Board of directors and senior management

Status: Live

The composition of the audit committee will be appropriate considering the organizational type and will comply with all applicable laws and regulations. [UCF ID 00679]

Supporting and supported controls

This control directly supports:

    Clearly define the roles and responsibilities of all involved in the auditing process [UCF Control ID 00678]

This control has the following supporting controls:

Authority documents complied with:

COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 93; PCAOB Auditing Standard No. 5, ¶ 25; The Sarbanes-Oxley Act of 2002, § 56; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Exposure Limits; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Obj 4; FFIEC IT Examination Handbook – Audit, August 2003, Pg 3 thru Pg 5, Exam Tier I Obj 2.4, Exam Tier I Obj 3.1; FFIEC IT Examination Handbook – Management, Pg 10; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Q 3.1; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 5; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 32; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, App A.3; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 22; Securities Exchange Act of 1934, § 78j-1(i)(1), § 78j-1(m)(3); Federal Information Security Management Act of 2002 (FISMA), § 3545(a)(2)(A) thru § 3545(a)(2)(C); CobiT 4.1, PO3.5; Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 4.3.1; EU 8th Directive (European SOX), Art 24, Art 41; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 4.3.1; Financial Reporting Council, Combined Code on Corporate Governance, June 2008, § C.3.1; Smith Guidance on Audit Committees, UK FRC, January 2003, ¶ 2.1; Turnbull Guidance on Internal Control, UK FRC, October 2005, ¶ 33; German Corporate Governance Code ("The Code"), June 6, 2008, ¶ 5.3.2; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ III.5.4, ¶ III.5.6 thru ¶ III.5.8; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 96, Sched 1 ¶ 100; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § II(A), § II(D)(1) thru § II(D)(3); CODE OF CORPORATE GOVERNANCE 2005, ¶ 10.2, ¶ 11.1 thru ¶ 11.4, ¶ 11.6; PCAOB Auditing Standard No. 2, ¶ 56; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 2.1.15, ¶ 2.7.5, ¶ 2.7.9, ¶ 6.1.5, ¶ 6.3.1, ¶ 6.3.2, ¶ 6.3.5; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ I.2.2, ¶ III.1.3.1, ¶ III.3.1.4, ¶ III.3.8.2 thru ¶ III.3.8.4; Archer Control Table, ATCS-004, ATCS-028

Sarbanes Oxley Guidance

Senior management should be directly responsible for all of the organization's activities. The Chief Executive Officer should have ownership responsibility for enterprise risk management. [Pg 93, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]

The auditor should determine if the Board of Directors or the audit committee has oversight responsibility over financial reporting and internal controls. [¶ 25, PCAOB Auditing Standard No. 5]

All auditing and non-auditing services must be pre-approved by the audit committee. One or more members of the audit committee, who are independent directors of the Board of Directors, may be delegated the authority to grant pre-approvals. Each member of the audit committee must be a member of the Board of Directors. [§ 56, The Sarbanes-Oxley Act of 2002]

The Board of Directors should evaluate the performance and effectiveness of the audit committee, and the auditor should assess the audit committee's effectiveness. [¶ 56, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

The Board of Directors or a committee should be responsible for reviewing and approving the organization's risk exposure limits at least annually. For high-risk activities, the exposure limits should be reviewed more frequently. [Exposure Limits, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]

[Obj 4, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

The Board of Directors and senior management should be responsible for ensuring the internal controls of the organization are operating effectively, providing sufficient resources to the internal audit function, and hiring outside auditors, if necessary, to conduct audits. The Board of Directors should meet with the auditors to discuss findings and should be trained about IT risks and controls. [Pg 3 thru Pg 5, Exam Tier I Obj 2.4, Exam Tier I Obj 3.1, FFIEC IT Examination Handbook – Audit, August 2003]

The Board of Directors and senior management should ensure there is cooperation between management and the IT audit function. [Pg 10, FFIEC IT Examination Handbook – Management]

[Exam Tier I Q 3.1, FFIEC IT Examination Handbook – Operations, July 2004]

The Board of Directors and senior management should be aware of the risks associated with outsourcing agreements to ensure there are effective risk management procedures in place. [Pg 5, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The Board of Directors should ensure the audit program tests the internal controls, policies, and procedures of the organization. [Pg 32, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[App A.3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

The Board of Directors should oversee the implementation of policies, risk management strategy, controls, external and internal audits, and management information systems. [Pg 22, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

NASD NYSE Guidance

The audit committee must pre-approve all audit and non-audit services provided to the organization. Each member of the audit committee must be a member of the Board of Directors and should be independent. An individual is independent if he/she does not accept any compensatory fees from the organization and is not affiliated with the organization or any subsidiary. [§ 78j-1(i)(1), § 78j-1(m)(3), Securities Exchange Act of 1934]

US Federal Security Guidance

[§ 3545(a)(2)(A) thru § 3545(a)(2)(C), Federal Information Security Management Act of 2002 (FISMA)]

