Establish, implement, and maintain an audit program.


CONTROL ID
00684
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Audits and risk management, CC ID: 00677

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain audit policies., CC ID: 13166
  • Assign the audit to impartial auditors., CC ID: 07118
  • Exercise due professional care during the planning and performance of the audit., CC ID: 07119
  • Include resource requirements in the audit program., CC ID: 15237
  • Include risks and opportunities in the audit program., CC ID: 15236
  • Include provisions for legislative plurality and legislative domain in the audit program., CC ID: 06959
  • Establish and maintain audit terms., CC ID: 13880
  • Establish, implement, and maintain agreed upon procedures that are in scope for the audit., CC ID: 13893
  • Establish, implement, and maintain an in scope system description., CC ID: 14873
  • Hold an opening meeting with interested personnel and affected parties prior to an audit., CC ID: 15256
  • Identify personnel who should attend the closing meeting., CC ID: 15261
  • Confirm audit requirements during the opening meeting., CC ID: 15255
  • Include discussions about how particular situations will be handled in the opening meeting., CC ID: 15254
  • Include agreement to the audit scope and audit terms in the audit program., CC ID: 06965
  • Hold a closing meeting following an audit to present audit findings and conclusions., CC ID: 15248
  • Include materiality levels in the audit terms., CC ID: 01238
  • Schedule attestation engagement meetings with interested personnel and affected parties, as necessary., CC ID: 15263
  • Refrain from performing an attestation engagement under defined conditions., CC ID: 13952
  • Accept the attestation engagement when all preconditions are met., CC ID: 13933
  • Establish, implement, and maintain a practitioner's report on agreed-upon procedures., CC ID: 13894
  • Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures., CC ID: 06966
  • Establish and maintain a practitioner's examination report on pro forma financial information., CC ID: 13968
  • Establish and maintain organizational audit reports., CC ID: 06731
  • Notify interested personnel and affected parties after bribes are offered during the audit., CC ID: 08872
  • Submit an audit report that is complete., CC ID: 01145
  • Implement a corrective action plan in response to the audit report., CC ID: 06777
  • Assess the quality of the audit program in regards to the staff and their qualifications., CC ID: 01150
  • Assess the quality of the audit program in regards to its documentation., CC ID: 11622


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization should implement an internal audit function. The internal audit function should ensure that the processes used by management adequately identify and monitor risks; the internal control systems are operating effectively; a process exists for feedback; and the Board of Directors recei… (¶ 4.1.1, ¶ 4.2.2, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • IC-1 “General Risk Management Controls” sets out the general objective and the importance of independence and expertise of AIs’ internal audit function. As regards technology audits, AIs are expected to assess periodically their technology risk management process and IT controls. To ensure ade… (2.4.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • External auditors must comply with these guidelines' standards and the general standards under the "Audit Standards" and "Quality Control Standards for audit" when conducting an Internal Control Audit. (Standard § III.2 ¶ 3, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The audit committee should ensure that the internal audit function is staffed appropriately and has adequate resources to carry out its duties. (¶ 13.3, CODE OF CORPORATE GOVERNANCE 2005)
  • An IT audit plan, comprising auditable IT areas for the coming year, should be developed. The IT audit plan should be approved by the FI’s Audit Committee. (§ 14.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A comprehensive set of auditable areas for technology risk should be identified so that an effective risk assessment could be performed during audit planning. Auditable areas should include all IT operations, functions and processes. (§ 15.1.2, Technology Risk Management Guidelines, January 2021)
  • All systems must have an audit conducted as part of the certification process. (Control: 1141, Australian Government Information Security Manual: Controls)
  • The configuration baseline should be compared against the actual configuration on a regular basis to ensure no changes have been made to the system without proper approval. (§ 3.5.19, § 3.7.29, Australian Government ICT Security Manual (ACSI 33))
  • The audit program should "cover all aspects of records keeping; specify performance indicators used to analyze efficiency and effectiveness; assign responsibility for the conduct and reporting of the audit; specify methods for collecting information; specify the period and frequency of reviews; and … (§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The nature of the audit, the degree to which the auditor was involved in the audit process, and the responsibility level of the auditor in relation to the audit must be examined to determine the significance of the audit work. (Sched 1 ¶ 63, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. (4.10 50, Final Report on EBA Guidelines on outsourcing arrangements)
  • monitoring, auditing and testing; (Art. 16.1(d), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • If the organization does not have an internal audit function, it must evaluate the need for it annually. (¶ III.3.7.2, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • If the organization does not have an internal audit function, the audit committee should evaluate, on an annual basis, if the organization needs the audit function and make a recommendation to the Board. (§ C.3.5, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • (¶ 42 thru ¶ 47, Turnbull Guidance on Internal Control, UK FRC, October 2005)
