Status: Live
Auditors will be responsible for operating a system of internal controls or will actually perform operational duties or activities in order to properly understand and test them. [UCF ID 01187]
Supporting and supported controls
This control directly supports:
- Internal IT Audit Staff [UCF Control ID 00681]
There are no supporting controls.
Authority documents complied with:
- PCAOB Auditing Standard No. 5, ¶ 17
- FFIEC IT Examination Handbook – Audit, August 2003, Pg 6, Exam Tier I Obj 5.2
- FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 23
- Securities Exchange Act of 1934, § 78m(b)(2)(B)
- Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AT-3.3
- CODE OF CORPORATE GOVERNANCE 2005, ¶ 13.2
- BIS Sound Practices for the Management and Supervision of Operational Risk, Principle 2
- Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ III.3.7.1
- Archer Control Table, ATCS-577
Sarbanes Oxley Guidance
The auditor may use work that was performed by internal auditors to provide evidence on the effectiveness of internal control over financial reporting. [¶ 17, PCAOB Auditing Standard No. 5]
Banking and Finance Guidance
Internal auditors should perform operational and system development audits to ensure internal controls are implemented, policies and procedures are effective, and the staff are following the policies and procedures. [Pg 6, Exam Tier I Obj 5.2, FFIEC IT Examination Handbook – Audit, August 2003]
The organization should periodically perform "around-the-computer" and "through-the-computer" audits. "Around-the-computer" techniques include spot-checking computer calculations, reviewing source input to ensure required approval was received prior to changes being made, developing data controls, reviewing exception reports, sampling rejected items to determine why they did not process, and assessing controls periodically. "Through-the-computer" audit techniques allow the auditor to use computer software programs to check and test the data. [Pg 23, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
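The "around-the-computer" techniques listed above can themselves be carried out "through the computer". The script below is an added example, not part of the FFIEC handbook or the UCF; it applies three of those checks (recomputing calculations, confirming approval preceded each change, and tallying why rejected items did not process) to constructed sample records. The record fields, timestamps and rejection reasons are assumed for illustration.

```python
"""Added example: a small 'through-the-computer' audit script that applies
around-the-computer spot checks to constructed sample data. Record layouts,
field names and the rejection log format are assumptions for illustration."""
from datetime import datetime

# Constructed transaction records (hypothetical fields).
TRANSACTIONS = [
    {"id": "T1", "qty": 3, "unit_price": 10.00, "recorded_total": 30.00},
    {"id": "T2", "qty": 5, "unit_price": 4.50, "recorded_total": 22.00},  # miscomputed total
    {"id": "T3", "qty": 1, "unit_price": 99.99, "recorded_total": 99.99},
]

# Constructed change records: each change should carry an approval dated before it.
CHANGES = [
    {"id": "C1", "changed_at": "2009-03-02T10:00", "approved_at": "2009-03-01T09:00"},
    {"id": "C2", "changed_at": "2009-03-05T08:00", "approved_at": None},               # no approval
    {"id": "C3", "changed_at": "2009-03-06T12:00", "approved_at": "2009-03-06T15:00"},  # approved after change
]

# Constructed rejected-item log, one "<id> <reason>" entry per line.
REJECTED_LOG = """R1 invalid_account
R2 duplicate
R3 invalid_account
R4 limit_exceeded
R5 invalid_account"""


def recompute_totals(records, tolerance=0.005):
    """Spot-check computer calculations: recompute qty * unit_price and
    return the ids whose recorded total differs by more than the tolerance."""
    exceptions = []
    for r in records:
        expected = round(r["qty"] * r["unit_price"], 2)
        if abs(expected - r["recorded_total"]) > tolerance:
            exceptions.append(r["id"])
    return exceptions


def check_approvals(changes):
    """Review source input: a change passes only if an approval exists and is
    timestamped strictly before the change. Return the ids that fail."""
    fmt = "%Y-%m-%dT%H:%M"
    failures = []
    for c in changes:
        if c["approved_at"] is None:
            failures.append(c["id"])
            continue
        approved = datetime.strptime(c["approved_at"], fmt)
        changed = datetime.strptime(c["changed_at"], fmt)
        if approved >= changed:
            failures.append(c["id"])
    return failures


def summarize_rejections(log_text):
    """Sample rejected items: count rejections by reason so the auditor can
    see why items did not process. Malformed lines are skipped."""
    counts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        counts[parts[1]] = counts.get(parts[1], 0) + 1
    return counts


def run_audit():
    """Run all three checks and return an exception report."""
    return {
        "calculation_exceptions": recompute_totals(TRANSACTIONS),
        "unapproved_changes": check_approvals(CHANGES),
        "rejection_reasons": summarize_rejections(REJECTED_LOG),
    }


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(f"{name}: {result}")
```

Each function returns the items that need auditor follow-up rather than a pass/fail verdict, so the output can be used as the exception report the handbook describes; in practice the constructed records would be replaced by extracts from the production system being audited.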
The internal audit staff should be competent and appropriately trained. [Principle 2, BIS Sound Practices for the Management and Supervision of Operational Risk]
NASD NYSE Guidance
The organization must maintain internal accounting controls that provide reasonable assurances that transactions are completed in accordance with management's authorization; ensure all transactions are recorded to maintain asset accountability and to permit financial statements to be prepared in accordance with generally accepted accounting principles; ensure asset access is only permitted with management's authorization; and ensure the current assets are compared with the recorded assets at regular intervals and any differences are corrected. [§ 78m(b)(2)(B), Securities Exchange Act of 1934]
NIST Guidance
The security training materials for the Internal IT Audit Staff should be reviewed to ensure that appropriate procedures necessary to perform their operational duties are included. [AT-3.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
Other European and African Guidance
The internal controls must be monitored. The Board of Directors must be kept informed of the monitoring on a regular basis and evaluate how well the internal controls are functioning. [¶ III.3.7.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]
Asia and Pacific Rim Guidance
The standards that are set by professional organizations, such as those for the Standards for the Professional Practice of Internal Auditing set by The Institute of Internal Auditors, should be met or exceeded by the internal auditor. [¶ 13.2, CODE OF CORPORATE GOVERNANCE 2005]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of individuals with access to security software who are trained and authorized security administrators [UCF Control ID 01691]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
