Submit an audit report that is complete.
CONTROL ID
01145
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Accept the audit report., CC ID: 07025
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The audit committee must review any findings from internal investigations involving suspected fraud and/or failure of internal controls and report these findings to the Board of Directors. (§ II(D)(9), Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • The independent audit and/or expert assessment on the service provider and its sub-contractors may be performed by the institution's internal or external auditors, the service provider's external auditors or by agents appointed by the institution. The appointed persons should possess the requisite k… (5.9.6, Guidelines on Outsourcing)
  • produce objective and accurate IRAP assessments in line with the ASD IRAP assessment Reporting Guide (IRAP Membership Maintaining IRAP assessor membership IRAP assessment requirements ¶ 1 Bullet 2, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • enables the reviewer of the report to make an informed risk-based decision about the system's suitability for their security needs and risk appetite. (30.g.vi., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The audit report must be reliable and understandable and must include any statements or disclosures required by the applicable auditing standards. The audit report must be signed by either the director of the audit firm, the lead auditor, or the individual auditor before it is officially submitted t… (Sched 1 ¶ 11, Sched 1 ¶ 41, Sched 1 ¶ 42, Sched 1 ¶ 45, Sched 1 ¶ 95, Sched 2A ¶ 4, Sched 2A ¶ 5, Sched 7 ¶ 1, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • At the end of the testing, after reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers shall provide to the authority, designated in accordance with paragraph 9 or 10, a summary of the relevant findings, the remediation plans and the documen… (Art. 26.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Within a reasonable period following completion of the audit, a report is prepared. (5.2.6 Requirements (should) Bullet 4, Information Security Assessment, Version 5.1)
  • The auditor must review the Board's statement on internal controls and issue a special auditor's report in the corporate governance report. (¶ III.5.1.2, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • The organizational department overseeing and supporting due diligence should oversee and verify the audits. (Supplement on Tin, Tantalum, and Tungsten Step 4: B.2(a)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The ability of auditors to conduct the audit in conformance with the audit program should be periodically reviewed and monitored by an industry program or institutionalized mechanism. (Supplement on Gold Step 4: A.3(c), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should oversee the audit program by periodically reviewing and monitoring the ability of auditors to conduct the audit. (Supplement on Gold Step 4: B.3, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization must be prepared to provide audit reports to American Express or allow American Express audits. (§ 1a, American Express Data Security Standard (DSS))
  • The audit report will vary based on the type of review and the stage when the audit team becomes involved. When determining the format that works best for the organization, the type of review should be carefully considered. (§ 4.3 (Project Audit Reports), IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • After a privacy audit has been completed, the client should receive an audit report. Some challenges of reporting the audit results are getting everyone involved; developing an understandable, common language for describing risks; and ensuring internal legal counsel has reviewed the plan and draft r… (§ 5.7 ¶ 1, § 5.7 ¶ 3, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The audit report should be issued within an agreed period of time. If it is delayed, the reasons should be communicated to the auditee and the individual(s) managing the audit programme. (§ 6.5.2 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Service providers should ensure that an audit report is produced after each review. The report should include the scope and objectives, the procedures that were used, the findings and results, corrective actions that will be taken, deviations, and the supporting rationale for any future reviews and … (§ 6.14.6.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • After the audit, the Privacy Commissioner must provide a report to the audited organization with the findings and any recommendations. (§ 19(1), Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • The service auditor's report shall not include a type 1 opinion and a type 2 opinion. (¶ 1.32, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor's type 2 report should include the criteria to evaluate if the system description is fairly presented. (¶ 4.02.c.iii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor's type 2 report should include the applicable trust services criteria to evaluate if the controls are operating effectively and suitably designed. (¶ 4.02.c.iv, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should not reference any used work of the internal audit function in the service auditor's opinion, since the service auditor has sole responsibility for the opinion in the service auditor's report. (¶ 4.09, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor's responsibilities in a SOC 2® examination include forming an opinion and issuing a report expressing that opinion. A type 2 report includes the service auditor's opinion about whether (1) the description presents the system that was