2024 Annual Audit and Exam Issues: Insights from NETBankAudit

As a leader in IT auditing and risk management for financial institutions, NETBankAudit is pleased to share our insights from the 2024 audit season. Our analysis, based on over 150 financial institutions, provides a comprehensive view of the most pressing IT and compliance issues facing the industry today.

Download the 2024 Annual Audit and Exam Issues NETBankAudit whitepaper in PDF format.

Compare with last year’s analysis 2023 Annual Audit and Exam Issues

2024 Top Regulatory Issues for Financial Institutions

NETBankAudit Examination and Audit Volume

In 2024, NETBankAudit conducted 277 audit engagements, with over 95% including some form of internal and external vulnerability assessment and testing:

277 audit engagements
- 80% IT/operations related
- 13% BSA Compliance and BSA MIS
- 7% Compliance/Internal Audit
827 standalone technical testing engagements, including:
- Internal and external network penetration testing
- System and process assessments
- Social engineering testing

2024 Regulatory Issues Table (~ 150 financial Institutions)

Exam Issues	State	FDIC	FRB	OCC	NCUA	Total	%
ACH	0	0	0	0	0	0	0%
Business Continuity	1	15	1	3	4	24	10%
Business Operations	1	0	0	0	1	2	1%
Change Management	1	9	4	1	1	16	6%
Cybersecurity	5	20	5	2	8	40	16%
Data Assurance	0	0	0	1	0	0	0%
Hardware and Software Controls	0	3	1	0	1	5	2%
Incident Response	1	3	0	0	1	5	2%
IT Governance	1	20	2	1	2	26	11%
Organizational Structure	2	3	0	0	1	6	2%
Password	1	0	1	1	0	3	1%
Physical Security Controls	1	1	0	0	0	2	1%
Policies and Procedures	0	7	2	0	4	13	5%
Project Management	0	7	2	0	0	9	4%
Regulatory Compliance	2	12	2	0	1	17	7%
Risk Assessment	1	7	0	1	8	17	7%
Strategic Planning	1	8	0	0	0	9	4%
System Design	0	1	0	0	0	1	0%
Training and Social Engineering	0	5	0	0	2	7	3%
User Access	0	12	3	0	2	17	7%
Vendor Management	0	21	1	0	3	25	10%
Wire Transfer	0	1	1	0	0	2	1%
Totals	18	155	25	10	39	246	100%

‍

Top 5 Financial Institution Regulatory Exam Issues of 2024

In our annual review of the most common regulatory exam issues facing financial institutions, we identified key areas of concern based on survey data from approximately 150 institutions in 2024. This represents a smaller sample size compared to 2023, when around 250 financial institutions participated. Despite this difference, the findings provide valuable insights into shifting regulatory priorities and ongoing areas of scrutiny. Below, we compare the top five regulatory exam issues of 2024 against their prevalence in 2023, highlighting notable trends in examiner focus and enforcement actions.

Cybersecurity (16% overall)

Cybersecurity continues to be the top exam issue with 16% of the overall total (19% of overall total in 2023)
In 2024, FDIC accounted for 50% of cybersecurity issues, up from 18% in 2023
Cybersecurity issues from OCC and NCUA decreased in 2024, accounting for 25% of cybersecurity issues compared to 62% in 2023

IT Governance (11% overall)

In 2024, IT Governance made up 11% of total issues, driven mainly by FDIC which accounted for 77% of IT Governance issues, up from 40% in 2023.
FDIC's issue count remained stable at 23 in 2023 vs. 20 in 2024, while other regulators' issue count dropped from 35 in 2023 to 6 in 2024.

Vendor Management (10% overall)

Vendor Management is now the third most common issue in 2024, reflecting heightened scrutiny over third-party risks.
FDIC raised 84% of Vendor Management issues in 2024, up from 28% in 2023.
The total number of Vendor Management issues remained 25 in both years, but FDIC's issue count increased from 7 in 2023 to 21 in 2024, while other regulators' involvement dropped.

Business Continuity (10% overall)

In 2023, Business Continuity also made up 10% of total issues across regulators.
In 2024, FDIC accounted for 63% of Business Continuity-related issues, compared to 47% in 2023.

Risk Assessment (7% overall)

In 2023, Risk Assessment made up 7% of total issues, while Regulatory Compliance was not separately categorized.
FDIC raised 71% of the issues under these categories in 2024, compared to 28% for Risk Assessment in 2023.

