Frequently Asked Questions

Get quick answers to common questions about our services, methodologies, and industry best practices. If you can't find the answer you're looking for, don't hesitate to reach out to our team of experts.

How can financial institutions avoid regulatory criticism relating to their AML Monitoring systems?

Transaction monitoring systems are sometimes inadequately calibrated, resulting in too many false positives. This may impair the detection of potentially suspicious activity. Also, if a system is generating too few alerts, unusual activity may be undetected. A regularly scheduled review by an independent party and thorough analysis of filters and settings can ensure the transaction monitoring system is effective and performing as designed.

Compliance
What are change management best practices in a cloud environment?

Change management in cloud environments presents challenges beyond those of on-premises technology environments, because the underlying cloud platform changes outside the organization's control. Organizations need a solid understanding of which aspects of the cloud environment are in use, and a current inventory should be maintained. Notifications and alerts about changes from the cloud provider should be monitored and assessed to determine whether the changes will impact the organization's services. When impactful changes are identified, technical staff should communicate them to end users and provide training as needed. Traditional change management procedures should also be followed, such as documenting user access changes, obtaining authorization before adding new services, routinely reviewing services, and removing inactive assets.

Cybersecurity
What services does NETBankAudit offer?

NETBankAudit specializes in cybersecurity and regulatory compliance. We offer audits, testing, and consulting services. We perform over 250 IT/Operations and Regulatory Compliance Audits per year. We perform over 700 external and internal network vulnerability assessments with penetration testing per year. Our consulting primarily consists of risk assessment facilitation, model validations, program development, and Project Management/SDLC oversight.

About NETBankAudit
How long has NETBankAudit been in business?

NETBankAudit was formed in 2000 by a team of IT bank executives and regulatory specialists. Convinced that advancements in information technology would significantly affect the future of banking, particularly in the movement of money and data through electronic channels, the team resolved to help bankers adjust to this changing environment. Since then, we have expanded to service over 800 institutions across 38 states.

About NETBankAudit
Can NETBankAudit provide remote audit and consulting services?

Yes, NETBankAudit has been a virtual company since inception. We provided our first fully remote IT General Controls Audit in 2017 and validated our processes through the COVID Pandemic. Our remote audits are approved by all regulatory authorities.

About NETBankAudit
What is Value-Add Management Consulting?

NETBankAudit provides a value-add approach to our audit process to serve as a true audit partner. Every auditor on our team has senior/executive level banking, operational, and/or regulatory experience in addition to certified auditing expertise. This provides our auditors with an informed perspective to prioritize recommendations to increase effectiveness, efficiency, and compliance.

About NETBankAudit
What size organizations does NETBankAudit work with?

NETBankAudit works with organizations ranging from $5 million to $30 billion in assets. We also work with small businesses.

About NETBankAudit
What distinguishes NETBankAudit from other firms?

NETBankAudit is not like our competitors. Accounting and consulting firms generally lack the practical, real-world technical and regulatory experience needed to provide this specific expertise. NETBankAudit is designed to audit your compliance functions, evaluate effectiveness and efficiency, and provide detailed value-add recommendations to determine and ensure compliance. All engineers and auditors are senior-level, full-time employees with applicable certifications and extensive industry experience. We do not sub-contract.

About NETBankAudit
What is the most common HMDA mistake?

Providing application income instead of relied-on income on the LAR. Ideally, the incomes should reconcile; however, it's important to report the relied-on income on the LAR. The relied-on income is the income used to calculate the debt-to-income ratio. It is important to verify income thoroughly, round properly, and not discount government assistance.

Compliance
Where should our Loan Compliance Program's focus be?

Focus on reimbursements. Typically, construction loans and ARMs are more likely to have reimbursements than conventional fixed lending. Also, ensure that loan officers can't override controls on the HUD by inserting fees erroneously. Today's automation has gotten very good with APR calculations. Nonetheless, it is still important to have a solid understanding of finance charge definitions, as well as APR calculation methods and tolerances.

Compliance
What is the difference between Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?

An RTO is the time within which a business process or system must be recovered to avoid unacceptable outcomes from a disruption. For example, if a process must be performed at least every 72 hours to avoid regulatory violations and customer impact, an RTO of 72 hours would be appropriate. An RPO is the point in time to which a business process or system is restored after a disruption; data created after that point is lost. For example, restoring a server to the previous night's backup would be an RPO of 24 hours, as any actions taken on the server after the backup was made will be lost.

Cybersecurity
How should I protect our organization from Ransomware?

It is important to have a layered approach to protect your organization from ransomware attacks. As most ransomware starts as a social engineering attack, security awareness training and testing are key controls. Patch management and vulnerability management are also essential to minimize vulnerabilities on end-user devices. Multi-factor authentication (MFA) and/or token-based authentication should be implemented on all externally facing logins. As ransomware also targets backup systems, it is essential that backups are both performed and tested on a regular basis. Air-gapped or offline backups are also important to ensure the organization is able to recover from a ransomware attack.

Cybersecurity
What is the most common Regulation B enforcement action violation?

Incorrect reason provided on the Adverse Action Notice. This is often caused by the loan officer being too helpful. Keep it simple. The reason for denial should be credit history or debt-to-income ratio 99% of the time. Only provide the #1 reason. Don't state inadequate collateral on an unsecured loan. Don't state employment history or length of residence when you have numerous approvals with the same statistics.

Compliance
Should my audit be risk based? Is it required?

Yes. The IT Audit Risk Assessment is a critical document. The risk assessment must address both the likelihood and impact of threats and risks associated with operational malfunctions and/or security incidents. The risk assessment should cover all IT-related systems and processes and their respective vulnerabilities and controls. A formal scoring system should be established. Scores should be clear, meaningful, and include inherent and residual risks. While overlap with other IT-related risk assessments will occur, the purpose of the IT Audit Risk Assessment is to determine the allocation of audit resources (i.e. hours). Thus, a one-for-one alignment with other risk assessments (e.g., high-risk systems with low-risk errors/issues) may not occur.

Cybersecurity
What happens if I select a cheaper alternative?

You get what you pay for. The costs of audits are essentially the same, regardless of firm. The only way to reduce costs is to employ inferior resources and/or reduce allocated hours. FFIEC guidance comprehensively depicts audit requirements including scope, frequency, and quality. NETBankAudit complies fully with FFIEC guidance. The cut-rate competitors do not. The dangers of choosing a cheap audit firm can be significant and include operational, security, regulatory, and reputational risks. When selecting an audit firm, it is important to get an apples-to-apples comparison with regard to expertise, approach, methodology, technology, scope, and allocated hours. Avoid firms that underestimate audit hours during the RFP process to win the contract. These firms are often the most expensive and least effective because the focus is on billable hours instead of quality coverage.

About NETBankAudit
What is the most frequent examination concern with audit coverage?

Audit follow-up and issue tracking is a commonly reported examination issue. All audit issues should be documented, tracked, and resolved promptly based on risk and priority. Risk acceptance of reported issues should be done judiciously, and such risk acceptances should be thoroughly documented by the Audit Committee and Risk Management function. Repeat issues are considered significant examination deficiencies and are often used to justify unsatisfactory examination ratings.

Cybersecurity
What is the difference between inherent and residual risk?

Inherent risk is defined as the level of risk of an area or asset before any actions are taken to alter the risk's impact or likelihood. Residual risk is the level of risk remaining after controls have been developed and implemented.

Cybersecurity