structure and complexity of MIS was unique to each institution. Accordingly, these inspection guidelines and procedures may be tailored and modified, as necessary, to accommodate the characteristics of the financial institution being inspected.
It is recommended that a target MIS inspection be considered for Top 50 bank holding companies, other major regional bank holding companies, large state member banks, and large foreign banking offices. Although a targeted inspection of MIS may be performed periodically, it is not intended that a targeted inspection of MIS be performed annually. Reserve Banks should determine the appropriateness and frequency of a target MIS inspection based on their risk assessment of the financial institution. In many situations, examiner recommendations made as part of a target MIS inspection can be adequately reviewed during the following annual bank holding company inspection. Although the guidelines and procedures have been developed for use in a target inspection, they may be modified by the Reserve Banks to supplement existing MIS guidance in a full scope review of a financial institution.
To facilitate the evaluation of the guidelines and procedures, Reserve Banks are asked to forward any comments or suggestions that result from use of the procedures to Stephen C. Mackey, Supervisory Financial Analyst, Multinational Supervision Section (mail stop 179). Mr. Mackey can be reached at 202-452-5264 with any questions you may have.
James I. Garner
Deputy Associate Director
Cross Reference: Bank Holding Company Supervision Manual Section 2060
Trading Activities Manual
ATTACHMENTS TRANSMITTED ELECTRONICALLY BELOW
The Target Inspections Of
Management Information Systems
FEDERAL RESERVE SYSTEM
Report on the Target Inspections of
Management Information Systems
TABLE OF CONTENTS
- Project Summary
- Recommendations
- Exhibit A - Bank Holding Company Inspection Guidelines
- Exhibit B - Holding Company Officer Questionnaire
- Exhibit C - Sample Format for Risk Management Process
- Exhibit D - Worksheets for Management and Board Reports
- Exhibit E - Conceptual Overview Model and Instructions
- Exhibit F - Target MIS Inspection Procedures
- Exhibit G - Summary of Significant Inspection Findings
Inspection of Management Information Systems
A management information system ("MIS") can be described as a methodology or management tool used to facilitate the decision-making process. MIS encompasses the policies, procedures, and internal controls pertaining to the management reporting process that provides the board of directors and management with the information necessary to monitor and control operations and activities. Proper design and implementation of MIS provides timely, relevant, and accurate information that enables management and the board to make business decisions that facilitate meeting the organization's objectives.
At an interdistrict coordination meeting held at the Board of Governors in September 1993, the decision was made to assess the relevancy and completeness of current MIS inspection procedures due to:
- the realization that MIS is becoming increasingly important to financial organizations in managing risks; and
- the perception that current inspections do not cover all the areas relevant to assessing MIS.
The overall purpose for performing these targeted reviews was to determine if the policies, practices, procedures, and internal controls regarding MIS are satisfactory, and whether MIS provides reliable and sufficient information to senior management and the board to enable them to identify, monitor, and control risks throughout the organization. To start, specific MIS objectives and procedures were developed and field-tested by an interdistrict team of examiners at three large bank holding companies. Summary reports of each target inspection were prepared. In addition, information obtained during each inspection was used to modify the original objectives and procedures developed before the commencement of on-site reviews. At the conclusion of the target inspections, procedures were revised and a draft MIS section was prepared for the Bank Holding Company Supervision Manual.
SCOPE AND PROCEDURES
The three on-site MIS inspections were completed between April and September of 1994. The target inspections evaluated the ability of MIS to provide the reports necessary to enable management and the board to identify, monitor, and manage the various risks of the organization. A risk assessment was performed at each institution that encompassed reviews of the significant functional areas of the organization with a focus on identifying credit risk, interest rate risk, funding risk and market risk across the organization. Inspection resources were then allocated accordingly based on the perceived risk profile of the institution that was developed through the risk assessment process.
In addition to the risk assessment, the scope of the inspections included a review of the decision-making process for senior management and the board including the analysis of MIS reports generated to facilitate this decision-making process. Furthermore, the plans for meeting technology needs, the systems used in preparation of reports, and the internal controls over data integrity were analyzed. Results of internal and external audits pertaining to MIS within functional areas or business units were reviewed as well as the most recent regulatory examination reports.
The MIS inspection process was divided into the following three areas:
- Relevance and Utilization of MIS
  - Overall risk assessment of the corporation;
  - Identification of risk responsibilities and reporting lines within the organization; and
  - Evaluation of quality and relevancy of MIS reports.
- Internal Controls Over MIS Integrity
  - Identification of information flows and internal control points;
  - Evaluation of internal controls over information flows; and
  - Evaluation of report development process and contingency plans.
- MIS Architecture and Planning
  - Analysis of the corporate strategic and technology plans, and the effect of their interrelationship on MIS;
  - Identification of the system architecture, including planned enhancements, and its effect on MIS; and
  - Evaluation of system architecture capability to assimilate acquired organizations and the subsequent effect on MIS.
Unlike an electronic data processing ("EDP") examination, which is aimed at providing an overall assessment of the organization's data processing activities (i.e., EDP audit, technology management, systems development, programming, and computer operations), the target MIS inspection evaluates the information flows to senior management and the computer, or manual, systems which support them. Bank holding company ("BHC") inspections place more emphasis on reports generated by MIS, rather than the process by which they are created.
Management information systems are made up of various sub-systems and will generally be unique to the organization. MIS will be influenced by the structure of the organization, its activities, its risk profile, and its technological capabilities. The target MIS inspection guidelines and procedures developed from the results of this project discuss the three broad areas outlined above and provide examiners with guidance on how to evaluate an institution's MIS process.
Composition of MIS Inspection Team
The three on-site MIS inspections were staffed by an interdistrict examination team which included the examiner-in-charge of the BHC inspection, two additional BHC examiners, and four EDP examiners. This mix of examiners proved vital to the successful completion of these target inspections. To conduct future MIS inspections of large BHCs, experience is essential, and desired staffing would include a balanced mix of BHC and EDP examiners.
Advance Request for MIS Information
To reduce the amount of time spent on-site and to maximize its effectiveness, it is vital to the success of an MIS inspection to plan effectively and to identify, request, and receive specific information. Gathering of specific information can be facilitated through the use of the sample formats included in Exhibit C to prompt management's response. During the course of this interdistrict project, several first day request formats were developed and are included in Exhibit B.
Meetings with Management
To get a preview of the major departments of the organization and how they use MIS to identify and manage risk, key senior officials were asked to make presentations at the beginning of each inspection. Sample topics are attached as a part of the first day request for information in the MIS Inspection guidelines and procedures (Exhibit B). These meetings proved extremely helpful by improving examiners' access to senior management.
The institution's internal auditors should utilize a risk assessment methodology in determining the frequency with which the organization's activities are audited. In general, internal audit covers MIS in a fragmented manner as a component of the function being audited. However, an overall review of MIS and the systems that support it should be considered within the scope of these audits. An MIS inspection should include a determination of the extent of audit coverage of MIS, either on an overall or a fragmented basis. The level of coverage provided by internal audit may be used, in certain circumstances, to supplement examination procedures for the MIS inspection; however, lack of coverage should be cited as a deficiency.
BENEFITS OF PERFORMING MIS INSPECTIONS
The performance of a successful MIS inspection represents a considerable investment of time and effort; however, the benefits derived are numerous. Because of the continued evolution of technology and the manner in which it is applied to risk management and MIS within an organization, these benefits can significantly enhance the examination process. The MIS inspection process:
- Provides the Federal Reserve System ("System") with a methodology and the tools to better evaluate the consolidated organization's infrastructure for reporting the key information used by senior management and the board to measure and manage risk.
- Coordinates the review of the management information process across legal entities and integrates the review of EDP and safety and soundness issues. This provides examiners with a comprehensive picture of the organization and increased comfort with the MIS reports generated.
- Allows for the identification and evaluation of internal controls over the information in management and board reports.
- Identifies information gaps in management and board reporting.
- Identifies areas of risk that may be addressed in future inspections.
- Encourages organizations to aggregate information in order to identify and measure risk exposures.
- Enhances examiner skills through participation in an inspection that includes both EDP examination procedures and BHC inspection procedures.
MIS varied at each of the institutions reviewed and was significantly influenced by the history and politics of the corporation. The structure of MIS ranged from organization by lines of business to organization by geographical regions or by individuals within the corporation.
The most significant outcome of these targeted inspections was the enhancement of the inspection process to effectively evaluate MIS. A matrix of the coverage by BHC inspection, EDP examination and that of the MIS target inspection is included at the end of the inspection guidelines in Exhibit A. As a result, consideration should be given to revising the scope of BHC inspection and EDP examination procedures to include (1) an evaluation of the internal controls over MIS and (2) an analysis of the role of MIS in an institution's risk assessment process.
Although there were significant variations in MIS among the three organizations, adequate MIS was in place at each institution. Recommendations for improvements were made to management as a result of each target inspection. A summary of significant inspection findings is included as Exhibit G.
RECOMMENDATIONS
- The assessment of MIS can be significantly enhanced by the target inspection approach; therefore, a target MIS inspection should be considered for bank holding companies and State member banks not associated with a holding company of $1 billion or more in assets. In addition, specialty areas (such as International, Consumer Affairs, and Trust) can modify MIS procedures for use on these examinations.
- Examiners can generally follow up on deficiencies noted and recommendations made from the target MIS inspection at the next full scope BHC inspection or EDP examination rather than performing another MIS inspection.
- In the case of subsequent MIS reviews, prior results should be reviewed, changes affecting MIS should be identified, and an in-depth assessment of selected high-risk management information systems should be performed.
- A balanced mix of EDP and BHC disciplines is essential for a comprehensive review of MIS. The team used for these targets consisted of four EDP examiners and three BHC examiners and was found to be very effective. In addition, where a specialty area is perceived to be of high risk, an examiner experienced in that discipline should be included on the inspection team.
- Sufficient time for the examiner-in-charge is vital to the success of the inspection, especially in the pre-planning process. In addition, the project team found a minimum of three weeks on site necessary in order to perform an effective MIS inspection. The amount of time on site may vary depending on the size and complexity of the institution and the amount of experience the inspection team has performing target MIS inspections.
- MIS inspection procedures should be established for appropriate coverage of MIS on all types of safety and soundness reviews and included in the appropriate sections of the Commercial Bank Examination Manual and the Bank Holding Company Inspection Manual. EDP procedures should also be enhanced to provide additional technical guidance for MIS reviews.
- On a basic level, cross-training between BHC and EDP examiners included on the target MIS inspection team will enhance the effectiveness of the inspection. After initial cross-training is completed, a determination should be made as to the need for additional specialized training.
- Because of the limited number of EDP examiners located in each district, pooling of examiner resources may be necessary to successfully complete future target MIS inspections.
Bank Holding Company Inspection Guidelines
The objective of a target MIS inspection is to evaluate the effectiveness of the corporation's management information system in providing the board of directors and senior management committees with timely, relevant, and accurate information that is necessary to monitor and manage risks and make informed decisions. As a result, the target MIS inspection utilizes a "top-down" approach, which focuses on the information used by the board and senior management committees and the overall MIS architecture. MIS that supports levels of management below those addressed in the inspection should continue to be reviewed during the appropriate examination.
In addition to the System task force's recommendation for performing an initial target MIS inspection, an MIS inspection should also be considered for any company that has a notable alteration in its risk profile, such as aggressive expansion, a significant change in business mix, or significant changes in information systems. An MIS target inspection would assess whether executive management and the board have taken into consideration MIS and its ability to adapt to significant changes within the organization. It should be noted that MIS is unique for each institution and will be influenced by the structure of the organization, the activities that it engages in, the resultant risk profile, and the technological environment that it operates under.
Effective MIS is critical to an organization because it is the primary tool used by executive management and the board to monitor risk and measure performance. Three key elements of an effective MIS are:
- Creation of adequate technological support systems,
- Effective internal controls over data integrity, and
- Design of MIS reports that balance comprehensiveness and materiality in a manner that facilitates informed decision-making.
To address these three key elements, the analysis of MIS is divided into three distinct areas which are discussed more fully in the following sections:
- Relevance and Utilization of MIS
- Internal Controls Over MIS Integrity
- MIS Architecture and Planning
RELEVANCE AND UTILIZATION OF MIS
Information requirements of management and the board should be consistent with the size and complexity of an organization's operations. As an organization grows in size and its operations become more complex, management must recognize that information needs will change, as will the organization's ability to collect and report information. Moreover, strategic goals may dictate a change in the focus of the organization, requiring revisions in data collection and presentation. Reporting policies and procedures should be established that recognize the differing information needs between executive management and the board, and the other levels of the organization.
The effectiveness of MIS has to be analyzed in terms of its ability to assist executive management and the board in identifying, monitoring, and controlling the significant risks throughout the organization. Reports should be analyzed for timeliness, relevance, and accuracy. They should provide coverage of the major areas in the institution and communicate information in a clear and concise manner. An organization might have a comprehensive MIS, but if pertinent information is not flowing to executive management and the board of directors, the system is not effective. Conversely, if management and the board are being overwhelmed with trivial data, its usefulness can be diminished.
Information should generally be presented in a summarized form, which is both easy to read and understand yet comprehensive enough to facilitate informed decision-making. Procedures must be in place to allow for rapid collection and assimilation of data to provide for timely presentation to executive management and the board. Presentation from one period to another should generally be consistent, to avoid any undue confusion. Procedures should be established that require changes in report format and content to be approved by the appropriate users of the report prior to implementation. Reported information should cover all significant risk areas within the organization and, where appropriate, provide comparisons that enable executive management and the board to measure performance.
INTERNAL CONTROLS OVER MIS INTEGRITY
The review of internal controls over data integrity within board of directors and executive management committee reports is essential to ensure that information flows are accurate and consistently prepared. To a significant extent, the internal controls over MIS will be a part of the system of internal controls over financial reporting. Section 112 of FDICIA requires these controls to be evaluated by both management and the organization's independent public accountant. Therefore, reports and workpapers documenting management's evaluation of internal controls may provide valuable information on the effectiveness of internal controls over MIS integrity.
For each report reviewed, the flow of information through MIS must be identified, including computer platforms, applications software, and interrelationships with other computer systems. Data controls, such as data entry and modification, data security, disaster recovery, back-up, and controls over program changes should be assessed, as well as the controls that provide for reliable financial reporting. Points where manual intervention occurs should be identified, and information on the flexibility of the system should be obtained.
The procedures used to evaluate the internal controls that provide integrity over the data in a report will vary depending on the nature of the computer platform, application software, and the amount of manual intervention required to produce the report. However, in all cases the assessment of MIS data integrity controls should begin with a review of the results of prior examinations and internal/external audit reports. Uncorrected deficiencies that were previously identified can reduce the effectiveness of internal controls over MIS integrity.
Reports produced directly by a mainframe application system should have controls provided within the mainframe environment and by the major application system to govern report production. These controls are reviewed during the EDP examination as well as during periodic EDP internal audits. The findings of these examination and audit reports should be used to supplement inspection procedures. The current status of deficiencies noted in these reports should be ascertained through discussions with internal audit and management.
Reports may also be produced by personal computers using spreadsheet and other office product software in a distributed processing environment. Reviews of distributed processing systems require interviews with the person(s) responsible for preparation of the reports in order to identify and evaluate internal controls. In this situation in particular, instances of manual intervention must be identified and evaluated. In addition, the most recent EDP examination report should be reviewed for any deficiencies noted in the organization's overall microcomputer policies and procedures. A review of internal audit reports for the business area and discussions with audit personnel will reveal whether internal controls over PC/spreadsheet applications have been evaluated recently.
MIS ARCHITECTURE AND PLANNING
The organization's computer system architecture plan should be designed to complement its business plan and each must support the strategic plan. The business plan identifies the goals, target markets, and areas of risk of the organization. The architecture plan describes the corporate technological plans for implementing the systems that will achieve the strategic and business goals, and should include the needs of MIS.
The Interagency Policy Statement on Information Systems Planning (SP-7) states that information is a valuable corporate asset. In a competitive banking environment, the ability to effectively manage this asset is crucial to an organization's ability to remain competitive, introduce new products and services, and achieve desired goals. Therefore, the system architecture plan must be developed in conjunction with the business plan. The system architecture plan must ensure mainframe processing and MIS are appropriately integrated and in place for the institution to achieve its strategic goals.
The dynamic and competitive banking and technology environments make effective planning critical. Coordination of the business and system architecture plans is necessary to determine the effectiveness of the institution's planning process and compliance with SP-7. The proliferation of mergers and acquisitions in the banking industry makes this process more important and more complex. To effectively manage divergent technologies inherited through mergers and acquisitions, it is important for management to have a clear understanding of the organization's strategic goals and the technology necessary to achieve them. Institutions in this situation must decide which systems acquired will survive and establish an effective process to convert or merge systems. Documentation should support management's decision including any formal conversion plans. Telecommunications, compatibility of systems, data integrity, capacity, contingency planning, and data security are especially critical in this situation and should be evaluated in the planning and conversion process.
Ultimately, the business and the system architecture plans must support the strategic plan. If these plans do not complement one another, the ability of the organization to achieve its goals will be impaired.
- To review the organizational structure, including board and executive management committees, to determine the various levels of decision-making and reporting lines, risk assessment, and internal controls;
- To assess the adequacy of management reports generated by MIS for timeliness, relevance, and accuracy;
- To evaluate reports in terms of their ability to measure the company's progress in meeting its financial and business goals, including the capability to produce forecasts using various scenarios;
- To evaluate management procedures for reacting to elevated risk, internal control weaknesses, or deficiencies disclosed by the MIS, and the system's ability to adapt to change caused by internal or external conditions;
- To determine if the policies, practices, procedures, and internal controls regarding MIS and management reporting are adequate;
- To evaluate the internal controls in place over the integrity of the information within MIS, including data security, disaster recovery, and data program changes;
- To determine if the functions of automated systems, reconcilement procedures, and reporting processes are completely understood by staff, and that these functions are fully documented;
- To determine if an architecture plan exists that includes MIS and supports the business and strategic plans;
- To determine if a management process exists for MIS planning, including overall responsibility, development and implementation;
- To determine if a strategy exists for an effective consolidation of systems in the event of a merger or acquisition; and
- To recommend enhancements and/or corrective action when MIS-related policies, practices, procedures, or internal controls are deficient.
- Attachment 1:
- Management Information System's Architecture and Inspection Objective Overview diagram (41 KB PDF)
HOLDING COMPANY OFFICER QUESTIONNAIRE
Bank Holding Company: _______________________________
As of the Close of Business: _______________________________
Location: _______________________________ Examiner: _______________________________
To expedite the Management Information Systems (MIS) inspection of your holding company as of _______________________, please furnish responses to the following questions and provide an accompanying list of contact persons:
1. A copy of the corporation's strategic, financial, and business plans.
2. A copy of the MIS plan to support the organization's long- and short-term business strategies and goals.
3. A network schematic of the MIS processing system, including a list of all software and hardware including local area networks and personal computers.
4. A copy of the corporate organizational structure by entity and individual, including reporting lines and decision-making authorities.
5. A copy of all corporate risk management policies and policies regarding internal reporting to senior management, committees, and the board of directors.
6. A listing of all senior management and board committees, including membership, mission, and authority. Please have available for review copies of each committee's minutes for the past 12 months.
7. A copy of all internal and external audit reports relative to MIS and risk management, and the internal audit schedule for the past 24 months.
8. A listing (including frequency) of all internal reports submitted to corporate executive management, the board of directors, and related risk management committees. Please have available for review copies of each of the latest reports and a sample board package.
9. For each report identified in item number 8 above, provide a description of the flow of data through MIS to each data element on the reports. Please identify the computer platforms and application software utilized, and any interrelationships with other computer systems.
10. A copy of the corporation's data security policy, data security manual, disaster recovery plan, and system development life cycle methodology.
11. A copy of the procedures followed in developing internal management reports, including a description of the request, approval, and quality control processes.
12. A copy of any outside consultant's study in the MIS/risk assessment area.
All information submitted in response to the preceding questions will be treated as confidential by Federal Reserve Bank Examiners. An authorized officer of the corporation should execute a statement that the responses to the above questions are accurate and complete to the best of his/her knowledge.
TOPICS FOR FIRST DAY MEETINGS WITH MANAGEMENT
To facilitate this MIS inspection, we would appreciate meeting with key members of senior management to discuss the identification, control, and reporting of risks within the various operating areas of the company. Some samples of topics for discussion would include the following:
- Strategic Plan
  - Overall corporate direction
  - Risk/reward appetite
- Corporate Risk Profile
  - Organizational structure and reporting lines
  - Policies and procedures for managing risk
  - Structure for measuring and reporting risk
- Technology Strategy
  - Technology Personnel
    - Located within each business unit
    - Central coordination
    - Perform risk assessment
  - Ownership of Information
- Internal Audit
  - Audit Program for MIS
    - Within general audit or separate
    - Scope and detail
  - Significant Deficiencies relative to MIS
    - Corrective actions
- Internal Controls
  - Program development/corporate practices
  - Reconcilement process
- EDP Management
  - Technology Architecture Overview
    - Platforms, databases, telecommunications, use of microcomputers, security, disaster recovery
  - MIS Architecture
    - Platforms, applications, databases
  - EDP Policies and Procedures
- Business Areas
  - Senior managers for each business line should discuss risk identification, control, and reporting. (Possibilities: Commercial, retail, financial, operations, major nonbank activities, asset/liability management, capital markets, trust, etc.)
SAMPLE FORMAT OF RISK MANAGEMENT INFORMATION
The following sample format is provided with the first day request letter. Hopefully this will solicit information for use on an MIS inspection in a user-friendly form. This is for illustrative purposes only and is not intended to be forced on management of the institution being reviewed.
RISK MANAGEMENT OVERVIEW
The corporation has established several processes which enable management to measure, limit and monitor risk throughout the organization. The major risk categories defined by management include:
- Interest rate
These risks are managed by the following entities:
Board of Directors and Its Committees
- Audit Committee
- Executive Committee
Senior Management Committees
- Credit Review Committee
- Funds Management Committee
Risk Management and Control Units
- Internal Audit Division
- Legal Division
RISK MANAGEMENT STRUCTURE
The following represents:
- a description of the policies and procedures in effect throughout the organization to monitor risk;
- an overview of the board of directors and senior management committees responsible for risk management; and
- the key reports that are utilized to accomplish this task.
I. RISK MANAGEMENT POLICY AND PROCEDURES
| Risk | Nature of Risk | Corporate Policies/Procedures |
| --- | --- | --- |
| Market | Possible exposure from changes in the value of assets, liabilities, and off balance sheet positions | |
II. OVERALL RISK MANAGEMENT
Senior Management Committee
Interest Rate Risk
III. BOARD, COMMITTEES, and KEY REPORTS
BOARD OF DIRECTORS
Description to include:
- Mission
- Frequency of meetings
- Regularly scheduled presentations
- MIS reports:
  - Financial Review
  - Asset Quality Recap
AUDIT COMMITTEE
Description to include:
- Mission
- Frequency of meetings
- Regularly scheduled presentations
- MIS reports:
  - Cash Outage Report
  - Analysis of Insurance Coverage
SENIOR MANAGEMENT INFORMATION REPORTS
Market Risk
- Foreign Exchange - FX Position and Limit Report
- Derivative Products/Securities - Trading Limits

Application System Information Flow

| Exhibit | Name | Computer Platform/ | Description of Inputs | Backup Frequency/ |
| --- | --- | --- | --- | --- |
| A | Word Processing | LAN/Novell; Word Processor/ | Both: link to Lotus spreadsheet & data input by administrative assistant | Monthly/Department |
| A | Lotus Spreadsheet Linked to | LAN/Novell; Spreadsheet/Lotus | Manual: data input by financial analyst | None |
| B | Financial Accounting Forecasting | Mainframe/MVS; Database/DB2 | Automated: General Ledger | Daily/Tape Library & Offsite |
| B | General Ledger | Mainframe/MVS; Database/DB2 | Both: Integrated Accounting System & data input by accounting analysts | Daily/Tape Library & Offsite |
| B | Integrated Accounting System | Mainframe/MVS; Database/DB2 | Manual: data input by analysts in each | Daily/Tape Library & Offsite |
| C | Financial Analysis System | LAN/OS2; Database/ | Both: general ledger system; data input by administrative assistant; and Lotus | Weekly/Department |
| C | Lotus Spreadsheet for Financial | LAN/OS2; Spreadsheet/Lotus | Manual: financial analyst | Weekly/Department |
| C | General Ledger | Mainframe/MVS; Database/DB2 | Both: Integrated Accounting System & data input by accounting analysts | |
| C | Integrated Accounting System | Mainframe/MVS; Database/DB2 | Manual: data input by analysts in each | Daily/Tape Library & Offsite |
Senior Management and Board Reports

| Risk | Exhibit | Name | Purpose | Frequency | Area/Dept. | Application System | Distribution |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Asset Quality | A | Credit Review | Review of credit risk | Quarterly | Credit Admin. | Word Processing | Name of senior officer |
| Interest Rate | B | Simulation Model | Summarized results of interest rate simulations | | | Financial Accounting Forecasting | Name of senior officer |
| | C | Financial Review | Summarization of asset quality, profitability, and capital protection coupled with a funding review describing the financial markets and corporate | Quarterly | Mgt. Accounting & | Financial Analysis System | Board of Directors |
CONCEPTUAL OVERVIEW MODEL INSTRUCTIONS
The Conceptual Overview Model (model) is designed to provide a simplified overview of the flow of information, beginning with feeding systems and continuing through consolidating and reporting systems. Examiners should consider developing a model when a summarized version of the available system documentation would be beneficial. An example of the model is presented on the following page.
The model is used to help determine how many steps are involved in the reporting process so that control points and areas of risk can be identified. The reasonableness of information flows can be assessed, and inappropriate information mapping to a specific report can be identified (for example, all interest-sensitive products should be mapped to the asset-liability model).
Generally, a feeding system is a financial or transaction processing application that provides input to the MIS process (identified in column one of the sample model on the following page). The feeding systems generate reports and interface with the general ledger or other consolidating systems, with information downloaded into a central data repository. From this repository, the information is accessed by various reporting systems and additional reports are generated that support the board's and management's decisions. In order to preserve clarity in the attached example, specific reports from the various feeding systems have not been identified. However, when the model is prepared during an inspection, specific reports that flow to senior management and the board should be identified on the flowchart or cross-referenced to an attached listing of reports.
From information requested in the first day letter or from the current EDP Examination Report's confidential page B, create a list of application systems that support products and services of the corporation. The applications should be sorted into logical groups as shown in the sample on the following page. In addition, each application should be listed within the appropriate group or cross-referenced to a separate application listing.
Using the APPLICATION SYSTEM INFORMATION FLOW forms provided with the response to the first day letter and interviews with management, determine how the information flows from the feeding application systems through the consolidating systems and into the reporting systems. Once these relationships have been identified, document them in the model.
It is important to determine the platform on which each of the various systems is operating. This information will be used to identify control points and areas of risk. The platform should be identified within the symbol for each process group (see the Deposit Group in the attached example). To simplify the Model, the use of a key may be helpful.
The model is now complete and can be used as a summarization of the information flows through the organization.
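As an added worked example (not part of this report or its attachment), the procedure above expressed as a small lineage graph in Python: each system carries the platform and input mode taken from the sample Application System Information Flow forms (exhibits B and C), and the functions count the steps into a board report, flag manual intervention and platform boundaries as control points, and run the interest-sensitive-product mapping check. "Deposits", "Commercial Loans" and "Asset-Liability Model" are constructed placeholder systems, not taken from the page.

```python
"""Conceptual Overview Model as a data-lineage graph: added example, not part of SR 95-45.
Systems come from the sample flow forms on this page (exhibits B and C); "Deposits",
"Commercial Loans" and "Asset-Liability Model" are constructed placeholders."""
from dataclasses import dataclass, field

@dataclass
class System:
    name: str
    group: str        # feeding | consolidating | reporting (column one of the model)
    platform: str     # e.g. "Mainframe/MVS", "LAN/OS2" (shown in each group's symbol)
    inputs: str       # Manual | Automated | Both, as on the flow form
    feeds: list = field(default_factory=list)  # downstream system names

MODEL = {s.name: s for s in [
    System("Integrated Accounting System", "feeding", "Mainframe/MVS", "Manual",
           feeds=["General Ledger"]),
    System("Deposits", "feeding", "Mainframe/MVS", "Automated", feeds=["General Ledger"]),
    System("Commercial Loans", "feeding", "Mainframe/MVS", "Automated",
           feeds=["General Ledger", "Asset-Liability Model"]),
    System("Lotus Spreadsheet for Financial Analysis", "feeding", "LAN/OS2", "Manual",
           feeds=["Financial Analysis System"]),
    System("General Ledger", "consolidating", "Mainframe/MVS", "Both",
           feeds=["Financial Accounting Forecasting", "Financial Analysis System"]),
    System("Financial Accounting Forecasting", "reporting", "Mainframe/MVS", "Automated"),
    System("Financial Analysis System", "reporting", "LAN/OS2", "Both"),
    System("Asset-Liability Model", "reporting", "LAN/OS2", "Automated"),
]}

# Board/management report -> reporting system that produces it (exhibits B and C)
REPORTS = {
    "Simulation Model": "Financial Accounting Forecasting",
    "Financial Review": "Financial Analysis System",
}

def upstream(system):
    """Every system whose data reaches `system`, found by walking the feeds backwards."""
    seen = []
    def visit(target):
        for name, s in MODEL.items():
            if target in s.feeds and name not in seen:
                seen.append(name)
                visit(name)
    visit(system)
    return seen

def control_points(report):
    """Steps into a report plus the two risk points the instructions single out:
    systems with manual intervention and platform boundaries (downloads)."""
    sink = REPORTS[report]
    chain = [sink] + upstream(sink)
    hops = [(s, d) for s in chain for d in MODEL[s].feeds if d in chain]
    manual = sorted(n for n in chain if MODEL[n].inputs in ("Manual", "Both"))
    boundaries = sorted({(MODEL[s].platform, MODEL[d].platform) for s, d in hops
                         if MODEL[s].platform != MODEL[d].platform})
    return {"steps": len(hops), "manual_intervention": manual,
            "platform_boundaries": boundaries}

def unmapped(products, model_system):
    """Feeding systems that never reach `model_system`, e.g. an interest-sensitive
    product that is missing from the asset-liability model."""
    return [p for p in products if p not in upstream(model_system)]

if __name__ == "__main__":
    for report in REPORTS:
        print(report, control_points(report))
    print("not mapped to ALM:", unmapped(["Deposits", "Commercial Loans"], "Asset-Liability Model"))
```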
- Attachment 2:
- Conceptual MIS Overview diagram (192 KB PDF)
TARGET MIS INSPECTION PROCEDURES
SECTION 1 - RELEVANCE and UTILIZATION of MIS
The objective of this section is to evaluate the organization's risk structure and the effectiveness of its MIS reports.
Management Information Systems Reviewed: ________ ________ ________
1.1 Review the organizational structure and orientation
a. Centralized/decentralized management
  - Organization chart by companies and personnel
  - Legal entity or lines of business
b. Risk management policies
  - Authorized types of risk
  - Identification of risks
  - Risk limits and controls
c. Risk decision-making responsibilities
  - Committee structure and membership
  - Reporting lines
d. Risk limits and controls
  - Approval process
  - Review and reporting
1.2 Review the board and executive management committee structures
a. Board/Committee members
  - Length of time on board/committee
b. Committees
1.3 Read and analyze the board and executive management committee minutes
a. Information flows
b. Scope of information presented
c. Identification/understanding of risks
1.4 Review all reports presented to board/committees and analyze for:
a. Timeliness
  - last date for changes
  - when final due
b. Clarity
  - clear presentation
c. Completeness
  - enough data to make informed decisions
  - covers all areas of the company
d. Relevancy
  - extensive detail or big picture
  - significant area of risk
e. Measurability
  - accurate comparisons
  - fixed or moving target (budget)
1.5 Identify management's procedures for reacting to:
a. Elevated risks, deficiencies, or weaknesses disclosed by MIS
b. Regulatory and accounting changes
c. Market changes
1.6 Discuss perceptions of MIS reports with executive management as to their timeliness, clarity, completeness, relevancy, and measurability.
1.7 Review the results of your work. Summarize and document your conclusions. Discuss your findings/conclusions with management.
a. Identify significant control deficiencies as warranted
b. Obtain management's corrective commitments and time frames
1.8 Prepare comments for the report.
SECTION 2 - MIS INTEGRITY and INTERNAL CONTROLS
The objective of this section is to evaluate the integrity of the organization's MIS.
Management Information Systems Reviewed: ________ ________ ________
2.1 Review policies and procedures related to MIS to ensure that they include:
a. Systems development life cycle methodology
b. Data security
c. End user computing
d. Disaster Recovery and Business Continuation planning
2.2 Review the network schematic of the MIS processing system.
a. Determine whether there is a single MIS system or a number of related systems. Identify each system.
b. Ascertain whether management information is provided from mainframes, local area networks, stand-alone personal computers, or a combination of the above.
c. Identify the databases in use for management reporting, including those used by spreadsheets and other office product software.
d. Evaluate the flexibility of the MIS systems (e.g., the ability to perform stress tests).
2.3 Review the Application System Information Flow forms showing the MIS process for the reports requested in Section 1.
a. Determine the hardware and software components in the flow of information.
b. Identify any additional application systems that provide inputs to the application systems that produce the Board of Directors and Senior Management reports.
c. Identify the controls in place to ensure data integrity.
d. Identify the points where manual intervention occurs (i.e., data entry, data adjustments).
e. Verify the flow of information for each report identified.
f. Determine the type of logical access security used for each application and that data is restricted to authorized users.
2.4 Review the MIS reports provided to ascertain how the information is gathered, controlled, and presented.
a. Determine the source of the information.
b. Determine the timeliness of report distribution.
c. Determine the controls over the report distribution process.
d. Determine that preparation and reconciliation processes are sufficient to assure the accuracy of the information.
e. Determine the system's ability to produce ad hoc reports.
2.5 Request the following MIS-related reports, review them for deficiencies and/or recommendations, and follow up on corrective actions:
a. regulatory examination reports
b. internal and external audit reports
c. outside consultant reports
2.6 Review the internal audit schedule for the past 24 months.
a. Request copies of all audit reports that are relevant to the applications and computer platforms in the application system information flow.
b. Review each report for deficiencies and/or recommendations and follow up on corrective actions.
2.7 Discuss the quality of MIS with executive management and determine if any significant changes are planned.
2.8 Review the results of your work. Summarize and document your conclusions. Discuss your findings/conclusions with management.
a. Identify significant control deficiencies as warranted.
b. Obtain management's corrective commitments and time frames.
2.9 Prepare comments for the report.
SECTION 3 - MIS ARCHITECTURE AND PLANNING
The objective of this section is to reconcile the business and system architecture plans to the strategic plan and determine if they fit the overall strategic direction of the organization.
Management Information Systems Reviewed: ________ ________ ________
3.1 Strategic, Business, and System Architecture review
a. Obtain copies of plans if they exist
b. Review, outline, and compare the plans
c. Analyze specifics contained in both plans:
  - Internal risk ratings
  - Central liability by customer (group number)
  - Download a customer and compare to CIF
  - Off balance sheet
  - Country risk
  - Interest rate risk (overseas)
d. Does the architecture support the strategic and business plans?
3.2 Request/create a model identifying the flow of data throughout the organization.
3.3 Conversion systems methodology
a. Choose an MIS application or system
b. Review conversion plan
c. Review status of conversion
d. Review impact on telecommunications due to conversion
e. Determine if a post-implementation review was conducted
3.4 Merger conversion
a. Which institution's applications have been chosen and how has this been determined?
b. Review conversion plan
c. Is the converted system in agreement with the consolidated strategic and business plans?
3.5 Request a copy of the development plan for significant MIS-related projects.
a. Review project objectives and determine if they meet cited MIS weaknesses.
b. Review project timeliness and determine status of approved projects.
c. Determine whether projects follow an established and adequate development methodology.
3.6 Discuss any inconsistencies among the business, systems architecture, and strategic plans with executive management.
3.7 Review the results of your work. Summarize and document your conclusions. Discuss your findings/conclusions with management.
a. Identify significant control deficiencies as warranted.
b. Obtain management's corrective commitments and time frames.
3.8 Prepare comments for the report.
Summary of Significant Inspection Findings
The significant findings of the three target MIS inspections are presented below. In addition to these findings, numerous recommendations for additional improvements were made in each inspection report.
Relevance & Utilization of MIS
- Management Reports - In all three institutions, management reports were found to communicate effectively the condition and risks of the organization in a timely manner.
- Board Reports - In one institution, the board was given only verbal reports by senior management which were supplemented by slides. In addition, board information packets were not provided to the directors prior to the meeting. The board was requested to address these deficiencies by changing board reporting procedures. In the other two institutions, reports submitted to the board were generally effective in communicating the condition and risks of the organization. However, for one institution, enhancements of trading, derivative, and off-balance sheet exposures were recommended.
- End-User Computing Policy and Procedures - For one institution, it was recommended that spreadsheets utilized in decision making processes be defined as business systems and that end-user computing policy and procedures be distributed institution-wide.
- Disaster Recovery Plans - Sufficient disaster recovery plans were in place for the major computer system at each institution. However, recovery plans for local area networks were in need of improvement. In addition, one institution had never successfully completed disaster recovery testing of the general ledger system. It was recommended that disaster recovery plans and testing for the general ledger system be improved.
MIS Architecture and Planning
- Technological architecture and infrastructure - In one institution, the architecture and infrastructure plans were sufficient for current needs; however, future business plans required significant revisions. In addition, a technology plan had been developed but had not been approved and implemented.