Assess the quality of the audit program with regard to the staff and their qualifications.

CONTROL ID: 01150
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Evaluate the competency of auditors., CC ID: 15253
  • Review the audit program scope as it relates to the organization's profile., CC ID: 01159


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • independent assessment is performed by trusted assessors with the necessary expertise in the underlying financial services and/or electronic delivery channel, and who are independent from the parties that design, implement or operate the e-banking service. Moreover, the assessors should be able to r… (§ 3.3.1(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The audit committee must review the performance of the internal auditors and the adequacy of the internal audit function, including structure, staffing, and frequency of audits. (§ II(D)(6), § II(D)(7), Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • The audit committee should ensure, at least annually, that the audit function is adequate. (¶ 13.4, CODE OF CORPORATE GOVERNANCE 2005)
  • The auditor or auditing team must not have conflicts of interest when performing an audit. A conflict of interest exists if the auditor or audit team is not capable of impartial and objective judgment and/or a relationship exists between the auditor or audit team and the organization being audited. (Sched 1 ¶ 95, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • Competent authorities should consider whether the Internal Audit Function is effective with regards to auditing the applicable ICT risk control framework, by reviewing whether: (Title 3 3.3.3 51., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • All auditors and audit firms are subject to a quality assurance program. The quality assurance program must be independent of the auditors and audit firms; be subject to public oversight; have funding that is free from undue influence; be accomplished by persons with appropriate education and traini… (Art 29, Art 43, Art 45.3, EU 8th Directive (European SOX))
  • The nomination committee must evaluate the audit work of each nominated auditor before selecting an auditor. (¶ III.2.5.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • verify that whoever is performing the audit has appropriate expertise, qualifications, and skills; and (§ 8.11 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • The auditing or certifying party and the person at the firm responsible for reviewing the certificate or report should have appropriate expertise, qualifications, and skills. (Table 8 Column 2 Row 3 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The selection of auditors and how audits are conducted must ensure objectivity and impartiality in the auditing process. (§ 5.1.4, BS 25999-2, Business continuity management. Specification, 2007)
  • For most organizations, a reasonable target for defining audit subjects is two to three technical auditors for a three- to four-week duration. This will be enough to provide different auditor perspectives and experiences. IT audit plan priorities should be periodically reassessed and reported to the… (§ 4.7 ¶ 4, § 6.8, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The status and importance of the areas and processes being audited must be considered when planning an audit. Selecting auditors and conducting the audits must be objective and impartial and the auditors must not audit their own work. (§ 4.5.5 ¶ 2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • evaluating auditors; (§ 5.4.1 ¶ 1(d) Bullet 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme should have the necessary competence to manage the programme and its associated risks and opportunities and external and internal issues effectively and efficiently, including knowledge of: (§ 5.4.2 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • ensure the audit teams have the necessary competence (see 5.5.4); (§ 5.5.1 ¶ 2(e), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • audit principles (see Clause 4), methods and processes (see A.1 and A.2); (§ 5.4.2 ¶ 1(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • management system standards, other relevant standards and reference/guidance documents (§ 5.4.2 ¶ 1(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • identification of the competence needed to achieve the objectives of the audit; (§ 5.5.4 ¶ 3 Bullet 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the performance of the audit team members including the audit team leader and the technical experts; (§ 5.6 ¶ 1(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the ability of the audit teams to implement the audit plan; (§ 5.6 ¶ 1(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • review of the continual professional development of auditors, in accordance with (§ 5.7 ¶ 2 Bullet 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in performing audits, including auditors and audit team leaders. Competence should be evaluated regularly through a process that considers personal behaviour and … (§ 7.1 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The evaluation of auditor competence should be planned, implemented and documented to provide an outcome that is objective, consistent, fair and reliable. The evaluation process should include four main steps, as follows: (§ 7.1 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • establish the evaluation criteria; (§ 7.1 ¶ 2(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • ongoing performance evaluation of auditors. (§ 7.1 ¶ 3 Bullet 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme should establish suitable mechanisms for the continual evaluation of the performance of the auditors and audit team leaders. (§ 7.6 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; (§ 6.4.3.3 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that assurance providers have the necessary competency and capacity and that their efforts are appropriately focused; (§ 6.4.3.3 ¶ 1 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • carefully scrutinize the ability of any external assurance providers, to provide independent assurance (see NOTE 1); (§ 6.4.3.3 ¶ 1 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. (§ 6.4.3.3 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • identify competence requirements for its auditors; (§ 9.2 Guidance ¶ 7(e), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Verify the service auditor obtained an understanding of the internal audit function's responsibilities and activities to determine if they are likely to be relevant to the engagement. (Ques. AT221, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the service auditor used adequate procedures when using the work of the internal audit function. (Ques. AT222, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify all engagement personnel have an appropriate mix of expertise or experience and technical training. (Ques. AT409, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify