Define and assign the external auditor's roles and responsibilities.


CONTROL ID
00683
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define the roles and responsibilities for personnel assigned to tasks in the Audit function., CC ID: 00678

This Control has the following implementation support Control(s):
  • Engage auditors who have adequate knowledge of the subject matter., CC ID: 07102
  • Retain copies of external auditor outsourcing contracts and engagement letters., CC ID: 01188
  • Question external auditors about how audits were conducted and what is in the audit reports., CC ID: 04587
  • Disseminate and communicate with the organization about any missing audit documentation., CC ID: 06992

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The audit committee should recommend to the Board of Directors the appointment of any external auditors. (¶ 6.1.1, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • It is recognised that the internal audit function of some AIs may find it difficult to build up in-house technology audit expertise. In these circumstances, technology audit support may be supplemented by external specialists or internal technology auditors of other offices of the same banking group… (2.4.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Standard § I.4(4): The examination and assessment of the design and operation of internal controls are the responsibility of the internal auditors. As part of their monitoring function, they will prompt remedial action. Standard § III.1: The objective of an Internal Control Audit by external audit… (Standard § I.4(4), Standard § III.1, Standard § III.2 ¶ 1, Standard § III.4(5), Practice Standard § I.4(3), Practice Standard § II.3(1)[2], Practice Standard § III.2, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O91.1: The organization should use independent system auditors to conduct audits and evaluations of computer systems operations, development, and modification and report the results to top management. O91.2: The organization should use external specialized organizations as an option for system audit… (O91.1, O91.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The audit committee should meet with the external auditors at least annually. (¶ 11.5, CODE OF CORPORATE GOVERNANCE 2005)
  • Before outsourcing the internal audit function to external auditors, an institution should satisfy itself that the external auditor would be in compliance with the relevant auditor independence standards of the Singapore accounting profession. (5.12.2, Guidelines on Outsourcing)
  • An auditor or audit firm that conducts the audits of financial reports must state to the directors of the organization, in writing, that it has maintained its independence and professional conduct. The declaration must be given to the directors when the audit report is submitted and must be signed b… (Sched 1 ¶ 93, Sched 1 ¶ 95, Sched 1 ¶ 96, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • To maintain its independence, auditors and audit firms must not be involved in the decision-making process of the organization being audited and not have a direct or indirect relationship (financial, employment, business, non-auditing services, etc.) with the organization. When an auditor or audit f… (Art 22, Art 23.3, Art 38, Art 42, EU 8th Directive (European SOX))
  • In order to maintain the level of security, the security safeguards identified as being appropriate must be applied on the one hand and, on the other hand, the security concept must be updated continuously. Furthermore, security incidents must be detected in due time and quick and appropriate reacti… (§ 8.3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The auditor must submit a report to the audit committee stating any relationships between the auditor and the organization. He/she must note the other services he/she performed over the last year and if any other services are contracted for the next year. The auditor must attend a Supervisory Board … (¶ 7.2.1, ¶ 7.2.4, German Corporate Governance Code ("The Code"), June 6, 2008)
  • External auditors are required to report any irregularities they discover in the financial reports to the audit committee. The external auditor must attend the annual meeting to answer any questions from shareholders. (¶ III.5.5, ¶ V.2.1, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • External auditors should exercise due professional care when conducting an audit. (§ V.D, OECD Principles of Corporate Governance, 2004)
  • External audits are required for most organizations on an annual basis. The internal audit department and audit committee should consider and include the following topics: the external auditor's responsibilities to understand and evaluate the IT system and related IT controls during financial audits… (§ 7.3.2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • External auditors need to know which major projects are underway, since IT and technology-related projects may have a critical impact on operations and financial statements. They should be concerned with projects that could have a major impact on revenue generation, financial statement reporting, ma… (§ 4.4, IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • Security audits should be complemented by reviews carried out by independent external parties. (SI.01.01.03i, The Standard of Good Practice for Information Security)
  • Security audits should be complemented by reviews carried out by independent external parties. (SI.01.01.03i, The Standard of Good Practice for Information Security, 2013)
  • The IT auditor should determine if the countermeasures adequately protect the data and if they have been implemented correctly. If they have been implemented correctly, the system should be allowed to operate. (§ 6.1.2, ISO 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005)
