Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function.


CONTROL ID: 00679
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define the roles and responsibilities for personnel assigned to tasks in the Audit function., CC ID: 00678

This Control has the following implementation support Control(s):
  • Assign the Board of Directors to address audit findings., CC ID: 12396
  • Assign the internal audit staff to be independent from business units reporting to the Board of Directors., CC ID: 01184


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should have an audit committee. The majority of the audit committee should be independent, non-executive directors who are financially literate. The chair of the audit committee should be an independent, non-executive director and should not be the chair of the Board of Directors. T… (¶ 2.1.15, ¶ 2.7.5, ¶ 2.7.9, ¶ 6.1.5, ¶ 6.3.1, ¶ 6.3.2, ¶ 6.3.5, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • AIs should conduct periodic audits on the adequacy and compliance status of their controls on customer data protection. Such audits should be conducted by an independent party (such as the AI's internal audit function) with the necessary expertise, and any significant issues should be brought up to … (Annex H. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Standard § II.2(1): Policies and procedures for the design and operation of internal control over financial reporting must be developed, recorded, and maintained by management. Practice Standard § II.3(4)[1].C.b: Company-level control deficiencies are very likely to have material impacts on inter… (Standard § II.2(1), Practice Standard § II.3(4)[1].C.b, Practice Standard § II.3(4)[1].C.e, Practice Standard § III.4(1)[2], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The audit committee must have at least 3 members, 2/3 of which must be independent directors. The audit committee members must be financially literate, and 1 member must have accounting or financial management experience. The audit committee is required to oversee the organization's financial report… (§ II(A), § II(D)(1) thru § II(D)(3), Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • Management should provide an assessment of the organization's performance and prospects to the Board on a monthly basis. The audit committee should be made up of 3 non-executive directors, with a majority of them being independent and at least 2 of the members having financial or accounting experien… (¶ 10.2, ¶ 11.1 thru ¶ 11.4, ¶ 11.6, CODE OF CORPORATE GOVERNANCE 2005)
  • The Board of Directors must appoint an auditor for the organization within 1 month of becoming a registered company. When a vacancy occurs that is not caused by the removal of the auditor, the Board of Directors has 1 month to appoint a new auditor. (Sched 1 ¶ 96, Sched 1 ¶ 100, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial insti… (3.3.6 26, Final Report EBA Guidelines on ICT and security risk management)
  • The owners, shareholders, administrative bodies, management bodies, and supervisory bodies must not interfere with the audit in any way that might compromise the independence of the auditor or audit firm. Each public-interest organization is required to have an audit committee. At least 1 member of … (Art 24, Art 41, EU 8th Directive (European SOX))
  • An audit committee must be formed by the supervisory committee. The chairperson of the audit committee must have accounting and internal control experience and specialist knowledge and must not be a former Management Board member. (¶ 5.3.2, German Corporate Governance Code ("The Code"), June 6, 2008)
  • The Board of Directors must be made up of at least 3 members and a maximum of 9 members. The Board of Directors must appoint a managing director and meet privately with the auditor(s) at least annually. If possible, all members of the Board of Directors must attend the annual meeting. An audit commi… (¶ I.2.2, ¶ III.1.3.1, ¶ III.3.1.4, ¶ III.3.8.2 thru ¶ III.3.8.4, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • The audit committee must not be chaired by a former member of the Management Board or the chairperson of the Supervisory Board and must have at least 1 financial expert. The audit committee must supervise the Management Board activities that deal with internal risk management and control systems, th… (¶ III.5.4, ¶ III.5.6 thru ¶ III.5.8, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • The audit committee should consist of at least 3 independent, non-executive directors, 2 if the organization is a smaller company. At least 1 member of the committee should have recent and relevant financial experience. (§ C.3.1, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • (¶ 2.1, Smith Guidance on Audit Committees, UK FRC, January 2003)
  • (¶ 33, Turnbull Guidance on Internal Control, UK FRC, October 2005)
  • Is the Board of Directors responsible for overseeing technology risk? (Table Row I.22, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The audit plan should be presented to senior management and the audit committee board members by the internal audit department, especially significant interim changes, resource requirements, and potential implications of resource limitations. The IT component of the IT audit plan also should be disc… (§ 6.9, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Support from the audit committee and senior management should be obtained after the objectives of continuous auditing are defined. Management must fully support the continuous auditing initiative, not simply be aware of it. Management must be informed of all pre-conditions for the continuous auditin… (§ 6 (Obtain Management Support), IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • During the process of preparing the review program, a meeting should be held with management. During the meeting, the following should be discussed: any of management's concerns about risk; the internal auditing's risk and control assessment; any previously reported