TENTATIVE
Occ. Code 0332200
INFORMATION TECHNOLOGY EXAMINER 1 (FINANCIAL SERVICES), GRADE 23 | 0332200
INFORMATION TECHNOLOGY EXAMINER 2 (FINANCIAL SERVICES), GRADE 27 | 0332300
INFORMATION TECHNOLOGY EXAMINER 3 (FINANCIAL SERVICES), GRADE 29 | 0332400
INFORMATION TECHNOLOGY EXAMINER 4 (FINANCIAL SERVICES), GRADE 31 | 0332500
New York State Department of Civil Service
Classification Standard
BRIEF DESCRIPTION OF CLASS SERIES
Information Technology Examiners (ITEs) perform comprehensive evaluations and operational risk reviews of the Information Technology (IT) environment (i.e., systems management, electronic financial transactions, internet security, and PC banking) at the institutions regulated by the Department of Financial Services (DFS). These positions review the IT activities as part of a regularly scheduled safety and soundness examination or perform independently targeted IT examinations.
Information Technology Examiners (Financial Services) are classified at the Department of Financial Services (DFS) only.
DISTINGUISHING CHARACTERISTICS
INFORMATION TECHNOLOGY EXAMINER 1 (FINANCIAL SERVICES): full performance level; conducts examinations of low- to medium-risk institutions and companies; may supervise lower level examiners during examinations.
INFORMATION TECHNOLOGY EXAMINER 2 (FINANCIAL SERVICES): first supervisory level; conducts examinations of medium-risk institutions and companies; and assists higher level IT examiners in the examination of large complex financial institutions and companies.
INFORMATION TECHNOLOGY EXAMINER 3 (FINANCIAL SERVICES): second supervisory level; performs examinations of high-risk institutions and companies and those having domestic and international presence.
INFORMATION TECHNOLOGY EXAMINER 4 (FINANCIAL SERVICES): third supervisory level; performs examinations of high-risk institutions and companies such as data centers or service bureaus, which service multiple financial institutions and/or companies and those having a significant domestic (over 200 branch or agent offices) and international presence.
For additional information on the characteristics and risk profiles of the institutions examined by the various Information Technology Examiners (DFS), see Appendix A.
RELATED CLASSES
Bank Examiners conduct in-depth examinations of financial institutions and other institutions regulated by DFS. They perform either on-site examination of institutions' financial condition, operating procedures and management controls or, when assigned to one of the Department's office divisions, review and analyze examination reports and financial reports submitted by institutions. They ensure that the institutions regulated by DFS conduct their businesses safely and soundly and that their policies and operations comply with applicable laws, rules and regulations.
Insurance Examiners audit the financial condition and treatment of policyholders of insurers licensed to do business in New York State (NYS) and investigate complaints from policyholders and consumers against licensees to determine compliance with NYS Insurance Law, Rules and Regulations, and perform other regulatory duties to assist DFS in carrying out its regulatory responsibilities.
ILLUSTRATIVE DUTIES
· Reviews IT policies and procedures relative to IT's impact upon financial institution or insurance company operations.
· Determines adequacy of records, systems, and controls governing IT operations.
· Assesses the systems supporting back office operations (i.e., systems for trading and investment activities and other financial and insurer functions), and the automated systems providing the middle office and front office with the position, limit and other reports necessary to manage risk.
· Participates with representatives of federal regulatory agencies in performing joint or concurrent IT examinations.
· Researches new electronic products and services, and performs pre- and post-implementation reviews of such products/services.
· Writes the IT portion of the overall examination report.
· Discusses IT examination findings with the Examiner-In-Charge, Team Leader and/or Deputy Superintendent, and participates in meetings with other department staff and institutional staff.
· Conducts and participates in training department staff on examination issues.
· Supervises staff assigned to examinations by developing the examination plan; organizing and coordinating activities during the examination; assigning work; monitoring staff progress in accomplishing assignments; providing guidance and assistance to staff; and evaluating staff and reviewing examination results.
MINIMUM QUALIFICATIONS
INFORMATION TECHNOLOGY EXAMINER 1 (FINANCIAL SERVICES)
Open Competitive: Bachelor's degree and three years of experience in developing, analyzing, managing or auditing operations of IT systems at a bank, other financial institution, bank regulatory agency, or insurance company. A bachelor's degree in computer science may substitute for one year of the experience.
INFORMATION TECHNOLOGY EXAMINER 2 (FINANCIAL SERVICES)
Promotion: One year of service as an Information Technology Examiner 1 (DFS).
Open Competitive: Bachelor's degree and five years of the experience required for Information Technology Examiner 1 (DFS).
INFORMATION TECHNOLOGY EXAMINER 3 (FINANCIAL SERVICES)
Promotion: One year of service as an Information Technology Examiner 2 (DFS).
Open Competitive: Bachelor's degree and seven years of the experience required for Information Technology Examiner 1 (DFS). One year of the experience must have been supervisory. The bachelor's degree in computer science substitution applies only to the non-supervisory experience.
INFORMATION TECHNOLOGY EXAMINER 4 (FINANCIAL SERVICES)
Promotion: One year of service as an Information Technology Examiner 3 (DFS).
Open Competitive: Bachelor's degree and nine years of the experience required for Information Technology Examiner 1 (DFS). Two years of the experience must have been supervisory. The bachelor's degree in computer science substitution applies to the non-supervisory experience. A current valid Certified Information Systems Auditor designation may substitute for one additional year of the non-supervisory experience.