  • External auditors provide a unique, independent, and objective view of the organization's financial objectives. They should report on any deficiencies that they have identified, along with recommendations for improving them. (Pg 98, Pg 99, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Verify that the practitioner in charge of the engagement has an understanding of the role of the organization's quality control system. (Ques. AT411 Item 1, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The service auditor must either accept or continue the engagement. (¶ 2.02 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor must read the system description and gain an understanding of the system. (¶ 2.02 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should accept or continue an engagement only if the preliminary engagement knowledge indicates that the criteria for use will be suitable and available to the report's intended users. (¶ 2.03.c.i, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should request that management include omitted criteria and controls in the system description, and, if management refuses, the service auditor should disclaim an opinion or withdraw from the engagement. (¶ 4.24, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should withdraw from the engagement or disclaim an opinion, if management refuses to provide representations to reaffirm its assertion or representations that it has furnished all of the information and access that was agreed to. (¶ 3.96, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor is not required to stay informed of subsequent events before the date of the service auditor's report. If the service auditor becomes aware of conditions that might have affected management's assertion and the service auditor's report, the service auditor should evaluate this inf… (¶ 3.102, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • As previously stated, the service auditor is required to establish, prior to acceptance of the SOC 2® examination, an understanding with service organization management about its responsibilities and those of the service auditor. This section provides an overview of management's responsibilities. B… (¶ 2.03, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Assume responsibility for the work of the other practitioner (¶ 2.155(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The responsibilities of the service auditor (¶ 2.71(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be… (¶ 2.91, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the respective roles and responsibilities of the service auditor and the specialist; (¶ 2.160(c)(ii), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor identifies or suspects noncompliance with laws or regulations that are not relevant to the subject matters of the SOC 2® examination, the service auditor should determine whether he or she has a responsibility to report the identified or suspected noncompliance to parties oth… (¶ 3.194, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When engaged by the service organization, the service auditor provides the report to management of the service organization, and management distributes the report to the parties to whom use of the report is restricted. A service auditor is not responsible for controlling a client's distribution of a… (¶ 4.91, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • has reached a common understanding with the engaging party of the terms of the engagement, including the service auditor's reporting responsibilities. (Chapter 4 discusses reporting in a SOC 2® examination.) (¶ 2.32(d), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Prior to accepting a SOC 2® examination, AT-C section 105, Concepts Common to All Attestation Engagements, requires the service auditor to determine that certain preconditions are met. Among other things, those preconditions require the service auditor to determine whether the engagement team meets… (¶ 2.01, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted b… (¶ 2.132, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity req… (¶ 2.147, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity req… (¶ 3.169, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The extent to which the service auditor plans to use the work of the internal audit function is a matter of professional judgment. Because the service auditor has sole responsibility for expressing an opinion on the description, on the suitability of design of controls and, in a type 2 examination, … (¶ 2.145, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The audit team should meet to discuss the organization's chances of having material misstatements of financial statements. The lead auditor should decide who needs to be involved in the discussion; not all members of the team need to be involved. The objective is for the team to gain an understandin… (§ 314.14 thru § 314.21, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • In accordance with paragraph .29 of AT-C section 105, the service auditor should accept a SOC 2 examination only when the service auditor has reached a common understanding with service organization management about the terms of the engagement. Paragraph .08 of AT-C section 205 indicates that these … (¶ 2.03, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .35 of AT-C section 105 states that the engagement partner should take responsibility for the overall quality of the attestation engagement, including matters such as client acceptance and continuance, compliance with professional standards, and maintenance of appropriate documentation, am… (¶ 1.98, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • has reached a common understanding with the engaging party of the terms of the engagement, including the service auditor's reporting responsibilities. (Chapter 4 discusses reporting in a SOC 2 examination.) (¶ 2.38 d., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Agreeing on the terms of the engagement with service organization management, including establishing an understanding about the responsibilities of management and the service auditor (see paragraph 2.76) (¶ 2.36 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As a member of the engagement team, the engagement partner also needs to have appropriate competence and capabilities to issue an appropriate service auditor's report based on the engagement's particular circumstances. In accordance with paragraph .35 of AT-C section 105, the engagement partner also… (¶ 2.50, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The responsibilities of the service auditor (¶ 2.77 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Ascertain