Banking Services
KraftCPAs is uniquely qualified and experienced to meet the financial management and technology needs of community banks. In addition to traditional audit, accounting and tax services, we offer a variety of consulting services, including information systems (IS) assurance and consulting services, to help banks achieve and maintain profitability while complying with applicable laws and regulations. We have experience in performing the following services for banks:
Financial Services
- External audit
- Internal audit
- Compliance
- SOX documentation & testing
- Tax planning & compliance
- Start-up assistance & filings
- Help with regulatory issues
- Loan reviews & grading systems
- Annual & quarterly SEC filings
- Employee benefit plan audits
- Goodwill & core deposit studies
- Interest rate risk assessments
- Outsourced accounting
- Merger/acquisition assistance
IS Audit and Security Services
Information systems security and IS controls should support and enable business objectives -- not hinder them. Because our IS professionals understand bank operations and regulatory requirements, we can help banks achieve and maintain regulatory compliance while keeping an eye on the cost/benefit of IS controls. We help clients assess risks to their information systems and recommend controls to mitigate those risks in an efficient and cost-effective manner.
In addition to financial professionals with banking experience, KraftCPAs' Banking Industry Group includes a team of professionals dedicated to information technology security. Our team includes:
- Certified Public Accountants (CPAs)
- Certified Information Systems Auditors (CISAs)
- Certified Information Systems Managers (CISMs)
- Certified Regulatory Compliance Manager (CRCM)
In addition, we have several vendor-specific, technical certifications. We invest heavily in continuing professional education for our team. They are technology, security and audit experts who also understand the banking industry. Our IS services for banks include:
Information asset risk assessments
The security of your information system must be assessed to protect your bank and your customers while meeting regulatory requirements. KraftCPAs' IS risk assessment procedures are designed to accommodate the objectives of the bank and its regulatory agencies.
Our approach:
- is enterprise-wide in scope (covering management, technical and operational controls)
- is based on documented risk assessments
- includes analysis of controls, policies, procedures and security measures
- is designed to meet the requirements of the Gramm-Leach-Bliley Act (GLBA) and provisions of the FFIEC Information System Handbook
Procedures include, but are not limited to, the areas listed below:
- IS processes related to internal audit
- Management/Organization
- Contingency Planning
- IS Policy Review
- Critique of Control Design
- Critique of Policy and Control Practice
- Testing of Core System Interfaces
- Systems Development and Programming
- Computer Operations
- Security – Physical and Data
- Network Controls
- End-User Computing (Personal Computers)
- Document Imaging
- EFTs (ATM, debit cards, home banking, ACH, wire transfer)
- Internet Banking
- Privacy Issues of Customer Data (to the extent necessary to satisfy requirements of the Gramm-Leach-Bliley Act)
External penetration testing
We conduct a test and review of your IS security using CORE IMPACT, an automated, comprehensive penetration-testing product. The steps in this penetration test are as follows:
- Information gathering -- Information is gathered regarding network access points to target hosts, and information about these hosts is identified.
- Attack and penetration -- Methods are used to find exploits in the targets in order to gain access into the system.
- Local information gathering -- Once system access is gained, a nondestructive agent is placed in the system to discover the same sort of information an unauthorized hacker would want to find.
- Privilege escalation -- An exploit can also be used to find information about other local hosts that may not necessarily be directly related to the target host.
- Clean up -- All installed agents are removed, and the host is returned to its original state.
- Report generation -- A report will be issued detailing the hosts that were tested, exploits that were found, and recommendations for correcting weaknesses.
Internal Penetration Testing
It is commonly estimated that up to 80 percent of all information security breaches are made possible by the actions (intentional or unintentional) of insiders. An insider may be an employee, vendor, or anyone who has been granted any level of access to the internal network.
Internal penetration testing identifies the vulnerability level of your network to unauthorized access from within your organization. It identifies the information that could be compromised and the degree of difficulty required to exploit an identified vulnerability. Often discovered vulnerabilities include easily compromised passwords, insecure data exchange mechanisms, and exploitable file permissions and system configurations.
Social engineering
In the game of hacking, the weakest link and easiest target is virtually always people. There is a tendency to rely too heavily on automated tools to monitor and/or enforce security policies. While highly valuable, these methods by themselves fall short of managing the human element of information security. Without extensive security training and monitoring, many bank employees are vulnerable to social engineering attacks and unintentionally allow unauthorized access to customer accounts and information.
Social engineering is the use of deceptive and manipulative tactics to gain unauthorized access to information assets. Successful hackers use social engineering tactics to play on the emotions of unsuspecting victims. They may compromise employees by inducing stress, excitement, fear, or distraction to control the actions of their victim and obtain access (often easy access) to confidential information.
KraftCPAs can develop social engineering scenarios to test the real-world effectiveness of information security policies and procedures. Social engineering testing will determine if bank employees can be tricked into allowing unauthorized access to customer accounts and information through face-to-face interaction. Our team has performed social engineering test scenarios in banks and found that employees are typically vulnerable to these tactics.
Once we have uncovered weaknesses in the human element of IS security, we can help the bank design improved policies and procedures to combat these weaknesses and train bank employees to be on guard against social engineering tactics.
Business continuity/disaster recovery planning
Having had offices destroyed by a tornado, KraftCPAs knows firsthand the critical nature of information asset security. Whether through natural disaster, electronic theft, physical loss, or unintentional exposure, having information compromised or exploited will negatively impact a bank. Depending on circumstances, the impact can range from inconvenient to catastrophic. We begin our contingency planning by understanding the risks to and vulnerabilities of the systems that store, transmit, and process critical information. We then analyze the impact to your bank if you lost critical systems and/or information. We provide you with a detailed plan for timely response and recovery. We help you test your plan, keep it updated, and train both IS staff and management to make it work.
Other technology services are provided to banks through our affiliate Kraft Technology Group.
- Design, install and implement networks
- Assist in choosing bank processing systems and accounting software systems
- Design and implement telecommunications
- Implement remote access solutions
- Assist in designing security policies and procedures
"KraftCPAs' technology professionals were knowledgeable and easy to work with, and their constructive criticism was delivered in a positive manner. KraftCPAs combines a comprehensive process with fairness and friendliness. A good combination!"
Bill Adams
CIO
Greene Bank