Occ. Code 0319200
|
INFORMATION TECHNOLOGY EXAMINER 1 (BANKS),
GRADE 23
|
0319200
|
|
INFORMATION TECHNOLOGY EXAMINER 2 (BANKS),
GRADE 27
|
0319300
|
|
INFORMATION TECHNOLOGY EXAMINER 3 (BANKS),
GRADE 29
|
0319400
|
|
INFORMATION TECHNOLOGY EXAMINER 4 (BANKS),
GRADE 31
|
0319500
|
New
York State Department of Civil Service
Classification
Standard
BRIEF DESCRIPTION OF CLASS SERIES
Information Technology Examiners perform
comprehensive evaluations and operational risk reviews of the Information
Technology (IT) environment (i.e., systems management, electronic banking,
internet security, pc banking, etc.) at institutions regulated by the Banking
Department. These positions review the IT activities as part of a regularly
scheduled safety and soundness examination or perform independently targeted IT
examinations. Information Technology Examiners are classified in the Banking
Department only.
DISTINGUISHING CHARACTERISTICS
INFORMATION TECHNOLOGY EXAMINER 1 (BANKS): full performance level; conducts examinations of
low- to medium-risk institutions; may supervise lower level Bank Examiners
during examinations.
INFORMATION TECHNOLOGY EXAMINER 2 (BANKS): first supervisory level; conducts examinations
of medium-risk institutions; and assists higher level IT examiners in the
examination of large complex financial institutions.
INFORMATION TECHNOLOGY EXAMINER 3 (BANKS): second supervisory level; performs examinations of
high risk institutions and those having domestic and international presence.
INFORMATION TECHNOLOGY EXAMINER 4 (BANKS): third supervisory level; performs examinations of
high risk institutions such as data centers or service bureaus, which service
multiple financial institutions and those having a significant domestic (over
200 branch or agent offices) and international presence.
For additional information on the characteristics and
risk profiles of the institutions examined by the various ITEs,
see Appendix A.
RELATED CLASS
Bank Examiners conduct in-depth examinations of financial institutions and
other businesses regulated by the Banking Department. They perform either
on-site examination of institutions� financial condition, operating procedures
and management controls or, when assigned to one of the Department�s office
divisions, review and analyze examination reports and financial reports
submitted by institutions. They ensure that State-chartered financial
institutions conduct their businesses safely and soundly and that their
policies and operations conform to the Banking Law and the Department�s rules
and regulations.
ILLUSTRATIVE DUTIES
· Reviews policies and procedures relative to IT
effects upon bank operations.
· Determines adequacy of records, systems and controls
governing IT operations.
· Assesses the systems supporting �back office�
operations (i.e., systems for trading and investment activities and other
banking functions), and the automated systems providing the �middle office� and
�front office� with the position, limit and other reports necessary to manage
risk.
· Participates with representatives of federal
regulatory agencies in performing joint or concurrent IT examinations.
· Researches new electronic products and services and
performs pre- and post-implementation reviews of such products/services.
· Writes the IT portion of the overall examination report.
· Discusses IT examination findings with the Examiner-In-Charge,
Team Leader and/or Deputy Superintendent, and participates in meetings with
other Department staff and institutional staff.
· Conducts and participates in training Department
staff on examination issues.
· Supervises staff assigned to examinations by
developing the examination plan; organizing and coordinating activities during
the examination; assigning work; monitoring staff progress in accomplishing
assignments; providing guidance and assistance to staff; and evaluating staff
and reviewing examination results.
MINIMUM QUALIFICATIONS
INFORMATION
TECHNOLOGY EXAMINER 1 (BANKS)
Open Competitive: Bachelor�s Degree and three years of experience in
developing, analyzing, managing or auditing operations of IT systems at a bank,
other financial institution or bank regulatory agency. A Bachelor�s Degree in
computer science may substitute for one year of the experience.
