UCF ID: 01156
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Assess the quality of the audit function with regard to staff, qualifications, policies, procedures, and processes. [UCF Control ID 01150]
There are no supporting controls.
Authority documents complied with:
PCAOB Auditing Standard No. 5, ¶ 9, ¶ 20; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.19, § 314.121; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 165, ¶ 666(e); FFIEC IT Examination Handbook – Audit, August 2003, Pg 11, Exam Tier I Obj 8.1; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.3; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 32; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 2.1; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ V.3.1; PCAOB Auditing Standard No. 2, ¶ 39, ¶ 104; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 4.2.3, ¶ 4.2.4; Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.5.5 ¶ 2, § 4.5.5 ¶ 3; BS 25999-2, Business continuity management. Specification, 2007, § 5.1.3; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.14.6.4
Sarbanes Oxley Guidance
An integrated audit should be planned by evaluating how the following will affect the auditor's procedures and if the following are important to the company's financial statements and internal control over financial reporting: knowledge gained by the auditor during previous audits; laws, economic conditions, and technological changes that affect the organization's industry; the operating characteristics and structure of the organization; any recent changes in the organization or its operations; the auditor's preliminary judgments about material weaknesses and the effectiveness of the internal control over financial reporting; previous control deficiencies reported to the audit committee; public information that is relevant to the examination; knowledge about risks related to the company; and the complexity of the organization's operations. The auditor should use the same materiality concepts when planning the audit of internal control over financial reporting that he/she uses when planning the audit of the organization's financial statements. [¶ 9, ¶ 20, PCAOB Auditing Standard No. 5]
The planning and performance of the audit should be carried out with professional skepticism. If the results of test procedures contradict the basis on which those tests were planned, the auditor should modify the audit procedures that were planned to be executed. [§ 314.19, § 314.121, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
During the planning process, the auditor should assess his/her knowledge of the organization based on previous work he/she has performed for the organization; matters that affect the organization's industry; matters about the organization's business; recent changes in the organization; previous control deficiencies; legal matters; and preliminary judgments about risk, materiality, and the effectiveness of internal controls, as well as identify the number of business locations, to determine what to examine. The auditor should test the effectiveness of the controls on an annual basis. [¶ 39, ¶ 104, PCAOB Auditing Standard No. 2]
Banking and Finance Guidance
The risk management process should be reviewed at least annually and should address the integration of risk measures into daily risk management; the accuracy of volatility assumptions; the validation of significant changes to the risk measurement process; and the verification of the timeliness, reliability, and consistency of the data sources used to execute the internal models. Internal and/or external auditors should periodically review the risk management and measurement systems. [¶ 165, ¶ 666(e), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
An audit plan should be developed and should describe the goals, schedules, and staffing needs. The audit plan should cover at least 12 months and be approved annually by the audit committee. The frequency of audits should be based on the results of risk assessments. [Pg 11, Exam Tier I Obj 8.1, FFIEC IT Examination Handbook – Audit, August 2003]
[Exam Tier I Obj 1.3, FFIEC IT Examination Handbook – Operations, July 2004]
Auditors should evaluate the retail payment system for overall risk and, based on the evaluation, develop a schedule of audits. [Pg 32, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
[Exam Tier II Obj 2.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
ISO Guidance
Service providers should ensure that physical facilities and equipment are reviewed whenever significant changes occur in the organizational requirements. [§ 6.14.6.4, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
General Guidance
The status and importance of the areas and processes being audited must be considered when planning an audit, and the scope, criteria, methods, and timing must be defined. Selecting auditors and conducting the audits must be objective and impartial, and auditors must not audit their own work. The auditing procedures must be documented and contain responsibilities and requirements for planning and conducting audits, reporting results, and maintaining records. [§ 4.5.5 ¶ 2, § 4.5.5 ¶ 3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]
UK and Canadian Guidance
The organization must establish, implement, and maintain audit procedures that address the competencies, requirements, and responsibilities for the planning and conducting of audits, reporting of results, and retaining of associated records; and determining the audit scope, frequency, criteria, and methods. [§ 5.1.3, BS 25999-2, Business continuity management. Specification, 2007]
Other European and African Guidance
The external auditor and the audit committee must participate in determining the work schedule of the internal auditor. [¶ V.3.1, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]
The internal audit plan should be based on the risk assessment and be approved by the audit committee. [¶ 4.2.3, ¶ 4.2.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of information security audits conducted in compliance with the approved internal/external audit program and schedule. [UCF Control ID 02070]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
