IT Examiner School - Oct 2025

Internal Use Only

FFIEC Regulatory Context / InTREx Decision Factor / Items to Request from an Organization

InTREx Decision Factors addressed: DA.1, DA.2, DA.3, DA.4, DA.5

Board/Management Oversight
• Board Meeting Minutes
• Management Committee Meeting Minutes
• Strategic Plan (alignment of projects with organizational goals)
• Business Case / Project Justification Documents
• Capital Expenditure (CAPEX) Approval Documentation
• Vendor Risk Management Documentation (if reviewed at board level)
• Risk Assessments (high-level summaries presented to board/management)
• Compliance Reviews and Reports (with board visibility)

Project Management
• Business Case or Project Justification Documents (also applicable here)
• Approved Budgets and Budget Tracking Reports
• Status Reports and Dashboards
• Internal Audit Reports (focused on project execution)
• Third-party Reviews or Assessments (project health, execution risks)
• Post-Implementation Review Reports

Application Security
• Risk Assessments (focused on application-level risks)
• Vendor Risk Management Documentation (security posture of third-party software)
• Application Security Policies/Standards (if available, e.g. SDLC security policies, code review processes)
• Third-party Security Assessments or Penetration Test Results
• Change Management Documentation (as it relates to secure deployments)
• Training Records (for developers/security staff involved in secure coding practices)

Change Control
• Escalation Documentation (for change-related risks/issues)
• Internal Audit Reports (focused on change management effectiveness)
• Communication Protocols (related to change notifications/escalations)

Measuring Performance
• Key Performance Indicators (KPIs) and Metrics
• Status Reports and Dashboards (also fits here)
• Post-Implementation Review Reports (outcomes vs. objectives)
• Budget Tracking Reports (performance against financial plan)
• Lessons Learned Documentation
• Internal Audit Reports (performance-related findings)


Development & Acquisition Governance & Oversight

Governance Practices: Clearly define responsibilities, enhance transparency, and facilitate effective oversight and informed decision-making.

Strategic Alignment: Ensure IT solutions strategically align with and actively support business objectives and organizational needs.

Effective Communication: Board and IT management oversight committees provide transparency, accountability, and timely decisions through clear communication of project statuses, risks, and milestones to stakeholders.

Policies, Standards & Procedures: Comprehensive, board-approved policies and standards foster consistency, efficiency, and reliability, significantly reducing the risk of project failures and operational disruptions.

Qualified Personnel: Assign qualified individuals to oversee security, audit processes, and testing activities within technology projects.

System Lifecycle Management: Establish robust lifecycle management practices to proactively identify and replace aging systems approaching end-of-life.
