Some Corrective Actions to Address Reported Information Technology Weaknesses Were Not Adequately Documented and Effectively Implemented

The Chief Information Officer (CIO) should ensure that sufficient management oversight is provided to verify the use of older software versions is properly documented with an RBD or RAFT.

The Chief Information Officer (CIO) should ensure that the Enterprise Standards Profile is updated with fields to track the use of older software versions, along with their associated RBD or RAFT.

The CIO should ensure that ******************************************* *********************************************** are remediated by the plan of action and milestones due date.

The Chief Risk Officer should ensure that any appropriate documentation subsequently provided during this review is uploaded to the JAMES for the judgmentally sampled PCAs that lacked sufficient documentation to support their closure.

The Chief Risk Officer should ensure that the EAM organization evaluates sufficient testing documentation to demonstrate that corrective actions taken are fully implemented as stated in the PCA and ensures sufficient documentation is uploaded to the JAMES prior to approving PCA closures.