BOARD OF GOVERNORS
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
SR 95-49 (SUP)
October 17, 1995
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Addition to the "Report on the Target Inspections of Management Information Systems"
On September 11, 1995, Board staff issued SR letter 95-45 which included as an attachment the Federal Reserve System's "Report on the Target Inspections of Management Information Systems." The attached chart was inadvertently left out of this report and should be inserted as page 12 of Exhibit A, the last page of the Bank Holding Company Inspection Guidelines.
If you have any questions regarding the attachment or the report, please contact Stephen C. Mackey, Supervisory Financial Analyst, Multinational Supervision Section (mail stop 179) who can be reached at 202-452-5264.
Howard A. Amer
Cross Reference: SR 95-45
ATTACHMENTS TRANSMITTED ELECTRONICALLY BELOW
This includes Exhibit A with page 12 and Exhibits C and G which were not transmitted with SR 95-45.
Bank Holding Company Inspection Guidelines
The objective of a target MIS inspection is to evaluate the effectiveness of the corporation's management information system in providing the board of directors and senior management committees with timely, relevant, and accurate information that is necessary to monitor and manage risks and make informed decisions. As a result, the target MIS inspection utilizes a "top-down" approach, which focuses on the information used by the board and senior management committees and the overall MIS architecture. MIS that supports levels of management below those addressed in the inspection should continue to be reviewed during the appropriate examination.
In addition to the system task-force's recommendation for performing an initial target MIS inspection, an MIS inspection should also be considered for any company that has a notable alteration in its risk profile, such as aggressive expansion, a significant change in business mix, or significant changes in information systems. An MIS target inspection would assess whether executive management and the board have taken into consideration MIS and its ability to adapt to significant changes within the organization. It should be noted that MIS is unique to each institution and will be influenced by the structure of the organization, the activities it engages in, the resultant risk profile, and the technological environment in which it operates.
Effective MIS is critical to an organization because it is the primary tool used by executive management and the board to monitor risk and measure performance. Three key elements of an effective MIS are:
Creation of adequate technological support systems,
Effective internal controls over data integrity, and
Design of MIS reports that balance comprehensiveness and materiality in a manner that facilitates informed decision-making.
To address these three key elements, the analysis of MIS is divided into three distinct areas which are discussed more fully in the following sections:
Relevance and Utilization of MIS
Internal Controls Over MIS Integrity
MIS Architecture and Planning
RELEVANCE AND UTILIZATION OF MIS
Information requirements of management and the board should be consistent with the size and complexity of an organization's operations. As an organization grows in size and its operations become more complex, management must recognize that information needs will change, as will the organization's ability to collect and report information. Moreover, strategic goals may dictate a change in the focus of the organization, requiring revisions in data collection and presentation. Reporting policies and procedures should be established that recognize the differing information needs between executive management and the board, and the other levels of the organization.
The effectiveness of MIS has to be analyzed in terms of its ability to assist executive management and the board in identifying, monitoring, and controlling the significant risks throughout the organization. Reports should be analyzed for timeliness, relevance, and accuracy. They should provide coverage of the major areas in the institution and communicate information in a clear and concise manner. An organization might have a comprehensive MIS, but if pertinent information is not flowing to executive management and the board of directors, the system is not effective. Conversely, if management and the board are being overwhelmed with trivial data, its usefulness can be diminished.
Information should generally be presented in a summarized form, which is both easy to read and understand yet comprehensive enough to facilitate informed decision-making. Procedures must be in place to allow for rapid collection and assimilation of data to provide for timely presentation to executive management and the board. Presentation from one period to another should generally be consistent, to avoid any undue confusion. Procedures should be established that require changes in report format and content to be approved by the appropriate users of the report prior to implementation. Reported information should cover all significant risk areas within the organization and, where appropriate, provide comparisons that enable executive management and the board to measure performance.
