Audits and risk management

IT Impact Zone


This is a top-level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a Statement of Compliance., CC ID: 12499
  • Define the roles and responsibilities for personnel assigned to tasks in the Audit function., CC ID: 00678
  • Establish, implement, and maintain an audit program., CC ID: 00684
  • Establish, implement, and maintain a risk management program., CC ID: 12051
  • Establish, implement, and maintain a compliance disclosure statement., CC ID: 15521


  • The organization should use a combination of the internal audit function and external auditors. The internal audit function and external auditors should coordinate their efforts. (¶ 6.1.3, ¶ 6.1.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • § 1(1) ¶ 5: Management of listed companies must conduct assessments of internal controls over financial reporting and it must be audited by certified public accountants. Practice Standard § III.4(2)[2].D: External auditors, when planning and conducting an Internal Control Audit, should determine … (§ 1(1) ¶ 5, Practice Standard § III.4(2)[2].D, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Audits should be conducted to ensure all security measures identified during security reviews have been implemented and are working correctly. (§ 2.9.6, Australian Government ICT Security Manual (ACSI 33))
  • Individual auditors or audit companies are required to conduct audits or reviews in accordance with the applicable auditing standards. (Sched 1 ¶ 40, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • The audit must be performed by an auditor or audit firm that has been approved by the Member State, is independent, and is in good repute. To gain approval by the Member State, the audit firm must meet the following requirements: the auditors in the firm each must be approved as auditors by the Memb… (Art 3.1, Art 3.4, Art 4, Art 5, Art 22.1, Art 26.1, EU 8th Directive (European SOX))
  • The auditors cannot be given instructions from the Board, the managing director, or the shareholders meeting on how to conduct the audit. (¶ III.5.1.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • The risk management system should have responsibilities assigned to a function. This function should develop strategies for identifying, assessing, controlling, monitoring, and mitigating risk; design the risk assessment methodology; develop policies and procedures; and design and implement a risk r… (¶ 663(a), ¶ 745, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • The Board of Directors should be responsible for approving and periodically reviewing the risk management framework. The framework should identify, assess, monitor, and control/mitigate risks. (¶ 12, ¶ 45, Principle 1, Principle 8, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • An independent and competent auditor should conduct an annual audit to assure that the financial statements represent the financial position and performance of the organization in a fair and true way. The Board should ensure the integrity of the organization's audit function and a system for risk ma… (§ V.C, § VI.D, OECD Principles of Corporate Governance, 2004)
  • An independent audit should be conducted on the business continuity management's competence and capability to identify actual and potential shortcomings. Audits, either internal or external, should be conducted by competent persons. An audit of the business continuity management program should verif… (§ 9.5.4 ¶ 2, § 9.5.5, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The organization must plan, establish, implement, and maintain any audit programs and must take into account the business impact analysis, risk assessment, previous audit results, and control and mitigation measures. (§ 5.1.2, BS 25999-2, Business continuity management. Specification, 2007)
  • A key strategy for ensuring that the Information Technology Service Continuity (ITSC) strategy and plans are appropriate as the organization and its environment changes is to conduct internal/external audits of the plans. (§ 5.6 ¶ 2(i), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The formalization of the audit plan is fostered by the analysis and information gained from understanding the organization, assessing the risks, and inventorying the IT environment. The audit plan's objective is to determine where the auditor should focus his/her assurance and consulting work in ord… (§ 2.1 ¶ 5, § 3.1, § 3.3.8, § 4.4 ¶ 1, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The annual internal audit plan should include IT projects. Considerable value can be added to the project by internal auditors evaluating the IT and organizational aspects of IT-related projects. Internal auditors should consider how to incorporate IT project audits into the annual audit plan, the i… (§ 4, § 4.1, IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • Each layer's risks need to be considered and prioritized for an IT audit to be effective, along with allocating audit resources for each layer. If the audit plan does not include an audit for each environment's layer, the audit plan as a whole will not adequately address the organization's risk. Bec… (§ 3 (Consider Each Layer) ¶ 1, § 4.1, § 6.1 (Six Sources for Standards), § 8, App A.3 (Recommendations for Interfaces), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Auditors should do the following when planning a privacy audit: gain a comprehensive understanding of what personal data the organization has, how it is used, handled, and processed; identify the rules governing the data processing of the organization; interview individuals who are responsible for t… (§ 5.5 (Understanding Personal Data Processing), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization should conduct unannounced independent and competent compliance auditing. The system software for the telephone system should be inspected periodically via unannounced audits. The risk manager is responsible for identifying and addressing catastrophic risks to the organization. The … (Pg 1-I-A1, Pg 12-II-45, Pg 12-IV-7, Pg 15-IV-28, Protection of Assets Manual, ASIS International)
  • The organization shall consider the importance and status of the areas and processes and previous audit results when planning an audit program. The organization shall define the criteria, scope, methods, and frequency of the audits. The organization shall ensure the audit process is objective and im… (§ 8.2.2 ¶ 2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Compliance monitoring is important because it ensures that "records systems procedures and processes are being implemented according to the organizational policies and requirements and that they meet anticipated outcomes." There are three reasons for monitoring and auditing records systems: "to ensur… (§ 10, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Audits are an integral part of a self-assessment and their conduct should be governed by the following: mandatory internal and external audits when significant changes have occurred that affect the outsourced service providers ability to service the organization; mandatory internal audits when signi… (§ 7.16.3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The audit requirements should be agreed on and planned to minimize business disruptions. The following guidelines should be used for auditing: Management should approve audit requirements; checks should only be read-only; needed resources should be identified; all access should be monitored and logg… (§ 15.3.1, ISO 27002 Code of practice for information security management, 2005)