These findings highlight the continued focus of regulators on institutions' ability to protect against and respond to cyber threats, as well as the importance of strong IT governance frameworks.

2024 Exam Issue Distribution by Regulatory Body

Below is a breakdown of how different regulators contributed to the reported exam issues in 2024:

FDIC (Federal Deposit Insurance Corporation): Accounted for 155 out of 246 (63%) of reported issues, making it the most active regulatory body in our survey. The FDIC showed particular concern with Cybersecurity (20 issues), IT Governance (20 issues), and Vendor Management (21 issues).
FRB (Federal Reserve Board): Responsible for 25 out of 246 (10%) of reported issues. The FRB's focus was spread across Cybersecurity (5 issues), IT Governance (2 issues), and User Access (3 issues).
OCC (Office of the Comptroller of the Currency): Contributed to 10 out of 246 (4%) of reported issues. The OCC placed a strong emphasis on Cybersecurity (2 issues) and Risk Assessment (1 issue).
NCUA (National Credit Union Administration): Generated 39 out of 246 (16%) of reported issues. The NCUA showed a particular focus on Cybersecurity (8 issues), Business Continuity (4 issues), and Risk Assessment (8 issues).
State Regulators: Accounted for 18 out of 246 (7%) of reported issues, with a balanced focus across various areas.

These findings indicate that the FDIC played an even greater role in regulatory scrutiny in 2024 compared to 2023, with a marked increase in issues related to Vendor Management and IT Governance. Meanwhile, other regulators showed decreased overall involvement in reported exam issues, particularly the OCC and FRB.

Understanding these shifts in regulatory focus can help financial institutions prepare for future exams by strengthening controls in key areas such as Cybersecurity, IT Governance, Vendor Management, Business Continuity, and Risk Assessment.

NETBankAudit's Top Identified IT Audit Control Evaluation Issues

NETBankAudit's COBIT-Based Audit Methodology

NETBankAudit employs a risk-based IT audit methodology founded on the latest version of COBIT, published by the Information Systems Audit and Control Association. This framework is widely recognized in the industry and aligns well with FFIEC IT Audit guidelines, including URSIT (Uniform Rating System for Information Technology).

Our COBIT-based approach involves:

Evaluating 22 control objectives across four main areas:
- IT Governance
- IT Management
- IT Operations
- IT Security
Using COBIT's audit framework and maturity model to determine appropriate tests for each control area.
Providing overall and component control objective ratings, supported by detailed documentation in our formal reports and work programs.

This methodology ensures a thorough, standardized approach to IT auditing that addresses both regulatory requirements and operational best practices. The table below outlines the identified issue prevalence.

2024 NETBankAudit Issues Table (~150 financial institutions)

Control Evaluation (NETBankAudit COBIT Model)	Totals	%
IT Governance Framework	26	2%
Strategic Planning, Implementation, and Transparency	17	1%
Risk Assessment	43	4%
Compliance Monitoring	12	1%
Organizational Structure and Provisioning	8	1%
Policies and Procedures	14	1%
Project Management	24	2%
Outsourcing and Vendor Management	78	6%
Training and Awareness	40	3%
System Design, Availability, and Capacity	11	1%
Hardware and Software Controls	124	10%
Change Management and Problem Management	152	12%
Input/Output (End-to-End) Controls	11	1%
Data Assurance	24	2%
Business Continuity Management	89	7%
Information Security and Cybersecurity Programs	9	1%
Network Security	311	26%
User Access Controls	86	7%
Logical Access Controls	51	4%
Physical Controls	25	2%
Logging and Monitoring Controls	30	2%
Incident Prevention and Response	34	3%
Total	1219	100%

‍

Top IT Audit Issues for Financial Institutions Identified in 2024

Based on our COBIT-aligned audits of approximately 150 financial institutions, our analysis of IT audit issues in 2024 reflects both ongoing concerns and shifting priorities compared to 2023, when approximately 250 institutions were surveyed. The following are the top five identified audit issues in 2024:

