Ensure IS Governance initiates prompt action to correct reported deficiencies

Status: Live

The organization will ensure that there are procedures in place to enable IS Governance to initiate prompt action to correct reported deficiencies. [UCF ID 01177]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.116; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App A § II.B.6; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Pg 6, Obj 3; FFIEC IT Examination Handbook – Audit, August 2003, Pg 8, Exam Tier I Obj 6.1, Exam Tier I Obj 6.3; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 8.7, Exam Tier II Obj 8.15; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier I Obj 4.3; Securities Exchange Act of 1934, § 78j-1(b)(2); Federal Information System Controls Audit Manual (FISCAM), February 2009, SP-5.1; CobiT 4.1, ME2.3; ISF Security Audit of Networks, Further Issue 8 § 3.2; ISO 27001:2005, Information Security Management Systems - Requirements, § 8.2; OMB Circular A-123 Management’s Responsibility for Internal Control, § V, App A § VI; Archer Control Table, ATCS-507

Sarbanes Oxley Guidance

If the auditor determines that management has not implemented controls for the significant risks, the auditor should notify the personnel in charge of governance. [§ 314.116, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

Management should be responsible for correcting deficiencies in a timely and effective manner. Correcting these deficiencies should be a priority for the organization. Management should track all corrective actions and the resolution of the deficiencies. Management should appoint one employee to oversee the corrective action plan, require prompt resolution for all deficiencies, keep accurate records, and ensure any corrective actions are compliant with laws and regulations. [§ V, App A § VI, OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The audit function should review and verify the actions taken by management to correct any findings. [App A § II.B.6, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

The organization should ensure actions are taken to correct any identified deficiencies. [Pg 6, Obj 3, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

The auditor should have the authority to require management to respond and take corrective action in a timely manner to any adverse findings. [Pg 8, Exam Tier I Obj 6.1, Exam Tier I Obj 6.3, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier II Obj 8.7, Exam Tier II Obj 8.15, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier I Obj 4.3, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

NASD NYSE Guidance

If the public accounting firm, after notifying the audit committee of an illegal act, determines that the illegal act has a material effect on the financial statements, that senior management has not taken remedial action in a timely manner, and that the failure to take remedial action would cause the auditor not to issue a standard report, the public accounting firm must report its conclusions directly to the Board of Directors expeditiously. [§ 78j-1(b)(2), Securities Exchange Act of 1934]

US Federal Security Guidance

[SP-5.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]

ISO Guidance

The organization should define the procedures for taking corrective actions to fix known vulnerabilities. These procedures should identify the problems, determine corrective actions to take to ensure the problems do not recur, record the actions that were taken, and test the controls to ensure they are preventing the threats from occurring. [§ 8.2, ISO 27001:2005, Information Security Management Systems - Requirements]

General Guidance

The organization is called upon to record information regarding all control exceptions and to ensure that this leads to analysis of the underlying cause and to corrective action. Management should decide which exceptions should be communicated to the individual responsible for the function and which exceptions should be escalated. Management is also responsible for informing affected parties. [ME2.3, CobiT 4.1]

[Further Issue 8 § 3.2, ISF Security Audit of Networks]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of audit findings that have been resolved [UCF Control ID 01678]
    Report on the percentage of management actions in response to audit findings/recommendations that were implemented as agreed as to timeliness and completeness [UCF Control ID 02071]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.