INFORMATION
TECHNOLOGY EXAMINER 2 (BANKS)
Promotion: One year of service as an Information Technology
Examiner 1 (Banks).
Open Competitive: Bachelor�s Degree and five years of the experience
required for Information Technology Examiner 1 (Banks).
INFORMATION
TECHNOLOGY EXAMINER 3 (BANKS)
Promotion: One year of service as an Information Technology
Examiner 2 (Banks).
Open Competitive: Bachelor�s Degree and seven years of the experience
required for Information Technology Examiner 1 (Banks). One year of the
experience must have been supervisory. The Bachelor�s Degree in
computer science substitution
applies only to the non-supervisory experience.
INFORMATION TECHNOLOGY EXAMINER 4 (BANKS)
Promotion: One year of service as an Information Technology
Examiner 3 (Banks).
Open Competitive: Bachelor�s Degree and nine years of the experience
required for Information Technology Examiner 1 (Banks). Two years of the
experience must have been supervisory. The Bachelor�s Degree in
computer science substitution
applies to the non-supervisory experience. A current valid Certified
Information Systems Auditor designation may substitute for one additional year
of the non-supervisory experience.
NOTE: Classification Standards illustrate the nature,
extent and scope of duties and responsibilities of the classes they
describe. Standards cannot and do not include all of the work that might
be appropriately performed by a class. The minimum qualifications above
are those that were required for appointment at the time the Classification
Standard was written. Please contact the Division of Staffing Services
for current information on minimum qualification requirements for appointment
or examination.
Date: 9/07
Attachment
Appendix A
Characteristics of Institutions Examined by ITEs
|
Requirement
|
ITE1
|
ITE2
|
ITE3
|
ITE4
|
|
Number
of Information Technology Auditors at institution if IT audit has not been
outsourced to a third party consultant/audit firm.
|
1
|
1
|
2-5
|
5
|
|
Institution has an IT
and/or consultant staff consisting of:
|
1-5
|
6-99
|
100-299
|
Over 300
|
|
IT
project annual budget
|
$250k
|
$750k
|
$10 million
|
$10 million
|
|
Size of project
management staff/consultant
|
1-7
|
1-7
|
8-10
|
Over 10
|
|
Number
of known operating system software programs needed to support the application
platforms that support the financial institution. (IBM MVS, VSE, or AIX), Sun
Microsystems Solaris, Microsoft Windows, Tandem TACL, etc.)
|
1
|
1
|
2
|
3
|
|
IT
platform/environment
|
server/desktop database
software
|
Midrange platform database
software architecture and server/desktop database software
|
Midrange/
mainframe
|
Midrange/
mainframe
|
|
|
|
|
|
|
Risk Profiles of Institutions Examined by ITEs
|
|
Low
|
Medium
|
High
|
|
Assets
|
<
$ 1 Billion
|
>
$ 1 Billion < $10 Billion
|
> $10 Billion
|
|
Institutional Staff Size
|
<
5
|
>
5 <10
|
> 10
|
|
IT Operating Budget
|
<
$1 Million
|
>
$1 Million < $10 Million
|
> $10 Million
|
|
Operational Changes
|
None
|
Applications
Upgrade/Installation
|
Multiple Applications Upgrade/Merger
|
|
Previous Examination Rating
|
1,
2
|
1,
2, 3
|
2, 3, 4
|
|
Staff Turnover
|
Minimal
|
<
10%
|
> 10%
|
|
Notes:
|
|
|
|
|
|
|
The
risk assigned to any institution is fluid. It can change each fiscal year and
is dependent on many
factors including:
|
|
|
1) Size of institution and peer
comparison determination which can be decided by any regulator
that is responsible for the financial
institution (NYSBD, FDIC, or FRB).
|
|
|
|
|
|
2)
Previous examination ratings.
|
|
|
|
|
|
3)
Responses to preliminary examination questionnaires.
|
|
|
|
|
|
4)
Asset size.
|
|
|
|
|
|
5)
Changes made by management within the operating environment.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rating
|
Examination Rating Definition
|
|
1
|
Financial institutions and service providers rated composite �1� exhibit strong performance in every respect
and generally have components rated 1 or 2.
