Entrepreneurial Spirit. Independent expertise.

IT Services for Financial Institutions

Our IT Audit professionals have more than 20 years of experience working with financial institutions. Our team members have earned regional and national recognition for their specialized Information Technology focus and service to the accounting profession, and regularly participate in IT strategy and compliance discussions with credit union management. The IT audit team is seamlessly integrated into our financial services audit methodology, and their expertise is invaluable in identifying business, technology, and financial misstatement risks, which contributes to the efficiency and effectiveness of our audits.

Cyber Security Risk Assessment & Three Year Audit Plan
The Risk Assessment will include threats to systems, facilities, and data. Management will assist in the identification and prioritization of risks, and GBQ will recommend a Three Year Audit Plan for addressing the risks.

IT General Controls Review with Audit Tracking
This review evaluates IT controls in accordance with guidelines established by FFIEC and ODFI, covering the following areas:

  • Prior IT audit and examination findings
  • IT organization & administration
  • Information security program, policies, & procedures
  • Access rights administration
  • User authentication to networks and key financial applications
  • Physical and environmental security
  • Perimeter security
  • Workstation security
  • Server security
  • Backup and recovery
  • Change management
  • FedLine settings and review procedures

GLBA Compliance Review
This review will include assessing compliance with the “safeguard rule” under the Gramm-Leach-Bliley Act (GLBA) including:

  • Information Security Officer
  • Information security policy
  • Risk assessment
  • Tests of controls
  • Board of Directors involvement
  • Incident response procedures
  • System and media disposal
  • Vendor management program
  • Employee awareness and training

Review Business Continuity / Disaster Recovery Plans
GBQ will review existing documented Business Continuity/Disaster Recovery Plan elements and provide our observations and recommendations on the included or missing plan elements.

Network Vulnerability & Penetration Security Assessments
GBQ offers optional external, internal, wireless, and social engineering assessments targeted at specific technology assets. A specific fee quote will be provided depending upon the number of servers/devices/applications/locations to be included in the assessments.

  • External Network Security Assessments focus on the security of external-facing routers, firewalls, remote access connections (VPNs), and Internet-accessible servers.
  • Internal Network Security Assessments focus on components of the internal network infrastructure, including servers, workstations, storage systems, and databases, looking for vulnerabilities that can be exploited to gain unauthorized access to systems. We will also review operating system and device patch management practices.

Wireless Security Assessments
GBQ will look at access point configurations and placement, broadcast signal patterns, network segmentation for visitors, and management practices for multiple access points.

Social Engineering Assessments
The assessments include attempts to gain access to systems or data by phishing, solicitation, e-mail, or by physical access to sensitive areas.

  • Michael Dickson
  • Director of Information Technology Services
  • (614) 947-5259