  • The internal auditing process should include an independent review of the risk measurement system. Internal audit must review the organization's rating system and operations at least annually. The internal audit should review the organization's adherence to applicable minimum requirements and docume… (¶ 165, ¶ 443, ¶ 620(f), ¶ 744, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • The Board of Directors should ensure that an effective and comprehensive internal audit program be established. The internal audit should verify that procedures and policies are implemented effectively. (¶ 16, Principle 2, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Auditors should prepare an audit plan and all working documents before starting onsite investigations. (Supplement on Tin, Tantalum, and Tungsten Step 4: A.4(c), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies are recommended to participate and support independent third party audits of the refiner's due diligence procedures. (Supplement on Gold Step 4: B.6(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should implement an internal audit program. (§ VI.D, OECD Principles of Corporate Governance, 2004)
  • Has senior management established a security auditing process? (Table Row II.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The audit process should review the responsibilities for the business continuity management policy. (§ 5.2.2 ¶ 3, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The organization must ensure internal audits are performed at planned intervals to determine if the business continuity management system conforms to the business continuity management arrangements and the requirements of this standard, is implemented properly and maintained, and is effective in mee… (§ 5.1.1, BS 25999-2, Business continuity management. Specification, 2007)
  • A good audit plan is expected to include: identification of the type of audit to be carried out identification of audit objectives identification of the standard audit framework to be used a clear definition of the scope of the audit a definition of the audit approach identification of audit evaluat… (Stage 5.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The creation of the IT audit plan should be part of the cyclical strategic planning process and should follow the classical management cycle of "plan, do, check, and act." The key enabler for implementing the strategic planning process is the IT audit plan and the IT audit plan delineates how the or… (§ 6.1 ¶ 3, § 6.2 ¶ 2, § 6.4, § 6.5, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Management and the Board of Directors can be aided by internal auditing. Internal auditing can understand organizational objectives; assist in the identification of risks from changes and determine if they are consistent with the risk appetite of the organization; assist in deciding on risk manageme… (§ 2.5 ¶ 3, Table 2, Table 3, IIA Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success)
  • Assurance services are provided by internal auditing when they perform objective examinations of evidence to provide independent assessments of management control frameworks and practices, risk management strategies and practices, and information used for decision making and reporting. Organizations… (§ 4 (Continuous Assurance) ¶ 4, § 5 ¶ 5, § 6 (Define Audit Requirements), IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • The organization should define an approach to the IT audit and create work plans specific to the particular environment being audited. (§ 4.1 ¶ 1, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Internal auditors should consider the following when evaluating an organization's privacy framework: the laws and regulations for all jurisdictions where business is conducted; internal privacy guidelines and policies; privacy policies for customers and the public; the legal and information security… (§ 5.1 ¶ 1, § 5.4 (Legal and Organizational Risks) ¶ 5, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The following are 10 questions a Chief Audit Executive should ask to determine the level of maturity of the organization's vulnerability management practice: "1) What percent of total systems are monitored or scanned? 2) How many unique vulnerabilities exist in your enterprise? 3) What percent of sy… (§ 5.2 Table 3, IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • See Appendix B for a sample audit program. (App B, IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • Internal auditors need to document the identity and entitlement processes and the repositories and life cycle components and evaluate the identity and access management (IAM) activity controls during an IAM audit. The first step is to determine if an IAM program exists by asking the following questi… (§ 4, § 4.1, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • A documented procedure shall be established to define the requirements and responsibilities for planning and conducting audits, maintaining the records, and reporting the results. (§ 4.2.11 ¶ 3, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The organization must ensure internal organizational resilience management system audits are conducted at planned and non-planned intervals. The audit will determine if the organizational resilience management system's controls, processes, control objectives, and procedures meet relevant legislation… (§ 4.5.5 ¶ 1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including business environments (e.g., business administration offices, trading floors, call centres, warehouses, and retail environments). (SI.01.01.01a, The Standard of Good Practice for Information Security)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including business processes (e.g., processing high value transactions, manufacturing goods, handling medical records). (SI.01.01.01b, The Standard of Good Practice for Information Security)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including business applications (including those under development). (SI.01.01.01c, The Standard of Good Practice for Information Security)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including Information Systems and networks that support critical business processes. (SI.01.01.01d, The Standard of Good Practice for Information Security)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including specialist systems that are important to the organization (e.g., systems that support or enable the organization's critical infrastructure, such as Superv… (SI.01.01.01e, The Standard of Good Practice for Information Security)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including key enterprise-wide security activities (e.g., managing a security architecture, running awareness programs, or monitoring security arrangements). (SI.01.01.01f, The Standard of Good Practice for Information Security)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including office equipment (e.g., network printers, photocopiers, facsimile machines, scanners, and multifunction devices). (SI.01.01.01g, The Standard of Good Practice for Information Security)
