Tentative Classification Standards issued by the Division of Classification & Compensation are shared with the operating agencies of State government for their consideration and comment. Accordingly, this document that you are viewing is subject to change and will be issued in final form at the completion of the review period.
TENTATIVE
Occ. Code 0332200
|
INFORMATION
TECHNOLOGY EXAMINER 1 (FINANCIAL SERVICES), GRADE 23
|
0332200
|
|
INFORMATION
TECHNOLOGY EXAMINER 2 (FINANCIAL SERVICES), GRADE 27
|
0332300
|
|
INFORMATION
TECHNOLOGY EXAMINER 3 (FINANCIAL SERVICES), GRADE 29
|
0332400
|
|
INFORMATION
TECHNOLOGY EXAMINER 4 (FINANCIAL SERVICES), GRADE 31
|
0332500
|
New York
State Department of Civil Service
Classification
Standard
BRIEF
DESCRIPTION OF CLASS SERIES
Information Technology Examiners (ITEs)
perform comprehensive evaluations and operational risk reviews of the
Information Technology (IT) environment (i.e., systems management, electronic financial
transactions, internet security, and pc banking) at the institutions regulated
by the Department of Financial Services (DFS). These positions review the
IT activities as part of a regularly scheduled safety and soundness examination
or perform independently targeted IT examinations.
Information Technology Examiners (Financial
Services) are classified at the Department of Financial Services (DFS) only.
DISTINGUISHING CHARACTERISTICS
INFORMATION TECHNOLOGY EXAMINER 1 (FINANCIAL
SERVICES): full
performance level; conducts examinations of low- to medium-risk institutions
and companies; may supervise lower level examiners during examinations.
INFORMATION TECHNOLOGY EXAMINER 2 (FINANCIAL
SERVICES): first
supervisory level; conducts examinations of medium-risk institutions and
companies; and assists higher level IT examiners in the examination of large
complex financial institutions and companies.
INFORMATION TECHNOLOGY EXAMINER 3 (FINANCIAL
SERVICES): second
supervisory level; performs examinations of high risk institutions and
companies and those having domestic and international presence.
INFORMATION TECHNOLOGY EXAMINER 4 (FINANCIAL
SERVICES): third
supervisory level; performs examinations of high risk institutions and
companies such as data centers or service bureaus, which service multiple
financial institutions and/or companies and those having a significant domestic
(over 200 branch or agent offices) and international presence.
For additional information on the
characteristics and risk profiles of the institutions examined by the various
Information Technology Examiners (DFS), see Appendix A.
RELATED CLASSES
Bank Examiners conduct in-depth examinations of financial institutions and
other institutions regulated by DFS. They perform either on-site examination of
institutions� financial condition, operating procedures and management controls
or, when assigned to one of the Department�s office divisions, review and
analyze examination reports, and financial reports submitted by institutions.
They ensure that the institutions regulated by DFS conduct their businesses
safely and soundly and that their policies and operations comply with
applicable laws, rules and regulations.
Insurance Examiners audit the
financial condition and treatment of policyholders of insurers licensed to do
business in New York State (NYS) and investigate complaints from policyholders
and consumers against licensees to determine compliance with NYS Insurance Law,
Rules and Regulations, and perform other regulatory duties to assist DFS in
carrying out its regulatory responsibilities.
ILLUSTRATIVE DUTIES
·
Reviews IT policies and procedures
relative to IT�s impact upon financial institution or insurance company
operations.
·
Determines adequacy of
records, systems, and controls governing IT operations.
·
Assesses the systems
supporting back office operations (i.e., systems for trading and investment
activities and other financial and insurer functions), and the automated
systems providing the middle office and front office with the position, limit
and other reports necessary to manage risk.
· Participates with representatives of
federal regulatory agencies in performing joint or concurrent IT examinations.
·
Researches new electronic
products and services, and performs pre- and post-implementation reviews of
such products/services.
·
Writes the IT portion of
the overall examination report.
·
Discusses IT examination
findings with the Examiner-In-Charge, Team Leader and/or Deputy Superintendent,
and participates in meetings with other department staff and institutional
staff.
·
Conducts and participates
in training department staff on examination issues.
