Finding #23

Description *

Priority (1-4) Category 1 Category 2

Formatted Text *

Lack of Change Control and Issue Tracking

Severity Level: Priority 3 Category: Governance / Compliance

Description: The bank lacks a formal change control and issue tracking process, closely tied to the absence of a ticketing system. This gap hinders the ability to track IT changes, monitor issues, and ensure compliance with FFIEC requirements for change management.

Impact:

Increased risk of unauthorized or undocumented changes, leading to system instability.
Non-compliance with FFIEC change management guidelines, risking audit findings.
Difficulty in identifying and resolving recurring issues, impacting operational efficiency.

FFIEC Reference:

FFIEC IT Examination Handbook, Management (June 2004):

"Institutions should implement formal change management processes to control IT modifications." (p. 15)
"Change control processes must include documentation and tracking of changes." (p. 17)

Recommendations:

Implement a change control process integrated with the recommended ticketing system.
Document all IT changes, including approvals, testing, and outcomes.
Conduct regular audits of change logs to ensure compliance and identify potential risks.

<h2 style="margin: 0in; font-size: 14pt; font-family: Arial, sans-serif; color: rgb(89, 89, 89); letter-spacing: 0.25pt;">Lack of Change Control and Issue Tracking<o:p></o:p></h2>Severity Level: Priority 3 Category: Governance / Compliance<o:p></o:p>Description: The bank lacks a formal change control and issue tracking process, closely tied to the absence of a ticketing system. This gap hinders the ability to track IT changes, monitor issues, and ensure compliance with FFIEC requirements for change management.<o:p></o:p>Impact:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Increased risk of unauthorized or undocumented changes, leading to system instability.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Non-compliance with FFIEC change management guidelines, risking audit findings.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Difficulty in identifying and resolving recurring issues, impacting operational efficiency.<o:p></o:p></li></ul>FFIEC Reference:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">FFIEC IT Examination Handbook, Management (June 2004):<o:p></o:p></li><ul type="circle" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">"Institutions should implement formal change management processes to control IT modifications." (p. 15)<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">"Change control processes must include documentation and tracking of changes." (p. 17)<o:p></o:p></li></ul></ul>Recommendations:<o:p></o:p><ul type="disc" style="margin-bottom: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Implement a change control process integrated with the recommended ticketing system.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Document all IT changes, including approvals, testing, and outcomes.<o:p></o:p></li><li class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">Conduct regular audits of change logs to ensure compliance and identify potential risks.<o:p></o:p></li></ul>

Back to list