  • Security audits should consider the information security requirements of target environments (i.e., the need to protect the confidentiality, integrity, and availability of business information). (SI.01.01.02b, The Standard of Good Practice for Information Security)
  • Security audits should be conducted frequently and thoroughly (in terms of scope and extent) to provide assurance that security controls function as required. (SI.01.01.03e, The Standard of Good Practice for Information Security)
  • Security audits should be supplemented by the use of automated software tools. (SI.01.01.03g, The Standard of Good Practice for Information Security)
  • There should be a repeatable and consistent process for performing security audits of target environments, which includes conducting fieldwork (e.g., collecting relevant background material, performing security audit tests, and recording the results of the tests). (SI.01.01.05b, The Standard of Good Practice for Information Security)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including business environments (e.g., business administration offices, trading floors, call centres, warehouses, and retail environments). (SI.01.01.01a, The Standard of Good Practice for Information Security, 2013)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including business processes (e.g., processing high value transactions, manufacturing goods, handling medical records). (SI.01.01.01b, The Standard of Good Practice for Information Security, 2013)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including business applications (including those under development). (SI.01.01.01c, The Standard of Good Practice for Information Security, 2013)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including Information Systems and networks that support critical business processes. (SI.01.01.01d, The Standard of Good Practice for Information Security, 2013)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including specialist systems that are important to the organization (e.g., systems that support or enable the organization's critical infrastructure, such as Superv… (SI.01.01.01e, The Standard of Good Practice for Information Security, 2013)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including key enterprise-wide security activities (e.g., managing a security architecture, running awareness programs, or monitoring security arrangements). (SI.01.01.01f, The Standard of Good Practice for Information Security, 2013)
  • Independent security audits should be performed regularly for target environments that are critical to the success of the organization, including office equipment (e.g., network printers, photocopiers, facsimile machines, scanners, and multifunction devices). (SI.01.01.01g, The Standard of Good Practice for Information Security, 2013)
  • Security audits should consider the information security requirements of target environments (i.e., the need to protect the confidentiality, integrity, and availability of business information). (SI.01.01.02b, The Standard of Good Practice for Information Security, 2013)
  • Security audits should be conducted frequently and thoroughly (in terms of scope and extent) to provide assurance that security controls function as required. (SI.01.01.03e, The Standard of Good Practice for Information Security, 2013)
  • Security audits should be supplemented by the use of automated software tools. (SI.01.01.03g, The Standard of Good Practice for Information Security, 2013)
  • There should be a repeatable and consistent process for performing security audits of target environments, which includes conducting fieldwork (e.g., collecting relevant background material, performing security audit tests, and recording the results of the tests). (SI.01.01.05b, The Standard of Good Practice for Information Security, 2013)
  • Security audits should include a focus on the use of special access privileges and any suspicious behaviour associated with related user accounts. (SI.01.01.02c, The Standard of Good Practice for Information Security, 2013)
  • Audit plans, activities, and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders. (AAC-01, Cloud Controls Matrix, v3.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually. (A&A-01, Cloud Controls Matrix, v4.0)
  • The organization shall perform internal audits at planned intervals. These audits shall determine if the quality management system conforms to the plans, the ISO requirements, the organization's quality management system requirements, and if the system is being effectively implemented and maintained… (§ 8.2.2 ¶ 1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. (§ 9.2.2 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization should establish an internal audit programme to direct the planning and conduct of internal audits and to identify the audits needed to achieve the audit programme objectives. The audit programme, and the frequency of internal audits, should be based on the nature of the organizatio… (9.2 ¶ 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Internal auditing should be conducted to ensure that the organization is in compliance with its policies and procedures. (§ 10, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • The internal audits should "take place regularly at intervals agreed and set down in the organization's records management policy." (§ 5.1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • An audit programme should be established which can include audits addressing one or more management system standards or other requirements, conducted either separately or in combination (combined audit). (§ 5.1 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The extent of an audit programme should be based on the size and nature of the auditee, as well as on the nature, functionality, complexity, the type of risks and opportunities, and the level of maturity of the management system(s) to be audited. (§ 5.1 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • In the case of multiple locations/sites (e.g. different countries), or where important functions are outsourced and managed under the leadership of another