IT Examiner School - Oct 2025

Internal Use Only

FDIC AEPs - Five (5) Examination Procedures

1. Assessment of IT risk management practices and actions taken as a result of the risk assessment.

2. Assessment of information security and cybersecurity risk management programs.

3. Assessment of IT audit or independent review program, including independent assessment of bank cybersecurity preparedness.

4. Assessment of resilience and preparedness for responding to and recovering from an unexpected event, both business continuity management and incident response.

5. Assessment of effectiveness of vendor management and service provider oversight programs.


FDIC AEPs – Workpaper Documentation

Procedure 1 - Management Core Module Procedures 1, 2, 11, and 12.

Procedure 2 - Support and Delivery Core Module Procedure 17; Management Core Module Procedures 7, 8, 10, and 11; and Development and Acquisition Procedure 7 (End-of-Life Only).

Procedure 3 - Audit Core Module Procedures 1, 2, 5, 6, and 10; and Development and Acquisition Procedure 7.

Procedure 4 - Support and Delivery Core Module Procedures 4-9 and 13.

Procedure 5 - Development and Acquisition Core Module Procedures 2-5.
