Your financial services organization will be examined. The SEC, FINRA, OCC, or other regulators will send examiners to assess your controls, your processes, and your compliance with rules. These examinations are not theoretical. Findings can result in fines, consent orders, and operational restrictions. As the chief information officer, you will be in the examination room. You need to understand what the examiners actually care about.
The Examination Reality
Financial services examiners are not interested in your technology stack. They do not care whether you use Java or Python. They do not care whether you are on AWS or Google Cloud. What they care about is control. They care about whether you have documented processes. They care about whether you follow those processes. They care about whether you can demonstrate that you follow them.
Examiners do not examine your technology. They examine your discipline.
The examination process is systematic. Examiners request documents. They observe processes. They interview personnel. They attempt to find evidence of process failures or control gaps. They assess how you responded to findings from prior examinations. The examination concludes with a report detailing findings and recommendations. Your response to findings goes into a regulatory file.
Change Management Control
Change management is consistently a focus area in examinations. Examiners want to understand how you prevent unauthorized changes from reaching production.
- Change Documentation: You must maintain written change requests for every production change. Who requested the change? What does it do? When is it scheduled? Who approved it? This documentation must be completed before the change, not after. Email trails do not count; you need formal documentation.
- Approval Chain: Changes must be approved by someone independent of the person making the change. If a developer makes a change, a manager must approve it. If a system administrator makes a change, a different team member must approve it. Approval must be documented.
- Test Verification: Critical changes must be tested before production deployment. Testing must be documented: what was tested, what were the results? You cannot verbally claim you tested something. You must have records.
- Rollback Planning: For significant changes, you must have a rollback plan. If something goes wrong, how do you revert? This plan must be documented and tested.
- Change Log Inspection: Examiners will inspect your system change logs. They will look for changes that were not in your change documentation. If they find evidence that you deployed changes without following your process, this is a finding.
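The change-log inspection described above can be automated as a standing control check. The following is an added example, not code from the original article: it reconciles a constructed production deployment log against constructed change records and flags each gap this section says examiners look for (a change with no change reference, a reference that matches no record, self-approval, approval recorded after the deployment, deployment outside the approved window, and missing test evidence). The log field names and the record layout are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data (not from any real system): a production deployment log
# and the change records it must reconcile against. Field names are assumptions.
DEPLOY_LOG = """\
2026-03-02T01:05:00Z host=app-01 user=jdoe action=deploy artifact=ledger-4.2.0 change=CHG-1041
2026-03-02T01:40:00Z host=app-02 user=asmith action=deploy artifact=ledger-4.2.1 change=CHG-1042
2026-03-03T13:10:00Z host=db-01 user=rlee action=schema_change artifact=migrate-0093
2026-03-04T09:00:00Z host=app-01 user=jdoe action=deploy artifact=ledger-4.3.0 change=CHG-1043
2026-03-05T02:00:00Z host=app-03 user=mchan action=deploy artifact=ledger-4.3.1 change=CHG-9999
"""
CHANGE_RECORDS = {  # id: (requester, approver, approved_at, window_start, window_end, tested)
    "CHG-1041": ("jdoe", "pmanager", "2026-03-01T16:00:00Z", "2026-03-02T00:00:00Z", "2026-03-02T03:00:00Z", True),
    "CHG-1042": ("asmith", "asmith", "2026-03-01T17:00:00Z", "2026-03-02T00:00:00Z", "2026-03-02T03:00:00Z", True),
    "CHG-1043": ("jdoe", "pmanager", "2026-03-04T11:00:00Z", "2026-03-04T08:00:00Z", "2026-03-04T10:00:00Z", False),
}
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts carrying a UTC timestamp."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = parse_ts(ts)
        events.append(ev)
    return events

def reconcile(log_text, records):
    """Return (artifact, finding) pairs; each is a gap an examiner would write up."""
    findings = []
    for ev in parse_log(log_text):
        ref = ev.get("change")
        if ref is None:  # a change reached production with no change request reference
            findings.append((ev["artifact"], "undocumented change: no change reference"))
            continue
        if ref not in records:
            findings.append((ev["artifact"], f"{ref} not found in change records"))
            continue
        requester, approver, approved, start, end, tested = records[ref]
        if approver == requester:  # approval chain: the approver must be independent
            findings.append((ev["artifact"], f"{ref} self-approved by {approver}"))
        if parse_ts(approved) > ev["ts"]:  # documentation completed after the fact
            findings.append((ev["artifact"], f"{ref} approved after deployment"))
        if not parse_ts(start) <= ev["ts"] <= parse_ts(end):
            findings.append((ev["artifact"], f"{ref} deployed outside approved window"))
        if not tested:  # test verification must be on record before deployment
            findings.append((ev["artifact"], f"{ref} has no test evidence"))
    return findings
```

Running `reconcile(DEPLOY_LOG, CHANGE_RECORDS)` on the sample data returns five findings; the only clean deployment is ledger-4.2.0, whose record was approved independently, before the deployment, inside its window, with test evidence.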
Access Control
Financial services examiners will examine who has administrative access to critical systems. They will assess whether access is appropriately restricted.
- Segregation of Duties: You cannot have the same person developing code and deploying it to production. You cannot have the same person requesting access and granting it. You cannot have the same person creating transactions and authorizing them. Examiners will map out who can do what and look for conflicts.
- User Access Reviews: Quarterly or at minimum annually, you must document who has administrative access to each critical system. You must verify that each person still needs that access. If someone has moved roles and no longer needs elevated access, they must be removed. This must be documented with approvals.
- Privileged Access Management: Shared accounts are a major examination focus. If multiple people share a single account password, you cannot track who did what. You need individual credentials. If elevated access is necessary, it should be through privileged access management systems that log and record access.
- Vendor Access: If vendors have administrative access to your systems, you must have formal agreements documenting what access is granted, for what purpose, and for how long. You must monitor vendor access. Unattended vendor access is a significant concern.
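Examiners "map out who can do what and look for conflicts"; the same mapping can be run internally before they arrive. The following is an added example, not code from the original article: it takes a constructed entitlement export and reports the four conditions this section describes (segregation-of-duties conflicts, shared credentials, overdue access reviews, and vendor access past its agreed end date). Account names, entitlement names, the export layout and the review date are assumptions.

```python
from datetime import date

# The toxic pairings named in the segregation-of-duties rule above.
SOD_CONFLICTS = [
    ("develop_code", "deploy_prod"),
    ("request_access", "grant_access"),
    ("create_txn", "approve_txn"),
]
# Constructed entitlement export (not from any real system). Each account maps to
# (people holding the credential, entitlements, date of last access review,
# agreed end date for vendor access or None). Names and layout are assumptions.
ENTITLEMENTS = {
    "jdoe":        (["jdoe"], {"develop_code", "deploy_prod"}, date(2025, 11, 2), None),
    "asmith":      (["asmith"], {"develop_code"}, date(2025, 11, 2), None),
    "ops-shared":  (["rlee", "mchan"], {"deploy_prod"}, date(2025, 11, 2), None),
    "tcole":       (["tcole"], {"create_txn", "approve_txn"}, date(2024, 6, 1), None),
    "vendor-acme": (["acme-support"], {"deploy_prod"}, date(2025, 11, 2), date(2025, 12, 31)),
}
REVIEW_DATE = date(2026, 3, 10)  # constructed "today" for the review run

def review_access(entitlements, today, max_review_age_days=365):
    """Return (account, finding) pairs for the conflicts examiners map out."""
    findings = []
    for account, (holders, rights, last_review, vendor_end) in entitlements.items():
        for a, b in SOD_CONFLICTS:
            if a in rights and b in rights:
                findings.append((account, f"segregation-of-duties conflict: {a} + {b}"))
        if len(holders) > 1:  # shared credential: actions cannot be attributed to a person
            findings.append((account, f"shared account held by {len(holders)} people"))
        if (today - last_review).days > max_review_age_days:  # annual review at minimum
            findings.append((account, "user access review overdue"))
        if vendor_end is not None and vendor_end < today:
            findings.append((account, "vendor access past agreed end date"))
    return findings

if __name__ == "__main__":
    for account, finding in review_access(ENTITLEMENTS, REVIEW_DATE):
        print(f"{account}: {finding}")
```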
Business Continuity and Disaster Recovery
Examiners will examine your ability to continue operations if your primary systems fail.
- Business Continuity Plans: You must have documented business continuity plans. For each critical business function, what is the recovery time objective (RTO)? What is the recovery point objective (RPO)? How will you recover if the primary location is unavailable? This must be documented and tied to budget.
- Disaster Recovery Testing: You must test your disaster recovery plans at least annually. Testing means actually recovering systems and validating that they work. Tabletop exercises are nice; actual recovery is required. Examiners will ask for test results.
- Failover Capability: If you claim you can fail over to a secondary location, that must be tested. Can you actually recover customer accounts? Can you actually process transactions? If you have never actually tested this, it will be a finding.
- Communication Plans: During a disaster, who communicates with customers? Who communicates with regulators? This must be documented. Leadership must be trained on their roles.
Cybersecurity Controls
Cybersecurity oversight has increased significantly in recent years. Examiners will assess your controls.
- Vulnerability Scanning: You must regularly scan your infrastructure for known vulnerabilities. Examiners will ask for evidence of scanning. They will ask about vulnerabilities you found and how you remediated them. If you found vulnerabilities and did not remediate them, this is a finding.
- Penetration Testing: Large financial institutions conduct annual penetration testing. You must have documented results and evidence of remediation of findings. If a penetration test found a critical vulnerability that you have not remediated, examiners will ask why.
- Encryption: Data must be encrypted in transit and at rest. Examiners will ask what encryption standards you use. They will ask whether you still rely on weak or deprecated algorithms (DES, or the MD5 and SHA-1 hash functions) or on modern standards. They will ask how you manage encryption keys.
- Multi-Factor Authentication: For administrative access and customer-facing systems, multi-factor authentication is expected. If your systems do not require MFA, examiners will note this as a gap.
- Incident Response Readiness: You must have a written incident response plan. It must address detection, investigation, containment, recovery, and notification. You must have contacts for key personnel. You must have tested your incident response process.
Vendor Management
Third-party vendor risk is a primary examination area. Examiners want to know that you manage vendor security.
- Vendor Risk Assessment: Before using a vendor, you must assess their security practices. This may include security questionnaires, certifications review, or onsite assessments. You must document this assessment.
- Vendor Agreements: Agreements with critical vendors must include specific security and operational requirements. Requirements must include data protection clauses, incident notification timelines, audit rights, and contingency planning.
Examiners will often request agreements with major vendors. They will assess whether the agreements adequately protect your organization.
Regulatory Reporting
Financial services firms have specific regulatory reporting requirements.
- Cybersecurity Incident Reporting: SEC rules require notification of material cybersecurity incidents. You must have processes to identify incidents that are material. You must have timelines for notification (typically 4 business days for initial notification). If you experience an incident that should have been reported and you did not report it, this is a serious finding.
- Examination Findings: Previous examination findings must be remediated. When examiners return, they will assess whether you addressed prior findings. If you have not, this is a significant concern.
The Examination Process
Knowing what to expect helps you prepare. Examiners typically follow a process.
First, they request documents. Change logs, access reviews, incident response plans, business continuity plans, vendor agreements, penetration testing results. Provide these promptly and completely. Slow responses create negative impressions.
Second, they conduct interviews. They may ask your team about processes. The goal is to determine whether the documented process matches actual practice. Inconsistencies are findings. Train your team to be honest. If your documented process and actual process differ, that is a problem you should already know about.
Third, they observe processes. They may watch a change being deployed. They may observe a system recovery test. They will assess whether practice matches documented procedures.
Fourth, they issue a report. The report identifies findings and recommendations. Findings are gaps that must be remediated. Recommendations are suggested improvements. You must respond to findings with a remediation plan and timeline.
Preparation
The time to prepare for examination is now, not when the examination notice arrives. Conduct a self-assessment. Do your processes match your documentation? Are your controls operating as designed? Have you addressed findings from prior examinations? Start there.
© 2026 Valukoda, Inc. All rights reserved.
