Seal of the Board of Governors of the Federal Reserve System
BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C.  20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
SR 05-22
November 22, 2005

TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT:  Revised Training Program for Information Technology Examiners

This letter modifies the training program for information technology (IT) examiners as approved by the Staff Development Subcommittee (SDS) of the Strategic Plan Steering Committee (SPSC). Effective with the publication of this SR letter, the revised training program applies to all assistant IT examiners currently employed by the Federal Reserve Banks, as well as to those hired in the future. Completion of this program is a requirement for IT specialists to obtain commissioned examiner status at the Federal Reserve Banks.

This letter replaces SR letter 98-36, dated December 17, 1998, which described the training program leading to commissioned examiner status for the IT examination specialty. Under SR letter 98-36, IT examiners had been required to complete all training classes and three examinations: the First and Second Proficiency Examinations and the Certified Information Systems Auditor (CISA) examination, which is sponsored by the Information Systems Audit and Control Association (ISACA). After analysis of the knowledge and skills tested in the First and Second Proficiency Examinations and the CISA examination, the SDS determined that the level of examination knowledge required for IT examiners is adequately tested under the First Proficiency Examination and the CISA examination. Consequently, the SDS has approved the elimination of the Second Proficiency Examination for examiners specializing in IT. All other aspects of the training program for IT examiners will remain in place. The remainder of this letter sets forth the training program leading to commissioned examiner status for the IT examination specialty.

Objectives of Information Technology Training

Based on an assessment of the knowledge and skills required of an IT examiner, the following objectives were identified for the System’s IT Examiner training program.


Structure

The training program for an assistant IT examiner involves a three-level approach that starts when an assistant examiner is hired and continues until he or she is commissioned.1 Level One generally stresses the core knowledge needed by every examiner regardless of the area of specialization. Level Two emphasizes an assistant examinerís specialty area. Level Three focuses on understanding the bankerís perspective in managing a financial institution, including risk management, in contrast to the supervisorís perspective in examining and regulating the institution. In addition, training at this level promotes the skills needed to evaluate risk management examination processes and analyze issues that are prevalent in all areas under an integrated supervisory approach. The Second Proficiency Examination, which will now be eliminated, had been part of the Level Two program.

The IT training program also includes a framework for post-commissioning classes and other ongoing educational opportunities:  Levels Four-A and Four-B. This framework is similar to the Systemís current approach for specialized capital markets training. While the first three levels of the training program promote the knowledge and skills needed by assistant IT examiners to achieve the base level of specialty expertise required to examine noncomplex financial organizations, Levels Four-A and Four-B provide the competencies required by the advanced specialist. Level Four-A develops IT expertise that enables the examiner to evaluate larger, more complex financial organizations. Level Four-B develops the skills needed to analyze the most complex IT risks, platforms, products, emerging technologies, and processes.

Information Technology:  Level One

Training Requirements.  Assistant IT examiners will complete the following training requirements as part of Level One:

Level One generally provides a foundation of core knowledge that is essential for all examiners, regardless of specialty. Included with Level One is a two-week Orientation Program, the second week of which provides specialty-specific training that prepares the assistant IT examiner for initial on-the-job responsibilities. This second week acquaints the assistant IT examiner with the basic examination procedures and methods, risk framework, preparation of examination work papers, examination program, and rating system.

First Proficiency Examination.  After successfully completing the Level One training requirements, an assistant IT examiner is eligible to take the System’s First Proficiency Examination, which tests the examiner’s knowledge of the basic core curriculum. The 80-question, multiple-choice examination includes all of the Level One training requirements, except IT Concepts.

Information Technology:  Level Two

The System will continue to use the CISA program for the assistant IT examinerís Level Two training requirements.2 The CISA program provides and measures the achievement of fundamental audit, security, and control skills. This industry program is a globally accepted standard of achievement among information system professionals. Also, this designation demonstrates the Systemís commitment to a high level of expertise for its IT examiners.

CISA Program.  The CISA designation is required before an assistant IT examiner can be eligible for commissioning. To achieve the CISA designation, a candidate must successfully complete a multiple-choice CISA examination, adhere to ISACAís Code of Professional Ethics, and submit evidence that the minimum experience level in professional information systems audit, control, or security has been achieved.3 Complete requirements for achieving the CISA designation are detailed in Attachment I.

CISA-Related Training Requirements.  ISACA does not mandate that specific training requirements be met before taking the CISA examination and obtaining a CISA designation. In order to be prepared for the examination, at a minimum, the typical assistant IT examiner should have successfully reviewed and completed the following training activities before taking the CISA examination. It would also be acceptable for equivalent experience to be substituted; however, until further experience is gained, the rigor of the examination, which is given twice per year (in June and December), should not be underestimated.

CISA Examination.  The CISA examination is offered each year in June and December and consists of 200 multiple-choice questions, administered during a four-hour session. A score of 75 percent is required to pass the examination. Test locations are throughout the United States, including all Reserve Bank cities except Kansas City, Missouri. The CISA test location for that district is in Kansas City, Kansas.