the nature, timing, and extent of resources necessary to perform the engagement, including the use of other service auditor's or service auditor's specialists. (¶ 2.97 i., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The extent to which the service auditor plans to use the work of the internal audit function is a matter of professional judgment. In accordance with paragraph .40 of AT-C section 205, because the service auditor has sole responsibility for expressing an opinion on the description, the suitability o… (¶ 2.161, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • To prevent undue use of the internal audit function in obtaining evidence, paragraph .40 of AT-C section 205 also notes that the service auditor should use less of the work of the internal audit function and perform more of the work directly when more judgment is involved in planning and performing … (¶ 2.162, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • planning and performing relevant procedures or (¶ 2.162 a.i., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • evaluating the evidence obtained. (¶ 2.162 a.ii., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the higher the assessed risk of material misstatement. (¶ 2.162 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the less the internal audit function's organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors. (¶ 2.162 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the lower the level of competence of the internal audit function. (¶ 2.162 d., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Assume responsibility for the work of the other practitioner (¶ 2.171 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the respective roles and responsibilities of the service auditor and the specialist; (¶ 2.176 c.ii., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Be involved in the work of the other practitioner, if assuming responsibility for the work of the other practitioner. (¶ 2.172 d., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The scope of a SOC 2+ examination also includes the evaluation of controls against additional criteria. In accordance with paragraph .08 of ATC section 205, the written agreement with the client about the terms of the engagement should identify the additional criteria in addition to management's and… (¶ 2.188, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The responsibility to report on the description of the system, the suitability of design of controls, and in a type 2 examination, the operating effectiveness of controls rests solely with the service auditor and cannot be shared with the internal audit function. Therefore, the judgments about the s… (¶ 3.206, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should determine who to interact with in the organization's governance structure or management structure when required to ask, communicate, or request representations from based on their responsibilities and knowledge of the matter. (¶ .08, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should accept or continue an audit on controls only if his or her preliminary knowledge of the audit indicates that the criteria are suitable and available to the users and their auditors. (¶ .09.b.i, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should accept or continue an audit on controls only if his or her preliminary knowledge of the audit indicates that he or she will have sufficient access to the needed evidence. (¶ .09.b.ii, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for providing a written representation at the end of the audit. (¶ .09.c.vi(4), SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should accept or continue an audit of controls only if he or she has the competence and capabilities. (¶ .09.a, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should accept or continue an audit on controls only if his or her preliminary knowledge of the audit indicates that the scope and the system description are not so limited that the audit would not be useful. (¶ .09.b.iii, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and accepts and acknowledges responsibility for identifying risks that threaten the control objectives from being achieved and to design, implement, and document controls that provide reas… (¶ .09.c.v, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for providing the service auditor with access to all information that is relevant to the system's description and assertion. (¶ .09.c.vi(1), SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for providing the service auditor with any requested information for conducting the audit. (¶ .09.c.vi(2), SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for providing service auditors with unrestricted access to the personnel from whom audit evidence needs to be obtained. (¶ .09.c.vi(3), SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for providing a written assertion to provide to the user entities. (¶ .09.c.vii, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should have an understanding of the system, including the controls that are included in the scope of the audit. (¶ .18, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should withdraw from the audit or disclaim an opinion if management refuses to provide the representations identified in paragraphs .36.a and .36.b. (¶ .39 ¶ 2, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor is not required to stay informed of events after the date of the service auditor's report. If the service auditor became aware of conditions that existed at the time of the report that might have affected the assertion and the report, this information should be evaluated as descr… (¶ .43, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The responsibilities of the responsible party and the responsibilities of the engaging party, if different (AT-C Section 205.08 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Reviews being performed in accordance with the firm's review policies and procedures and reviewing the engagement documentation on or before the date of the practitioner's report (AT-C Section 105.33 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The responsibilities of the responsible party and the responsibilities of the engaging party, if different (AT-C Section 210.09 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The accountant shall furnish the insurer in connection with, and for inclusion in, the filing of the annual audited financial report, a letter stating: (Section 12. ¶ 1., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The lead (or coordinating) audit partner (having primary responsibility for the audit) may not act in that capacity for more than five (5) consecutive years. The person shall be disqualified from acting in that or a similar capacity for the same company or its insurance subsidiaries or affiliates fo… (Section 7.D.