organization, particular attention should be paid to the design, planning and validation of the audit programme. (§ 5.1 ¶ 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • organizational objectives; (§ 5.1 ¶ 6 Bullet 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme should request its approval by the audit client. (§ 5.4.1 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • objectives for the audit programme; (§ 5.1 ¶ 11(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • audit types, such as internal or external; (§ 5.1 ¶ 11(e), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit client should ensure that the audit programme objectives are established to direct the planning and conducting of audits and should ensure the audit programme is implemented effectively. Audit programme objectives should be consistent with the audit client's strategic direction and support… (§ 5.2 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • monitor, review and improve the audit programme; (§ 5.4.1 ¶ 1(g), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Each individual audit should be based on defined audit objectives, scope and criteria. These should be consistent with the overall audit programme objectives. (§ 5.5.2 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • review the audit programme in order to identify opportunities for its improvement (see 5.7). (§ 5.5.1 ¶ 2(j), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • In the event of any changes to the audit objectives, scope or criteria, the audit programme should be modified if necessary and communicated to interested parties, for approval if appropriate. (§ 5.5.2 ¶ 5, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The implementation of the audit programme should be monitored and measured on an ongoing basis (see 5.6) to ensure its objectives have been achieved. The audit programme should be reviewed in order to identify needs for changes and possible opportunities for improvements (see 5.7). (§ 5.1 ¶ 13, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • review of the overall implementation of the audit programme; (§ 5.7 ¶ 2 Bullet 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • application of changes to the audit programme if necessary; (§ 5.7 ¶ 2 Bullet 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme and the audit client should review the audit programme to assess whether its objectives have been achieved. Lessons learned from the audit programme review should be used as inputs for the improvement of the programme. (§ 5.7 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Where the audit is not feasible, an alternative should be proposed to the audit client, in agreement with the auditee. (§ 6.2.3 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • opportunities to improve the effectiveness and efficiency of the audit activities; (§ 6.3.2.1 ¶ 3(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The degree of detail should be consistent with the familiarity of the auditee with the audit process. In many instances, e.g. internal audits in a small organization, the opening meeting may simply consist of communicating that an audit is being conducted and explaining the nature of the audit. (§ 6.4.3 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • gather information to understand the auditee's operations and to prepare audit activities and applicable audit work documents (see 6.3.4), e.g. on processes, functions; (§ 6.3.1 ¶ 1 Bullet 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The degree of detail should take into account the effectiveness of the management system in achieving the auditee's objectives, including consideration of its context and risks and opportunities. (§ 6.4.10 ¶ 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) should take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2 ¶ 3 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall plan an audit program. (§ 4.5.4.2 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previou… (§ 9.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Service providers should ensure periodic audit reviews are performed for each physical facility and all equipment and that qualified internal or external personnel conduct the audit reviews. (§ 6.14.6.1, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2 ¶ 2 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting. (§ 9.2.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits… (9.2.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (Section 9.2.2 ¶ 1(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: (§ 9.2.2 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • An audit programme defines the structure and responsibilities for planning, conducting, reporting and following up on individual audit activities. As such it should ensure that audits conducted are appropriate, have the right scope, minimize the impact on the operations of the organization and maint… (§ 9.2 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization should perform audits of the system periodically with either internal or external auditors. (ID 8.2.6, AICPA/CICA Privacy Framework)
  • The service auditor should adapt and apply the requirements of paragraph .27 of AU section 322, when the service auditor uses the internal audit function to provide direct assistance. (¶ 4.10, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should notify the internal auditors of their responsibilities; the procedure's objectives; and matters that may affect the timing, nature, and extent of the audit procedures, when the internal audit function is providing direct assistance to the service auditor. (¶ 3.81 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Planning is a cumulative and iterative process that occurs throughout the engagement. Accordingly, the service auditor may need to revise the overall strategy and engagement plan based on unexpected events, changes in conditions, or evidence obtained that contradicts information previously considere… (¶ 2.95, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be… (¶ 2.91, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Establishing an overall strategy for the examination (¶ 2.172 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .11 of AT-C section 205 requires a service auditor to establish an overall engagement strategy that sets the scope, timing, and direction of the engagement and guides in the development of the engagement plan. In establishing the overall engagement strategy, the service auditor ordinarily … (¶ 2.92, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.92) (¶ 2.30 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider m… (¶ 2.142, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Relevance to compliance with laws and regulations. If the service organization is subject to requirements specified by laws or regulations related to security and the other trust services categories included within the scope of the SOC 2® examination, identified deficiencies and deviations related … (¶ 3.163 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor should adapt and apply the requirements of paragraph .27 of AU section 322, when the service auditor uses direct assistance from personnel of the internal audit function. (¶ .35, SSAE No. 16 Reporting on Controls at a Service Organization)
