Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function., CC ID: 00679
Define and assign the internal audit manager's roles and responsibilities., CC ID: 00680
Define and assign the internal audit staff's roles and responsibilities., CC ID: 00681
Define and assign the external auditor's roles and responsibilities., CC ID: 00683
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
in addition, the AI should clearly specify the accountability of the management and staff of its second line of defense (e.g. risk management function, compliance function) in evaluating the adequacy of the risk management controls implemented by the first line of defense, as well as the role of the… (§ 3.2.1(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
the senior management designate which function(s) (e.g. the main business line sponsoring the e-banking service, the risk management function or the internal audit function) to be responsible for the quality of, and undertaking proper follow-up actions arising from e-banking independent assessment. … (§ 3.3.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
the senior management designate which function(s) (e.g. the main business line sponsoring the e-banking service, the risk management function or the internal audit function) to be responsible for the quality of, and undertaking proper follow-up actions arising from e-banking independent assessment. … (§ 3.3.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
in addition, the AI should clearly specify the accountability of the management and staff of its second line of defence (e.g. risk management function, compliance function) in evaluating the adequacy of the risk management controls implemented by the first line of defence, as well as the role of the… (§ 3.2.1(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
independent assessment is performed by trusted assessors with the necessary expertise in the underlying financial services and/or electronic delivery channel, and who are independent from the parties that design, implement or operate the e-banking service. Moreover, the assessors should be able to r… (§ 3.3.1(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
Standard § I.2(5).3: The organizational activities and all components of internal controls that are being assessed must be sufficiently understood, in advance, by the assessors.
Standard § I.4(3): The performance of the Directors and Officers must be audited by the corporate auditors or the audit … (Standard § I.2(5).3, Standard § I.4(3), Standard § II.2(1), Practice Standard § I.4(3), Practice Standard § I.4(5), Practice Standard § II.3(4)[1].C.c, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
When using a cloud service for a specified system, it is necessary to allocate staff with expertise, including that of technologies adopted by the cloud service provider, in order to effectively audit and monitor the cloud service provider. However, in case such staffing is difficult at a financial… (C24.5. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
The CEO and CFO must accept responsibility for establishing and maintaining internal controls and must evaluate the effectiveness of internal control systems. (§ V, Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
The Financial Reporting Council is required to provide oversight of the auditing standards; monitor auditor independence; appoint members to the audit and accounting board; approve and monitor the audit and accounting board's budget, business plan, and staffing level; give feedback to the audit and … (Sched 1 ¶ 14, Sched 1 ¶ 95, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
Each Member State must designate 1 or more competent authorities who are responsible for approving auditors and audit firms. The competent authority must establish procedures for approving auditors who have already been approved by another Member State. The competent authority may be a professional… (Art 3.2, Art 6, Art 11, Art 14, Art 44, EU 8th Directive (European SOX))
The organization must have at least 1 auditor. The auditor's responsibility is to examine the organization's accounting practices and review the way the managing director and Board of Directors are managing the organization. At least 1 auditor must attend the annual meeting to answer questions from … (¶ I.2.2, ¶ III.1.3.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
The audit committee's responsibilities should be in writing and include monitoring financial statement integrity; reviewing significant financial findings; reviewing the internal controls and risk management systems; monitoring and reviewing the internal audit function; making recommendations to the… (§ C.3.2, § C.3.4 thru § C.3.6, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
It is recommended that an organization defines role accountabilities, responsibilities and authority. (Stage 5.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
The audit committee's role involves the oversight of financial issues, risk management, ethics, and internal control assessment. Each of these duties involves a strong element of IT control and calls for an understanding of financial management; an understanding of the reliance on IT of financial pr… (§ 7.1.1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
The effectiveness and efficiency of audits are affected by the assigned resources. The skills needed for performing a particular IT audit should be matched with the appropriate IT auditor. (§ 6.2, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
Internal auditors' independence may be impaired if they assume part of the responsibility for developing and implementing privacy programs. Third-party experts may be required due to the need for sufficient legal and technical expertise. (§ 5.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
Prior to producing the security audit report, the findings and recommendations should be assigned to named individuals who are responsible for completing identified actions in an agreed timescale. (SI.01.04.03b, The Standard of Good Practice for Information Security)
