Review past responses to audit reports

Status: Live

The organization will review management's response to issues raised since the last examination, considering the adequacy and timing of corrective action, resolution of root causes, and outstanding issues. [UCF ID 01149]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Ensure IS Governance initiates prompt action to correct reported deficiencies [UCF Control ID 01177]

Authority documents complied with:

Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Obj 1 (Controls); FFIEC IT Examination Handbook – Audit, August 2003, Pg 6, Pg 8, Pg 12, Exam Tier I Obj 1.3, Exam Tier I Obj 6.2; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 1.2; FFIEC IT Examination Handbook – Development and Acquisition, Exam Obj 1.2; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 1.6; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 1.2; FFIEC IT Examination Handbook – Management, Exam Obj 1.2; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.2; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Exam Tier I Obj 1.2; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier I Obj 1.4; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 32, Exam Tier I Obj 1.4, Exam Tier II Obj 2.3; Federal Information System Controls Audit Manual (FISCAM), February 2009, SP-1, SP-5.2; CobiT 4.1, ME3.2; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § II(D)(8); Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 22; PCAOB Auditing Standard No. 2, ¶ 140; Archer Control Table, ATCS-020

Sarbanes Oxley Guidance

All of the organization's deficiencies should be corrected if it is cost-beneficial to do so. A plan should be developed to correct these deficiencies in a timely manner and to track the status of the deficiencies. [Pg 22, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Any significant deficiency that remains uncorrected for a prolonged period after it has been communicated to management and the audit committee should be re-identified as a significant deficiency, placed on the radar for corrective action, and, in the meantime, treated as a strong indicator that a material weakness exists. [¶ 140, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

[Obj 1 (Controls), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

The auditors should conduct follow-up audits to verify the effectiveness of the corrective actions that have been taken. The internal auditors should periodically discuss their findings and recommendations with the Board of Directors or audit committee. [Pg 6, Pg 8, Pg 12, Exam Tier I Obj 1.3, Exam Tier I Obj 6.2, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier I Obj 1.2, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

[Exam Obj 1.2, FFIEC IT Examination Handbook – Development and Acquisition]

[Obj 1.6, FFIEC IT Examination Handbook – E-Banking, August 2003]

[Exam Tier I Obj 1.2, FFIEC IT Examination Handbook – Information Security]

[Exam Obj 1.2, FFIEC IT Examination Handbook – Management]

[Exam Tier I Obj 1.2, FFIEC IT Examination Handbook – Operations, July 2004]

[Exam Tier I Obj 1.2, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

[Exam Tier I Obj 1.4, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The effectiveness of audit procedures should be reviewed to ensure management has taken action to correct any deficiencies. [Pg 32, Exam Tier I Obj 1.4, Exam Tier II Obj 2.3, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

US Federal Security Guidance

[SP-1, SP-5.2, Federal Information System Controls Audit Manual (FISCAM), February 2009]

General Guidance

The organization is called upon to review and optimize IT policies, standards and procedures to ensure that legal and regulatory requirements are covered efficiently. [ME3.2, CobiT 4.1]

Asia and Pacific Rim Guidance

The audit committee must discuss with the internal auditors any significant findings and follow up on the correction process. [§ II(D)(8), Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of audit findings that have been resolved [UCF Control ID 01678]
    Report on the percentage of management actions in response to audit findings/recommendations that were implemented as agreed as to timeliness and completeness [UCF Control ID 02071]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.