by Sharon Johnson, Mike Vesel, and Tammy Wollersheim
When a bank evaluates and manages information technology (IT), it should not forget to include its trust department. Many institutions overlook their trust department when evaluating and managing IT issues, but a trust department has many of the same IT concerns as other departments of the bank. Problems can arise because the trust department often uses separate systems not utilized elsewhere in the bank, and those systems may be overlooked. Furthermore, the bank may consider the trust department to be responsible for its own evaluation and management, even though it is often staffed with individuals who lack IT expertise. Other concerns can include the following:
- Security controls
- Information security
- Operating controls
- User activity monitoring
- Management oversight
- Backup procedures and business continuity planning
- Risk assessment
- Vendor management
Regular evaluations are key
The IT program of a bank should be and probably already is subject to evaluation or audit. An adequate IT audit should include regular testing of the systems and compliance with the IT program requirements and should be enterprise-wide. System monitoring reports for the trust department, such as user activity, exception, transaction suppression, and account maintenance, should also be generated and subject to regular review. Not performing reviews of user activity can be construed as inadequate oversight of the trust department. Inadequate oversight could place customer funds at risk and also impact a bank's reputation and cause regulatory concerns.
Equally important is a regular evaluation of user IDs on the primary trust accounting system, as well as any subsidiary systems utilized in the accounting and recordkeeping for trust accounts. Evaluations should take into consideration such things as assignment of user IDs, appropriate access and transaction rights based on responsibilities within the department, adequate system security settings, password controls, and appropriate segregation of system administrator capabilities from account transaction capabilities.
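A user-ID review of the kind described above can be scripted against an entitlement export from the trust accounting system. The block below is an added illustration, not code from the article; the record layout, role names, thresholds and sample users are constructed.

```python
# Added example: a simple user-ID entitlement review for a trust accounting
# system. Record layout, role names and sample users are constructed.
from dataclasses import dataclass
from datetime import date

@dataclass
class UserRecord:
    user_id: str
    employee: str            # accountable individual ("" if shared/unassigned)
    roles: frozenset         # e.g. {"sysadmin", "post_transactions", "view"}
    last_login: date
    password_expires_days: int

ADMIN_ROLES = {"sysadmin", "security_admin"}
TRANSACTION_ROLES = {"post_transactions", "approve_disbursements"}

def review_user_ids(records, today, max_dormant_days=90, max_pw_age=90):
    """Return (user_id, finding) tuples a reviewer would want to see."""
    findings = []
    seen_employees = {}
    for r in records:
        # Segregation of duties: admin rights must not sit with transaction rights.
        if r.roles & ADMIN_ROLES and r.roles & TRANSACTION_ROLES:
            findings.append((r.user_id, "admin and transaction rights on one ID"))
        # Every ID must map to exactly one accountable person.
        if not r.employee:
            findings.append((r.user_id, "shared or unassigned user ID"))
        elif r.employee in seen_employees:
            findings.append((r.user_id, f"second ID for {r.employee} (also {seen_employees[r.employee]})"))
        else:
            seen_employees[r.employee] = r.user_id
        # Dormant IDs usually mean incomplete offboarding or role changes.
        if (today - r.last_login).days > max_dormant_days:
            findings.append((r.user_id, "dormant ID"))
        # Password controls must match bank policy.
        if r.password_expires_days > max_pw_age:
            findings.append((r.user_id, "password expiry exceeds policy"))
    return findings

SAMPLE = [  # constructed sample entitlement export
    UserRecord("tadmin", "J. Smith", frozenset({"sysadmin", "post_transactions"}), date(2024, 5, 1), 60),
    UserRecord("trust01", "", frozenset({"post_transactions"}), date(2024, 5, 2), 60),
    UserRecord("msmith", "M. Jones", frozenset({"view"}), date(2023, 11, 1), 365),
    UserRecord("mjones2", "M. Jones", frozenset({"view"}), date(2024, 5, 3), 60),
]
SAMPLE_TODAY = date(2024, 5, 6)

def review_sample():
    return review_user_ids(SAMPLE, SAMPLE_TODAY)

if __name__ == "__main__":
    for uid, msg in review_sample():
        print(f"{uid}: {msg}")
```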
Often service providers are utilized to perform operational functions for the trust department. The Service Organization Report (SAS 70) of each provider should be obtained, control considerations carefully appraised, and the scope of the SAS 70 report evaluated for adequacy. The IT program, the trust department, and the bank's systems should not be overlooked when studying control considerations. Control considerations in the SAS 70 may place IT-related requirements on the trust department and the bank and could create additional risks if not addressed appropriately and in a timely manner.
Include the trust department when establishing the IT program
IT-related concerns and management of the trust department should be part of the IT Committee's focus. The trust department manager should be included in IT Committee discussions, as well as risk assessments, to ensure there is adequate consideration of any trust department IT-related concerns and activities. The systems utilized by the trust department may differ from others within a bank's structure, and failing to understand those systems and include them in the IT review processes could expose a bank to unnecessary risks.
The utilization of electronic file storage systems has increased in recent years and is of particular interest to trust departments as an answer to physical storage constraints. An adequate IT program should assist the trust department not only in establishing the filing system on the bank's network and training personnel on appropriate use but also in establishing appropriate access rights to ensure trust customer information is adequately safeguarded and retention policies are consistent with bank policies, applicable state statutes, and federal regulations.
Not to be forgotten is electronic banking, which may include the trust department. Correspondence with trust customers may often occur through e-mail, and many trust accounting systems now allow customers electronic access to statements and account activity summaries. Are e-mail procedures in the trust department consistent with the bank's IT program for confidentiality and safeguarding of customer information? Have controls over accessing account statements electronically and procedures for establishing system user IDs and passwords for customers been evaluated? The company that provides the accounting system may dictate these controls and procedures, but these should be evaluated to ensure they are appropriate and consistent with the bank's IT program requirements.
When developing the IT risk assessment, information security program, policies, procedures, controls, vendor management program, IT audit plan, and business continuity plans, a bank should make sure to include its trust department. Incorporating the trust department into these processes will ensure comprehensive IT management is present in the entire enterprise, thereby meeting overall regulatory and business expectations.