Audits and risk management

UCF ID: 00677
Control Type: IT Impact Zone
Status: Live

Supporting and supported controls

This is a top level control.

This control has the following supporting controls:

    Define the roles and responsibilities, in a clear manner, of all personnel involved in the auditing process. [UCF Control ID 00678]
    Verify that an internal audit program policy exists. [UCF Control ID 00684]
    Establish and maintain the IT Governance risk assessment framework. [UCF Control ID 00685]

Authority documents complied with:

PCAOB Auditing Standard No. 5, ¶ 75; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Background; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 663(a), ¶ 745; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 2.1, Exam Tier II Obj A.1; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 2.1; FFIEC IT Examination Handbook – Development and Acquisition, Exam Obj 4.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg E-3; FFIEC IT Examination Handbook – Information Security, Pg 89; FFIEC IT Examination Handbook – Management, Pg 3, Pg 15; FFIEC IT Examination Handbook – Operations, July 2004, Pg 5, Exam Tier I Obj 3.3; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 5, Exam Tier I Obj 3.1; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 25, Exam Tier II Obj 8.15; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3, Pg 4; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 21; Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule, June 2007, § 240.13a-15(c), § 240.15d-15(c); Securities Exchange Act of 1934, § 78j-1(a); Responsible Care Security Code of Management Practices, American Chemistry Council, Pg 2, Pg 4; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 1-5.e, § 2-3.a(11), § 3-5.b, § 5-1; Protection of Assets Manual, ASIS International, Pg 1-I-A1, Pg 12-II-45, Pg 12-IV-7, Pg 15-IV-28; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.250; The Standard of Good Practice for Information Security, SM2.2.3(d), CB5.4.2, CB5.4.3, CI5.5.2, CI5.5.3, NW4.5.2, NW4.5.3, SD2.3.2; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 15.3.1; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.15.3.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 15.3.1; EU 8th Directive (European SOX), Art 3.1, Art 3.4, Art 4, Art 5, Art 22.1, Art 26.1; OECD Principles of Corporate Governance, 2004, § V.C, § VI.D; Australian Government ICT Security Manual (ACSI 33), § 2.9.6; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 40; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 12, ¶ 45, Principle 1, Principle 8; PCAOB Auditing Standard No. 2, ¶ 13, ¶ 27, ¶ 28; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 6.1.3, ¶ 6.1.4; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ III.5.1.1; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1, § 6.1(WLAN security assessments); Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008, Pg ES-2; BS 25999-1, Business continuity management. Code of practice, 2006, § 9.5.4 ¶ 2, § 9.5.5; BS 25999-2, Business continuity management. Specification, 2007, § 5.1.2; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 7.16.3; PAS 77 IT Service Continuity Management. Code of Practice, 2006, § 5.6 ¶ 2(i); Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5, § 18(1); Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 403(b)(2)(H); Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 43

Sarbanes Oxley Guidance

The organization's management should provide written representations to the auditor acknowledging responsibility for establishing and maintaining effective controls; stating that management has evaluated and assessed the effectiveness of the installed controls; stating that management did not use previous audit procedures as the basis of its assessment; stating a conclusion about the effectiveness of the controls on an "as of" date; stating that all identified deficiencies have been included in the evaluation; describing any fraud involving senior management or other employees; stating if previously identified deficiencies have been corrected and identifying any that have not been corrected; and stating if any changes have occurred since the "as of" date. [¶ 75, PCAOB Auditing Standard No. 5]

The assessment of the effectiveness of the internal controls over financial reporting should be based on a recognized framework developed by a body of experts. The audit should be planned and performed to identify any deficiencies that would indicate material weaknesses. The performance of an audit involves planning the audit, evaluating management's assessment of the internal controls over financial reporting, testing and evaluating the design and operating effectiveness of internal controls over financial reporting, and forming an opinion about the effectiveness of the internal controls. [¶ 13, ¶ 27, ¶ 28, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

The organization should implement risk management processes to appropriately manage risks to systems. [Background, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]

The risk management system should have responsibilities assigned to a function. This function should develop strategies for identifying, assessing, controlling, monitoring, and mitigating risk; design the risk assessment methodology; develop policies and procedures; and design and implement a risk reporting system. The organization should periodically review the risk management process to ensure it is accurate and reasonable. [¶ 663(a), ¶ 745, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

[Exam Tier I Obj 2.1, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier I Obj 2.1, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

[Exam Obj 4.1, FFIEC IT Examination Handbook – Development and Acquisition]

If the organization relies on service providers for wireless systems, effective risk management practices should be in place. [Pg E-3, FFIEC IT Examination Handbook – E-Banking, August 2003]

The auditing process compares current practices against the standards. Management should demonstrate that the standards they adopt are appropriate for the organization. [Pg 89, FFIEC IT Examination Handbook – Information Security]

The organization should identify, measure, monitor, and control risks with an effective risk management program. The risk management program should assess the organization's risk tolerance and how well the controls are functioning. The organization should plan for technology, assess technology risks, implement technology, and measure and monitor the risks associated with the technology. [Pg 3, Pg 15, FFIEC IT Examination Handbook – Management]

