Review the scope of the audit program as it relates to the organization's profile.

UCF ID: 01159
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Assess the quality of the audit function with regard to staff, qualifications, policies, procedures, and processes. [UCF Control ID 01150]

There are no supporting controls.

Authority documents complied with:

PCAOB Auditing Standard No. 5, ¶ 74; FFIEC IT Examination Handbook – Audit, August 2003, Pg 11, Pg 15, Exam Tier I Obj 9.3; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 1.5; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 2.5; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 32, Exam Tier II Obj 8.7; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 2.1; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 5.3 Process; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 6; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § II(D)(10); BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 16; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 4.1.2; Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.5.5 ¶ 2; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.14.6.3; Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 43

Sarbanes Oxley Guidance

The auditor should only form an opinion on the effectiveness of internal control over financial reporting if no restrictions have been put on the scope of the auditor's work. [¶ 74, PCAOB Auditing Standard No. 5]

Banking and Finance Guidance

Each audit work program should list the required resources, the audit procedures to be performed, the extent of the testing, and what the conclusions will be based on. Examiners should decide if the audit function is appropriate for the size and complexity of the organization. [Pg 11, Pg 15, Exam Tier I Obj 9.3, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier I Obj 1.5, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

[Obj 2.5, FFIEC IT Examination Handbook – E-Banking, August 2003]

The IT audit program should cover the design and implementation of retail payment products, internal data centers, alternate sites, and network infrastructure. It should also ensure the organization is managing third-party risk. [Pg 32, Exam Tier II Obj 8.7, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier II Obj 2.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The scope and frequency of the audit program should be appropriate to the risk exposure of the organization. [¶ 16, BIS Sound Practices for the Management and Supervision of Operational Risk]

US Federal Security Guidance

Bank management should provide auditors with adequate information regarding standards, policies, procedures, applications, and systems. [¶ 43, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

ISO Guidance

The scope and criteria used for the audit program should be documented and defined. [§ 6, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Service providers should ensure the scope includes alternate sites, perimeter physical protection, physical security and environmental control equipment, ICT equipment and facilities, telecommunications equipment and facilities, power supply, fire and smoke protection, and water/liquid protection. [§ 6.14.6.3, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

A key step in putting together an auditing process is reviewing the scope of the existing audit plan or program. The scope should be clearly defined, with a description of which corporate governance, compliance, or other issues are to be audited and which areas and departments of the organization are to be audited. [Stage 5.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

The scope, criteria, methods, and frequency of audits must be defined. [§ 4.5.5 ¶ 2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]

Other European and African Guidance

The purpose, authority, and responsibility of the internal audit function should be formally defined by the Board of Directors. [¶ 4.1.2, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

The audit committee must discuss the nature and scope of the audit with the auditors before the audit starts. [§ II(D)(10), Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.