Status: Live
The organization will evaluate the scope of the auditor’s work as it relates to the institution’s size, the nature and extent of its activities, and the institution’s risk profile. [UCF ID 01159]
Supporting and supported controls
This control directly supports:
- Assess the quality of the audit function [UCF Control ID 01150]
There are no supporting controls.
Authority documents complied with:
PCAOB Auditing Standard No. 5, ¶ 74; FFIEC IT Examination Handbook – Audit, August 2003, Pg 11, Pg 15, Exam Tier I Obj 9.3; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 1.5; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 2.5; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 32, Exam Tier II Obj 8.7; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 2.1; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 5.3 Process; ISO 27001:2005, Information Security Management Systems - Requirements, § 6; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § II(D)(10); BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 16; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 4.1.2; Archer Control Table, ATCS-507
Sarbanes Oxley Guidance
The auditor should only form an opinion on the effectiveness of internal control over financial reporting if no restrictions have been put on the scope of the auditor's work. [¶ 74, PCAOB Auditing Standard No. 5]
Banking and Finance Guidance
Each audit work program should list the required resources, the audit procedures to be performed, the extent of the testing, and what the conclusions will be based on. Examiners should decide if the audit function is appropriate for the size and complexity of the organization. [Pg 11, Pg 15, Exam Tier I Obj 9.3, FFIEC IT Examination Handbook – Audit, August 2003]
[Exam Tier I Obj 1.5, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
[Obj 2.5, FFIEC IT Examination Handbook – E-Banking, August 2003]
The IT audit program should cover the design and implementation of retail payment products, internal data centers, alternate sites, and network infrastructure. It should also ensure the organization is managing third-party risk. [Pg 32, Exam Tier II Obj 8.7, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
[Exam Tier II Obj 2.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
The scope and frequency of the audit program should be appropriate to the risk exposure of the organization. [¶ 16, BIS Sound Practices for the Management and Supervision of Operational Risk]
ISO Guidance
The scope and criteria used for the audit program should be documented and defined. [§ 6, ISO 27001:2005, Information Security Management Systems - Requirements]
General Guidance
A key step in putting together an auditing process is reviewing the scope of the existing audit plan or program. The scope should be clearly defined, with a description of which corporate governance, compliance, or other issues are to be audited and which areas and departments of the organization are to be audited. [Stage 5.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
Other European and African Guidance
The purpose, authority, and responsibility of the internal audit function should be formally defined by the Board of Directors. [¶ 4.1.2, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
Asia and Pacific Rim Guidance
The audit committee must discuss the nature and scope of the audit with the auditors before the audit starts. [§ II(D)(10), Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
