Audits and risk management

Status: Live

The organization will develop, disseminate, and review: 1) a formal standard for audits and risk management that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00677]

Supporting and supported controls

This is a top-level control.

This control has the following supporting controls:

Authority documents complied with:

PCAOB Auditing Standard No. 5, ¶ 75; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Background; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 663(a), ¶ 745; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 2.1, Exam Tier II Obj A.1; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 2.1; FFIEC IT Examination Handbook – Development and Acquisition, Exam Obj 4.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg E-3; FFIEC IT Examination Handbook – Information Security, Pg 89; FFIEC IT Examination Handbook – Management, Pg 3, Pg 15; FFIEC IT Examination Handbook – Operations, July 2004, Pg 5, Exam Tier I Obj 3.3; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 5, Exam Tier I Obj 3.1; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 25, Exam Tier II Obj 8.15; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3, Pg 4; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 21; Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule, June 2007, § 240.13a-15(c), § 240.15d-15(c); Securities Exchange Act of 1934, § 78j-1(a); Responsible Care Security Code of Management Practices, American Chemistry Council, Pg 2, Pg 4; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 1-5.e, § 2-3.a(11), § 3-5.b, § 5-1; Protection of Assets Manual, ASIS International, Pg 1-I-A1, Pg 12-II-45, Pg 12-IV-7, Pg 15-IV-28; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.250; The Standard of Good Practice for Information Security, SM2.2.3(d), CB5.4.2, CB5.4.3, CI5.5.2, CI5.5.3, NW4.5.2, NW4.5.3, SD2.3.2; ISO 17799:2005 Code of Practice for Information Security Management, § 15.3.1; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.15.3.1; ISO/IEC 27002-2005 Code of practice for information security management, § 15.3.1; EU 8th Directive (European SOX), Art 3.1, Art 3.4, Art 4, Art 5, Art 22.1, Art 26.1; OECD Principles of Corporate Governance, 2004, § V.C, § VI.D; Australian Government ICT Security Manual (ACSI 33), § 2.9.6; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 40; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 12, ¶ 45, Principle 1, Principle 8; PCAOB Auditing Standard No. 2, ¶ 13, ¶ 27, ¶ 28; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 6.1.3, ¶ 6.1.4; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ III.5.1.1; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, § 6.1; Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124, October 2008, Pg ES-2; Archer Control Table, ATCS-007, ATCS-013, ATCS-124

Sarbanes Oxley Guidance

The organization's management should provide written representations to the auditor acknowledging responsibility for establishing and maintaining effective controls; stating that management has evaluated and assessed the effectiveness of the installed controls; stating that management did not use previous audit procedures as the basis of its assessment; stating a conclusion about the effectiveness of the controls on an "as of" date; stating that all identified deficiencies have been included in the evaluation; describing any fraud involving senior management or other employees; stating if previously identified deficiencies have been corrected and identifying any that have not been corrected; and stating if any changes have occurred since the "as of" date. [¶ 75, PCAOB Auditing Standard No. 5]

The assessment of the effectiveness of the internal controls over financial reporting should be based on a recognized framework developed by a body of experts. The audit should be planned and performed to identify any deficiencies that would indicate material weaknesses. The performance of an audit involves planning the audit, evaluating management's assessment of the internal controls over financial reporting, testing and evaluating the design and operating effectiveness of internal controls over financial reporting, and forming an opinion about the effectiveness of the internal controls. [¶ 13, ¶ 27, ¶ 28, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

The organization should implement risk management processes to appropriately manage risks to systems. [Background, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]

The risk management system should have responsibilities assigned to a function. This function should develop strategies for identifying, assessing, controlling, monitoring, and mitigating risk; design the risk assessment methodology; develop policies and procedures; and design and implement a risk reporting system. The organization should periodically review the risk management process to ensure it is accurate and reasonable. [¶ 663(a), ¶ 745, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

[Exam Tier I Obj 2.1, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier I Obj 2.1, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

[Exam Obj 4.1, FFIEC IT Examination Handbook – Development and Acquisition]

If the organization relies on service providers for wireless systems, effective risk management practices should be in place. [Pg E-3, FFIEC IT Examination Handbook – E-Banking, August 2003]

The auditing process compares current practices against the standards. Management should demonstrate that the standards they adopt are appropriate for the organization. [Pg 89, FFIEC IT Examination Handbook – Information Security]

The organization should identify, measure, monitor, and control risks with an effective risk management program. The risk management program should assess the organization's risk tolerance and how well the controls are functioning. The organization should plan for technology, assess technology risks, implement technology, and measure and monitor the risks associated with the technology. [Pg 3, Pg 15, FFIEC IT Examination Handbook – Management]

The organization should implement a risk management program that identifies, measures, controls, and monitors risk to the organization. [Pg 5, Exam Tier I Obj 3.3, FFIEC IT Examination Handbook – Operations, July 2004]

The organization should establish and maintain a risk management process for all outsourced arrangements. The risk management process should include ensuring effective risk management practices are used by the Board of Directors and senior management; ensuring outsourcing agreements are prudent with regard to risk and consistent with the business objectives; implementing controls for all identified risks; monitoring for changes in risk; and documenting roles, responsibilities, procedures, and reporting mechanisms. [Pg 5, Exam Tier I Obj 3.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The organization should establish risk management systems appropriate for the size and complexity of the organization. The systems should be able to evaluate risk exposure and the effectiveness of current controls. [Pg 25, Exam Tier II Obj 8.15, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

Examiners should focus on the risks associated with technology management, data integrity, information confidentiality, service availability, and financial stability when conducting the IT examination. [Pg 3, Pg 4, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