(1), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • If the host country prohibits onsite examinations, the U.S. bank should hire external auditors to conduct the examination. (Pg 31, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The annual evaluation required by this section for agencies that have an Inspector General must be performed by the Inspector General or an independent external auditor and, if an agency does not have an Inspector General, the agency head must hire an independent external auditor to perform the eval… (§ 3545(b), Federal Information Security Management Act of 2002, Deprecated)
  • only by an entity designated by the agency head; and (§ 3555(c)(1), Federal Information Security Modernization Act of 2014)
  • Public accounting firms that perform audits for an organization are prohibited from performing non-audit services, such as bookkeeping, actuarial services, internal audit outsourcing, financial information systems design and implementation, and valuation or appraisal services, or providing investmen… (§ 78j-1(g), § 78j-1(h), Securities Exchange Act of 1934)
  • All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged security violations. The inspection team shall be appointed by the APB and shall include at least one representative of the CJIS Division. All results of the inquiry and audit… (§ 5.11.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • External auditors should review the general controls and the application controls used by the organization. General controls include documentation procedures, physical access to equipment and data, and controls that affect the overall information systems operations. Application controls include cont… (Pg 7, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should ensure the external auditor's training and experience are adequate and the auditing techniques of the third party service provider are appropriate. (Pg 22, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • (App A.1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • Based on an annual schedule approved by either the Agencies or the Agencies' district/ regional offices, the Agencies select an AIC for each examined TSP. (Agency-In-Charge ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Technology service centers operated by an insured financial institution or its subsidiary are examined by the Agency responsible for the supervision of the financial institution. (A ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Services provided by an insured financial institution, or by its subsidiary, to one class or more of insured financial institutions are examined by the Agency responsible for supervising the servicing institution. The primary regulatory Agency seeks input from other interested Agencies and performs … (B ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Where there is only one controlling owner, or where one controlling owner has claim to materially greater ownership interests relative to the others, the Agency supervising that owner has the discretion to retain primary examination responsibility with regard to any interagency examination work. (D ¶ 1 Bullet 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Responsibility for the examination of independent TSPs is based on the class of insured financial institution being serviced. If more than one class of insured institution is serviced, the examination is conducted jointly, and on a rotated basis, as agreed to among the federal financial institution … (E ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Some examinations of sites or specific supervisory activities of a TSP may have an examiner, who is not a member of the CPC team, assigned as Examiner-In-Charge (EIC). In these situations, the EIC conducts the assignment under the direction of the CPC team and is responsible to the Lead CPC for the … (Examiner-In-Charge of Site or Activity ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • If there are one or more controlling owners, primary examination responsibility falls to the Agency or Agencies supervising the controlling owner(s). (D ¶ 1 Bullet 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Examinations of independent TSPs that are not part of the MDPS program are administered by the Agencies' regional/district management under the guidelines in this booklet. (E ¶ 3, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • The Agencies are responsible for the administration, coordination, oversight, and implementation of the supervisory program for the largest, systemically important TSPs: the MDPS program. The program represents a cooperative arrangement among the Agencies for the achievement of shared and consistent… (MDPS Program ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Implement audits to identify and manage technology-related risks. Auditors provide an important control mechanism for detecting deficiencies and managing risks in the implementation of technology. They should be qualified to assess the specific risks that arise from specific uses of technology. Bank… (¶ 43, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Auditors should have technical training, be proficient and independent, and exercise due professional care, including professional skepticism. To be independent, an auditor should not act as management or an employee of the client, audit his or her own work, or have conflicting or mutual interests w… (¶ 30 thru ¶ 36, PCAOB Auditing Standard No. 2)
  • The auditor should have proficiency, technical training, and independence and should exercise "due professional care." (¶ 4, PCAOB Auditing Standard No. 5)