Clearly define the roles and responsibilities of all involved in the auditing process

Status: Live

The organization will ensure that all roles and responsibilities for audit and risk management are properly assigned. [UCF ID 00678]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

PCAOB Auditing Standard No. 5, ¶ 18; The Sarbanes-Oxley Act of 2002, § 201(g); AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, ¶ 2; FFIEC IT Examination Handbook – Audit, August 2003, Pg 9; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 10, Pg 15 thru Pg 17; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 20; Securities Exchange Act of 1934, § 78j-1(i)(3); Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308; Federal Information Security Management Act of 2002 (FISMA), § 3544(a)(2)(D); GAO/PCIE Financial Audit Manual (FAM), § 100.26; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 5.3 Process; The Standard of Good Practice for Information Security, SM3.2.2(f), CB5.3.2, CI5.4.3, NW4.4.3; EU 8th Directive (European SOX), Art 3.2, Art 6, Art 11, Art 14, Art 44; Financial Reporting Council, Combined Code on Corporate Governance, June 2008, § C.3.2, § C.3.4 thru § C.3.6; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 14, Sched 1 ¶ 95; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § V; PCAOB Auditing Standard No. 2, ¶ 20; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ I.2.2, ¶ III.1.3.1

Sarbanes Oxley Guidance

The auditor should evaluate the objectivity and competence of any individual who performed any previous audit that the current auditor is going to use as a basis for his/her audit. The higher the level of competence and objectivity, the more of the work the auditor may use. [¶ 18, PCAOB Auditing Standard No. 5]

A public accounting firm that audits the organization cannot also provide it with non-audit services, because doing so would compromise the firm's independence. These non-audit services include bookkeeping, financial information systems design, actuarial services, internal audit outsourcing services, appraisal services, and/or legal services. The audit committee is responsible for the appointment, compensation, and oversight of the public accounting firm. [§ 201(g), The Sarbanes-Oxley Act of 2002]

[¶ 2, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]

Management should accept responsibility for and evaluate the effectiveness of internal controls over financial reporting, provide sufficient documentation to support its evaluation, and produce a written assessment of the effectiveness of the internal controls over financial reporting in order for an auditor to satisfactorily complete an audit. [¶ 20, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

Auditing personnel should have the appropriate information systems knowledge to be able to determine and report the root cause of any deficiencies. [Pg 9, FFIEC IT Examination Handbook – Audit, August 2003]

The examiner-in-charge (EIC) is responsible for the IT examination. His/her responsibilities include developing the scope of and strategy for the examination; coordinating all activities with the appropriate organizations; scheduling the examinations; coordinating onsite visits; supervising the examination team; reviewing findings and recommendations; and writing the final report. The agency-in-charge (AIC) should assist the examiners by coordinating reviews between organizations; ensuring examinations are conducted on service providers in accordance with appropriate policy; ensuring appropriate staffing of the examination team; enforcing compliance by service providers; and reviewing and distributing the final report. [Pg 10, Pg 15 thru Pg 17, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

Management should designate specific personnel to monitor the operations, system administration, applications support, and security administrators' actions that are associated with the funds transfer system. [Pg 20, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

NASD NYSE Guidance

The audit committee may delegate to one or more of its members who are independent members of the Board of Directors the authority to grant pre-approvals of audit and non-audit services. [§ 78j-1(i)(3), Securities Exchange Act of 1934]

Healthcare and Life Science Guidance

It is management's responsibility to establish an audit function for IT. [§ 164.308, Health Insurance Portability and Accountability Act of 1996 (HIPAA)]

US Federal Security Guidance

The organization must perform “periodic testing and evaluating of information security controls and techniques to ensure that they are effectively implemented.” In addition, each year an “independent evaluation of the information security program” must be performed to determine the program's effectiveness. This will include: “testing the effectiveness of information security procedures, policies, and practices”; a compliance assessment; and an evaluation of information security relating to national security systems. This testing will be performed by an independent auditor. [§ 3544(a)(2)(D), Federal Information Security Management Act of 2002 (FISMA)]

