Ensure the audit report is complete and includes the scope and work performed.

UCF ID: 01145
Control Type: Actionable Reports or Measurements
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

PCAOB Auditing Standard No. 3, ¶ 5, ¶ 13; PCAOB Auditing Standard No. 5, ¶ 78 thru ¶ 81, ¶ 85; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.122; SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, § 318.77; FFIEC IT Examination Handbook – Audit, August 2003, Pg 6, Pg 12, Exam Tier I Obj 1.2, Exam Tier I Obj 9.6; FFIEC IT Examination Handbook – Management, Pg 26, Exam Obj 5.4; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 8.7, Exam Tier II Obj 10.10; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 14; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 2.2; Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule, June 2007, § 210.2-02(f); Securities Exchange Act of 1934, § 78j-1(k), § 78q(i)(3)(A)(ii)(III); American Express Data Security Standard (DSS), § 1a; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.255(a)(6); EU 8th Directive (European SOX), Art 22.3, Art 28; German Corporate Governance Code ("The Code"), June 6, 2008, ¶ 7.2.3; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ V.4.1, ¶ V.4.3; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 11, Sched 1 ¶ 41, Sched 1 ¶ 42, Sched 1 ¶ 45, Sched 1 ¶ 95, Sched 2A ¶ 4, Sched 2A ¶ 5, Sched 7 ¶ 1; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § II(D)(9); PCAOB Auditing Standard No. 2, ¶ 21, ¶ 207; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ III.5.1.2; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.14.6.2; Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5, § 19(1); Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 43

Sarbanes Oxley Guidance

The audit documentation should show that the audit complied with the applicable standards, support the auditor's conclusions, and show that the underlying accounting records agree with the financial statements. The auditor should also prepare an engagement completion document that identifies all significant findings and provides any information necessary to understand them, including cross-references to other supporting documentation. [¶ 5, ¶ 13, PCAOB Auditing Standard No. 3]

The auditor must prepare a written report for management and the audit committee identifying all material weaknesses found during the audit; any identified deficiencies that are considered significant deficiencies must also be included in that written report. If the audit committee's oversight of external financial reporting and internal control over financial reporting is deemed ineffective, the auditor must report this conclusion in writing to the Board of Directors. The auditor's report must contain the following: a title that includes the word "independent"; a statement that management is responsible for maintaining effective internal control over financial reporting and for assessing its effectiveness; a statement that the auditor's responsibility is to express an opinion on the organization's internal control over financial reporting based on his/her audit; a definition of internal control over financial reporting; a statement that the audit was conducted in accordance with the applicable standards; a statement that the audit included obtaining an understanding of the controls, assessing risks, and testing and evaluating the design and operating effectiveness of the controls; a paragraph stating that, because of inherent limitations, internal control may not prevent or detect misstatements and that its effectiveness may diminish over time as conditions change or the degree of compliance with policies and procedures deteriorates; the auditor's opinion; the signature of the auditor's firm; the city and state in which the auditor's office is located; and the date of the audit report. [¶ 78 thru ¶ 81, ¶ 85, PCAOB Auditing Standard No. 5]

The auditor should document the audit team meetings on susceptibility of the process to error and/or fraud; the risk assessment procedures; the identified risks and their controls; the audit test results; the responses to correct the assessed risks; and the use of test results from previous audits on the effectiveness of controls. The meeting documentation should include the date of the meeting, what was discussed, who participated, and the decisions reached. [§ 314.122, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

The auditor should document the audit results; the nature of further audit procedures; and the conclusions about the effectiveness of controls obtained from a previous audit. [§ 318.77, SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained]

The auditor should report to management and the audit committee that the audit could not be completed satisfactorily, if he/she concludes that management did not fulfill its responsibilities. The auditor should also report all significant deficiencies and material weaknesses identified during the audit. [¶ 21, ¶ 207, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

Written audit reports should be used to inform the Board of Directors and senior management on the organization's compliance with the policies and procedures. The report should state if the controls are effective, describe any deficiencies, and recommend corrective actions. [Pg 6, Pg 12, Exam Tier I Obj 1.2, Exam Tier I Obj 9.6, FFIEC IT Examination Handbook – Audit, August 2003]

