FFIEC IT Examination Handbook: A Practitioner's Walkthrough of What Examiners Actually Test
TL;DR
- The FFIEC IT Handbook has 11 booklets; examiners select based on your institution’s business model, complexity, and prior findings
- The FFIEC sunsetted the Cybersecurity Assessment Tool (CAT) on August 31, 2025 — NIST CSF 2.0 is now the expected reference framework for cybersecurity risk management
- The 2024 DA&M booklet update elevated maintenance and change control to first-class governance requirements — not just development and acquisition
- Information Security, Management, and AIO are the highest-frequency examination areas; Outsourcing Technology Services is critical if you rely on third-party core processors or cloud vendors
Your IT examination notice arrives with a 40-page pre-exam questionnaire. The questions span 11 booklets, reference frameworks you may not have heard of, and ask for documentation that may not exist in the format being requested. The temptation is to answer question by question and assume examiners are checking a list.
They’re not checking a list. They’re building a picture of your institution’s technology risk management maturity — and every gap you expose in the questionnaire becomes a starting point for a deeper conversation. Understanding what examiners are actually looking for in each booklet turns a reactive documentation exercise into preparation you can reuse.
The 11 Booklets: What Each One Covers
The FFIEC IT Examination Handbook is available at ithandbook.ffiec.gov. All 11 booklets are publicly available. Examiners don’t examine everything at every institution — they scope based on your charter type, business model, and prior exam findings.
| Booklet | Primary Focus | Who Gets Examined |
|---|---|---|
| Management | IT governance, risk management culture, IT strategic planning | All institutions |
| Information Security | Security program, access controls, security operations, incident response | All institutions |
| Architecture, Infrastructure, and Operations (AIO) | Hardware/software inventory, patch management, network architecture, operations | All institutions |
| Business Continuity Management | BCP/DR, resilience testing, recovery objectives | All institutions |
| Development, Acquisition, and Maintenance (DA&M) | SDLC, vendor acquisition governance, change control | Institutions with in-house development or significant customization |
| Outsourcing Technology Services | Vendor due diligence, TSP contract requirements, ongoing monitoring | Institutions relying on third-party processors |
| Audit | IT audit program, coverage, independence, findings management | All institutions |
| Retail Payment Systems | ACH, debit, card program controls, fraud risk | Payment originators and processors |
| Wholesale Payment Systems | Wire transfer, large-value payment risk management | Institutions with significant wire volume |
| E-Banking | Online banking, mobile, authentication risk | Institutions with consumer-facing digital channels |
| Supervision of TSPs | Used by examiners assessing technology service providers directly | TSPs under supervision |
The Management Booklet: IT Governance Is the Foundation
Examiners almost always start with Management. This booklet covers how IT risk is governed, overseen, and reported to the board, and it is the foundation on which the other booklets' expectations rest.
What examiners look for here:
IT Strategic Plan: Does the institution have a multi-year IT strategic plan that the board has approved? Does it connect IT investments to business objectives and risk capacity? Examiners aren’t looking for a flawless technology roadmap — they’re looking for evidence that leadership treats IT as a strategic function, not an afterthought.
IT Risk Management Integration: Is IT risk included in the enterprise risk management framework? Does the CIO or CISO report risk metrics to the board or risk committee? If your ERM process operates in parallel to your IT risk process without any integration, that’s a finding.
Resource Management: Is the IT budget appropriate for the institution’s risk profile? Examiners don’t expect every community bank to have a 50-person security team — but they do expect evidence that resource constraints are actively managed as a risk, not ignored.
Change Management: Does the institution have a formal change management process? Every infrastructure change, software deployment, and configuration update should go through a documented approval workflow. Undocumented changes are a consistent examination finding.
Information Security: The Highest-Frequency Finding Area
The Information Security booklet contains the most detailed examination procedures in the handbook and generates the most matters requiring attention (MRAs). Last revised in September 2016 (a further revision is due, but the 2016 booklet remains the exam basis), it covers:
Security Program Structure
Examiners expect a written information security program that has been approved by the board, reviewed at least annually, and updated when the risk environment changes materially. The program must address:
- Risk identification and assessment
- Safeguards and controls (technical, administrative, physical)
- Third-party service provider oversight
- Monitoring and testing
- Incident response procedures
A common finding: the security policy exists and was approved once, but there’s no evidence of annual board review or update. Another: the policy references outdated standards (e.g., the sunsetted FFIEC CAT rather than NIST CSF 2.0).
Access Controls
Access control failures are among the top three most common IT exam findings at institutions of every size. Examiners look for:
- Terminated user access: Are accounts disabled within 24 hours of employee termination? Manual processes that rely on HR-to-IT notification chains fail routinely, typically because terminations happen on a Friday afternoon and IT does not process the request until Monday.
- Privileged access reviews: Are admin and privileged accounts reviewed quarterly? Is there a formal process, or does someone periodically check the list when they remember?
- Least privilege enforcement: Are users given only the access required for their job function? In financial institutions, this is frequently violated in core banking systems where “easier to give broad access” becomes the default.
- Multi-factor authentication: Is MFA required for remote access and privileged accounts? Since the FFIEC’s August 2021 guidance on authentication and access to financial institution services and systems, MFA gaps for remote access and privileged accounts are routinely cited as findings.
Security Operations and Monitoring
Examiners assess whether the institution has active monitoring — not just controls that were configured and forgotten. Key evidence items:
- Log management: Are security logs collected, retained, and reviewed? What is the retention period?
- Alerting: Are there defined thresholds that trigger human review?
- Vulnerability management: Are vulnerability scans run regularly, and are findings remediated on a defined schedule?
- Penetration testing: Is external penetration testing conducted at least annually by an independent party?
Architecture, Infrastructure, and Operations (AIO): The Operational Layer
The AIO booklet (renamed from “Operations” to reflect the expanded scope) covers the technical execution layer — the actual systems and infrastructure that the Information Security policy is supposed to protect.
Patch Management
Patch management failures are the single most common AIO finding. Examiners want evidence of:
- A written patch management policy with defined severity-based remediation timelines (e.g., critical vulnerabilities patched within 30 days, high within 60 days)
- An active inventory of systems, including end-of-life tracking
- Documented evidence that patches were applied — not just a policy saying they should be
End-of-life systems — hardware or software that no longer receives security updates — are a specific red flag. Running Windows Server 2012 or an unsupported core banking version without compensating controls and a documented migration timeline is an MRA-level finding at most institutions.
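Examiners want the three things listed above as evidence, not as policy statements: the written severity timelines, the inventory with end-of-life dates, and proof that each finding was actually closed inside its window. The script below is an added example (not from the handbook or this article) that produces that evidence from a vulnerability scan export and an asset inventory. The 30/60/90-day timelines, the scanner finding IDs, the host names and the dates are all constructed for illustration; an institution substitutes its own policy numbers and its real scanner and CMDB exports.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Severity-based remediation timelines in days. Illustrative values that
# mirror the "critical within 30, high within 60" example in the text; the
# institution's own written patch policy is the source of truth.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str               # scanner finding id (constructed here)
    severity: str
    first_seen: date          # date the scanner first reported it
    remediated: date | None = None  # date the scanner stopped seeing it


@dataclass(frozen=True)
class Asset:
    host: str
    os: str
    eol: date | None               # vendor end-of-support date, None if supported
    migration_plan: str | None     # change/project ticket, None if undocumented


def days_open(f: Finding, as_of: date) -> int:
    """Age of a finding: until remediation, or until the report date if still open."""
    return ((f.remediated or as_of) - f.first_seen).days


def evaluate_sla(findings: list[Finding], as_of: date, sla=SLA_DAYS):
    """Split findings into (still open and past SLA, closed but later than SLA).

    Each entry is (finding, days_over_sla). Closed-late findings matter because
    examiners test historical compliance, not just today's open list.
    """
    overdue_open, closed_late = [], []
    for f in findings:
        limit = sla.get(f.severity.lower())
        if limit is None:
            continue  # low/informational: no timeline in this policy
        over = days_open(f, as_of) - limit
        if over <= 0:
            continue
        (overdue_open if f.remediated is None else closed_late).append((f, over))
    return overdue_open, closed_late


def eol_exposure(inventory: list[Asset], findings: list[Finding], as_of: date):
    """Unsupported systems, with open findings and migration-plan status.

    An EOL host with open findings and no documented migration plan is the
    case the text calls out as an MRA-level finding.
    """
    open_by_host: dict[str, int] = {}
    for f in findings:
        if f.remediated is None:
            open_by_host[f.host] = open_by_host.get(f.host, 0) + 1
    report = []
    for a in inventory:
        if a.eol is None or a.eol > as_of:
            continue
        report.append({
            "host": a.host,
            "os": a.os,
            "days_past_eol": (as_of - a.eol).days,
            "open_findings": open_by_host.get(a.host, 0),
            "migration_plan": a.migration_plan,
        })
    return report


# Constructed sample data standing in for a scanner export and a CMDB extract.
AS_OF = date(2025, 10, 15)
FINDINGS = [
    Finding("core-db-01", "SCAN-1042", "critical", date(2025, 9, 1)),
    Finding("web-dmz-02", "SCAN-1043", "high", date(2025, 9, 20)),
    Finding("teller-ws-17", "SCAN-1044", "critical", date(2025, 8, 1), date(2025, 9, 10)),
    Finding("teller-ws-17", "SCAN-1045", "medium", date(2025, 7, 1)),
    Finding("legacy-fs-01", "SCAN-1046", "high", date(2025, 8, 20)),
    Finding("core-db-01", "SCAN-1047", "low", date(2025, 6, 1)),
]
INVENTORY = [
    Asset("core-db-01", "RHEL 9", None, None),
    # Windows Server 2012 R2 left extended support on 2023-10-10.
    Asset("legacy-fs-01", "Windows Server 2012 R2", date(2023, 10, 10), None),
    Asset("legacy-app-02", "Windows Server 2012 R2", date(2023, 10, 10), "CHG-2210"),
    Asset("teller-ws-17", "Windows 11", None, None),
]

if __name__ == "__main__":
    overdue, late = evaluate_sla(FINDINGS, AS_OF)
    for f, over in overdue:
        print(f"OPEN PAST SLA  {f.host:14} {f.plugin} {f.severity:8} {over:3d} days over")
    for f, over in late:
        print(f"CLOSED LATE    {f.host:14} {f.plugin} {f.severity:8} {over:3d} days over")
    for row in eol_exposure(INVENTORY, FINDINGS, AS_OF):
        print(f"EOL            {row['host']:14} {row['os']} {row['days_past_eol']}d past EOL, "
              f"{row['open_findings']} open, plan={row['migration_plan']}")
```

Run monthly and keep the output with the scan reports: the closed-late list is the part institutions usually cannot produce on request, and the EOL report with an empty migration_plan column is what the examiner will ask about first.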
Network Architecture
Examiners review network segmentation, firewall configuration documentation, and the logical separation between production, testing, and administrative networks. The standard question: can a compromised workstation on the user network reach production systems directly? If the answer is yes without compensating controls, that’s a finding.
Business Continuity Management Interface
The AIO booklet and the Business Continuity Management booklet overlap on disaster recovery. Examiners look for documented RTOs and RPOs for critical systems, evidence that recovery procedures have been tested, and consistency between the BIA and the actual recovery capabilities of the IT environment. A bank with a four-hour RTO for core banking that has never tested failover is a common finding.
The 2024 DA&M Booklet: Why Maintenance Matters Now
The Development, Acquisition, and Maintenance booklet released in August 2024 replaced a 20-year-old document. The core update: maintenance is now explicitly a governance function, not just a technical one.
What changed in practice:
Change Control Governance: The booklet explicitly requires that change management processes apply to all modifications, including patches, configuration changes, and system updates, not just major development projects. Institutions that treated patch management as purely operational rather than as part of formal change control now need to integrate it.
Acquisition Due Diligence: Vendor acquisition decisions must be documented with risk assessment evidence. The booklet sets an expectation that acquiring a new IT vendor or software product goes through the same risk management rigor as a material third-party relationship — not just a procurement decision.
Software Development Lifecycle (SDLC): For institutions that build or significantly customize software, the booklet requires security to be embedded throughout the SDLC — requirements, design, testing, deployment, and maintenance phases. Security testing at the end of development is insufficient.
Outsourcing Technology Services: Most Institutions Miss This
The single most consistently under-prepared area in community bank IT exams is vendor oversight under the Outsourcing Technology Services booklet. Most community banks rely on third-party core processors, cloud-based applications, and IT service providers — which means most of their IT risk is concentrated in their vendor relationships.
What examiners look for:
Vendor Inventory: Is there a complete inventory of IT service providers, including subcontractors? Examiners ask specifically about fourth-party exposure — do you know which subcontractors your core processor uses?
Risk Tiering: Are vendors classified by criticality? The exam expects at least two tiers — critical vendors that could materially impact operations if they failed, and non-critical vendors — with different due diligence standards for each.
Contract Requirements: Do contracts with critical vendors include: SLA requirements with financial remedies, data security and breach notification obligations, audit rights, business continuity requirements, and exit provisions? Missing audit rights or breach notification clauses in vendor contracts are consistent exam findings.
Ongoing Monitoring: Annual due diligence isn’t just a checklist — examiners look for evidence that monitoring is continuous. Did you review the SOC 2 report? Did you follow up on exceptions? Did you track vendor performance against SLAs?
For a structured approach to vendor due diligence documentation, see Vendor Due Diligence Techniques: What to Verify When the Questionnaire Comes Back and our Vendor Risk Questionnaire Template.
The CAT Is Gone: What to Use Instead
The FFIEC Cybersecurity Assessment Tool was the dominant self-assessment framework for financial institutions from 2015 through its sunset on August 31, 2025. Its removal created a vacuum — no direct replacement was issued.
The FFIEC’s sunset announcement pointed institutions to existing frameworks rather than a replacement tool: the NIST Cybersecurity Framework (CSF) 2.0, the CISA Cybersecurity Performance Goals, the Cyber Risk Institute’s Cyber Profile, and the CIS Critical Security Controls, alongside each member agency’s own guidance. For financial institutions, the relevant additions include OCC guidance on technology risk and FDIC cybersecurity resources.
In practice, examiners are currently assessing cybersecurity posture through the Information Security booklet examination procedures, looking at program elements rather than maturity tier scores. Institutions that want a structured self-assessment framework should use NIST CSF 2.0 as the primary reference. The framework’s six functions (Govern, Identify, Protect, Detect, Respond, Recover) map reasonably well to the FFIEC Information Security booklet’s structure, with Govern covering the board-approval and program-ownership expectations that the Management booklet also tests.
Preparing for the IT Exam: Where to Start
The institutions that handle IT examinations smoothly share one characteristic: they treat the handbook as a gap assessment tool, not a test-time reference document.
A practical pre-exam preparation approach:
- Map your documentation to each relevant booklet: For each booklet in scope, list the key policies, procedures, and evidence items the examination procedures require. Identify what you have, what’s outdated, and what’s missing.
- Pull your prior exam findings: Every open or recently closed IT-related finding should have a documented corrective action status. Examiners ask about prior findings in the first meeting.
- Test your access control lists now: Before the exam, run a terminated user account review and a privileged access review. Find the exceptions before the examiner does.
- Verify vendor documentation is current: Collect current SOC 2 reports for all critical vendors. Review contract terms for the audit rights and breach notification clauses. Document what you’ve reviewed.
- Confirm BCP/DR test documentation is recent: If your last IT disaster recovery test was more than 12 months ago, schedule one. An untested BCP is a finding.
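The terminated-user and privileged-access reviews called for in the access controls section and again in the pre-exam checklist above are the same exercise: join the HR roster to a directory export and list the exceptions. The following is an added example written for this article (it is not from the handbook, and the group names, the 24-hour and 90-day thresholds, and all roster and account data are constructed assumptions). It deliberately includes the Friday-afternoon termination the text describes, an account that was disabled but three days late, and a privileged service account with no HR owner.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy parameters: disable within 24 hours of termination; treat a
# privileged account with no logon in 90 days as stale. Group names are
# invented for the example.
DISABLE_GRACE = timedelta(hours=24)
STALE_AFTER = timedelta(days=90)
PRIVILEGED_GROUPS = {"Domain Admins", "Core-Banking-Admins", "Server-Operators"}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    terminated: datetime | None      # None while employed (from the HR roster)


@dataclass(frozen=True)
class Account:
    sam: str
    emp_id: str | None               # None for service or shared accounts
    enabled: bool
    disabled_at: datetime | None     # from the directory's change log, if recorded
    last_logon: datetime | None
    groups: frozenset[str]


def termination_exceptions(hr, accounts, as_of):
    """Accounts that stayed enabled beyond DISABLE_GRACE after termination.

    Returns (late, unevidenced): late entries are (sam, hours_open, still_enabled);
    unevidenced lists disabled accounts with no disable timestamp, which cannot
    prove the 24-hour standard was met.
    """
    term_by_id = {e.emp_id: e.terminated for e in hr if e.terminated}
    late, unevidenced = [], []
    for a in accounts:
        t = term_by_id.get(a.emp_id)
        if t is None:
            continue  # owner still employed, or no HR owner
        if a.enabled:
            cutoff = as_of                      # still open at report time
        elif a.disabled_at is not None:
            cutoff = a.disabled_at
        else:
            unevidenced.append(a.sam)
            continue
        if cutoff - t > DISABLE_GRACE:
            hours = round((cutoff - t).total_seconds() / 3600)
            late.append((a.sam, hours, a.enabled))
    return late, unevidenced


def privileged_review(accounts, approved, as_of):
    """Enabled members of privileged groups with a review exception.

    `approved` is the business-approved privileged-user register. Returns
    (sam, privileged_groups, reasons) for every account that needs a decision.
    """
    issues = []
    for a in accounts:
        priv = a.groups & PRIVILEGED_GROUPS
        if not priv or not a.enabled:
            continue
        reasons = []
        if a.sam not in approved:
            reasons.append("not on approved privileged-user register")
        if a.emp_id is None:
            reasons.append("no HR owner (service or shared account)")
        if a.last_logon is None or as_of - a.last_logon > STALE_AFTER:
            reasons.append("no logon in 90 days")
        if reasons:
            issues.append((a.sam, sorted(priv), reasons))
    return issues


# Constructed sample data: 2025-10-10 is a Friday, 2025-10-13 the following Monday.
AS_OF = datetime(2025, 10, 13, 9, 0)
HR = [
    Employee("E100", "Alice", None),
    Employee("E101", "Bob", datetime(2025, 10, 10, 17, 0)),   # Friday 5 pm
    Employee("E102", "Carol", datetime(2025, 9, 1, 12, 0)),
    Employee("E103", "Dan", datetime(2025, 9, 15, 10, 0)),
]
ACCOUNTS = [
    Account("alice", "E100", True, None, datetime(2025, 10, 10), frozenset({"Domain Admins"})),
    Account("bob", "E101", True, None, datetime(2025, 10, 10), frozenset({"Core-Banking-Admins"})),
    Account("carol", "E102", False, datetime(2025, 9, 1, 15, 0), datetime(2025, 8, 29), frozenset()),
    Account("dan", "E103", False, datetime(2025, 9, 18, 10, 0), datetime(2025, 9, 12), frozenset()),
    Account("svc-backup", None, True, None, datetime(2025, 5, 1), frozenset({"Server-Operators"})),
    Account("ex-contractor", None, True, None, None, frozenset({"Core-Banking-Admins"})),
]
APPROVED_PRIVILEGED = {"alice", "svc-backup"}

if __name__ == "__main__":
    late, unevidenced = termination_exceptions(HR, ACCOUNTS, AS_OF)
    for sam, hours, enabled in late:
        print(f"TERMINATION  {sam:14} enabled {hours}h after termination{' (still enabled)' if enabled else ''}")
    for sam in unevidenced:
        print(f"NO EVIDENCE  {sam:14} disabled, but no disable timestamp recorded")
    for sam, groups, reasons in privileged_review(ACCOUNTS, APPROVED_PRIVILEGED, AS_OF):
        print(f"PRIVILEGED   {sam:14} {', '.join(groups)}: {'; '.join(reasons)}")
```

Bob's account shows the pattern the text warns about: terminated Friday at 5 pm, still enabled Monday morning, and holding a core banking admin group nobody approved. Keep the dated output as the quarterly review record, and resolve every "no HR owner" line by either registering the account as an approved service account or removing its group membership.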
For policy infrastructure, the Information Security Policy Template and Cybersecurity Policy Template provide the structural framework examiners expect to see documented.
So What?
The FFIEC IT Handbook isn’t a gotcha framework — it’s a roadmap of what sound technology risk management looks like for a federally supervised institution. Examiners use it to evaluate whether your IT environment could withstand operational stress, a cyberattack, a vendor failure, or a regulatory change without harming customers or the financial system.
The institutions that consistently get clean IT exams don’t just comply — they operationalize the booklet requirements as standard management practice. Patch management isn’t a pre-exam scramble. Vendor reviews aren’t done when the examiner asks. Access control reports are already sitting in the audit committee’s quarterly package.
That’s the gap between a bank that generates IT findings and one that doesn’t.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.