The organization's risk management policy should include the identification, measurement, mitigation, and management of risks related to the organization's activities. [Pg 21, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The Board of Directors should be responsible for approving and periodically reviewing the risk management framework. The framework should identify, assess, monitor, and control/mitigate risks. [¶ 12, ¶ 45, Principle 1, Principle 8, BIS Sound Practices for the Management and Supervision of Operational Risk]

NASD NYSE Guidance

Management must evaluate the effectiveness of the organization's internal control over financial reporting. The framework used for the evaluation should be based on a suitable and recognizable framework developed by a group that has followed due-process procedures. [§ 240.13a-15(c), § 240.15d-15(c), Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule, June 2007]

Audits of financial statements must include procedures to detect illegal acts that "would have a direct and material effect" on financial statement amounts and procedures to identify related party transactions, as well as an evaluation of the organization to determine if it can continue operating throughout the upcoming fiscal year. [§ 78j-1(a), Securities Exchange Act of 1934]

US Federal Security Guidance

Chemical industry organizations should implement an organization-wide, risk-based security management program. Audits should be conducted to assess the security program, to ensure it is implemented correctly and that any corrective actions needed are taken to correct the situation(s). [Pg 2, Pg 4, Responsible Care Security Code of Management Practices, American Chemistry Council]

A formal risk management program should be used for each system that handles classified or unclassified-sensitive information. The risk management process should determine the most effective controls against deliberate or inadvertent disclosure of information, denial of service, alteration of data, and misuse. The accreditation process should 1) ensure the risk management process has goals and objectives; 2) include a definition of the operational mode; 3) include a risk management review to identify all risks and countermeasures; 4) include the countermeasures that need to be implemented to counter the identified risks; 5) include a certification test to ensure the security features support the security plan; and 6) include a security guide explaining each individual's security responsibilities. [§ 1-5.e, § 2-3.a(11), § 3-5.b, § 5-1, Army Regulation 380-19: Information Systems Security, February 27, 1998]

The organization should conduct unannounced independent and competent compliance auditing. The system software for the telephone system should be inspected periodically via unannounced audits. The risk manager is responsible for identifying and addressing catastrophic risks to the organization. The organization should have all of its accounts audited, on a regular basis, by a CPA firm or a disinterested employee. [Pg 1-I-A1, Pg 12-II-45, Pg 12-IV-7, Pg 15-IV-28, Protection of Assets Manual, ASIS International]

Authorized Department of Homeland Security officials may inspect and audit the facility for compliance with the requirements. The officials will give the facility 24 hours' notice before an audit or inspection. [§ 27.250, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

NIST Guidance

The wireless security policy should include the scope and frequency of WLAN security assessments/audits. The audit should check the security posture of the IEEE 802.11 WLAN and should determine what corrective actions need to be taken to ensure the WLAN remains secure. [§ 6.1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1]

The organization's risk management practices should include handheld devices. [Pg ES-2, Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124, October 2008]

ISO Guidance

The audit requirements should be agreed on and planned to minimize business disruptions. The following guidelines should be used for auditing: Management should approve audit requirements; checks should only be read-only; needed resources should be identified; all access should be monitored and logged; and the auditor should be independent of the processes being audited. [§ 15.3.1, ISO 17799:2005 Code of Practice for Information Security Management]

All auditing of operational systems should be properly planned prior to implementation. This will prevent the potential disruption of the system from the auditing activities. [Annex A.15.3.1, ISO 27001:2005, Information Security Management Systems - Requirements]

The audit requirements should be agreed on and planned to minimize business disruptions. The following guidelines should be used for auditing: Management should approve audit requirements; checks should only be read-only; needed resources should be identified; all access should be monitored and logged; and the auditor should be independent of the processes being audited. [§ 15.3.1, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

The security audit/review should assess the business risks and the status of application, network, and system development activities' information security requirements. The information security function should provide support for all security audits. [SM2.2.3(d), CB5.4.2, CB5.4.3, CI5.5.2, CI5.5.3, NW4.5.2, NW4.5.3, SD2.3.2, The Standard of Good Practice for Information Security]

EU Guidance

The audit must be performed by an auditor or audit firm that has been approved by the Member State, is independent, and is in good repute. To gain approval by the Member State, the audit firm must meet the following requirements: the auditors in the firm each must be approved as auditors by the Member State and meet the Member State's requirements; the majority of the voting rights for the organization must be held by the audit firm; and a majority, up to a maximum of 75%, of the management or administrative body of the organization must be an approved audit firm. The Member State may withdraw its approval of audit firms or auditors, if their good repute has been compromised or the audit firm does not meet the requirements. The audit must be in compliance with international auditing standards. [Art 3.1, Art 3.4, Art 4, Art 5, Art 22.1, Art 26.1, EU 8th Directive (European SOX)]

An independent and competent auditor should conduct an annual audit to assure that the financial statements represent the financial position and performance of the organization in a fair and true way. The Board should ensure the integrity of the organization's audit function and a system for risk management is in place. [§ V.C, § VI.D, OECD Principles of Corporate Governance, 2004]

Other European and African Guidance

The organization should use a combination of the internal audit function and external auditors. The internal audit function and external auditors should coordinate their efforts. [¶ 6.1.3, ¶ 6.1.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

The auditors cannot be given instructions from the Board, the managing director, or the shareholders meeting on how to conduct the audit. [¶ III.5.1.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]

Asia and Pacific Rim Guidance

Audits should be conducted to ensure all security measures identified during security reviews have been implemented and are working correctly. [§ 2.9.6, Australian Government ICT Security Manual (ACSI 33)]

Individual auditors or audit companies are required to conduct audits or reviews in accordance with the applicable auditing standards. [Sched 1 ¶ 40, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.