Review past audit reports for general adequacy

Status: Live

The organization will ensure that IS Governance assesses the adequacy of policies, practices, and procedures regarding the format, content, distribution of reports and work papers, resolution of audit findings, and security of materials. [UCF ID 01155]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Review past audit reports for specific program steps and calculations as necessary [UCF Control ID 01160]
    Review past audit reports for accurate and consistent weakness and risk reporting [UCF Control ID 01161]
    Review past audit reports for constructiveness and timeliness [UCF Control ID 01162]

Authority documents complied with:

The Sarbanes-Oxley Act of 2002, § 103(a)(2)(A)(ii); FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 7.2; FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj B.1; ISO 27001:2005, Information Security Management Systems - Requirements, § 6; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 91

Sarbanes-Oxley Guidance

The organization must provide a second review or an independent review and approval of the audit report. [§ 103(a)(2)(A)(ii), The Sarbanes-Oxley Act of 2002]

Banking and Finance Guidance

[Exam Tier I Obj 7.2, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier II Obj B.1, FFIEC IT Examination Handbook – Information Security]

ISO Guidance

The previous audit reports should be taken into consideration when planning the audit program for the organization. [§ 6, ISO 27001:2005, Information Security Management Systems - Requirements]

Asia and Pacific Rim Guidance

The audit report must include the amount paid for non-audit services provided by the auditor and a statement by the directors of the organization that the non-audit services provided by the auditor did not compromise the auditor's independence, along with the reasons the directors believe the auditor's independence was not compromised. [Sched 1 ¶ 91, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of information security requirements from applicable laws and regulations that are included in the internal/external audit program and schedule [UCF Control ID 02069]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.