Audit checklist · reviewed 2026-05-22

FFIEC IT Examination — IAM readiness checklist

IAM-specific evidence the FFIEC examiners (OCC, FDIC, Federal Reserve, NCUA, CFPB) request during banking-IT examinations.

Talk to a compliance lead

Applies to

US banks, credit unions, and bank service providers under FFIEC examination

Cycle cadence

12-18 month examination cycle; continuous evidence collection in between

Primary authority

Federal Financial Institutions Examination Council

9 evidence items across 4 sections.

Authentication + access controls (Information Security § II.C.7)

Risk-based authentication (2021 supplement)
Evidence
Documented authentication risk model + Conditional Access / risk-based MFA policy aligned to the 2021 FFIEC authentication guidance.
Who owns
CISO / IAM
Layered security for high-risk transactions
Evidence
Step-up MFA evidence on high-value customer transactions (wire transfers, ACH origination). For workforce: MFA enforcement on financial systems.
Who owns
IAM + Application security
Privileged access controls
Evidence
PAM platform export showing vaulted credentials + session monitoring on production financial systems.
Who owns
Privileged access lead

Access review + lifecycle (Information Security § II.C.13)

User access reviews
Evidence
Quarterly certification evidence + risk-tiered cadence for higher-risk systems.
Who owns
IAM governance
Termination + role-change provisioning
Evidence
HRIS-driven JML log + sample lifecycle events with same-day deprovisioning evidence.
Who owns
IAM engineering

Logging + monitoring (Audit booklet § II + III)

Identity event logging
Evidence
Documented identity event taxonomy + sample evidence of capture during the audit window.
Who owns
SOC / IAM
Privileged session logging
Evidence
PAM session-recording evidence covering all privileged sessions on production financial systems.
Who owns
Privileged access lead
Log retention
Evidence
Documented retention period (typically 7 years for banking records); sample retrieval from cold storage proving recoverability.
Who owns
SOC / Compliance

Third-party + service provider

Third-party IAM controls (Outsourcing Technology Services booklet)
Evidence
For each critical third-party: SOC 2 report + IAM evidence package covering the third-party's access to your environment.
Who owns
Vendor risk management
Collection tip
Third-party IAM is increasingly cited. Examiners want to see your vendor's IGA evidence treated as part of your control environment.

Practitioner notes

What auditors actually focus on.

FFIEC examinations are pre-scheduled but the specific examiner focus areas vary. Maintain continuous evidence collection so any focus area is ready.
The 2021 FFIEC Authentication and Access guidance update raised the bar materially on consumer-facing MFA. Layered security on high-value transactions is now table stakes.
CFPB Authority over consumer financial protection brings privacy + identity considerations into FFIEC examinations. Coordinate IAM evidence with privacy program evidence.

Pre-audit?

We pre-audit your FFIEC IAM evidence.

Two-week gap analysis against this checklist, scored by criticality, with a prioritized remediation plan. Done before the 3PAO / CPA / examiner shows up.

Get a pre-auditCompliance crosswalk