issues; how to communicate any co… (§ 5 (Planning) ¶ 3, § 5 (Planning) ¶ 4, IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. (§ 6.4.3.3 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Senior management should be directly responsible for all of the organization's activities. The Chief Executive Officer should have ownership responsibility for enterprise risk management. (Pg 93, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Management of the service organization must determine which type of engagement to perform, what principle(s) to look at, the scope, and if any subservice organizations will be included or carved out of the description and service auditor's report. (¶ 2.01 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Each member of the audit committee shall be a member of the board of directors of the insurer or a member of the board of directors of an entity elected pursuant to Subsection F and Section 3C. (Section 14.C., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Interview management to determine the organization's supervision of compliance requirements to the Bank Secrecy Act (BSA). (Obj 4, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Interview management to determine the organization's internal controls for compliance. (Obj 4, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Interview management to determine the organization's training program. (Obj 4, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Interview management to determine the organization's implementation of manual or automated monitoring and reporting systems. (Obj 4, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The audit committee must pre-approve all audit and non-audit services provided to the organization. Each member of the audit committee must be a member of the Board of Directors and should be independent. An individual is independent if he/she does not accept any compensatory fees from the organizat… (§ 78j-1(i)(1), § 78j-1(m)(3), Securities Exchange Act of 1934)
  • Quality audit results and reaudit(s) reports shall be made and reviewed by the management personnel responsible for the matters being audited. The dates and results of these quality audits and reaudits shall be documented. (§ 820.22, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged security violations. The inspection team shall be appointed by the APB and shall include at least one representative of the CJIS Division. All results of the inquiry and audit… (§ 5.11.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Review the membership list of board, steering committee, and/or relevant management committees established to review IT activities. Determine whether board, senior management, lines of business, audit, and IT personnel are represented appropriately, and whether regular meetings are held and minutes … (App A Objective 2:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Management's role in IT audit activities; (TIER I OBJECTIVES AND PROCEDURES Objective 1:2. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine the credentials of the board of directors or its audit committee related to their ability to oversee the IT audit function. (TIER I OBJECTIVES AND PROCEDURES Objective 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • State that outsourcing vendors will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of institution management or an employee and, if applicable, they are subject to professional or regulatory independence guidance. (TIER I OBJECTIVES AND PROCEDURES Objective 11:2. Bullet 11, FFIEC IT Examination Handbook - Audit, April 2012)
  • The Board of Directors and senior management should be responsible for ensuring the internal controls of the organization are operating effectively, providing sufficient resources to the internal audit function, and hiring outside auditors, if necessary, to conduct audits. The Board of Directors sho… (Pg 3 thru Pg 5, Exam Tier I Obj 2.4, Exam Tier I Obj 3.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The Board of Directors and senior management should ensure there is cooperation between management and the IT audit function. (Pg 10, FFIEC IT Examination Handbook - Management)
  • Obtain documentation of or discuss with senior management the probability of risk occurrence and the impact to IT operations. Evaluate management's risk assessment process. (Exam Tier I Q 3.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The Board of Directors and senior management should be aware of the risks associated with outsourcing agreements to ensure there are effective risk management procedures in place. (Pg 5, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The Board of Directors should ensure the audit program tests the internal controls, policies, and procedures of the organization. (Pg 32, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • (App A.3, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The Board of Directors should oversee the implementation of policies, risk management strategy, controls, external and internal audits, and management information systems. (Pg 22, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The Board of Directors or a committee should be responsible for reviewing and approving the organization's risk exposure limits at least annually. For high-risk activities, the exposure limits should be reviewed more frequently. (Exposure Limits, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • The bank should involve the board of directors and senior management in decision-making throughout the planning process. (¶ 24, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • The Board of Directors should evaluate the performance and effectiveness of the audit committee, and the auditor should assess the audit committee's effectiveness. (¶ 56, PCAOB Auditing Standard No. 2)
  • The auditor should determine if the Board of Directors or the audit committee has oversight responsibility over financial reporting and internal controls. (¶ 25, PCAOB Auditing Standard No. 5)