Weaknesses in IT are minor in nature and are easily corrected during
the normal course of business. Risk
management processes provide a comprehensive program to identify and monitor
risk relative to the size, complexity and risk profile of the entity. Strategic plans are well defined and fully
integrated throughout the organization.
This allows management to quickly adapt to changing market, business
and technology needs of the entity.
Management identifies weaknesses promptly and takes appropriate corrective
action to resolve audit and regulatory concerns. The financial condition of the service
provider is strong and overall performance shows no cause for supervisory
concern.
|
|
2
|
Financial institutions and service providers rated
composite �2� exhibit safe and sound performance but may demonstrate modest
weaknesses in operating performance, monitoring, management processes or
system development. Generally, senior
management corrects weaknesses in the normal course of business. Risk
management processes adequately identify and monitor risk relative to the
size, complexity and risk profile of the entity. Strategic plans are defined
but may require clarification, better coordination or improved communication
throughout the organization. As a
result, management anticipates, but responds less quickly to, changes in
market, business, and technological needs of the entity. Management normally identifies weaknesses
and takes appropriate corrective action. However, greater reliance is placed
on audit and regulatory intervention to identify and resolve concerns. The financial condition of the service
provider is acceptable and while internal control weaknesses may exist, there
are no significant supervisory concerns.
As a result, supervisory action is informal and limited.
|
|
3
|
Financial institutions and service providers rated
composite �3� exhibit some degree of supervisory concern due to a combination
of weaknesses that may range from moderate to severe. If weaknesses persist, further deterioration
in the condition and performance of the institution or service provider is
likely. Risk management processes may
not effectively identify risks and may not be appropriate for the size,
complexity, or risk profile of the entity.
Strategic plans are vaguely defined and may not provide adequate
direction for IT initiatives. As a
result, management often has difficulty responding to changes in business,
market, and technological needs of the entity. Self-assessment practices are weak and are
generally reactive to audit and regulatory exceptions. Repeat concerns may exist, indicating that
management may lack the ability or willingness to resolve concerns. The financial condition of the service
provider may be weak and/or negative trends may be evident. While financial or operational failure is
unlikely, increased supervision is necessary.
Formal or informal supervisory action may be necessary to secure
corrective action.
|
|
4
|
Financial institutions and service providers rated
composite �4� operate in an unsafe and unsound environment that may impair
the future viability of the entity.
Operating weaknesses are indicative of serious managerial
deficiencies. Risk management processes inadequately identify and monitor
risk, and practices are not appropriate given the size, complexity, and risk
profile of the entity. Strategic plans
are poorly defined and not coordinated or communicated throughout the
organization. As a result, management
and the board are not committed to, or may be incapable of, ensuring that
technological needs are met.
Management does not perform self-assessments and demonstrates an
inability or unwillingness to correct audit and regulatory concerns. The financial condition of the service
provider is severely impaired and/or deteriorating. Failure of the financial institution or
service provider may be likely unless IT problems are remedied. Close supervisory attention is necessary
and, in most cases, formal enforcement action is warranted.
|
|
5
|
Financial institutions and service providers rated
composite �5� exhibit critically deficient operating performance and are in
need of immediate remedial action. Operational problems and serious
weaknesses may exist throughout the organization. Risk management processes are severely
deficient and provide management little or no perception of risk relative to
the size, complexity, and risk profile of the entity. Strategic plans do not exist or are
ineffective, and management and the board provide little or no direction for
IT initiatives. As a result,
management is unaware of, or inattentive to technological needs of the
entity. Management is unwilling or
incapable of correcting audit and regulatory concerns. The financial condition of the service
provider is poor and failure is highly probable due to poor operating
performance or financial instability.
Ongoing supervisory attention is necessary.
|