Prior to producing the security audit report, the findings and recommendations should be assigned to named individuals who are responsible for completing identified actions in an agreed timescale. (SI.01.04.03b, The Standard of Good Practice for Information Security, 2013)
The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. (§ 9.2.2 ¶ 1, ISO 14001:2015 - Environmental management systems - Requirements with guidance for use, Third Edition)
criteria for selecting audit team members; (§ 5.1 ¶ 11(h), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
ensuring the selection of audit teams and the overall competence for the auditing activities by assigning roles, responsibilities and authorities, and supporting leadership, as appropriate; (§ 5.4.1 ¶ 1(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
the establishment of audit objectives, scope(s) and criteria of the audits, determining audit methods and selecting the audit team; (§ 5.4.1 ¶ 1(d) Bullet 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
complexity of the audit; (§ 5.5.4 ¶ 4(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
whether the audit is a combined or joint audit; (§ 5.5.4 ¶ 4(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
the selected audit methods; (§ 5.5.4 ¶ 4(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
type and complexity of the processes to be audited. (§ 5.5.4 ¶ 4(h), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
Where appropriate, the individual(s) managing the audit programme should consult the team leader on the composition of the audit team. (§ 5.5.4 ¶ 5, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
composition of the audit team; (§ 5.5.5 ¶ 3(e), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
the relevant external/internal issues, such as the language of the audit, and the auditee's social and cultural characteristics. These issues may be addressed either by the auditor's own skills or through the support of a technical expert, also considering the need for interpreters; (§ 5.5.4 ¶ 4(g), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
Where a joint audit is conducted, it is important to reach agreement among the organizations conducting the audits, before the audit commences, on the specific responsibilities of each party, particularly with regard to the authority of the team leader appointed for the audit. (§ 5.5.5 ¶ 5, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
The responsibility for conducting the audit should remain with the assigned audit team leader (see 5.5.5) until the audit is completed (see 6.6). (§ 6.2.1 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
the composition of the audit team and its overall competence; (§ 6.3.2.1 ¶ 3(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, activities, functions or locations and, as appropriate, authority for decision-making. Such assignments should take into account the impartiality and objectiv… (§ 6.3.3 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
the roles and responsibilities of the audit team members, as well as guides and observers or interpreters; (§ 6.3.2.2 ¶ 2(g), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
Audit team meetings should be held, as appropriate, by the audit team leader in order to allocate work assignments and decide possible changes. Changes to the work assignments can be made as the audit progresses in order to ensure the achievement of the audit objectives. (§ 6.3.3 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
The closing meeting should be chaired by the audit team leader and attended by the management of the auditee and include, as applicable: (§ 6.4.10 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
The audit team should confer periodically to exchange information, assess audit progress and reassign work between the audit team members, as needed. (§ 6.4.4 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
plan and organize the work effectively; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
perform the audit within the agreed time schedule; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
prioritize and focus on matters of significance; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
communicate effectively, orally and in writing (either personally, or through the use of interpreters); (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 5, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
collect information through effective interviewing, listening, observing and reviewing documented information, including records and data; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 6, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
understand the appropriateness and consequences of using sampling techniques for auditing; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 7, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
understand and consider technical experts' opinions; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 8, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
audit a process from start to finish, including the interrelations with other processes and different functions, where appropriate; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 9, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
verify the relevance and accuracy of collected information; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 10, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
confirm the sufficiency and appropriateness of audit evidence to support audit findings and conclusions (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 11, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
assess those factors that may affect the reliability of the audit findings and conclusions; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 12, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