Management should review all internal and external audit results. [Pg 26, Exam Obj 5.4, FFIEC IT Examination Handbook – Management]

[Exam Tier II Obj 8.7, Exam Tier II Obj 10.10, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The final examination report should be completed within 45 days of leaving the service provider's site. The supervisory office has an additional 15 days to review, revise, and approve the report and issue it to the appropriate organizations. [Pg 14, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

[Exam Tier II Obj 2.2, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

NASD NYSE Guidance

Every public accounting firm that prepares or issues an accountant's report accompanying management's assessment of the effectiveness of internal control over financial reporting must clearly state the accountant's opinion on that internal control. The attestation report on internal control over financial reporting must be dated, manually signed, identify the period covered, and indicate that the accountant has audited the effectiveness of the organization's internal control over financial reporting. [§ 210.2-02(f), Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule, June 2007]

The public accounting firm must report to the audit committee, in a timely manner, the accounting policies and procedures it will use, alternative processes that have been discussed with management and the process preferred by the auditor, and other written communications between the auditor and management of the organization. The organization must provide to the Securities and Exchange Commission an independent auditor's report stating the organization's compliance with its internal risk management and internal control objectives. [§ 78j-1(k), § 78q(i)(3)(A)(ii)(III), Securities Exchange Act of 1934]

Payment Card Guidance

The organization must be prepared to provide audit reports to American Express or allow American Express audits. [§ 1a, American Express Data Security Standard (DSS)]

US Federal Security Guidance

Records of each audit of the Site Security Plan and the Security Vulnerability Assessment must include the date of the audit; the name(s) of the individual(s) who conducted the audit; the results of the audit; and a letter certified by the facility stating the date the audit was conducted. Audit records must be kept for at least 3 years. [§ 27.255(a)(6), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

Auditors should consult with bank management during the planning process to ensure that technology-related systems are audited thoroughly and in a cost-effective manner. [¶ 43, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

ISO Guidance

Service providers should ensure that an audit report is produced after each review. The report should include the scope and objectives, the procedures that were used, the findings and results, corrective actions that will be taken, deviations, and the supporting rationale for any future reviews and actions. [§ 6.14.6.2, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

EU Guidance

Auditors and audit firms must document in the audit working papers all threats to their independence and any safeguards used to mitigate the threats. The audit report must be signed by the auditor who performed the audit. [Art 22.3, Art 28, EU 8th Directive (European SOX)]

UK and Canadian Guidance

After the audit, the Privacy Commissioner must provide a report to the audited organization with the findings and any recommendations. [§ 19(1), Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5]

Other European and African Guidance

The auditor must note in the Auditor's Report any facts that show that the Management Board and/or the Supervisory Board have made any misstatements with respect to the Code. [¶ 7.2.3, German Corporate Governance Code ("The Code"), June 6, 2008]

The external auditor is required to attend Supervisory Board meetings at which the annual accounts are discussed, approved, or adopted. The external auditor's report must contain any matters he/she wants the Management Board and Supervisory Board to know about the audit of the annual accounts. [¶ V.4.1, ¶ V.4.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]

The auditor must review the Board's statement on internal controls and issue a special auditor's report in the corporate governance report. [¶ III.5.1.2, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]

Asia and Pacific Rim Guidance

The audit report must be reliable and understandable and must include any statements or disclosures required by the applicable auditing standards. The audit report must be signed by either the director of the audit firm, the lead auditor, or the individual auditor before it is officially submitted to the organization. The auditor is required to include his/her opinion on whether any additional information from the financial report is necessary for a true and fair view of the organization's financial position in the auditor's report. The disclosure document must be written in a clear, concise, and effective manner. [Sched 1 ¶ 11, Sched 1 ¶ 41, Sched 1 ¶ 42, Sched 1 ¶ 45, Sched 1 ¶ 95, Sched 2A ¶ 4, Sched 2A ¶ 5, Sched 7 ¶ 1, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]

The audit committee must review any findings from internal investigations involving suspected fraud and/or failure of internal controls and report these findings to the Board of Directors. [§ II(D)(9), Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.