Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Financial Institution Letter
Information Technology Risk Examination (InTREx) Procedures


The FDIC updated its Information Technology Risk Examination (InTREx) procedures to improve the Audit module‘s usability, specify compliance review steps relative to the Computer Security Incident Notification Rule (Part 304 Subpart C), provide more specificity regarding examiner review of service provider reports of examination, and update links to references. Examiners use these procedures to review information technology risk management at each bank safety and soundness examination.

Statement of Applicability: The contents of, and material referenced in, this FIL apply to all FDIC-supervised financial institutions.


  • The Audit module now positions the procedures next to the Core Analysis Decision Factors to increase examiner efficiency (the Support and Delivery module was changed in the same way previously and the other core modules will be changed similarly).
  • The Support and Delivery module now provides more specific instructions to examiners regarding checking for compliance with the Computer Security Incident Notification Rule that was effective on April 1, 2022.
  • The Management and Support and Delivery modules now provide more specific instructions to examiners regarding service provider report of examination review.
  • Links throughout the procedures were updated to current Internet locations.
Related Topics
Examination Processes and Procedures
Information Technology
Third-Party Relationships
Last Updated: September 29, 2023