document audit activities and audit findings, and prepare reports; (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 13, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
maintain the confidentiality and security of information. (§ 7.2.3.2 ¶ 1(a) ¶ 2 Bullet 14, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
Audit teams should have the collective discipline and sector-specific competence appropriate for auditing the particular types of management systems and sectors. (§ 7.2.3.3 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
management system requirements and principles, and their application; (§ 7.2.3.3 ¶ 2(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
fundamentals of the discipline(s) and sector(s) related to the management systems standards as applied by the auditee; (§ 7.2.3.3 ¶ 2(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
plan the audit and assign audit tasks according to the specific competence of individual audit team members (§ 7.2.3.4 ¶ 1(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
Audit team leaders should understand the requirements of each of the management system standards being audited and recognize the limits of their competence in each of the disciplines. (§ 7.2.3.5 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) should take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2 ¶ 3 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
The documented procedures for planning and conducting audits, reporting results, and maintaining the audit records shall include the authorities and responsibilities. (§ 4.5.4.2 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
The audit programme, including any schedule, shall be based on the results of risk assessments of the organization's activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requiremen… (§ 9.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, Second Edition)
plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2 ¶ 2 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
carefully scrutinize the reporting lines of those who provide assurance internally, to safeguard their independence and authority (see NOTE 1); (§ 6.4.3.3 ¶ 1 d), ISO 37000:2021, Governance of organizations - Guidance, First Edition)
The organization shall plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting. (§ 9.2.2 ¶ 1, ISO 37301:2021 Compliance management systems - Requirements with guidance for use, First Edition, Edition 1)
plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, consultation, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits… (9.2.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 a), ISO/DIS 37301, Compliance management systems - Requirements with guidance for use, DRAFT)
plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (Section 9.2.2 ¶ 1(a), ISO/IEC 19770-1, Information technology - IT asset management - Part 1: IT asset management systems - Requirements, Third Edition, 2017-12)
plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: (§ 9.2.2 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements, Third Edition)
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. (§ 9.2.2 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements)
the persons responsible for implementing the plan. (§ 9.2 Guidance ¶ 15(l), ISO/IEC 27003:2017, Information technology - Security techniques - Information security management systems - Guidance, Second Edition, 2017-03)
The system description should identify any parts of the personal information lifecycle for which the subservice organization has responsibility, when the carve-out method is used. (¶ 3.29 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
As previously stated, the service auditor is required to establish, prior to acceptance of the SOC 2® examination, an understanding with service organization management about its responsibilities and those of the service auditor. This section provides an overview of management's responsibilities. B… (¶ 2.03, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
the respective roles and responsibilities of the service auditor and the specialist; (¶ 2.160(c)(ii), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
The nature of the internal audit function's responsibilities and how the internal audit function fits into the service organization's organizational structure (¶ 2.134(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
The responsibilities of the responsible party and the responsibilities of the engaging party, if different (¶ 2.71(d), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
providing each entity's description and (¶ 2.98 Bullet 4 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
integrating the descriptions (¶ 2.98 Bullet 4 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
Unless the subservice organization is also an engaging party (which is not the case in most SOC 2® examinations in which the inclusive method is used), subservice organization management is not responsible for complying with any of the requirements in AT-C sections 105 or 205 that relate to an enga… (¶ 2.102, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
The responsibility to report on the description of the system, the suitability of design of controls, and, in a type 2 examination, the operating effectiveness of controls rests solely with the service auditor and cannot be shared with the internal audit function. Therefore, the judgments about the … (¶ 3.175, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
Prior to engaging a service auditor to perform a SOC 2® examination, service organization management is responsible for making a variety of decisions that affect the nature, timing, and extent of procedures to be performed in a SOC 2® examination, including the following: (¶ 2.04, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
The representatives of the subservice organization and the service organization and who will be responsible for (¶ 2.98 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