In preparation for the CISA examination, the assistant IT examiner will need an organized study plan. The assistant examiner must review the study aids and attend the courses that were previously outlined.

Other Level Two Training Requirements.  In addition to the courses recommended for the CISA examination, assistant IT examiners must also complete the System’s other Level Two training requirements.  These requirements include:


Information Technology:  Level Three

Training Requirements.  The assistant IT examiner is required to complete the System’s following Level Three training requirements, which are also required for assistant safety and soundness examiners and assistant trust examiners:


On-The-Job Experience

Reserve Bank management should ensure that the assistant IT examiner is provided the opportunity to complete assignments that reinforce the knowledge and skills obtained from the System’s training requirements. Particular emphasis should be given to reinforcing the IT examination concepts. Reserve Bank management may choose to have assistant examiners occasionally complete examination procedures in other areas to enhance their understanding of core examination skills and integration concepts. It is also highly desirable for Reserve Bank management and training staff, whenever possible, to coordinate on-the-job assignments to reinforce the knowledge and skills presented in the CISA programs. This post-course intervention is critical to ensuring that the learning objectives for each training program are mastered.

Sequence for Completing Levels One, Two, and Three

The order in which the training requirements are completed is somewhat flexible. Thus, at times, an assistant IT examiner may be completing aspects of Levels One and Two simultaneously. The assistant examiner may also complete aspects of Levels Two and Three simultaneously. The responsibility is placed on Reserve Bank management and training staff to ensure that courses are taken at a relevant time in an assistant IT examiner’s career. Based upon an individual examiner’s skill advancement and the timing of the CISA examination, it may be appropriate for the assistant IT examiner to complete Level Three training courses prior to completing the CISA examination. For example, the assistant IT examiner may complete all or some of the Level Three training requirements before completing the CISA review course and CISA examination. This flexibility is in recognition that the CISA examination is offered twice per year.

Projected Time to Obtain Commission

The time frame for entry-level IT examiners to obtain the CISA designation approximates the time required for all entry-level examiners to achieve an examiner commission. Under normal circumstances, it should take an assistant IT examiner three to five years to complete the training requirements, the First Proficiency Examination, and the CISA examination.

Continuing Education6

After commissioning and based on Reserve Bank needs, IT examiners may obtain additional expertise in Levels Four-A and/or Four-B. IT examiners achieving Level Four-A expertise would be responsible for evaluating larger, more complex organizations. Level Four-B provides knowledge and skills needed in evaluating specific IT risks, platforms, products, emerging technologies, and processes.

Levels Four-A and Four-B training will primarily be achieved through outside programs. The System Staff Development Sectionís training center at the Board will act as a clearinghouse of information on these vendor programs that could be accessed by the Reserve Banks. The SDS, based on its own research and recommendations from Reserve Banks, is primarily responsible for providing this information to the training center. The Staff Development training center will also facilitate coordination of course delivery if sufficient System interest in a certain topic is evident. In addition, the System may host Senior Forum seminars focusing on IT issues and technologies as Level Four-A or Four-B training opportunities.

Overview of IT Training Program

The following table presents an overview of the IT training program requirements during Levels One through Four.

IT Training Program

Level Training Requirement
Level One
Core Examination Skills
  • Orientation Program
  • BASE
  • Federal Reserve Act BEST/STaRT Module
  • IT Concepts BEST/STaRT Module
  • Internal/External Audit BEST/STaRT Module
  • Investment Portfolio Management BEST/STaRT Module
  • Loan Policy and Administration BEST/STaRT Module


First Proficiency Examination7
Level Training Requirement
Level Two
Specialty Fundamentals
  • Educational videotape, textbook, or manual8
  • CACS Conference’s Core Competencies Track
  • CISA Review Course
    • Candidate’s Guide to the CISA Examination
    • CISA Review Technical Information Manual
    • CISA Review Questions, Answers & Explanations Manual
  • Report Writing
  • Conducting Meetings with Management
  • Applications BEST Module
  • Bank Secrecy Act CBT
  • Community Reinvestment Act CBT
  • Regulation O CBT
  • Residential Mortgage Regulations CBT


CISA Examination9
Level Training Requirement
Level Three
Integration
  • Bank Management
  • Management Skills
  • Examination Management
  • Regulation B CBT
  • Trust Issues BEST/STaRT Module


Level Training Requirement
Level Four-A
Specialty Skills for Larger, More Complex Organizations
  • Information Systems Continuing Education
  • FFIEC IT Conference
Level Four-B
Expertise in IT Risks, Platforms, Products, Emerging Technologies, and Processes
  • Information Systems Continuing Education
  • Federal Reserve IT Supervision Conference


Implementation

All assistant IT examiners are subject to the training requirements (Levels One, Two, and Three) set forth in this letter. All training requirements leading to the CISA designation and enrollment for the CISA examination should be coordinated through the training staff at the assistant examiner’s Reserve Bank. The SDS and the Reserve Banks will work jointly with the Staff Development training center at the Board to identify and provide Levels Four-A and Four-B training opportunities to System IT staff. Enrollment in these courses will also be facilitated through the Reserve Banks’ training staffs.