The organization should implement a risk management program that identifies, measures, controls, and monitors risk to the organization. [Pg 5, Exam Tier I Obj 3.3, FFIEC IT Examination Handbook – Operations, July 2004]

The organization should establish and maintain a risk management process for all outsourced arrangements. The risk management process should include ensuring effective risk management practices are used by the Board of Directors and senior management; ensuring outsourcing agreements are prudent with regard to risk and consistent with the business objectives; implementing controls for all identified risks; monitoring for changes in risk; and documenting roles, responsibilities, procedures, and reporting mechanisms. [Pg 5, Exam Tier I Obj 3.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The organization should establish risk management systems appropriate for the size and complexity of the organization. The systems should be able to evaluate risk exposure and the effectiveness of current controls. [Pg 25, Exam Tier II Obj 8.15, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

Examiners should focus on the risks associated with technology management, data integrity, information confidentiality, service availability, and financial stability when conducting the IT examination. [Pg 3, Pg 4, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

The organization's risk management policy should include the identification, measurement, mitigation, and management of risks related to the organization's activities. [Pg 21, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The Board of Directors should be responsible for approving and periodically reviewing the risk management framework. The framework should identify, assess, monitor, and control/mitigate risks. [¶ 12, ¶ 45, Principle 1, Principle 8, BIS Sound Practices for the Management and Supervision of Operational Risk]

NASD NYSE Guidance

Management must evaluate the effectiveness of the organization's internal control over financial reporting. The framework used for the evaluation should be based on a suitable and recognizable framework developed by a group that has followed due-process procedures. [§ 240.13a-15(c), § 240.15d-15(c), Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule, June 2007]

Audits of financial statements must include procedures to detect illegal acts that "would have a direct and material effect" on financial statement amounts and procedures to identify related party transactions, as well as an evaluation of the organization to determine if it can continue operating throughout the upcoming fiscal year. [§ 78j-1(a), Securities Exchange Act of 1934]

US Federal Security Guidance

Chemical industry organizations should implement an organization-wide, risk-based security management program. Audits should be conducted to assess the security program, to ensure it is implemented correctly, and to confirm that any corrective actions needed to address identified shortcomings are taken. [Pg 2, Pg 4, Responsible Care Security Code of Management Practices, American Chemistry Council]

A formal risk management program should be used for each system that handles classified or unclassified-sensitive information. The risk management process should determine the most effective controls against deliberate or inadvertent disclosure of information, denial of service, alteration of data, and misuse. The accreditation process should 1) ensure the risk management process has goals and objectives; 2) include a definition of the operational mode; 3) include a risk management review to identify all risks and countermeasures; 4) include the countermeasures needed to be implemented to counter the identified risks; 5) include a certification test to ensure the security features support the security plan; and 6) include a security guide explaining each individual's security responsibilities. [§ 1-5.e, § 2-3.a(11), § 3-5.b, § 5-1, Army Regulation 380-19: Information Systems Security, February 27, 1998]

Authorized Department of Homeland Security officials may inspect and audit the facility for compliance with the requirements. The officials will give the facility 24 hours' notice before an audit or inspection. [§ 27.250, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

Implement audits to identify and manage technology-related risks. [¶ 43, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

US Federal Privacy Guidance

Federal agencies may not enter into a contract with a data broker in order to access any fee-based database that consists primarily of personally identifiable information about United States persons (other than telephone directories or news reports), unless the head of the agency or department adopts regulations that specify methods for the enforcement and independent oversight of existing or planned policies, procedures, or guidelines. [§ 403(b)(2)(H), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]

NIST Guidance

The wireless security policy should include the scope and frequency of WLAN security assessments/audits. The audit should check the security posture of the IEEE 802.11 WLAN and should determine what corrective actions need to be taken to address rogue or misconfigured devices that are identified and to ensure the WLAN remains secure. [§ 6.1(WLAN security assessments), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1]

The organization's risk management practices should include handheld devices. [Pg ES-2, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008]

ISO Guidance

The audit requirements should be agreed on and planned to minimize business disruptions. The following guidelines should be used for auditing: Management should approve audit requirements; checks should only be read-only; needed resources should be identified; all access should be monitored and logged; and the auditor should be independent of the processes being audited. [§ 15.3.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

All auditing of operational systems should be properly planned prior to implementation. This will prevent the potential disruption of the system from the auditing activities. [Annex A.15.3.1, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

The audit requirements should be agreed on and planned to minimize business disruptions. The following guidelines should be used for auditing: Management should approve audit requirements; checks should only be read-only; needed resources should be identified; all access should be monitored and logged; and the auditor should be independent of the processes being audited. [§ 15.3.1, ISO/IEC 27002 Code of practice for information security management, 2005]