that the practitioner in charge of the engagement possesses the skills, knowledge, and competencies to fulfill their responsibilities. (Ques. AT411, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the practitioner in charge of the engagement has an understanding of the performance, supervision, and reporting aspects of the engagement. (Ques. AT411 Item 2, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the practitioner in charge of the engagement has an understanding of the skills indicating a sound professional judgment. (Ques. AT411 Item 5, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the internal personnel and external personnel that are consulted and the personnel conducting the research have an appropriate level of competence, judgment, knowledge, and authority. (Ques. AT419 Item 3, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The service auditor should determine if the work of the internal audit function is likely to be adequate for the engagement by evaluating the technical competence and objectivity of the internal audit function team members, if the service auditor intends to use their work or internal audit personnel… (¶ 2.21.a, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should determine if the work of the internal audit function is likely to be adequate for the engagement by evaluating the likelihood that effective communication will occur between the internal audit function and the service auditor, if the service auditor intends to use their wo… (¶ 2.21.c, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should evaluate and perform procedures on the work of the internal audit function to determine whether it was performed by personnel who have adequate technical training and proficiency, to determine if it is adequate for the service auditor's purposes. (¶ 3.79.a, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Obtain an understanding of the other practitioner's professional competence. (The service auditor may make inquiries about the other practitioner to the other practitioner's professional organization or to other practitioners, inquire about whether the other practitioner is subject to regulatory ove… (¶ 2.156(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtain an understanding of the influences and pressures on management and other appropriate parties within the entity. (¶ 2.92(f), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor may also discuss with the service auditor's specialist any safeguards applicable to the specialist and evaluate whether the safeguards are adequate to reduce known threats to independence to an acceptable level. There may be some circumstances in which safeguards cannot reduce su… (¶ 2.163, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether the service auditor's specialist is subject to the service auditor's firm's quality control policies and procedures, such as involvement in the firm's recruitment and training programs (¶ 2.165(e), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • is satisfied that those persons who are performing the engagement collectively have the appropriate competence and capabilities. (See paragraph 2.41.) (¶ 2.32(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal audit function as a whole or, for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors… (¶ 2.139(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtain an understanding of the specialist's field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialist's work and to evaluate the adequacy of that work. (¶ 2.160(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2® examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field o… (¶ 3.178, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The level of competence of the internal audit function or the individual internal auditors providing direct assistance (¶ 2.139(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • reevaluate the integrity of those from whom the representations were requested or received and evaluate the effect that this may have on the reliability of representations and evidence in general, and (¶ 3.210 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • consider whether those making the representations can be expected to be well informed on the particular matters. (¶ 3.205(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor should determine the appropriate person or persons within the service organization's management or governance structure with whom to interact, including considering which person or persons have the appropriate responsibilities for and knowledge of the matters concerned. In additi… (¶ 3.198, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • has no reason to believe that relevant ethical requirements, including independence, will not be satisfied. (¶ 2.32(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • By communicating with the service auditor's specialist about these matters early in the engagement, the service auditor will be in a better position to plan the scope and timing of the specialist's work on the engagement. In addition, he or she will be better able to plan the nature, timing, and ext… (¶ 2.161, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether the internal audit function is free of any conflicting responsibilities (for example, having managerial or operational duties or responsibilities that are outside of the internal audit function) (¶ 2.141(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When obtaining an understanding of the internal audit function's responsibilities and activities, the service auditor makes inquiries of internal audit personnel and reads information about the internal audit function stated in the description. Ordinarily, the service auditor also requests and reads… (¶ 2.136, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating competence, the service auditor should consider the attainment and maintenance of knowledge and skills of the internal audit function at the level required to enable assigned tasks to be performed diligently and with the appropriate level of quality, particularly as it relates to the… (¶ 2.140, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The adequacy of resources relative to the size of the entity (¶ 2.140(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Based on an evaluation of the preceding factors, it is up to the service auditor to determine whether the risks to the quality of the work of the internal audit function or the individual, when using direct assistance, are too significant and whether it is appropriate to use any of the work of the f… (¶ 2.144, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether the parties understand the nature and subject matter of the engagement and have experience in using the information in such reports (¶ 1.53 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Prior to accepting a SOC 2® examination, AT-C section 105, Concepts Common to All Attestation Engagements, requires the service auditor to determine