Date: 4/13
NOTE: Classification Standards illustrate the nature, extent and scope of duties and responsibilities of the classes they describe. Standards cannot and do not include all of the work that might be appropriately performed by a class. The minimum qualifications above are those that were required for appointment at the time the Classification Standard was written. Please contact the Division of Staffing Services for current information on minimum qualification requirements for appointment or examination.
Attachment
Appendix A
Characteristics of Institutions Examined by ITEs
Requirement | ITE1 | ITE2 | ITE3 | ITE4
Number of Information Technology Auditors at institution if IT audit has not been outsourced to a third party consultant/audit firm | 1 | 1 | 2-5 | 5+
Institution has an IT and/or consultant staff consisting of: | 1-5 | 6-99 | 100-299 | Over 300
IT project annual budget | $250k | $750k | $10 million | $10 million+
Size of project management staff/consultant | 1-7 | 1-7 | 8-10 | Over 10
Number of known operating system software programs needed to support the application platforms that support the financial institution (IBM MVS, VSE, or AIX; Sun Microsystems Solaris; Microsoft Windows; Tandem TACL; etc.) | 10 | 20 | 30 | 30+
IT platform/environment | Server/desktop database software | Midrange platform database software architecture and server/desktop database software | Midrange/mainframe | Midrange/mainframe/cloud
Risk Profiles of Institutions Examined by ITEs
| Low | Medium | High
Assets | < $1 Billion | > $1 Billion < $10 Billion | > $10 Billion
IT Operating Budget | < $1 Million | > $1 Million < $10 Million | > $10 Million
Operational Changes | None | Applications Upgrade/Installation | Multiple Applications Upgrade/Merger
Previous Examination Rating | 1, 2 | 2, 3 | 3, 4, 5
Staff Turnover | Minimal | < 10% | > 10%
Notes:
The risk assigned to any institution is fluid. It can change each fiscal year and is dependent on many factors including:
1) Size of institution and peer comparison determination which can be decided by any regulator or related association that is responsible for the financial institution (e.g., NYSDFS, FDIC, FRB, OCC, SEC, FINRA, NCUA, NAIC, and CSBS).
2) Previous examination ratings.
3) Responses to preliminary examination questionnaires.
4) Asset size.
5) Changes made by management within the operating environment.
Rating | Examination Rating Definition
1 | Institutions regulated by DFS rated composite 1 exhibit strong performance in every respect and generally have components rated 1 or 2. Weaknesses in IT are minor in nature and are easily corrected during the normal course of business. Risk management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity and risk profile of the entity. Strategic plans are well defined and fully integrated throughout the organization. This allows management to quickly adapt to changing market, business and technology needs of the entity. Management identifies weaknesses promptly and takes appropriate corrective action to resolve audit and regulatory concerns. The financial condition of the service provider is strong and overall performance shows no cause for supervisory concern.
2 | Institutions regulated by DFS rated composite 2 exhibit safe and sound performance but may demonstrate modest weaknesses in operating performance, monitoring, management processes or system development. Generally, senior management corrects weaknesses in the normal course of business. Risk management processes adequately identify and monitor risk relative to the size, complexity and risk profile of the entity. Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization. As a result, management anticipates, but responds less quickly to, changes in market, business, and technological needs of the entity. Management normally identifies weaknesses and takes appropriate corrective action. However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns. The financial condition of the service provider is acceptable and while internal control weaknesses may exist, there are no significant supervisory concerns. As a result, supervisory action is informal and limited.
3 | Institutions regulated by DFS rated composite 3 exhibit some degree of supervisory concern due to a combination of weaknesses that may range from moderate to severe. If weaknesses persist, further deterioration in the condition and performance of the institution or service provider is likely. Risk management processes may not effectively identify risks and may not be appropriate for the size, complexity, or risk profile of the entity. Strategic plans are vaguely defined and may not provide adequate direction for IT initiatives. As a result, management often has difficulty responding to changes in business, market, and technological needs of the entity. Self-assessment practices are weak and are generally reactive to audit and regulatory exceptions. Repeat concerns may exist, indicating that management may lack the ability or willingness to resolve concerns. The financial condition of the service provider may be weak and/or negative trends may be evident. While financial or operational failure is unlikely, increased supervision is necessary. Formal or informal supervisory action may be necessary to secure corrective action.
4 | Institutions regulated by DFS rated composite 4 operate in an unsafe and unsound environment that may impair the future viability of the entity. Operating weaknesses are indicative of serious managerial deficiencies. Risk management processes inadequately identify and monitor risk, and practices are not appropriate given the size, complexity, and risk profile of the entity. Strategic plans are poorly defined and not coordinated or communicated throughout the organization. As a result, management and the board are not committed to, or may be incapable of, ensuring that technological needs are met. Management does not perform self-assessments and demonstrates an inability or unwillingness to correct audit and regulatory concerns. The financial condition of the service provider is severely impaired and/or deteriorating. Failure of the financial institution or service provider may be likely unless IT problems are remedied. Close supervisory attention is necessary and, in most cases, formal enforcement action is warranted.
5 | Institutions regulated by DFS rated composite 5 exhibit critically deficient operating performance and are in need of immediate remedial action. Operational problems and serious weaknesses may exist throughout the organization. Risk management processes are severely deficient and provide management little or no perception of risk relative to the size, complexity, and risk profile of the entity. Strategic plans do not exist or are ineffective, and management and the board provide little or no direction for IT initiatives. As a result, management is unaware of, or inattentive to technological needs of the entity. Management is unwilling or incapable of correcting audit and regulatory concerns. The financial condition of the service provider is poor and failure is highly probable due to poor operating performance or financial instability. Ongoing supervisory attention is necessary.