  • § 7.2.1: The organization should select or develop a risk management approach that addresses impact criteria, risk evaluation criteria, and risk acceptance criteria. The organization should determine if it has the necessary resources to conduct the risk assessment, develop a risk treatment plan, de… (§ 7.2.1, § 7.2.4, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • The Privacy Commissioner may audit personal management practices, upon reasonable notice and at reasonable times, if he/she has reasonable grounds to believe that the organization is violating a provision of Division 1 or is not following the recommendations of Schedule 1, and may summon and enforce… (§ 18(1), Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • Chemical industry organizations should implement an organization-wide, risk-based security management program. Audits should be conducted to assess the security programs, to ensure they are implemented correctly, and to confirm that any corrective actions needed are taken to correct the situation(s). (Pg 2, Pg 4, Responsible Care Security Code of Management Practices, American Chemistry Council)
  • A formal risk management program should be used for each system that handles classified or unclassified-sensitive information. The risk management process should determine the most effective controls against deliberate or inadvertent disclosure of information, denial of service, alteration of data, … (§ 1-5.e, § 2-3.a(11), § 3-5.b, § 5-1, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 422.504(e): A Medicare Advantage (MA) organization must agree: (1) that the Department of Health and Human Services (HHS), the Comptroller General, or their designee may evaluate by inspection, audit, or other means: (a) the timeliness, appropriateness, and quality of the services provided to Med… (§ 422.504(e), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • Periodic reviews of selected information resources management activities must be implemented to "ascertain the efficiency and effectiveness of information technology in improving the performance of the executive agency and the accomplishment of missions of the executive agency." (§ 5113(b)(4), Clinger-Cohen Act (Information Technology Management Reform Act))
  • Federal agencies may not enter into a contract with a data broker in order to access any fee-based database that consists primarily of personally identifiable information about United States persons (other than telephone directories or news reports), unless the head of the agency or department adopt… (§ 403(b)(2)(H), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Audits of financial statements must include procedures to detect illegal acts that "would have a direct and material effect" on financial statement amounts and procedures to identify related party transactions, as well as an evaluation of the organization to determine if it can continue operating throu… (§ 78j-1(a), Securities Exchange Act of 1934)
  • Authorized Department of Homeland Security officials may inspect and audit the facility for compliance with the requirements. The officials will give the facility 24 hours' notice before an audit or inspection. (§ 27.250, 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • Exam Tier I Obj 2.1 Review board resolutions and audit charter to determine the authority and mission of the IT audit function. Exam Tier II Obj A.1 Determine whether audit procedures for management adequately consider ▪ The ability of management to plan for and initiate new activities or products… (Exam Tier I Obj 2.1, Exam Tier II Obj A.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitorin… (Exam Tier I Obj 2.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Assess the risks identified in other objectives and evaluate the adequacy of risk management programs regarding: ▪ Risk identification and assessment procedures; ▪ Risk reporting and monitoring procedures; and ▪ Risk acceptance, mitigation, and transfer strategies. (Exam Obj 4.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • If the organization relies on service providers for wireless systems, effective risk management practices should be in place. (Pg E-3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should identify, measure, monitor, and control risks with an effective risk management program. The risk management program should assess the organization's risk tolerance and how well the controls are functioning. The organization should plan for technology, assess technology risks… (Pg 3, Pg 15, FFIEC IT Examination Handbook - Management)
  • The organization should implement a risk management program that identifies, measures, controls, and monitors risk to the organization. (Pg 5, Exam Tier I Obj 3.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should establish and maintain a risk management process for all outsourced arrangements. The risk management process should include ensuring effective risk management practices are used by the Board of Directors and senior management; ensuring outsourcing agreements are prudent with… (Pg 5, Exam Tier I Obj 3.1, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The organization should establish risk management systems appropriate for the size and complexity of the organization. The systems should be able to evaluate risk exposure and the effectiveness of current controls. (Pg 25, Exam Tier II Obj 8.15, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Examiners should focus on the risks associated with technology management, data integrity, information confidentiality, service availability, and financial stability when conducting the IT examination. (Pg 3, Pg 4, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The organization's risk management policy should include the identification, measurement, mitigation, and management of risks related to the organization's activities. (Pg 21, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Calls for annual evaluations of information security programs and practice. (SP-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Calls for Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to corre… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The wireless security policy should include the scope and frequency of WLAN security assessments/audits. The audit should check the security posture of the IEEE 802.11 WLAN and should determine what corrective actions need to be taken to address rogue or misconfigured devices that are identified and… (§ 6.1(WLAN security assessments), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • The organization's risk management practices should include handheld devices. (Pg ES-2, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • The organization should implement risk management processes to appropriately manage risks to systems. (Background, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • Implement audits to identify and manage technology-related risks. (¶ 43, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • The assessment of the effectiveness of the internal controls over financial reporting should be based on a recognized framework developed by a body of experts. The audit should be planned and performed to identify any deficiencies that would indicate material weaknesses. The performance of an audit … (¶ 13, ¶ 27, ¶ 28, PCAOB Auditing Standard No. 2)
  • The organization's management should provide written representations to the auditor acknowledging responsibility for establishing and maintaining effective controls; stating that management has evaluated and assessed the effectiveness of the installed controls; stating that management did not use pr… (¶ 75, PCAOB Auditing Standard No. 5)
  • Management must evaluate the effectiveness of the organization's internal control over financial reporting. The framework used for the evaluation should be based on a suitable and recognizable framework developed by a group that has followed due-process procedures. (§ 240.13a-15(c), § 240.15d-15(c), 17 CFR Parts 210, 228, 229 and 240, Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule)