Exams or Audits

  • 1.  Regulators requesting access to your systems

    This message was posted by a user wishing to remain anonymous
    Posted 07-18-2024 12:37 PM

    Hello all,

    Our regulators have requested direct access to our systems to help them take a holistic approach with their reviews. I am interested in your experience and thoughts on the below and anything else you would like to share. 

    1. Have any regulators asked for direct access to your systems?
    2. Have you provided access to your systems to regulators?
    3. What concerns do you have with providing direct access to your systems?
    4. Should they be required to sign a confidentiality agreement or a contract? If so, do individuals sign, or someone on behalf of the agency?
    5. Any best practices/stories/pros/cons to share?

    I look forward to hearing back!

    Thanks so much in advance!



  • 2.  RE: Regulators requesting access to your systems

    This message was posted by a user wishing to remain anonymous
    Posted 07-18-2024 01:08 PM

    Probably best to share which regulator is asking. Practices and requirements vary. The advice will be better if those subject to the same regulator respond.




  • 3.  RE: Regulators requesting access to your systems

    This message was posted by a user wishing to remain anonymous
    Posted 07-18-2024 01:09 PM

    Not sure what regulation(s). Direct access to systems is a very odd ask of a regulator, especially if you can provide any and all documentation needed. As a Governance, Risk and Compliance analyst, direct access was never given. As an internal auditor, I wasn't provided direct access to any CUI, PHI or PII. If I needed information or a holistic approach, I had to work with those that could provide information through an interview process or request for information. Preventing a regulator from seeing information that isn't part of the examination could be a challenge and shouldn't be allowed. I would definitely insist on an NDA and confidentiality agreement, both on an individual basis as well as an agency basis.




  • 4.  RE: Regulators requesting access to your systems

    This message was posted by a user wishing to remain anonymous
    Posted 02-05-2025 08:36 PM

    Good afternoon.

    This is becoming a more common request from examiners and external auditors. Please see my answer to your first three questions below:

    1. Yes, at multiple institutions I have worked at. I have received this request from both examiners with the NCUA as well as external auditors.
    2. No, I have never provided unsupervised access to either an examiner or regulator.
    3. My main concern is that they see something that they misinterpret. It is very hard to reverse an opinion once they see something. I prefer to provide the samples requested, that way I have a chance to review them and anticipate questions or in the best case can provide an explanation at the time I provide the documents/screenshots.
    4. As far as DNR, these concerns should be addressed in your engagement letters and policies. Although if you do allow access, I would want to ensure that it is added to a policy or procedure (depending on how your institution utilizes these) and speaks to your process of engagement DNR, granting access, and revocation of access upon the conclusion of the engagement, etc.



  • 5.  RE: Regulators requesting access to your systems

    Posted 02-06-2025 05:00 AM

    Re: Our regulators have requested direct access to our systems to help them take a holistic approach with their reviews. I am interested in your experience and thoughts on the below and anything else you would like to share.

    1. Have any regulators asked for direct access to your systems? Yes, all the time.
    2. Have you provided access to your systems to regulators? My first question usually is: do you know the software and its functionality? This is to understand the auditor's capabilities. If the answer is no, we will work with you to walk through the systems and their Q&A. No access, period. Outside of this, ANY access is a) read only, b) limited to the exact function that the auditor is looking into, and usually supervised by one of my team.
    3. What concerns do you have with providing direct access to your systems? Biggest concern: no familiarity with the system/application they requested access to, which, if access is granted, will result in seeing something that they misinterpret, in addition to all the Q&A time wastage. Else read-only.
    4. Should they be required to sign a confidentiality agreement or a contract? If so, do individuals sign, or someone on behalf of the agency? They have to sign an NDA, period, if they are granted access to your systems.
    5. Any best practices/stories/pros/cons to share? Read-only access, limit access to requested functionality only, NDA if granting access, supervise as feasible.



  • 6.  RE: Regulators requesting access to your systems

    This message was posted by a user wishing to remain anonymous
    Posted 02-06-2025 05:27 AM

    I have been out of banking for a while (in other industries), but I concur that this is a request that's a bit unusual.  However, I seem to recall hearing that it does occur, in particular if a bank is under an administrative order (e.g. memorandum of understanding or equivalent).  I have always had an excellent relationship with every examiner and regulatory agency, and audit firm, for that matter; so I would agree with the one comment that I think unsupervised access should be limited (if allowed at all) and there should be a way to provide larger samples or screen prints of masked data etc.  In my mind it's the same as a vendor who will not share a penetration test (even an executive summary) but will allow limited screen shares etc.  Unless the financial institution has moved from reports that say "the bank should consider" to "the bank shall" (in a written agreement), I'd be reluctant to provide that access without some of the steps others have mentioned, and I'd try to find a happy median somehow.




  • 7.  RE: Regulators requesting access to your systems

    This message was posted by a user wishing to remain anonymous
    Posted 02-06-2025 08:33 AM

    Greetings.

    I have worked with regulators in both mortgage banking (over 43 states) and insurance companies.  In New York State, the departments merged as Dept of Financial Services. However, as the Federal regulator as well as the State regulator (typically where the headquarters is "domiciled" as Legal likes to point out) -- you are a covered entity required to disclose all records to the examiner. We also had independent auditors for both financial/operations and IT/cybersecurity annually.

    For any production systems, look at your policies -- there is no basis on production systems to grant anything but read-only access to any developer, contractor, examiner or auditor.