that certain preconditions are met. Among other things, those preconditions require the service auditor to determine whether the engagement team meets… (¶ 2.01, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Technical training and proficiency of individuals (¶ 2.140(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted b… (¶ 2.132, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Evaluate the specialist's competence, capabilities, and objectivity. (¶ 2.160(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether the organizational status of the internal audit function, including the function's authority and accountability, supports the ability of the function to be free from bias, conflict of interest, or undue influence of others (for example, whether the internal audit function reports to those ch… (¶ 2.141(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor may determine, however, that the examination can be performed more effectively or efficiently by using the work of the internal audit function or obtaining direct assistance from internal audit function personnel. The phrase "using the work of the internal audit function" usually… (¶ 2.138, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether internal auditors are members of relevant professional bodies or have certifications that oblige them to comply with the relevant professional standards, including continuing professional education requirements (¶ 2.140(e), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .35 of AT-C section 105 states that the engagement partner should take responsibility for the overall quality of the attestation engagement, including matters such as client acceptance and continuance, compliance with professional standards, and maintenance of appropriate documentation, am… (¶ 1.98, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • has no reason to believe that relevant ethical requirements, including independence, will not be satisfied. (¶ 2.38 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Obtain an understanding of the influences and pressures on service organization management and other appropriate parties within the entity. (¶ 2.97 f., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Assess the effect on the engagement of using the work of an internal audit function or obtaining direct assistance from internal audit function personnel. (¶ 2.97 j., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • is satisfied that those persons who are performing the engagement collectively have the appropriate competence and capabilities. (See paragraph 2.46.) (¶ 2.38 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Based on the requirements in paragraph .27 of AT-C section 205, when obtaining an understanding of the internal audit function's responsibilities and activities, the service auditor should make inquiries of internal audit personnel and read information about the internal audit function stated in the… (¶ 2.152, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The level of competence of the internal audit function or the individual internal auditors providing direct assistance (¶ 2.155 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When evaluating competence, the service auditor would generally consider the attainment and maintenance of knowledge and skills of the internal audit function at the level required to enable assigned tasks to be performed diligently and with the appropriate level of quality, particularly as it relat… (¶ 2.156, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Technical training and proficiency of individuals (¶ 2.156 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Whether internal auditors are members of relevant professional bodies or have certifications that oblige them to comply with the relevant professional standards, including continuing professional education requirements (¶ 2.156 e., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Whether the organizational status of the internal audit function, including the function's authority and accountability, supports the ability of the function to be free from bias, conflict of interest, or undue influence of others (for example, whether the internal audit function reports to those ch… (¶ 2.157 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Whether the internal audit function is free of any conflicting responsibilities (for example, having managerial or operational duties or responsibilities that are outside of the internal audit function) (¶ 2.157 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The objectivity and competence of internal auditors are important considerations when determining whether to use their work and, if so, the nature and extent to which their work may be used. However, as noted in paragraph .A50 of AT-C section 205, a high degree of objectivity cannot compensate for a… (¶ 2.159, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Based on an evaluation of the preceding factors, it is up to the service auditor to determine whether the risks to the quality of the work of the internal audit function or the individual, when using direct assistance, are too significant and whether it is appropriate to use any of the work of the f… (¶ 2.160, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Evaluate whether the specialist has the necessary competence, capabilities, and objectivity for the service auditor's purposes. In the case of a specialist, the evaluation of objectivity should include inquiry regarding interests and relationships that may create a threat to the objectivity of the s… (¶ 2.176 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • By communicating with the service auditor's specialist about these matters early in the engagement, the service auditor will be in a better position to plan the scope and timing of the specialist's work on the engagement. In addition, the service auditor will be better able to plan the nature, timin… (¶ 2.177, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition to obtaining an understanding of the service organization's system, including its internal controls, as described earlier, in accordance with paragraph .16 of AT-C section 205, the service auditor should inquire of service organization management regarding whether it has used any special… (¶ 2.111, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal audit function as a whole or, for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors… (¶ 2.155 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Evaluating the competence, capabilities, and objectivity of the specialist (¶ 3.145 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Evaluating the appropriateness of that specialist's work as evidence regarding the operation of the service organization's controls (¶ 3.145 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • It is up to the service auditor to determine the appropriate person or persons within the service organization's management or governance structure with whom to