For a SOC 3® examination, service organization management's responsibilities are substantially the same as those for a SOC 2® examination except that management does not prepare a system description. Although management does not prepare a system description, it does disclose the boundaries of the … (¶ 2.167, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to under… (¶ 1.49, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
In a SOC 2 examination, service organization management is the responsible party. However, in certain situations there may be other responsible parties. As the responsible party, service organization management prepares the description of the service organization's system that is included in the SOC… (¶ 1.18, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
In accordance with paragraph .29 of AT-C section 105, the service auditor should accept a SOC 2 examination only when the service auditor has reached a common understanding with service organization management about the terms of the engagement. Paragraph .08 of AT-C section 205 indicates that these … (¶ 2.03, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to under… (¶ 1.61, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
Agreeing on the terms of the engagement with service organization management, including establishing an understanding about the responsibilities of management and the service auditor (see paragraph 2.76) (¶ 2.36 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
preparation of the description of the service organization's system in accordance with the description criteria and (¶ 2.51 b.i., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
suitability of design of controls and the operating effectiveness of controls to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. (¶ 2.51 b.ii., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
The responsibilities of the responsible party and the responsibilities of the engaging party, if different (¶ 2.77 d., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
The representatives of the subservice organization and the service organization and who will be responsible for (¶ 2.102 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
providing each entity's description and (¶ 2.102 Bullet 4 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
integrating the descriptions (¶ 2.102 Bullet 4 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
As stated in chapter 1, service organization management is responsible for identifying and achieving the service commitments it makes to user entities as well as for the requirements of the system that will enable the service organization to achieve them. Management is also responsible for designing… (¶ 2.66, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
the respective roles and responsibilities of the service auditor and the specialist; (¶ 2.176 c.ii., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
The scope of a SOC 2+ examination also includes the evaluation of controls against additional criteria. In accordance with paragraph .08 of ATC section 205, the written agreement with the client about the terms of the engagement should identify the additional criteria in addition to management's and… (¶ 2.188, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
Trust services criterion CC2.3 states, The entity communicates with external parties regarding matters affecting the functioning of internal control, which would include communication of user responsibilities. Because user responsibilities are frequently voluminous, it is often impractical to commun… (¶ 3.56, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
The responsibilities of the responsible party and the responsibilities of the engaging party, if different (AT-C Section 205.08 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
the respective roles and responsibilities of the practitioner and that specialist; (AT-C Section 205.36 c.ii., SSAE No. 18, Attestation Standards: Clarification and Recodification)
The engagement partner should take responsibility for the overall quality on each attestation engagement. This includes responsibility for the following: (AT-C Section 105.33, SSAE No. 18, Attestation Standards: Clarification and Recodification)
The responsible party is a party other than the practitioner and takes responsibility for the subject matter. (AT-C Section 105.25 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
The responsibilities of the practitioner (AT-C Section 210.09 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
The responsibilities of the responsible party and the responsibilities of the engaging party, if different (AT-C Section 210.09 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
The specified parties take responsibility for the sufficiency of the agreed-upon procedures for their purposes. (AT-C Section 215.10 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
Acknowledgment by the specified parties of their responsibility for the sufficiency of the procedures (AT-C Section 215.14 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
The nature of the internal audit function's responsibilities and how the internal audit function fits in the service organization's organizational structure (AT-C Section 320.21 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
The audit committee of an insurer or group of insurers shall be responsible for overseeing the insurer's internal audit function and granting the person or persons performing the function suitable authority and resources to fulfill their responsibilities if required by Section 15 of this regulation. (Section 14.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
The audit committee shall be directly responsible for the appointment, compensation and oversight of the work of any accountant (including resolution of disagreements between management and the accountant regarding financial reporting) for the purpose of preparing or issuing the audited financial re… (Section 14.A., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
