The auditor gave OFIs re: vendor management, that each vendor should have the CIA assigned. CIA is available in risk register but not with vendors