interact, including considering which person or persons have the appropriate responsibilities for and knowledge of the matters concerned. I… (¶ 3.229, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • consider whether those making the representations can be expected to be well informed on the particular matters. (¶ 3.235 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • reevaluate the integrity of those from whom the representations were requested or received and evaluate the effect that this may have on the reliability of representations and evidence in general, and (¶ 3.240 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should determine if the internal audit function's work is likely to be adequate for the audit by evaluating the objectivity and technical competence of the internal audit function, if the service auditor intends to use their work. (¶ .29.a, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should determine if the internal audit function's work is likely to be adequate for the audit by evaluating whether effective communications will occur, including constraints or restrictions by the organization, if the service auditor is likely to use their work. (¶ .29.c, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should evaluate whether the work of the internal audit function was performed by personnel with adequate proficiency and technical training to determine if the work is adequate for the service auditor's purpose. (¶ .32.a, SSAE No. 16 Reporting on Controls at a Service Organization)
  • Evaluate whether the practitioner's specialist has the necessary competence, capabilities, and objectivity for the practitioner's purposes. In the case of a practitioner's external specialist, the evaluation of objectivity should include inquiry regarding interests and relationships that may create … (AT-C Section 205.36 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • determine the nature, scope, and objectives of that specialist's work for the practitioner's purposes and (AT-C Section 205.36 b.i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the level of competence of the internal audit function or the individual internal auditors providing direct assistance; (AT-C Section 205.39 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Whether that specialist is subject to the practitioner's firm's quality control policies and procedures (AT-C Section 205.38 e., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal audit function or for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors and the rel… (AT-C Section 205.39 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • obtain an understanding of the other practitioner's professional competence. (AT-C Section 105.31 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • perform the engagement in accordance with professional standards and applicable legal and regulatory requirements and (AT-C Section 105.32 a.i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should consider the reasonableness and consistency of the responsible party's responses in light of the results of other review procedures and the practitioner's knowledge of the subject matter, criteria, and responsible party. (AT-C Section 210.22, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • consider whether those making the representations can be expected to be well informed on the particular matters. (AT-C Section 210.36 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • reevaluate the integrity of those from whom the representations were requested or received and evaluate the effect, if any, on the engagement; and (AT-C Section 215.31 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • It is unlawful for a public accounting firm to provide audit services to an organization if the lead audit partner has performed audit services for the organization in each of the last 5 fiscal years. (§ 78j-1(j), Securities Exchange Act of 1934)
  • Qualifications, training, and experience of auditor (or independent reviewer) in reviewing the functions and activities of AIO. (App A Objective 2:11b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Qualifications of auditors reviewing AIO functions and activities. (II.D Action Summary ¶ 2 Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Loss or addition of key personnel. (App A Objective 1:3 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider: (TIER I OBJECTIVES AND PROCEDURES Objective 4:1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Assess the quality of the IT audit function. Consider: (TIER I OBJECTIVES AND PROCEDURES Objective 1:4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine if directors responsible for audit oversight have an appropriate level of experience and knowledge of IT and related risks; and (TIER I OBJECTIVES AND PROCEDURES Objective 3:1. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine if the composition of the audit committee is appropriate considering entity type and complies with all applicable laws and regulations. Note - If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institu… (TIER I OBJECTIVES AND PROCEDURES Objective 3:2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine the qualifications of the IT audit staff and its continued development through training and continuing education. (TIER I OBJECTIVES AND PROCEDURES Objective 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • The audit mission statement should state the purpose, objectives, structure, and responsibilities of all personnel involved in the auditing process. The organization should ensure the auditor's education and experience are consistent with the job responsibilities. Audit management should ensure all … (Pg 9, Pg 11, Pg 12, Exam Tier I Obj 1.4, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should ensure the internal and/or external auditor's training and experience are adequate and the auditing techniques of the third party service provider are appropriate. (Pg 22, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The audits are adequate in scope and performed by independent and qualified personnel. (App A Tier 2 Objectives and Procedures H.7 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate retail payment system business line staff. Consider: • Adequacy and quality of staff resources, including certifications such as an Accredited ACH Professional (AAP). • Effectiveness of policies and procedures outlining department duties, including job descriptions. (Exam Tier I Obj 3.4, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Is the staffing sufficient in the internal audit department? (IT - Audit Program Q 5, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization must specify the auditor's qualifications in the audit program. (SG.AU-12 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The bank should conduct quality assurance reviews whenever it engages in a significant combination with another institution or acquires another business. (¶ 44, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)