III.D.7 Reporting

Management should develop an IT risk reporting process that assembles and reports IT risk information in a manner that is timely, complete, transparent, and relevant to management decisions. IT management should provide periodic reports based on risk to senior management or the board as well as to necessary stakeholders. Recipients of IT risk reports should have the authority and responsibility to act on the reported information, provide a credible challenge for information contained in the reports, and be held accountable for the outcomes. The reporting should be appropriate to the decisions the individual reviewing the report is responsible for influencing. This reporting should be defined in accordance with the institution's enterprise-wide risk management program. Additionally, reporting should trigger appropriate, timely, and reliable escalation procedures.