  • All insurers shall have an annual audit by an independent certified public accountant and shall file an audited financial report with the commissioner on or before June 1 for the year ended December 31 immediately preceding. The commissioner may require an insurer to file an audited financial report… (Section 4.A., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Function – The insurer or group of insurers shall establish an internal audit function providing independent, objective and reasonable assurance to the Audit committee and insurer management regarding the insurer's governance, risk management and internal controls. This assurance shall be provided… (Section 15.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Are audits performed to ensure compliance with any legal requirements? (§ L.2, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Are audits performed to ensure compliance with any regulatory requirements? (§ L.2, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Are audits performed to ensure compliance with any industry requirements? (§ L.2, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Is there a cloud computing audit program to address client audit requirements and assessment requirements? (§ V.1.18, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing audit program have program documentation describing audit capabilities and roles and responsibilities? (§ V.1.18.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The organization must initiate a management review or audit of all Medicare systems security controls, including interconnected systems, and applications that process sensitive information at least every 3 years and whenever a significant change occurs. (CSR 1.9.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The internal and/or external auditors should test transactions in all areas of the organization and verify the adequacy of employees' knowledge of regulations, the completeness of training programs, the integrity and effectiveness of controls, and the process of identifying suspicious activities. (Pg 6, Pg 86, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Each organization with an appointed Inspector General under the Inspector General Act of 1978 should be annually evaluated by the Inspector General or an independent external auditor. Which of these two will conduct the audit is determined by the Inspector General. If the organization does not have … (§ 3545, Federal Information Security Management Act of 2002)
  • The organization must develop auditing standards that include preparing and maintaining audit work papers for not less than 7 years, providing a second review and obtaining approval of the audit report, and describing the scope of the auditor's internal control tests. (§ 40, The Sarbanes-Oxley Act of 2002 (SOX), Deprecated)
  • A medical device manufacturer shall develop procedures for quality audits. The audits shall be conducted to ensure the quality system complies with the quality system requirements and to determine quality system effectiveness. (§ 820.22, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The criminal justice information services systems agency shall establish a process, in coordination with the state identification bureau, to audit all noncriminal justice agencies who have access to criminal justice information on a periodic basis. (§ 5.11.2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are appli… (§ 5.4 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • An internal or external auditor should review the Security Administrator's actions to ensure system security is properly maintained. (Pg 5, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • The board and senior management should engage internal audit or other independent personnel or third parties to review AIO functions and activities and validate effectiveness of controls. Effective AIO auditing assists the board and senior management with oversight, helps verify compliance with appl… (II.D Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Testing and evaluations through a combination of self-assessments, penetration tests, vulnerability assessments, and audits with appropriate coverage, depth, and independence. (App A Objective 10.1.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should ascertain that the information security program is operating securely, as expected, and reaching intended goals by doing the following: - Testing and evaluating through self-assessments, tests, and audits with appropriate coverage, depth, and independence. - Aligning personnel sk… (IV.A Assurance and Testing, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should develop and follow a formal internal audit program consisting of policies and procedures that govern the internal audit function, including IT audit. (Internal Audit Program, FFIEC IT Examination Handbook - Audit, April 2012)
  • The board of directors should establish an effective risk-based audit function. (Risk Assessment and Risk-Based Auditing, FFIEC IT Examination Handbook - Audit, April 2012)
  • Policies and procedures for conducting audits should be developed and approved by the Board of Directors. The audit program should include the purpose, objectives, and responsibilities of all involved personnel; risk assessments to analyze the risks; an audit plan for a 12-month period that describe… (Pg 4, Pg 11, Pg 12, FFIEC IT Examination Handbook - Audit, August 2003)
