Your examiner from the National Credit Union Administration (NCUA) isn't going to ask if you have antivirus. They're going to ask how your credit union identifies, assesses, and mitigates cybersecurity risk across your entire operation. They'll want to see documented policies, evidence that those policies are enforced, and proof that you test your controls regularly.
Most credit unions know their IT examination is coming. What they don't know is exactly what the examiner will focus on, what documentation they need to have ready, and which gaps are most likely to generate findings. This guide shows you how to pass your NCUA IT exam by covering what examiners actually look for, the most common findings credit unions receive, and a step-by-step preparation checklist so your credit union IT audit goes smoothly.
Note: While this article focuses on NCUA examinations for credit unions, the underlying requirements come from the Federal Financial Institutions Examination Council (FFIEC) — the same framework that applies to community banks examined by the OCC and FDIC. If you're a bank, the examination areas and evidence standards are nearly identical. Mortgage companies face parallel requirements under the FTC Safeguards Rule.
What NCUA Examiners Actually Check
The NCUA IT examination follows the FFIEC (Federal Financial Institutions Examination Council) Information Technology Examination Handbook, which covers eight specific areas. Understanding NCUA cybersecurity requirements across these domains is the first step toward passing your exam. Your examiner won't test all eight in equal depth during every exam cycle, but they expect you to have controls and documentation across all of them.
Information Security Program
This is the foundation. Your examiner wants to see a written information security program that includes:
- Board-approved information security policy (reviewed and updated annually)
- Designated information security officer with defined responsibilities
- Risk assessment methodology and documented results
- Security awareness training program with completion records
- Vendor management procedures for technology service providers
The most common mistake: having a policy document that was written three years ago and never updated. Examiners check the revision date. If your policy references Windows 7 or mentions your previous core system, it's a finding.
Access Controls
Who can access what, and how do you prove it? Examiners look at:
- User access review processes (quarterly minimum for critical systems)
- Privileged access management (who has admin rights and why)
- Multi-factor authentication deployment (especially for remote access and core banking)
- Password policies and enforcement
- Terminated employee access removal procedures and evidence
They'll often pull a terminated employee list from HR and cross-reference it against your active user accounts. If anyone who left six months ago still has an active login, that's a finding.
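The same cross-reference can be run before the examiner does it. The following is an added example, not code from the article: it assumes two constructed CSV exports (an HR termination list and an active-account list carrying an admin flag and last sign-in) and grades each stale account by how long it stayed enabled and whether it was privileged or used after the leave date.

```python
"""Reconcile an HR termination list against an active-account export (added
example, not from the article; both inputs are constructed CSV exports)."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR export: who left and when.
HR_TERMINATIONS = """employee_id,email,termination_date
1001,j.doe@example-cu.test,2024-01-15
1002,a.lee@example-cu.test,2024-05-02
1003,m.ortiz@example-cu.test,2024-06-20
"""
# Constructed directory export (domain, core system or online banking admin).
ACTIVE_ACCOUNTS = """email,enabled,is_admin,last_login
j.doe@example-cu.test,true,true,2024-03-01
a.lee@example-cu.test,false,false,2024-04-30
m.ortiz@example-cu.test,true,false,
k.nguyen@example-cu.test,true,true,2024-07-01
"""
AS_OF = date(2024, 7, 15)  # date the review is run, for the constructed data


@dataclass
class Finding:
    email: str
    days_open: int                # days the account stayed enabled after termination
    privileged: bool              # admin rights make the same gap high severity
    used_after_termination: bool  # a sign-in after the leave date needs investigation

    @property
    def severity(self) -> str:
        if self.privileged or self.used_after_termination:
            return "high"
        return "medium" if self.days_open > 30 else "low"


def stale_accounts(hr_csv=HR_TERMINATIONS, accounts_csv=ACTIVE_ACCOUNTS, as_of=AS_OF):
    """Enabled accounts that belong to terminated employees, longest-open first."""
    leavers = {r["email"].lower(): date.fromisoformat(r["termination_date"])
               for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        email = acct["email"].strip().lower()
        if email not in leavers or acct["enabled"].lower() != "true":
            continue  # still employed, or already disabled: nothing to report
        left, last = leavers[email], acct["last_login"].strip()
        findings.append(Finding(
            email, (as_of - left).days, acct["is_admin"].lower() == "true",
            bool(last) and date.fromisoformat(last) > left))
    return sorted(findings, key=lambda f: f.days_open, reverse=True)
```

Each Finding is the evidence line the examiner wants to see, together with the ticket showing when the account was finally disabled.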
Network Security
Your examiner will evaluate how your network is segmented, monitored, and protected:
- Firewall rules and review schedule (at least annually)
- Network segmentation between member-facing and internal systems
- Systems that detect and block suspicious network activity (intrusion detection and prevention systems, or IDS/IPS)
- Wireless network security (separate network names for guests vs. staff at minimum)
- Remote access controls and VPN (virtual private network) configurations
Business Continuity and Disaster Recovery
Examiners want proof that your credit union can recover from a disruption:
- Documented BCP (business continuity plan) and DR (disaster recovery) plan with specific recovery time objectives for critical systems
- Annual BCP testing results (tabletop exercise at minimum, full failover test preferred)
- Backup verification and restoration testing records
- Pandemic and remote operations plans (post-2020, this is non-negotiable)
Vendor Management
This is where many credit unions get caught. Your examiner will review how you assess and monitor your critical technology vendors:
- Vendor risk assessment methodology
- Due diligence documentation for critical vendors (core processor, online banking, IT provider)
- SOC 2 report collection and review — SOC 2 Type II is a third-party assessment of a vendor's security controls over a sustained period. Collecting reports isn't enough; you need to document your review of any noted exceptions.
- Contract provisions for security, audit rights, and notification requirements
- Ongoing monitoring procedures
If your managed IT provider doesn't have a SOC 2 Type II report, your examiner will identify that as a gap. If you can't show that you've reviewed your core processor's SOC 2 and documented your assessment of the exceptions, that's another finding.
The Most Common IT Findings Credit Unions Receive
After working with hundreds of credit unions through their examination cycles, we see these IT findings most often:
1. Incomplete or Outdated Risk Assessment
The risk assessment is supposed to drive your entire information security program. If it's a checkbox exercise that lists "hacking" as a risk with "firewall" as the control, your examiner will see through it. A proper risk assessment identifies specific threats to your credit union's specific systems, evaluates likelihood and impact, documents existing controls, and identifies gaps that require remediation.
2. No Evidence of Security Awareness Training
It's not enough to tell the examiner "we did training." You need completion records showing which employees completed training, when they completed it, and what topics were covered. Phishing simulation results are a strong addition. If you ran simulations and 30% of staff clicked, the examiner wants to see what you did about it (additional training, policy changes, technical controls).
3. Privileged Access Not Reviewed
Credit unions often grant admin access to IT staff and never revisit it. Examiners want quarterly access reviews for privileged accounts. Who has domain admin? Who has core system admin rights? Who can approve wire transfers? Each privileged user should be documented with a business justification, and the review should be signed off by management.
4. Vendor SOC Reports Not Reviewed
Collecting your core processor's SOC 2 report and filing it isn't enough. Your examiner expects a documented review: Did you read the exceptions? Did you assess whether those exceptions affect your credit union? Did you implement compensating controls if they do? Most credit unions collect the reports but skip the documented review step.
5. BCP Testing Documentation Gaps
You tested your business continuity plan. But did you document what was tested, what worked, what failed, and what changes you made as a result? Examiners want to see test results, lessons learned, and plan updates that resulted from the test. A BCP test without documentation is a BCP test that didn't happen, as far as your examiner is concerned.
6. Patch Management Gaps
Examiners review your patching cadence for critical systems. If your workstations are 90 days behind on patches or your servers haven't been updated in six months, that's a finding. They'll also check that you have a documented patch management policy with defined timeframes for critical, high, and medium-severity patches.
Building Your Evidence Package
Don't wait for the examination notice to start assembling documentation. Maintain a running evidence package that covers each examination area:
| Exam Area | Evidence to Maintain |
|---|---|
| Information Security Program | Board-approved policy (with revision date), risk assessment, security officer designation memo, training completion records |
| Access Controls | Quarterly access review reports, privileged user list with justifications, MFA configuration documentation, terminated employee access removal logs |
| Network Security | Firewall rule review documentation, network diagram, intrusion detection (IDS/IPS) logs, penetration test results, vulnerability scan reports |
| BCP/DR | BCP plan (current version), test results with lessons learned, backup verification logs, recovery time objective documentation |
| Vendor Management | Vendor risk assessments, SOC 2 reports with documented review notes, contract inventory for critical vendors |
| Incident Response | IR plan (current version), tabletop exercise results, incident log (even if no incidents occurred, document that) |
Your managed IT provider should maintain the technical evidence (access reviews, patch reports, firewall reviews, vulnerability scans). You maintain the governance evidence (policies, board minutes, training records). If your IT provider can't produce their half of this evidence on request, you have a gap.
How to Pass Your NCUA IT Exam: 90-Day Prep Checklist
If you want to pass your NCUA IT exam with confidence, start preparing the day you receive your examination notice. This 90-day timeline covers the three phases of credit union IT audit preparation: reviewing and updating your documentation, testing your controls and closing gaps, and assembling the evidence package your credit union examiner expects to see.
Days 1-30: Review and Update
- Review and update your information security policy (check the revision date)
- Run a current risk assessment or review your most recent one for accuracy
- Verify all employee security awareness training is current
- Confirm your IT provider's SOC 2 Type II report is current (within 12 months)
- Pull current access review documentation for all critical systems
Days 31-60: Test and Document
- Run a vulnerability scan and document remediation of critical findings
- Conduct a tabletop BCP exercise if you haven't tested within the past year
- Review firewall rules and document any changes
- Verify patch levels on all critical systems (workstations, servers, network equipment)
- Collect and review SOC 2 reports from all critical vendors
Days 61-90: Assemble and Brief
- Assemble your evidence package (all documentation listed in the table above)
- Brief your information security officer on key items the examiner may focus on
- Brief your IT provider on the examination timeline and their responsibilities
- Identify any remaining gaps and document your remediation plan (examiners give credit for identified gaps with active remediation plans)
- Prepare a summary document that maps your controls to the FFIEC examination handbook areas
How ABT Helps Credit Unions Prepare for NCUA IT Examinations
ABT currently supports over 750 active financial institutions — including banks, credit unions, and mortgage companies — which means our team goes through examination cycles with clients multiple times per year. Here's how that experience translates to exam readiness:
- Continuous compliance documentation. ABT's Guardian platform maintains running evidence of your Microsoft 365 security configuration, including login and access policies (Conditional Access), rules that prevent sensitive data from leaving your organization (Data Loss Prevention, or DLP), encryption settings, and endpoint compliance. When your examiner asks, the documentation exists. You don't scramble to produce it.
- FFIEC maturity mapping. Guardian maps your security posture against the FFIEC cybersecurity maturity domains so you can see where you stand before your examiner does. Gaps are identified with specific remediation steps, not generic recommendations.
- Quarterly access reviews. ABT runs quarterly privileged access reviews and produces the documentation your examiner expects: who has access, why they have it, and management sign-off confirming it's appropriate.
- Vendor risk management support. ABT helps financial institutions collect and review SOC 2 reports from critical vendors, document the review findings, and maintain the vendor risk assessment records examiners require.
- Free security assessment. Start with ABT's Microsoft 365 Security Assessment to see where your environment stands against financial services benchmarks. The report shows you the same types of gaps your examiner would identify.
Frequently Asked Questions
What does the NCUA examiner look for during the IT portion of the exam?
NCUA examiners evaluate your credit union's IT environment across eight areas defined in the FFIEC Information Technology Examination Handbook: information security, access controls, network security, business continuity, vendor management, audit, data classification, and incident response. They review documented policies, evidence that controls are enforced, testing results, and your risk assessment methodology.
How often does the NCUA examine a credit union's IT controls?
NCUA examines federally insured credit unions on a regular cycle, typically annually or every 18 months depending on asset size, risk profile, and previous examination results. The IT portion receives varying focus each cycle. Credit unions with prior findings, recent security incidents, or significant technology changes may receive more intensive IT examination.
What happens if a credit union receives IT findings from the NCUA?
When a credit union receives IT findings, the examiner documents them in the examination report and the credit union must develop a formal remediation plan with action items, responsible parties, and target dates. The NCUA monitors progress through follow-up correspondence or the next examination. Repeated or severe findings can lead to increased examination frequency or formal supervisory actions.
How should a credit union prepare for an NCUA IT examination?
Credit unions should prepare for NCUA IT examinations by maintaining continuous documentation rather than assembling evidence only when notified. Key steps include keeping your information security policy current, conducting regular risk assessments, maintaining quarterly access reviews, collecting and reviewing vendor SOC 2 reports, testing your business continuity plan annually, and keeping security awareness training records current.
Does a credit union's managed IT provider affect the NCUA examination?
Yes, your managed IT provider directly affects your NCUA examination in two ways. First, as a critical third-party vendor, examiners review whether you performed due diligence on your provider and whether they hold a current SOC 2 Type II report. Second, your provider implements many technical controls examiners evaluate. If they cannot produce compliance documentation, your credit union receives the findings.
What Microsoft 365 Conditional Access and DLP configurations does the NCUA examiner expect?
NCUA examiners expect credit unions to configure Conditional Access policies that enforce multi-factor authentication for all users, restrict access from unmanaged devices, block legacy authentication protocols, and require device compliance for access to sensitive systems. Data Loss Prevention (DLP) rules should detect and block sharing of member personally identifiable information — including Social Security numbers, account numbers, and loan data — outside the organization. Additional configurations include DMARC email authentication to prevent domain spoofing, sensitivity labels for document classification, and audit logging sufficient to produce evidence packages during examination.
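The expectations above can be checked against an export of your tenant's policies rather than by reading each one in the portal. This is an added example, not code from the article or from ABT's platform: it assumes policies in the Microsoft Graph conditionalAccessPolicy JSON shape, a constructed three-policy export, and a placeholder application id standing in for the core banking app. It counts only policies whose state is "enabled", because a report-only MFA policy looks compliant on paper but enforces nothing.

```python
# Constructed export in the Microsoft Graph conditionalAccessPolicy shape;
# a real one comes from GET /identity/conditionalAccess/policies.
CORE_BANKING_APP = "PLACEHOLDER-core-banking-app-id"  # hypothetical app id
CA_POLICIES = [
    {"displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",  # report-only: enforces nothing
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Core banking requires a compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [CORE_BANKING_APP]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]
INTERACTIVE = {"browser", "mobileAppsAndDesktopClients"}
LEGACY = {"exchangeActiveSync", "other"}  # protocols that cannot perform MFA
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def _client_apps(policy):
    types = set(policy["conditions"].get("clientAppTypes", []))
    return INTERACTIVE | LEGACY if "all" in types else types


def _applies(policy, app_id):
    """True only for an enforced policy that targets all users and covers app_id."""
    cond = policy["conditions"]
    apps = cond["applications"].get("includeApplications", [])
    return (policy.get("state") == "enabled"  # report-only does not count
            and "All" in cond["users"].get("includeUsers", [])
            and ("All" in apps or app_id in apps))


def _grants(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def assess(policies, sensitive_app):
    """Map each examiner expectation to whether some enforced policy meets it."""
    return {
        "mfa_for_all_users": any(_applies(p, "All") and INTERACTIVE <= _client_apps(p)
                                 and "mfa" in _grants(p) for p in policies),
        "legacy_auth_blocked": any(_applies(p, "All") and LEGACY <= _client_apps(p)
                                   and "block" in _grants(p) for p in policies),
        "compliant_device_for_sensitive_app": any(
            _applies(p, sensitive_app) and _grants(p) & DEVICE_CONTROLS for p in policies),
    }


def gaps(policies=CA_POLICIES, sensitive_app=CORE_BANKING_APP):
    """Expectations no enforced policy meets; each one is a likely finding."""
    return sorted(k for k, ok in assess(policies, sensitive_app).items() if not ok)
```

On the constructed export the only gap is MFA for all users, because that policy is still in report-only mode; flipping its state to "enabled" clears it.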
Technical Reference
The following tables provide definitions for regulatory frameworks and technical terms used in this article. These are provided as a reference for IT professionals and compliance officers preparing examination documentation.
Regulatory Frameworks
| Term | Full Name | What It Means |
|---|---|---|
| NCUA | National Credit Union Administration | Federal agency that regulates and insures credit unions. Conducts IT examinations. |
| FFIEC | Federal Financial Institutions Examination Council | Interagency body that publishes the IT Examination Handbook used by NCUA, OCC, and FDIC examiners. |
| OCC | Office of the Comptroller of the Currency | Federal regulator for national banks. Uses the same FFIEC examination framework as NCUA. |
| FTC Safeguards Rule | Federal Trade Commission Safeguards Rule | Requires mortgage companies and non-bank financial institutions to maintain comprehensive information security programs. |
| SOC 2 Type II | System and Organization Controls 2, Type II | Independent audit that evaluates a vendor's security controls over a sustained period (typically 6-12 months). |
Glossary
| Term | Definition |
|---|---|
| BCP | Business Continuity Plan — documented procedures for maintaining operations during and after a disruption. |
| Conditional Access | Microsoft 365 login policies that control who can access what, from which devices, and under what conditions. |
| DLP | Data Loss Prevention — rules that detect and block sensitive data (Social Security numbers, account numbers) from leaving the organization. |
| DMARC | Email authentication protocol that lets receiving mail servers reject or quarantine messages that falsely claim to come from your domain. |
| DR | Disaster Recovery — procedures for restoring IT systems after a major outage or incident. |
| IDS/IPS | Intrusion Detection System / Intrusion Prevention System — monitors network traffic for suspicious activity and can automatically block threats. |
| MFA | Multi-factor authentication — requiring two or more verification methods (password plus phone, for example) to sign in. |
| Sensitivity labels | Microsoft 365 classification tags that control how documents can be shared, printed, or forwarded based on their content. |
| VPN | Virtual Private Network — encrypted connection that allows remote users to securely access internal systems. |
Next Steps
Whether your next NCUA examination is three months away or a year out, the best way to pass your NCUA IT exam is to assess your readiness now — before your examiner does.
- Get your free security grade. ABT's Microsoft 365 Security Assessment shows you where your environment stands against the benchmarks examiners expect. You'll see the gaps before your examiner does.
- Talk to a financial institution IT specialist. Schedule a conversation with ABT's team to discuss your examination readiness and IT challenges — whether you're a credit union preparing for NCUA, a community bank facing OCC examination, or a mortgage company under the FTC Safeguards Rule.