·
Supervises staff assigned
to examinations by developing the examination plan; organizing and coordinating
activities during the examination; assigning work; monitoring staff progress in
accomplishing assignments; providing guidance and assistance to staff; and
evaluating staff and reviewing examination results.
MINIMUM QUALIFICATIONS
INFORMATION
TECHNOLOGY EXAMINER 1 (FINANCIAL SERVICES)
Open Competitive: Bachelor�s degree and three years of
experience in developing, analyzing, managing or auditing operations of IT
systems at a bank, other financial institution, bank regulatory agency, or
insurance company. A bachelor�s degree in computer science may substitute for
one year of the experience.
INFORMATION TECHNOLOGY
EXAMINER 2 (FINANCIAL SERVICES)
Promotion: One year of service as an Information
Technology Examiner 1 (DFS).
Open Competitive: Bachelor�s
degree and five years of the experience required for Information Technology
Examiner 1 (DFS).
INFORMATION
TECHNOLOGY EXAMINER 3 (FINANCIAL SERVICES)
Promotion: One year of service as an Information
Technology Examiner 2 (DFS).
Open Competitive: Bachelor�s degree and seven years of
the experience required for Information Technology Examiner 1 (DFS). One
year of the experience must have been supervisory. The bachelor�s degree in
computer science substitution applies only to the non-supervisory experience.
INFORMATION TECHNOLOGY
EXAMINER 4 (FINANCIAL SERVICES)
Promotion: One year of service as an Information
Technology Examiner 3 (DFS).
Open Competitive: Bachelor�s
degree and nine years of the experience required for Information Technology
Examiner 1 (DFS). Two years of the experience must have been supervisory. The bachelor�s
degree in computer science substitution applies to the non-supervisory
experience. A current valid Certified Information Systems Auditor designation
may substitute for one additional year of the non-supervisory experience.
Date:
4/13
NOTE: Classification Standards illustrate
the nature, extent and scope of duties and responsibilities of the classes they
describe. Standards cannot and do not include all of the work that might
be appropriately performed by a class. The minimum qualifications above
are those that were required for appointment at the time the Classification
Standard was written. Please contact the Division of Staffing Services
for current information on minimum qualification requirements for appointment
or examination.
Attachment
Appendix A
Characteristics
of Institutions Examined by ITEs
|
Requirement
|
ITE1
|
ITE2
|
ITE3
|
ITE4
|
|
Number of
Information Technology Auditors at institution if IT audit has not been
outsourced to a third party consultant/audit firm.
|
1
|
1
|
2-5
|
5+
|
|
Institution
has an IT and/or consultant staff consisting of:
|
1-5
|
6-99
|
100-299
|
Over 300
|
|
IT project
annual budget
|
$250k
|
$750k
|
$10 million
|
$10 million+
|
|
Size of
project management staff/consultant
|
1-7
|
1-7
|
8-10
|
Over 10
|
|
Number of
known operating system software programs needed to support the application
platforms that support the financial institution. (IBM MVS, VSE, or AIX), Sun
Microsystems Solaris, Microsoft Windows, Tandem TACL, etc.)
|
10
|
20
|
30
|
30+
|
|
IT
platform/environment
|
server/desktop
database software
|
Midrange
platform database software architecture and server/desktop database software
|
Midrange/
mainframe
|
Midrange/
Mainframe/
cloud
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Risk
Profiles of Institutions Examined by ITEs
|
|
Low
|
Medium
|
High
|
|
Assets
|
< $ 1
Billion
|
> $ 1 Billion
< $10 Billion
|
> $10
Billion
|
|
IT
Operating Budget
|
< $1
Million
|
> $1
Million < $10 Million
|
> $10
Million
|
|
Operational
Changes
|
None
|
Applications
Upgrade/Installation
|
Multiple
Applications Upgrade/Merger
|
|
Previous
Examination Rating
|
1, 2
|
2, 3
|
3,4,5
|
|
Staff
Turnover
|
Minimal
|
< 10%
|
> 10%
|
|
Notes:
|
|
|
|
|
|
|
The
risk assigned to any institution is fluid. It can change each fiscal year and
is dependent on many factors including:
|
|
|
1) Size of
institution and peer comparison determination which can be decided by any
regulator or related association that is responsible for the financial
institution (e.g., NYSDFS, FDIC, FRB, OCC, SEC, FINRA, NCUA, NAIC, and CSBS).
