Status: Live
The organization will review past audit reports and BIAs for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT. [UCF ID 01148]
Supporting and supported controls
This control directly supports:
- Conducting a Business Impact Analysis [UCF Control ID 01147]
There are no supporting controls.
Authority documents complied with:
SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.11; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Obj 1; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 1.1; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 1.1; FFIEC IT Examination Handbook – Development and Acquisition, Exam Obj 1.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 1.1; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 1.1, Exam Tier II Obj L.2; FFIEC IT Examination Handbook – Management, Exam Obj 1.1; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.1; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Exam Tier I Obj 1.1; CobiT 4.1, PO1.3; The Standard of Good Practice for Information Security, SM3.4.5(d), CB5.3.4(d), CI5.4.5(d), NW4.4.5(d), SD3.5.5(d); Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 5.5.3; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.3(b); OMB Circular A-123 Management’s Responsibility for Internal Control, § II.B
Sarbanes Oxley Guidance
When the auditor uses past audit reports to gain information about the organization and its environment, he/she should determine if any changes have been made that could affect the previous conditions. [§ 314.11, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
Risks previously identified by auditors and management reviews should be reviewed when identifying current risks. [§ II.B, OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
[Obj 1, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Audit, August 2003]
[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
[Exam Obj 1.1, FFIEC IT Examination Handbook – Development and Acquisition]
[Obj 1.1, FFIEC IT Examination Handbook – E-Banking, August 2003]
[Exam Tier I Obj 1.1, Exam Tier II Obj L.2, FFIEC IT Examination Handbook – Information Security]
[Exam Obj 1.1, FFIEC IT Examination Handbook – Management]
[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Operations, July 2004]
[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
ISO Guidance
The organization should regularly review the results of security audits to ensure their effectiveness. [§ 4.2.3(b), ISO 27001:2005, Information Security Management Systems - Requirements]
General Guidance
The organization is called upon to assess the performance of its existing plans and information systems. To do so, it can review past audit reports as a reliable source of historical information. [PO1.3, CobiT 4.1]
Previous risk analyses should be reviewed when performing a risk analysis. [SM3.4.5(d), CB5.3.4(d), CI5.4.5(d), NW4.4.5(d), SD3.5.5(d), The Standard of Good Practice for Information Security]
[Ch 5.5.3, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