Audits are an integral part of a self-assessment and their conduct should be governed by the following: mandatory internal and external audits when significant changes have occurred that affect the outsourced service provider's ability to service the organization; mandatory internal audits when significant changes occur in organizational requirements; mandatory internal audits when significant changes are made as a result of resolving a security incident; external auditors having formal qualifications in the ICT disaster recovery field; and a summary of the latest external audit results being available upon request by organizations. All assessments should have a clearly defined, documented, and approved program and cycle. Assessment results should be kept for at least three years or for the period required by legal and regulatory requirements. [§ 7.16.3, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization should conduct unannounced independent and competent compliance auditing. The system software for the telephone system should be inspected periodically via unannounced audits. The risk manager is responsible for identifying and addressing catastrophic risks to the organization. The organization should have all of its accounts audited, on a regular basis, by a CPA firm or a disinterested employee. [Pg 1-I-A1, Pg 12-II-45, Pg 12-IV-7, Pg 15-IV-28, Protection of Assets Manual, ASIS International]

The security audit/review should assess the business risks and the status of application, network, and system development activities' information security requirements. The information security function should provide support for all security audits. [SM2.2.3(d), CB5.4.2, CB5.4.3, CI5.5.2, CI5.5.3, NW4.5.2, NW4.5.3, SD2.3.2, The Standard of Good Practice for Information Security]

EU Guidance

The audit must be performed by an auditor or audit firm that has been approved by the Member State, is independent, and is in good repute. To gain approval by the Member State, the audit firm must meet the following requirements: the auditors in the firm each must be approved as auditors by the Member State and meet the Member State's requirements; the majority of the voting rights for the organization must be held by the audit firm; and a majority, up to a maximum of 75%, of the management or administrative body of the organization must be an approved audit firm. The Member State may withdraw its approval of audit firms or auditors, if their good repute has been compromised or the audit firm does not meet the requirements. The audit must be in compliance with international auditing standards. [Art 3.1, Art 3.4, Art 4, Art 5, Art 22.1, Art 26.1, EU 8th Directive (European SOX)]

An independent and competent auditor should conduct an annual audit to assure that the financial statements represent the financial position and performance of the organization in a fair and true way. The Board should ensure the integrity of the organization's audit function and a system for risk management is in place. [§ V.C, § VI.D, OECD Principles of Corporate Governance, 2004]

UK and Canadian Guidance

An independent audit should be conducted on the business continuity management's competence and capability to identify actual and potential shortcomings. Audits, either internal or external, should be conducted by competent persons. An audit of the business continuity management program should verify that: all key services and products are identified and included in the strategy; the policy, framework, strategies, and plans reflect the requirements and priorities; the competence and capability are effective and permit the management, command, control, and coordination of an incident; solutions are up-to-date and appropriate to the risk level; maintenance and test programs are effectively implemented; strategies and plans have incorporated the improvements that were identified during tests and incidents; an ongoing training and awareness program has been established; procedures are communicated to appropriate personnel; the staff understand their roles and responsibilities; and change control processes are being used and are effective. [§ 9.5.4 ¶ 2, § 9.5.5, BS 25999-1, Business continuity management. Code of practice, 2006]

The organization must plan, establish, implement, and maintain any audit programs and must take into account the business impact analysis, risk assessment, previous audit results, and control and mitigation measures. [§ 5.1.2, BS 25999-2, Business continuity management. Specification, 2007]

A key strategy for ensuring that the Information Technology Service Continuity (ITSC) strategy and plans remain appropriate as the organization and its environment change is to conduct internal/external audits of the plans. [§ 5.6 ¶ 2(i), PAS 77 IT Service Continuity Management. Code of Practice, 2006]

The Privacy Commissioner may audit personal management practices, upon reasonable notice and at reasonable times, if he/she has reasonable grounds to believe that the organization is violating a provision of Division 1 or is not following the recommendations of Schedule 1. For that purpose the Privacy Commissioner may: summon and enforce the appearance of persons before the Privacy Commissioner and compel them to give written or oral evidence under oath and to produce records and things the Privacy Commissioner believes necessary for the audit, in the same way and to the same extent as would a superior court of record; administer oaths; receive and accept evidence and information, whether under oath, by affidavit, or otherwise, as the Privacy Commissioner sees fit, even if it would not be admissible in court; enter any premises at a reasonable time, other than a residence, that is occupied by the organization to ensure the organization's security requirements relating to the premises have been implemented; talk privately with any person in any entered premises and make any inquiries the Privacy Commissioner sees fit; and examine or obtain copies of or extracts from records found in any entered premises that include matter relevant to the audit. [§ 18(1), Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5]

Other European and African Guidance

The organization should use a combination of the internal audit function and external auditors. The internal audit function and external auditors should coordinate their efforts. [¶ 6.1.3, ¶ 6.1.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

The auditors cannot be given instructions from the Board, the managing director, or the shareholders meeting on how to conduct the audit. [¶ III.5.1.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]

Asia and Pacific Rim Guidance

Audits should be conducted to ensure all security measures identified during security reviews have been implemented and are working correctly. [§ 2.9.6, Australian Government ICT Security Manual (ACSI 33)]

Individual auditors or audit companies are required to conduct audits or reviews in accordance with the applicable auditing standards. [Sched 1 ¶ 40, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.