|
|
|
|
|
|
2)
Previous examination ratings.
|
|
|
|
|
|
3)
Responses to preliminary examination questionnaires.
|
|
|
|
|
|
4)
Asset size.
|
|
|
|
|
|
5)
Changes made by management within the operating environment.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rating
|
Examination Rating Definition
|
|
1
|
Institutions regulated by DFS rated
composite �1� exhibit strong performance in every respect and generally have
components rated �1� or �2.� Weaknesses in IT are minor in nature and are
easily corrected during the normal course of business. Risk management
processes provide a comprehensive program to identify and monitor risk
relative to the size, complexity and risk profile of the entity. Strategic
plans are well defined and fully integrated throughout the organization.
This allows management to quickly adapt to changing market, business and
technology needs of the entity. Management identifies weaknesses promptly
and takes appropriate corrective action to resolve audit and regulatory
concerns. The financial condition of the service provider is strong and
overall performance shows no cause for supervisory concern.
|
|
2
|
Institutions regulated by DFS rated
composite �2� exhibit safe and sound performance but may demonstrate modest
weaknesses in operating performance, monitoring, management processes or
system development. Generally, senior management corrects weaknesses in the
normal course of business. Risk management processes adequately identify and
monitor risk relative to the size, complexity and risk profile of the entity.
Strategic plans are defined but may require clarification, better
coordination or improved communication throughout the organization. As a
result, management anticipates, but responds less quickly to, changes in
market, business, and technological needs of the entity. Management normally
identifies weaknesses and takes appropriate corrective action. However,
greater reliance is placed on audit and regulatory intervention to identify
and resolve concerns. The financial condition of the service provider is
acceptable and while internal control weaknesses may exist, there are no
significant supervisory concerns. As a result, supervisory action is
informal and limited.
|
|
3
|
Institutions regulated by DFS rated
composite �3� exhibit some degree of supervisory concern due to a combination
of weaknesses that may range from moderate to severe. If weaknesses persist,
further deterioration in the condition and performance of the institution or
service provider is likely. Risk management processes may not effectively
identify risks and may not be appropriate for the size, complexity, or risk
profile of the entity. Strategic plans are vaguely defined and may not
provide adequate direction for IT initiatives. As a result, management often
has difficulty responding to changes in business, market, and technological
needs of the entity. Self-assessment practices are weak and are generally
reactive to audit and regulatory exceptions. Repeat concerns may exist,
indicating that management may lack the ability or willingness to resolve
concerns. The financial condition of the service provider may be weak and/or
negative trends may be evident. While financial or operational failure is
unlikely, increased supervision is necessary. Formal or informal supervisory
action may be necessary to secure corrective action.
|
|
4
|
Institutions regulated by DFS rated
composite �4� operate in an unsafe and unsound environment that may impair
the future viability of the entity. Operating weaknesses are indicative of
serious managerial deficiencies. Risk management processes inadequately
identify and monitor risk, and practices are not appropriate given the size,
complexity, and risk profile of the entity. Strategic plans are poorly
defined and not coordinated or communicated throughout the organization. As
a result, management and the board are not committed to, or may be incapable
of, ensuring that technological needs are met. Management does not perform
self-assessments and demonstrates an inability or unwillingness to correct
audit and regulatory concerns. The financial condition of the service
provider is severely impaired and/or deteriorating. Failure of the financial
institution or service provider may be likely unless IT problems are
remedied. Close supervisory attention is necessary and, in most cases,
formal enforcement action is warranted.
|
|
5
|
Institutions regulated by DFS rated
composite �5� exhibit critically deficient operating performance and are in
need of immediate remedial action. Operational problems and serious
weaknesses may exist throughout the organization. Risk management processes
are severely deficient and provide management little or no perception of risk
relative to the size, complexity, and risk profile of the entity. Strategic
plans do not exist or are ineffective, and management and the board provide
little or no direction for IT initiatives. As a result, management is
unaware of, or inattentive to technological needs of the entity. Management
is unwilling or incapable of correcting audit and regulatory concerns. The
financial condition of the service provider is poor and failure is highly
probable due to poor operating performance or financial instability. Ongoing
supervisory attention is necessary.
|