Review audit report and work papers

Status: Live

The organization will ensure that IS Governance reviews a sample of the IT-related audit reports and work papers for specific audit ratings, completeness, and compliance with board and audit committee-approved standards. [UCF ID 01146]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

PCAOB Auditing Standard No. 3, ¶ 3; SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, § 318.40, § 318.64; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App A § II.B.5; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Pg 6, Pg 31, Obj 1, Obj 2 (Controls); FFIEC IT Examination Handbook – Audit, August 2003, Pg 12, Exam Tier I Obj 9.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 1.6; FFIEC IT Examination Handbook – Management, Exam Obj 8.1; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 3.2; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 22, Exam Tier I Obj 4.5; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier I Obj 1.1; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 17, App A.2; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 32, Exam Tier I Obj 1.1, Exam Tier I Obj 4.2; Securities Exchange Act of 1934, § 78j-1(b)(1); Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 5.13.3; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § II(D)(4), § II(D)(5); BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 29; PCAOB Auditing Standard No. 2, ¶ 128; Archer Control Table, ATCS-005

Sarbanes Oxley Guidance

Working papers should be reviewed by members of the audit team and, where appropriate, by other reviewers. These reviewers could include new members of the audit team, supervisors, other auditors, internal and external review teams, and anyone else designated by the audit committee. Supervisors should review the working papers to determine how the team reached its conclusions. The auditor should review any work previously performed. Internal and external review teams should assess the quality of the audit and its compliance with applicable rules. [¶ 3, PCAOB Auditing Standard No. 3]

If the auditor plans to rely on test results from a prior audit regarding the operating effectiveness of internal controls, the auditor should first determine whether those controls have changed since the last audit. The auditor should not rely on results from previous audits for substantive procedures, because evidence obtained in a prior period provides no evidence about the current audit period. [§ 318.40, § 318.64, SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained]

The auditor should review all internal audit reports from the previous year and should evaluate the deficiencies identified in the reports. [¶ 128, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

The audit reports should document all tests that were performed, the findings of the tests, and any corrective actions that need to be taken. [App A § II.B.5, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

The audit findings should be reported to the Board of Directors and senior management. Senior management should review audit reports related to internal controls and anti-money laundering for all foreign branches and offices. [Pg 6, Pg 31, Obj 1, Obj 2 (Controls), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

The audit program should have documented requirements for work paper documentation and retention. The work papers should be well organized, clearly written, and contain evidence of the tasks performed and the conclusions reached. [Pg 12, Exam Tier I Obj 9.1, FFIEC IT Examination Handbook – Audit, August 2003]

[Obj 1.6, FFIEC IT Examination Handbook – E-Banking, August 2003]

[Exam Obj 8.1, FFIEC IT Examination Handbook – Management]

[Exam Tier I Obj 3.2, FFIEC IT Examination Handbook – Operations, July 2004]

The organization should review the results of internal and external audits to ensure the service provider's internal controls and security controls are implemented effectively. [Pg 22, Exam Tier I Obj 4.5, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The lead examiner should review all work papers to ensure the findings are accurate and well documented. [Pg 17, App A.2, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

Audit procedures should be reviewed to ensure the audit work papers document adherence to the audit procedures. [Pg 32, Exam Tier I Obj 1.1, Exam Tier I Obj 4.2, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The timeliness and accuracy of reporting systems should be regularly verified by management. The reports should be used to improve risk management performance and to develop new policies, procedures, and practices. [¶ 29, BIS Sound Practices for the Management and Supervision of Operational Risk]

NASD NYSE Guidance

If the public accounting firm detects or otherwise becomes aware of information indicating that an illegal act has or may have occurred during an audit, the firm must determine whether it is likely that the illegal act occurred and, if so, determine and consider its possible effect on the financial statements, and inform the appropriate level of management. [§ 78j-1(b)(1), Securities Exchange Act of 1934]

General Guidance

[Ch 5.13.3, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

Asia and Pacific Rim Guidance

The audit committee, with management, must review the annual and quarterly financial statements before submission to the Board of Directors. [§ II(D)(4), § II(D)(5), Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of required internal and external audits completed and reviewed [UCF Control ID 01677]
    Report on the percentage of information security audits conducted in compliance with the approved internal/external audit program and schedule [UCF Control ID 02070]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.