Status: Live
The organization will assess audit planning and scheduling criteria, including risk analysis, for the selection, scope, and frequency of audits, so that the audit cycle is well-defined and timely. [UCF ID 01156]
Supporting and supported controls
This control directly supports:
- Assess the quality of the audit function [UCF Control ID 01150]
There are no supporting controls.
Authority documents complied with:
PCAOB Auditing Standard No. 5, ¶ 9, ¶ 20; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.19, § 314.121; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 165, ¶ 666(e); FFIEC IT Examination Handbook – Audit, August 2003, Pg 11, Exam Tier I Obj 8.1; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.3; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 32; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 2.1; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ V.3.1; PCAOB Auditing Standard No. 2, ¶ 39, ¶ 104; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 4.2.3, ¶ 4.2.4; Archer Control Table, ATCS-663
Sarbanes Oxley Guidance
An integrated audit should be planned by evaluating how the following will affect the auditor's procedures and if the following are important to the company's financial statements and internal control over financial reporting: knowledge gained by the auditor during previous audits; laws, economic conditions, and technological changes that affect the organization's industry; the operating characteristics and structure of the organization; any recent changes in the organization or its operations; the auditor's preliminary judgments about material weaknesses and the effectiveness of the internal control over financial reporting; previous control deficiencies reported to the audit committee; public information that is relevant to the examination; knowledge about risks related to the company; and the complexity of the organization's operations. The auditor should use the same materiality concepts when planning the audit of internal control over financial reporting that he/she uses when planning the audit of the organization's financial statements. [¶ 9, ¶ 20, PCAOB Auditing Standard No. 5]
The planning and performance of the audit should be carried out with professional skepticism. If the results of test procedures contradict the basis on which those tests were planned, the auditor should modify the audit procedures that were planned to be executed. [§ 314.19, § 314.121, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
During the planning process, the auditor should assess his/her knowledge of the organization based on previous work he/she has performed for the organization; matters that affect the organization's industry; matters about the organization's business; recent changes in the organization; previous control deficiencies; legal matters; and preliminary judgments about risk, materiality, and the effectiveness of internal controls, as well as identify the number of business locations, to determine what to examine. The auditor should test the effectiveness of the controls on an annual basis. [¶ 39, ¶ 104, PCAOB Auditing Standard No. 2]
Banking and Finance Guidance
The risk management process should be reviewed at least annually and should address the integration of risk measures into daily risk management; the accuracy of volatility assumptions; the validation of significant changes to the risk measurement process; and the verification of the timeliness, reliability, and consistency of the data sources used to execute the internal models. Internal and/or external auditors should periodically review the risk management and measurement systems. [¶ 165, ¶ 666(e), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
An audit plan should be developed and should describe the goals, schedules, and staffing needs. The audit plan should cover at least 12 months and be approved annually by the audit committee. The frequency of audits should be based on the results of risk assessments. [Pg 11, Exam Tier I Obj 8.1, FFIEC IT Examination Handbook – Audit, August 2003]
[Exam Tier I Obj 1.3, FFIEC IT Examination Handbook – Operations, July 2004]
Auditors should evaluate the retail payment system for overall risk and, based on the evaluation, develop a schedule of audits. [Pg 32, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
[Exam Tier II Obj 2.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Other European and African Guidance
The external auditor and the audit committee must participate in determining the work schedule of the internal auditor. [¶ V.3.1, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]
The internal audit plan should be based on the risk assessment and be approved by the audit committee. [¶ 4.2.3, ¶ 4.2.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of information security audits conducted in compliance with the approved internal/external audit program and schedule [UCF Control ID 02070]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