INTERNAL CONTROLS OVER MIS INTEGRITY
The review of internal controls over data integrity within board of directors and executive management committee reports is essential to ensure that information flows are accurate and consistently prepared. To a significant extent, the internal controls over MIS will be a part of the system of internal controls over financial reporting. Section 112 of FDICIA requires these controls to be evaluated by both management and the organization's independent public accountant. Therefore, reports and workpapers documenting management's evaluation of internal controls may provide valuable information on the effectiveness of internal controls over MIS integrity.
For each report reviewed, the flow of information through MIS must be identified, including computer platforms, applications software, and interrelationships with other computer systems. Data controls, such as data entry and modification, data security, disaster recovery, back-up, and controls over program changes should be assessed, as well as the controls that provide for reliable financial reporting. Points where manual intervention occurs should be identified, and information on the flexibility of the system should be obtained.
The procedures used to evaluate the internal controls that provide integrity over the data in a report will vary depending on the nature of the computer platform, application software, and the amount of manual intervention required to produce the report. However, in all cases the assessment of MIS data integrity controls should begin with a review of the results of prior examinations and internal/external audit reports. Uncorrected deficiencies that were previously identified can reduce the effectiveness of internal controls over MIS integrity.
Reports produced directly by a mainframe application system should have controls provided within the mainframe environment and by the major application system to govern report production. These controls are reviewed during the EDP examination as well as during periodic EDP internal audits. The findings of these examination and audit reports should be used to supplement inspection procedures. The current status of deficiencies noted in these reports should be ascertained through discussions with internal audit and management.
Reports may also be produced by personal computers using spreadsheet and other office product software in a distributed processing environment. Reviews of distributed processing systems require interviews with the person(s) responsible for preparation of the reports in order to identify and evaluate internal controls. In this situation in particular, instances of manual intervention must be identified and evaluated. In addition, the most recent EDP examination report should be reviewed for any deficiencies noted in the organization's overall microcomputer policies and procedures. A review of internal audit reports for the business area and discussions with audit personnel will reveal whether internal controls over PC/spreadsheet applications have been evaluated recently.
MIS ARCHITECTURE AND PLANNING
The organization's computer system architecture plan should be designed to complement its business plan and each must support the strategic plan. The business plan identifies the goals, target markets, and areas of risk of the organization. The architecture plan describes the corporate technological plans for implementing the systems that will achieve the strategic and business goals, and should include the needs of MIS.
The Interagency Policy Statement on Information Systems Planning (SP-7) states that information is a valuable corporate asset. In a competitive banking environment, the ability to effectively manage this asset is crucial to an organization's ability to remain competitive, introduce new products and services, and achieve desired goals. Therefore, the system architecture plan must be developed in conjunction with the business plan. The system architecture plan must ensure mainframe processing and MIS are appropriately integrated and in place for the institution to achieve its strategic goals.
The dynamic and competitive banking and technology environments make effective planning critical. Coordination of the business and system architecture plans is necessary to determine the effectiveness of the institution's planning process and compliance with SP-7. The proliferation of mergers and acquisitions in the banking industry makes this process more important and more complex. To effectively manage divergent technologies inherited through mergers and acquisitions, it is important for management to have a clear understanding of the organization's strategic goals and the technology necessary to achieve them. Institutions in this situation must decide which of the acquired systems will survive and establish an effective process to convert or merge systems. Documentation should support management's decision, including any formal conversion plans. Telecommunications, compatibility of systems, data integrity, capacity, contingency planning, and data security are especially critical in this situation and should be evaluated in the planning and conversion process.
Ultimately, the business and the system architecture plans must support the strategic plan. If these plans do not complement one another, the ability of the organization to achieve its goals will be impaired.