Every insurer required to file an annual audited financial report pursuant to this regulation shall designate a group of individuals as constituting its audit committee, as defined in Section 3. The audit committee of an entity that controls an insurer may be deemed to be the insurer's audit committ… (Section 4.D., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
Function – The insurer or group of insurers shall establish an internal audit function providing independent, objective and reasonable assurance to the Audit committee and insurer management regarding the insurer's governance, risk management and internal controls. This assurance shall be provided… (Section 15.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
The organization must perform "periodic testing and evaluating information security controls and techniques to ensure that they are effectively implemented." In addition, each year an "independent evaluation of the information security program must be performed" to determine the program's effectivene… (§ 3544(a)(2)(D), § 3545, Federal Information Security Management Act of 2002, Deprecated)
The audit committee may delegate to one or more members of the Board of Directors the authority to grant pre-approvals. (§ 78j-1(i)(3), Securities Exchange Act of 1934)
Quality audits shall be conducted by individuals who do not have any direct responsibility for what is being audited. (§ 820.22, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
The Federal Bureau of Investigation Criminal Justice Information Services Division Information Security Officer shall help develop audit compliance guidelines. (§ 3.2.10(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
The inspection team shall be appointed by the Criminal Justice Information Services Advisory Policy Board and include at least one representative from the Criminal Justice Information Services Division. (§ 5.11.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
Review the membership list of board, steering committee, and/or relevant management committees established to review IT activities. Determine whether board, senior management, lines of business, audit, and IT personnel are represented appropriately, and whether regular meetings are held and minutes … (App A Objective 2:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
Review board resolutions and audit charter to determine the authority and mission of the IT audit function. (TIER I OBJECTIVES AND PROCEDURES Objective 2:1, FFIEC IT Examination Handbook - Audit, April 2012)
Auditing personnel should have the appropriate information systems knowledge to be able to determine and report the root cause of any deficiencies. (Pg 9, FFIEC IT Examination Handbook - Audit, August 2003)
The examiner-in-charge (EIC) is responsible for the IT examination. His/her responsibilities include developing the scope of and strategy for the examination; coordinating all activities with the appropriate organizations; scheduling the examinations; coordinating onsite visits; supervising the exam… (Pg 10, Pg 15 thru Pg 17, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
Examination responsibility is determined based on the class/type of servicer as well as the class/type of insured financial institution(s) being serviced. (Examination Responsibility ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
Examination of companies in the Multi-Regional Data Processing Servicers (MDPS) program is administered by the Agencies. The Agencies determine which TSPs are subject to examination under the MDPS program. Generally, Agency-In-Charge (AIC) responsibilities for an MDPS company are rotated among the A… (E ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
Responsibility for the examination of independent TSPs is based on the class of insured financial institution being serviced. If more than one class of insured institution is serviced, the examination is conducted jointly, and on a rotated basis, as agreed to among the federal financial institution … (E ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
Management should designate specific personnel to monitor the operations, system administration, applications support, and security administrators' actions that are associated with the funds transfer system. (Pg 20, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
Provides detail on the roles and responsibilities of every person involved in the audit function:
• The assistant director is the top person responsible for the day-to-day conduct of the audit.
• The audit director is the senior manager responsible for the technical quality of the financial stat… (§ 100.26, GAO/PCIE Financial Audit Manual (FAM))
Communicate the organization's decisions on audits and reviews to all personnel. (§ 4.15.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
The security auditor should understand the system and the operating practices. (SG.AU-12 Supplemental Guidance 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The security auditor should understand the risk that is involved in the audit. (SG.AU-12 Supplemental Guidance 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The security auditor should understand cyber security and the smart grid information system's policy and procedures. (SG.AU-12 Supplemental Guidance 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
Management should accept responsibility for and evaluate the effectiveness of internal controls over financial reporting, provide sufficient documentation to support its evaluation, and produce a written assessment of the effectiveness of the internal controls over financial reporting in order for a… (¶ 20, PCAOB Auditing Standard No. 2)
The auditor should evaluate the objectivity and competence of any individual who performed any previous audit that the current auditor is going to use as a basis for his/her audit. The higher the level of competence and objectivity, the more of the work the auditor may use. (¶ 18, PCAOB Auditing Standard No. 5)