SCOPE OF ENGAGEMENT
A large nationwide Bank brought in a key BASG Risk Expert to work on an IT Controls Project. The goal was to assist with three regulatory and audit issues and then develop content to migrate policy controls and Quality Assurance content to a new internal platform.
The first challenge BASG’s Risk Consultant faced was determining the current state of the organization in the key areas outlined above. That was done through a series of one-on-one and group sessions. Once that goal was met, the Risk Consultant worked closely with Bank staff members to develop and re-write Technology and Information Security policies and procedures. Further, he was tasked with identifying and documenting Technology control activities and developing a Technology QA process and the requisite templates.
The Risk Consultant, specifically selected for his expertise in Risk and in IT Controls, also spent time evaluating existing policies and then re-writing them to meet current standards and needs. He also recommended and created new policies as determined by identified policy gaps.
Using UCF, the Consultant selected control objectives that align with the appropriate external authority documents and that support policy statements. The work also covered development of a new control activity description to support RCSA, SOX, BASEL, and other key risk activities.
Lastly, the Consultant developed a QA process and templates to enable the organization to plan, design, perform and document QA activities going forward.
This lengthy effort resulted in an A+ score for the Risk Management Consultant. The three outstanding audit issues were resolved in a timely manner. Further, the systems, policies and procedures created allowed efficient migration to a new internal platform and were geared to avoid recurrence of similar issues and give the Client confidence in its IT Controls program.