Officers in Charge of Supervision are asked to ensure that supervisory personnel and examiners are fully informed of the new training program for their IT examination staffs. Copies of the proposal prepared by the SDS are available from your Reserve Bank’s training staff. If you have questions regarding this letter, please contact William Spaniel, Deputy Associate Director, at (202) 452-3469 or Robert Leibowitz, Manager, System Staff Development, at (202) 973-5078.

Richard Spillenkothen
Director


Attachments:
  1. CISA Program Requirements
  2. CACS Conference
  3. CISA Examination Content Area
Supersedes:
SR letter 98-36
Cross Reference:
SR letters 91-1, 95-51, 98-2, 98-9, and 98-26






Attachment I


CISA Program Requirements

To earn a CISA designation, candidates are required to:

Experience must have been gained within the 10-year period preceding the application for certification or within five years from the date of initially passing the examination. All experience will be verified independently with employers. The assistant IT examiner may choose to take the CISA examination prior to meeting the experience requirements. This practice is acceptable, although the CISA designation will not be awarded until all requirements are met.

To receive a comprehensive information package including a current membership application, the assistant IT examiner should contact:

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008-3105
Phone: (847) 253-1545
Fax: (847) 253-1443
E-mail: membership@isaca.org
Web:  http://www.isaca.org

The application for certification must be submitted within five years from the passing date of the CISA examination.







Attachment II


CACS Conference

The CACS Conference is offered annually, typically in the spring. The conference format generally consists of more than 70 sessions divided into seven specific educational tracks. One track concentrates on core competencies, with other tracks providing advanced technical knowledge for the senior professional.

A recent core competencies track included the following 11 sessions:

Other tracks have provided training in:

Each of these tracks offers eight to twelve sessions. Participants typically attend all sessions within a track; however, the conference permits the flexibility to attend sessions in other tracks if desired. Contact ISACA for complete information on the next scheduled CACS Conference.







Attachment III


CISA Examination Content Areas

The content areas are defined through a practice analysis that is conducted by an examinationís oversight committee at regular intervals and consists of both process and content components in a CISAís job function. Accordingly, examinations consist of tasks that are routinely performed by a CISA and the required knowledge to perform these tasks. The following is a brief description of these areas, their definitions, and approximate percentage of test questions allocated to each area.

Management, Planning, and Organization of Information Sytems (11%)

Evaluate the strategy, policies, standards, procedures and related practices for the management, planning, and organization of IS

Technical Infrastructure and Operational Practices (13%)

Evaluate the effectiveness and efficiency of the organizationís implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organizationís business objectives.

Protection of Information Assets (25%)

Evaluate the logical, environmental, and IT infrastructure security to ensure that it satisfies the organizationís business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage, or loss.

Disaster Recovery and Business Continuity (10%)

Evaluate the process for developing and maintaining documented, communicated, and tested plans for continuity of business operations and IS processing in the event of a disruption.

Business Application System Development, Acquisition, Implementation, and Maintenance (16%)

Evaluate the methodology and processes by which the business application system development, acquisition, implementation, and maintenance are undertaken to ensure that they meet the organizationís business objectives.

Business Process Evaluation and Risk Management (15%)

Evaluate business systems and processes to ensure that risks are managed in accordance with the organizationís business objectives.

The IS Audit Process (10%)

Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organizationís information technology and business systems are adequately controlled, monitored, and assessed.

 


Notes:
  1. At the discretion of the Reserve Bank, an assistant examiner may receive other training in addition to that required for commissioning.  Return to text
  2. Information regarding the CISA program and designation is reprinted with permission from ISACA, Rolling Meadows, Illinois. Copyright 1998.  Return to text
  3. Conducting IT examinations of financial institutions is accepted by ISACA as information systems audit, control, or security experience.  Return to text
  4. The SDS will evaluate various products to determine which videotape, textbook, or manual will be required.  Return to text
  5. The content areas of the CISA examination are described in Attachment III.  Return to text
  6. Continuing education for IT examiners will ultimately become part of any continuing professional development structure that is adopted for the System’s supervision staff.  Return to text
  7. Concepts from the second week of the Orientation Program and the IT Concepts BEST/STaRT Module are not included in the First Proficiency Examination; however, the general comments are tested on the CISA examination.  Return to text
  8. The IT Course Committee of SDS will determine which of these materials will be required and incorporated into the second week of the Orientation Program.  Return to text
  9. The CISA examination does not include concepts from Report Writing, Conducting Meetings with Management, or the listed BEST Modules and CBTs.  Return to text
  10. Conducting IT examinations of financial institutions is accepted by ISACA as information systems audit, control, or security experience.  Return to text
SR letters | 2005
Home | Banking information and regulation
Accessibility | Contact Us
Last update: November 28, 2005