    1. Direct access -- again, they have direct access to records. For mortgage banking, we provided standalone access to every record we had for that state-specific mortgage department (once upon a time, first and second/refinance mortgages had different examiner teams). This was possible as we could extract all that state's records, place it on a standalone computer with a local printer in a conference room and leave them unattended. It's their audit. [Note: this was a first-of-its-kind private cloud mortgage banking system for an end-to-end mortgage life cycle, with a continuous property, consumer and HMDA encoding/tracking system, which was built to have my client's records extracted when they terminated -- the same feature worked very well for them when they had an auditor -- just provide the scope of years to export, state, types of mortgages, and a static web site was created with all data and images extracted from the multi-media databases.] Who knew the contract termination allowed us to offer a service to support audits. [Note: At that time, other than printing, there was no allowance for the examiner to leave with the static system. In some states, with a few dozen to a hundred loans, the entire "site" fit on a CDROM, and at the time the examiners never knew they weren't live since every screen/result mirrored the live system used by processors and underwriters.]

      Today, the regulatory law states all records are available upon request. Our systems have "read-only access" user role as a requirement for any systems or SaaS applications we use today.  Our policies don't grant unfiltered access to anyone in production in read-only roles. 
    2. Yes, as mentioned, today we have a specific auditor role. In the past, we set up a conference room, with its own router and protected internet access, that they could plug their regulator laptops into. Privacy was normal for examiners or auditors to request. However, those systems had no direct access to our corporate network -- just the in-room local area network with printer and Internet access. Today, that can still be provided as a virtual work area.
      For access to our systems, we used to set up workstations in that room and offer read only access. Today, using their own PCs and Internet access, they can access our secured Cloud Desktops that are secured with VPN and MFA to our corporate network and they are granted read only access. 
    3. There is no engagement with any examiner or auditor without signed agreements, with very specific scope of the engagement, etc. Obviously Legal / corporate counsel and CEO work with regulator on those details.  For us, if they aren't interviewing and observing operations, then they can use the secured access with the read-only role.  As others mentioned, we expect courteous and respectful interactions and have received that year in and year out as we respond in kind.   So no specific concerns on providing direct access not covered by our risk-based cybersecurity program and maintaining our hardened security posture. 
      The key point -- no examiner or regulator or auditor has any right or role to alter our records, since their preservation and retention is what we are regulated to protect from outside or internal threats or unintended misuse or access.
    4. As mentioned earlier -- there is no access without signed agreements, and our internal policies and procedures require a lot of documentation to set up the secured access in advance. Typically for an examination, we get a first-day letter to respond to (what applications, who are the players they will work with, etc.); then a few weeks later, an extensive pre-examination questionnaire that takes a massive effort (since I no longer have the custom system in this business) to gather in the format the typically sixty to eighty questions require (which are likely 200-300 sub-questions and deliverables) which must be uploaded. Once that is available, the regulator will either send examiners or outsource the examination. Of course, the outsourced party had to sign agreements (NDA, HIPAA BAA, etc.) before they have access. And at that time, typically two weeks after the upload, the examination begins. I find on-site examiners always come for the financial/operations audit, and a mix of web meetings and at least one on-site auditor for the IT/cybersecurity audit. We also verify that anyone with authorized access to our systems provides individual evidence of cyber awareness training and HIPAA training -- which Legal seems to confirm as always the case.
    5. Today, denying direct connections to our network is a critical security requirement -- we can control the security on our domain computers; and our secured VPN-accessible with MFA Cloud Desktops. We find auditor and examiner regulators do not necessarily have as hardened group policies and other security controls -- and we require multiple agents on any domain connected computer before any application access is possible -- including activity monitoring and centralized logging agents (including command lines, web / API access via browser, file server access, etc.) as our regulator and our security policies, practices and procedures required.
      - If a Windows enterprise/M365 shop, have your team investigate the secured cloud desktops, with all your agents (don't skimp), MFA and VPN access required before the auditor can access your network. It meets the requirement to provide access, but does not expose your network if the examiner/auditor system had intentional/unintentional/malicious software that can infect/affect your network.
      - DO NOT LET ANYONE CIRCUMVENT YOUR CYBERSECURITY PROGRAM -- after all -- they might just ask to see if you will and then give you a fin(e)ding.
      - Application access is only available as read-only. All access must go through our IT ticketing system, and then is group reviewed (including IT cyber risk, cyber awareness/HIPAA training review, and CISO review) before anyone thinks of fulfilling the ticket.
      - Rely on your business teams to develop the rapport -- as mentioned normal behavior.

      Good luck. The only concerns since 1990 that I have seen are:
      1. Have someone be available to the examiner when 'roaming your office(s)'. One examiner was roaming the halls and asking maintenance people about business processes; while unqualified to answer, they re-stated bits of what they had heard (having been with the firm for 10 plus years), and that examiner considered using an unqualified mis-statement rather than asking the underwriting or closing department for our process, which we had the records to back up.

      2. This is a suggestion for your Compliance lead or team. Until recently, since we are under a five-year examination in insurance, we didn't think to request the "IT/cybersecurity questionnaire" every year. It had changed radically from the previous audit 5 years ago. It's possible that if we had access whenever the questionnaire changed, we could improve internal training and let everyone keep up with examiner tactics to gather evidence, like we do when the regulation changes. We estimate it could have saved about 2 of the 4 weeks required to answer the last IT/cyber questionnaire, which is worth something the larger the bank or insurance company you have.