To review the organizational structure, including board and executive management committees, to determine the various levels of decision-making and reporting lines, risk assessment, and internal controls;
To assess the adequacy of management reports generated by MIS for timeliness, relevance, and accuracy;
To evaluate reports in terms of their ability to measure the company's progress in meeting its financial and business goals, including the capability to produce forecasts using various scenarios;
To evaluate management procedures for reacting to elevated risk, internal control weaknesses, or deficiencies disclosed by the MIS, and the system's ability to adapt to change caused by internal or external conditions;
To determine if the policies, practices, procedures, and internal controls regarding MIS and management reporting are adequate;
To evaluate the internal controls in place over the integrity of the information within MIS, including data security, disaster recovery, and data program changes;
To determine if the functions of automated systems, reconcilement procedures, and reporting processes are completely understood by staff, and that these functions are fully documented;
To determine if an architecture plan exists that includes MIS and supports the business and strategic plans;
To determine if a management process exists for MIS planning, including overall responsibility, development and implementation;
To determine if a strategy exists for an effective consolidation of systems in the event of a merger or acquisition; and
To recommend enhancements and/or corrective action when MIS-related policies, practices, procedures, or internal controls are deficient.
MANAGEMENT INFORMATION SYSTEMS
- Management Information System's Architecture and Inspection Objective Overview diagram (41 KB PDF)
SAMPLE FORMAT OF RISK MANAGEMENT INFORMATION
The following sample format is provided with the first day request letter. Hopefully this will solicit information for use on an MIS inspection in a user-friendly form. This is for illustrative purposes only and is not intended to be forced on management of the institution being reviewed.
RISK MANAGEMENT OVERVIEW
The corporation has established several processes which enable management to measure, limit, and monitor risk throughout the organization. The major risk categories defined by management include:
- Credit
- Interest rate
- Market
- Liquidity
These risks are managed by the following entities:
Board of Directors and
- Audit Committee
- Executive Committee
Senior Management Committees
- Credit Review Committee
- Funds Management Committee
Risk Management and
- Internal Audit Division
- Legal Division
RISK MANAGEMENT STRUCTURE
The following represents:
a description of the policies and procedures in effect throughout the organization to monitor risk;
an overview of the board of directors and senior management committees responsible for risk management; and
the key reports that are utilized to accomplish this task.
I. RISK MANAGEMENT POLICY AND PROCEDURES
Risk      Nature of Risk                                  Corporate Policies/Procedures
Market    Possible exposure from changes in the value
          of assets, liabilities, and off-balance-sheet
          positions
II. OVERALL RISK MANAGEMENT
Senior Management Committee
Interest Rate Risk
III. BOARD, COMMITTEES, and KEY REPORTS
BOARD OF DIRECTORS Description to include: Mission
Frequency of meetings
Regularly scheduled presentations
MIS reports: Financial Review
Asset Quality Recap
AUDIT COMMITTEE Description to include: Mission
Frequency of meetings
Regularly scheduled presentations
MIS Reports: Cash Outage Report
Analysis of Insurance Coverage
SENIOR MANAGEMENT INFORMATION REPORTS
Market Risk
- Foreign Exchange - FX Position and Limit Report
- Derivative Products/Securities - Trading Limits
Summary of Significant Inspection Findings
The significant findings of the three target MIS inspections are presented below. In addition to these findings, numerous recommendations for additional improvements were made in each inspection report.
Relevance & Utilization of MIS
- Management Reports - In all three institutions, management reports were found to communicate effectively the condition and risks of the organization in a timely manner.
- Board Reports - In one institution, the board was given only verbal reports by senior management which were supplemented by slides. In addition, board information packets were not provided to the directors prior to the meeting. The board was requested to address these deficiencies by changing board reporting procedures. In the other two institutions, reports submitted to the board were generally effective in communicating the condition and risks of the organization. However, for one institution, enhancements of trading, derivative, and off-balance sheet exposures were recommended.
- End-User Computing Policy and Procedures - For one institution, it was recommended that spreadsheets utilized in decision making processes be defined as business systems and that end-user computing policy and procedures be distributed institution-wide.
- Disaster Recovery Plans - Sufficient disaster recovery plans were in place for the major computer system at each institution. However, recovery plans for local area networks were in need of improvement. In addition, one institution had never successfully completed disaster recovery testing of the general ledger system. It was recommended that disaster recovery plans and testing for the general ledger system be improved.
MIS Architecture and Planning
- Technological architecture and infrastructure - In one institution, the architecture and infrastructure plans were sufficient for current needs; however, future business plans required significant revisions. In addition, a technology plan had been developed but had not been approved and implemented.