The FAM provides detail on the roles and responsibilities of every person involved in the audit function:
• The assistant director is the top person responsible for the day-to-day conduct of the audit.
• The audit director is the senior manager responsible for the technical quality of the financial statement audit.
• The reviewer is the senior manager responsible for the quality of the auditors' reports.
• The statistician is the person the auditor consults for technical expertise in areas such as audit sampling, audit sample evaluation, and selecting entity field locations to visit.
• The data extraction specialist is the person with technical expertise in extracting data from agency records.
• The technical accounting and auditing expert advises on accounting and auditing professional matters and related national issues, and reviews reports on financial statements and reports that contain opinions on financial information.
• The office of general counsel assists the auditor in (1) identifying provisions in laws and regulations to test, (2) identifying budget restrictions, and (3) identifying and resolving legal issues encountered.
• The special investigator unit investigates specific allegations involving conflict-of-interest and ethics matters, contract procurement irregularities, official misconduct and abuse, and fraud in federal programs or activities.
• Finally, the internal auditor is ultimately responsible for assessing inherent and control risk; assessing the effectiveness of IS controls requires a person with IS audit technical skills.
[§ 100.26, GAO/PCIE Financial Audit Manual (FAM)]

General Guidance

It is recommended that an organization define role accountabilities, responsibilities, and authority. [Stage 5.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

System and data owners should be involved in all security audits/reviews of their data or systems. The risk analysis should involve the application owner, network owner, or installation owner and IT specialist, user representatives, risk analysis specialist, and information security specialist. [SM3.2.2(f), CB5.3.2, CI5.4.3, NW4.4.3, The Standard of Good Practice for Information Security]

EU Guidance

Each Member State must designate one or more competent authorities who are responsible for approving auditors and audit firms. The competent authority must establish procedures for approving auditors who have already been approved by another Member State. The competent authority may be a professional association, if it is subject to public oversight. To qualify as a Member State auditor, an auditor must have completed a course of instruction at a university, have had practical training, and have passed a professional competence examination. If an auditor has not met the above requirements, he/she may be approved if he/she has been in the business for 15 years and has passed the professional competence exam, or has been in the business for 7 years, undergone practical training, and passed the professional competence exam. Member States may approve third-country auditors (those from countries that are not members of the European Union) if they provide proof that they meet the requirements of the 8th Company Law Directive. [Art 3.2, Art 6, Art 11, Art 14, Art 44, EU 8th Directive (European SOX)]

UK and Canadian Guidance

The audit committee's responsibilities should be in writing and include monitoring financial statement integrity; reviewing significant financial findings; reviewing the internal controls and risk management systems; monitoring and reviewing the internal audit function; making recommendations to the Board about the hiring, rehiring, firing, and remuneration of external auditors; reviewing and monitoring external auditors' independence; reviewing the effectiveness of the audit process; developing and implementing policy for non-audit services by external auditors; identifying matters that require action and making recommendations for the steps to be taken; monitoring and reviewing the internal audit activities' effectiveness; and reviewing the procedures the staff uses to report financial improprieties and other matters. [§ C.3.2, § C.3.4 thru § C.3.6, Financial Reporting Council, Combined Code on Corporate Governance, June 2008]

Other European and African Guidance

The organization must have at least one auditor. The auditor's responsibility is to examine the organization's accounting practices and to review the way the managing director and Board of Directors are managing the organization. At least one auditor must attend the annual meeting to answer questions from the shareholders. [¶ I.2.2, ¶ III.1.3.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]

Asia and Pacific Rim Guidance

The Financial Reporting Council is required to provide oversight of the auditing standards; monitor auditor independence; appoint members to the audit and accounting board; approve and monitor the audit and accounting board's budget, business plan, and staffing level; give feedback to the audit and accounting board on its policies and procedures; monitor and assess the adequacy of the systems and processes used for quality assurance reviews of audits and for disciplinary actions; monitor and assess the responses and actions taken to correct any findings of the quality assurance reviews; monitor compliance with regulations; and promote and monitor the adequacy of business and professional ethics training. The lead auditor must be a registered auditor and is responsible for the conduct of the audit. The review auditor must be a registered auditor and is responsible for reviewing the conduct of the audit. [Sched 1 ¶ 14, Sched 1 ¶ 95, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]

The CEO and CFO must accept responsibility for establishing and maintaining internal controls and must evaluate the effectiveness of internal control systems. [§ V, Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]

Metrics

The metrics associated with this control are as follows:


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.