General Guidance

The organization should establish an IT architecture board to provide architecture guidelines, to advise on their application, and to verify compliance with them. This entity directs IT architecture design, ensuring that it enables the business strategy and takes regulatory compliance and continuity requirements into account. It is related to, and linked with, the information architecture. [PO3.5, CobiT 4.1]

[Ch 4.3.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

EU Guidance

The owners, shareholders, administrative bodies, management bodies, and supervisory bodies must not interfere with the audit in any way that might compromise the independence of the auditor or audit firm. Each public-interest organization is required to have an audit committee. At least 1 member of the committee must be independent and have accounting and/or auditing competence. The audit committee must monitor the financial reporting process; monitor the auditing of the annual accounts; monitor the effectiveness of the internal controls; monitor the internal audit; monitor the risk management systems; monitor and review the independence of the auditor or audit firm; and recommend the appointment of the auditor or audit firm. [Art 24, Art 41, EU 8th Directive (European SOX)]

UK and Canadian Guidance

[§ 4.3.1, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]

The audit committee should consist of at least 3 independent, non-executive directors, 2 if the organization is a smaller company. At least 1 member of the committee should have recent and relevant financial experience. [§ C.3.1, Financial Reporting Council, Combined Code on Corporate Governance, June 2008]

[¶ 2.1, Smith Guidance on Audit Committees, UK FRC, January 2003]

[¶ 33, Turnbull Guidance on Internal Control, UK FRC, October 2005]

Other European and African Guidance

An audit committee must be formed by the supervisory committee. The chairperson of the audit committee must have accounting and internal control experience and specialist knowledge and must not be a former Management Board member. [¶ 5.3.2, German Corporate Governance Code ("The Code"), June 6, 2008]

The audit committee must not be chaired by a former member of the Management Board or the chairperson of the Supervisory Board and must have at least 1 financial expert. The audit committee must supervise the Management Board activities that deal with internal risk management and control systems, the enforcement of legislation and regulations, the code of conduct, the compliance of internal and external auditors' recommendations, the internal audit department, the external auditor relationship, and the information and communication technology. The audit committee must decide when the Chief Executive Officer, Chief Financial Officer, and internal and external auditor should attend the audit committee meetings. [¶ III.5.4, ¶ III.5.6 thru ¶ III.5.8, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]

The organization should have an audit committee. The majority of the audit committee should be independent, non-executive directors who are financially literate. The chair of the audit committee should be an independent, non-executive director and should not be the chair of the Board of Directors. The audit committee should set the requirements for using the external auditor's firm for non-auditing services. The members of the Board of Directors and the chair of the audit committee should attend the annual meeting to answer questions from shareholders. [¶ 2.1.15, ¶ 2.7.5, ¶ 2.7.9, ¶ 6.1.5, ¶ 6.3.1, ¶ 6.3.2, ¶ 6.3.5, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

The Board of Directors must be made up of at least 3 members and a maximum of 9 members. The Board of Directors must appoint a managing director and meet privately with the auditor(s) at least annually. If possible, all members of the Board of Directors must attend the annual meeting. An audit committee must be established by the Board, consist of at least 3 directors, and be independent. The audit committee is responsible for the organization's financial reports; regularly meeting with the auditor(s) to coordinate the external and internal audits; staying informed of the audit scope; developing guidelines on what other services external auditors may provide to the organization; evaluating the auditor's work; and assisting the nomination committee in determining auditor's fees. [¶ I.2.2, ¶ III.1.3.1, ¶ III.3.1.4, ¶ III.3.8.2 thru ¶ III.3.8.4, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]

Asia and Pacific Rim Guidance

The Board of Directors must appoint an auditor for the organization within 1 month of becoming a registered company. When a vacancy occurs that is not caused by the removal of the auditor, the Board of Directors has 1 month to appoint a new auditor. [Sched 1 ¶ 96, Sched 1 ¶ 100, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]

The audit committee must have at least 3 members, 2/3 of which must be independent directors. The audit committee members must be financially literate, and 1 member must have accounting or financial management experience. The audit committee is required to oversee the organization's financial reporting process; recommend the appointment, reappointment, or removal of the auditor; and approve payments for other services provided by the auditor. [§ II(A), § II(D)(1) thru § II(D)(3), Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]

Management should provide an assessment of the organization's performance and prospects to the Board on a monthly basis. The audit committee should be made up of 3 non-executive directors, with a majority of them being independent and at least 2 of the members having financial or accounting experience. The responsibilities of the audit committee include reviewing the results of the audit; ensuring the objectivity and the independence of the external auditors (at least annually); reviewing the internal controls; reviewing the internal audit function's effectiveness; and recommending appointments, reappointments, and removals of external auditors to the Board. [¶ 10.2, ¶ 11.1 thru ¶ 11.4, ¶ 11.6, CODE OF CORPORATE GOVERNANCE 2005]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of information security requirements from applicable laws and regulations that are included in the internal/external audit program and schedule [UCF Control ID 02069]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.