Network Security (26%) – Network security remains the most pressing concern, with a significant increase in focus compared to 18% in 2023. This category includes evaluations of internal and external network vulnerabilities, firewall configurations, and overall network architecture security. The rise in network security findings indicates heightened regulatory and institutional awareness of evolving cyber threats.
Change Management & Problem Management (12%) – The second most common audit issue in 2024, up from 9% in 2023, reflecting increasing scrutiny on IT change controls, software updates, and incident handling. Institutions are being urged to strengthen their patch management policies, update tracking mechanisms, and enhance oversight on IT system changes.
Hardware & Software Controls (10%) – Although still a major issue, its proportion has decreased from 13% in 2023, indicating some improvement in IT asset management practices. This category includes managing IT inventories, ensuring lifecycle security, and enforcing configuration controls on software and hardware.
Business Continuity Management (7%) – Consistent with 2023 (7%), financial institutions continue to face challenges in ensuring resilience during disruptions. Deficiencies often relate to BIAs (Business Impact Analyses), RTOs/RPOs (Recovery Time and Point Objectives), and incident response exercises.
User Access Controls (7%) – A continued concern from 2023 (8% previously), user access management remains a critical area, especially with increased remote work and cloud adoption. Key issues include privileged access oversight, segregation of duties, and monitoring unauthorized access attempts.

This data underscores the necessity for financial institutions to adopt a proactive IT governance strategy that aligns with regulatory expectations while mitigating evolving cybersecurity and operational risks. Our COBIT-based methodology provides a comprehensive assessment, helping institutions strengthen their IT control environment beyond regulatory compliance.

2024 Distribution of Overall IT Audit Ratings

As part of our comprehensive IT audit process, NETBankAudit assigns overall ratings to each institution, providing a snapshot of their IT risk management maturity and effectiveness. The overall distribution of IT Audit ratings for 2024 was as follows:

Overall IT Audit Ratings	2024	2023
Strong	0%	< 1%
Satisfactory	84%	47%
Satisfactory with Recommendations	14%	42%
Needs Improvement	< 2%	10%
Unsatisfactory	0%	< 1%

‍

These ratings demonstrate significant improvement of Financial Institutions from 2023, with a large shift to Satisfactory rating, which now accounts for 84% of audits.

Hot Topics and Emerging Trends

As part of our commitment to providing value-added insights, NETBankAudit continuously monitors the evolving landscape of IT risk in the financial sector. Our analysis, informed by our extensive audit experience and ongoing engagement with regulatory developments, has identified several key areas of focus for financial institutions in the coming year. These hot topics reflect both persistent challenges and emerging risks that institutions must address to maintain robust IT governance and security postures.

1. IT Governance Framework:

Information Security Program Report to the Board
Insurance Limits (Wire Transfer amounts, Bond Coverage)
Information Security Program
Thresholds
Exceptions
Role of ISO

2. Risk Assessment:

Information Technology and Security Risks
Overall Content and Completeness
Presentations to the Board
Risk Appetite
IT Audit Risk Presented to the AC
ACH Risk Assessment – Transaction Limits

3. Outsourcing and Vendor Management:

Insufficient Vendor Oversight
Due Diligence
Risk Rating
Vendor Management Policy (content and details)

4. Policies and Procedures:

Policy Updates
Encryption Standards
RDC
Incident Response
Risk Management
Wire Transfer
Project Management
Change Management

5. Change Management and Problem Management:

Insufficient Change Management Policies and Procedures
Incomplete Patching Policies
Patching Frequency

6. Business Continuity Management:

Exercises not performed (full scale or table-top)
Incomplete BIAs
RTO, RPOs, MTD
Risk Rating of critical functions
Reporting of Test Results

7. Network Security:

Patching Reporting Systems
System Monitoring
End of Life Servers
Network Device Configuration Reviews
Frequency of Vulnerability Tests

8. User Access Controls:

Segregation of Duties
Privileged Access Risks and Oversight Controls
Remote Access Monitoring

How NETBankAudit Can Help

As a specialized firm serving over 800 financial institutions across 38 states, NETBankAudit is uniquely positioned to help your institution navigate these challenges. Our comprehensive services include:

Risk-based IT General Controls Auditing
Internal and External Vulnerability Assessments
Penetration Testing
Social Engineering Testing
Specialized Transactional Audits (Digital Banking, Wire Transfer, RDC, ACH)
Value-Add Management Consulting

Our team of certified, senior-level auditors brings a wealth of experience in IT engineering, regulatory compliance, and financial services operations. We're committed to delivering high-quality, risk-based audits that not only meet regulatory requirements but also provide actionable insights to improve your institution's overall security posture and operational efficiency.

Don't let IT risks and compliance gaps hold your institution back. Contact NETBankAudit today to learn how we can help strengthen your IT risk management program and secure your institution's digital future.

 
class SampleComponent extends React.Component { 
  // using the experimental public class field syntax below. We can also attach  
  // the contextType to the current class 
  static contextType = ColorContext; 
  render() { 
    return <Button color={this.color} /> 
  } 
}