Assess the quality of the audit function

Status: Live

The organization will assess the quality of the IT audit function regarding audit staff and IT qualifications, and IT audit policies, procedures, and processes. [UCF ID 01150]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

PCAOB Auditing Standard No. 5, ¶ 7; The Sarbanes-Oxley Act of 2002, § 103(a)(2)(B); Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App A § II.B.7; FFIEC IT Examination Handbook – Audit, August 2003, Pg 9, Pg 11, Pg 12, Exam Tier I Obj 1.4; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 22; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier I Obj 3.4; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier I Obj 4.1; Securities Exchange Act of 1934, § 78j-1(j); The Standard of Good Practice for Information Security, SM7.1.2(b), CB5.4.4(c), CI5.5.4(c), NW4.5.4(c), SD2.3.4(c); EU 8th Directive (European SOX), Art 29, Art 43, Art 45.3; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 95; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § II(D)(6), § II(D)(7); CODE OF CORPORATE GOVERNANCE 2005, ¶ 13.4; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ III.2.5.1; Archer Control Table, ATCS-495

Sarbanes Oxley Guidance

The auditor should design the testing of controls to accomplish the objectives of both the audit of internal control over financial reporting and the audit of the financial statements simultaneously when an integrated audit is being performed. [¶ 7, PCAOB Auditing Standard No. 5]

The organization must develop quality control standards for issuing audit reports, including monitoring ethics and independence, consulting within the firm on auditing questions, supervising all audit work, hiring and training personnel, conducting internal inspections, and accepting and continuing engagements. [§ 103(a)(2)(B), The Sarbanes-Oxley Act of 2002]

Banking and Finance Guidance

The audit committee or Board of Directors should review the effectiveness of the internal audit function. [App A § II.B.7, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

The audit mission statement should state the purpose, objectives, structure, and responsibilities of all personnel involved in the auditing process. The organization should ensure the auditor's education and experience are consistent with the job responsibilities. Audit management should ensure all audit staff members are trained appropriately and should develop a continuing education program. [Pg 9, Pg 11, Pg 12, Exam Tier I Obj 1.4, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should ensure the internal and/or external auditor's training and experience are adequate and the auditing techniques of the third party service provider are appropriate. [Pg 22, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

[Exam Tier I Obj 3.4, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

NASD NYSE Guidance

It is unlawful for a public accounting firm to provide audit services to an organization if the lead audit partner has performed audit services for the organization in each of the last 5 fiscal years. [§ 78j-1(j), Securities Exchange Act of 1934]

General Guidance

Security audits and reviews should be conducted by personnel who are experienced and who have appropriate technical skills and knowledge of information security. [SM7.1.2(b), CB5.4.4(c), CI5.5.4(c), NW4.5.4(c), SD2.3.4(c), The Standard of Good Practice for Information Security]

EU Guidance

All auditors and audit firms are subject to a quality assurance program. The quality assurance program must be independent of the auditors and audit firms; be subject to public oversight; have funding that is free from undue influence; be accomplished by persons with appropriate education and training; ensure the reviewers have no conflicts of interest with the auditors or audit firms; include a report on reviewer findings; assess compliance with the auditing standards; ensure reviews take place at least every 6 years; ensure the quality assurance system results are published annually; and ensure review recommendations are followed up by the auditor or audit firm in a reasonable period of time. For auditors or audit firms that audit public-interest organizations, the quality assurance review must be accomplished at least every 3 years. Third-country auditors and audit firms are subject to the quality assurance program of the Member State. [Art 29, Art 43, Art 45.3, EU 8th Directive (European SOX)]

Other European and African Guidance

The nomination committee must evaluate the audit work of each nominated auditor before selecting an auditor. [¶ III.2.5.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]

Asia and Pacific Rim Guidance

The auditor or auditing team must not have conflicts of interest when performing an audit. A conflict of interest exists if the auditor or audit team is not capable of impartial and objective judgment and/or a relationship exists between the auditor or audit team and the organization being audited. [Sched 1 ¶ 95, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]

The audit committee must review the performance of the internal auditors and the adequacy of the internal audit function, including structure, staffing, and frequency of audits. [§ II(D)(6), § II(D)(7), Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]

The audit committee should ensure, at least annually, that the audit function is adequate. [¶ 13.4, CODE OF CORPORATE GOVERNANCE 2005]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.