  • The internal and/or external auditor should review the organization's continuity plan at least annually. (Pg 4, Exam Tier I Obj 4.7, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • For organizations offering e-banking services, the audit program should be expanded. The scope should now include the entire e-banking process and the organization should ensure the personnel involved in the audit have the expertise to evaluate the threats to an open network. The audit program shoul… (Pg 21, Pg A-2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • An internal and external audit program should exist to ensure the internal controls are adequate. Independent audits should be conducted to verify that controls exist and are functioning correctly. (Pg 14, Pg 27, FFIEC IT Examination Handbook - Management)
  • The audit function should review the control self-assessments for accuracy and quality and may use them to plan the scope of any necessary audit work. (Pg 41, FFIEC IT Examination Handbook - Operations, July 2004)
  • The board of directors should ensure that an effective internal audit function for the financial institution's payment systems is in place. The audit program should test the quality of retail payment systems internal controls and compliance with laws, regulations, management policies, procedures, an… (Audit, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Auditors should review the accounting controls, assess the effectiveness of procedures, and validate the internal control environment of the organization. (Pg 32, Exam Tier II Obj 8.7, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Organizational audits should be used to verify the effectiveness of the control environment and identify deficiencies that need to be corrected. (Pg 32, Exam Tier II Obj 2.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Is a great source for defining the scope of an audit – even if their definition is for a review of control objectives in support of financial statements. Drawing from the first part of their overall audit planning strategy material, there are four steps to consider (the numbering of these steps is… (App VI.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • One of the keys to a quality audit is planning. They explicitly point out that "planning requires the involvement of senior members of the audit team." They also point out that scoping and planning is an iterative process performed throughout the audit. The example they use is that findings from the … (§ 210, GAO/PCIE Financial Audit Manual (FAM))
  • The IRS requires organizations that use Federal Tax Information (FTI) to conduct internal inspections to ensure required safeguards are implemented and maintained. The internal inspection should be conducted by a function other than the one using the FTI. All local offices that receive FTI should be… (§ 6.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Has the Credit Union implemented policies and procedures describing how and when independent reviews of Information Technology related areas will be performed? (IT - Audit Program Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • (§ 3.4.5, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure an audit and accountability policy and procedure is documented, disseminated, reviewed, and updated; the audit and accountability policies and procedures are continuously applied; and specific responsibilities and actions are defined … (AU-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Establish an internal privacy audit program (T0898, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must develop and implement an Audit and Accountability security policy. (SG.AU-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should conduct periodic audits of the smart grid Information System to identify security concerns, verify security compromises are not present, and provide information on compromises. (SG.AU-14 Supplemental Guidance 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should conduct periodic audits of the smart grid Information System to verify the availability and reliability of the system to support safe operation. (SG.AU-14 Supplemental Guidance 6, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, document, disseminate, review, and update a formal, documented Audit and Accountability policy that addresses purpose, responsibilities, roles, scope, management commitment, compliance, and coordination among organizational entities. (App F § AU-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should specify, in the Audit and Accountability policy, the permitted actions for each system process, role, and/or user. (App F § AU-6(7), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, disseminate, review, and update formal, documented procedures to implement the Audit and Accountability policy and its associated controls. (App F § AU-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Establish an internal privacy audit program (T0898, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (AU-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. (AU-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (AU-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. (AU-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (AU-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. (AU-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (AU-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. (AU-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The annual audit should include verifying that the organization has established an exposure limit, reviewing its exposure periodically, and monitoring entries relative to the exposure limit. (Exposure Limits, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • The auditor should plan and perform an audit to provide reasonable assurance that material weaknesses do not exist in the internal control over financial reporting process. The auditor should evaluate all evidence obtained from all sources to form an opinion on the effectiveness of internal control … (¶ 3, ¶ 71, PCAOB Auditing Standard No. 5)
  • Attest documentation should be sufficient to (a) enable members of the engagement team with supervision and review responsibilities to understand the nature, timing, extent, and results of attest procedures performed, and the information obtained and (b) indicate the engagement team member(s) who pe… (AT 101.103, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • The organization shall perform an audit or independent review of each application's security controls at least once every 3 years. (§ A.3.b.3, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)