designed and implemented throughout the perio… (¶ 4.01, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When engaged by the service organization, the service auditor provides the report to management of the service organization, and management distributes the report to the parties to whom use of the report is restricted. A service auditor is not responsible for controlling a client's distribution of a… (¶ 4.91, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor's report, including each of the reporting elements for a type 2 report identified in paragraph 4.31, and any modifications to the report that the service auditor determines are necessary in the circumstances (¶ 4.02 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When using the work of an other practitioner, paragraph .A57 of AT-C section 205 clarifies that the service auditor is responsible for directing, supervising, and performing the engagement in compliance with professional standards, applicable regulatory and legal requirements, and the firm's policie… (¶ 2.158, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • provide this information in summary form in the description of tests of controls and results. (¶ 4.28 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Table 4-3 presents the requirements for an alert paragraph from paragraphs .64–.65 of AT-C section 205. The service auditor's report should include each of those elements in the alert paragraph. (¶ 4.34, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The auditor should document the audit results; the nature of further audit procedures; and the conclusions about the effectiveness of controls obtained from a previous audit. (§ 318.77, SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained)
  • When using the work of an other practitioner, paragraph .A59 of AT-C section 105 clarifies that the service auditor is responsible for directing, supervising, and performing the engagement in compliance with professional standards, applicable regulatory and legal requirements, and the firm's policie… (¶ 2.174, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor's responsibilities in a SOC 2 examination include forming an opinion and issuing a report expressing that opinion. A type 2 report includes the service auditor's opinion about whether (a) the description presents the system that was designed and implemented throughout the period … (¶ 4.01, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When management has included disclosures about how the system components, including processes and controls, addressed requirements of a process or control framework and how the implemented controls met these requirements, the service auditor would consider the adequacy of those disclosures based on … (¶ 3.260, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor's report, including each of the reporting elements for a type 2 report identified in paragraph 4.35, and any modifications to the report that the service auditor determines are necessary in the circumstances (¶ 4.04 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Table 4-3 presents the requirements for an alert paragraph from paragraph .65 of AT-C section 205. The service auditor's report should include each of those elements in the alert paragraph. (¶ 4.37, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When engaged by the service organization, the service auditor provides the report to management of the service organization, and management distributes the report to the parties to whom use of the report is restricted. A service auditor is not responsible for controlling a client's distribution of a… (¶ 4.97, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should prepare the documentation so that an experienced service auditor who has no previous connection to the audit can understand the evidence that was gathered and the results of the procedures that were performed. (¶ .44.b, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should prepare the documentation so that an experienced service auditor who has no previous connection to the audit can understand the significant issues or findings that arose, the conclusions that were reached, and the professional judgments made to reach the conclusions. (¶ .44.c, SSAE No. 16 Reporting on Controls at a Service Organization)
  • enable the issuance of a practitioner's report that is appropriate in the circumstances. (AT-C Section 105.32 a.ii., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Each year, not later than such date established by the Director, the head of each agency shall submit to the Director the results of the evaluation required under this section. (§ 3555(e)(1), Federal Information Security Modernization Act of 2014)
  • Quality audit results and reaudit(s) reports shall be made and reviewed by the management personnel responsible for the matters being audited. The dates and results of these quality audits and reaudits shall be documented. (§ 820.22, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Forward audit reports to examiners working on related work programs, and (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:2. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Complete (TIER I OBJECTIVES AND PROCEDURES Objective 9:6. Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Constructive (TIER I OBJECTIVES AND PROCEDURES Objective 9:6. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Written audit reports should be used to inform the Board of Directors and senior management on the organization's compliance with the policies and procedures. The report should state if the controls are effective, describe any deficiencies, and recommend corrective actions. (Pg 6, Pg 12, Exam Tier I Obj 1.2, Exam Tier I Obj 9.6, FFIEC IT Examination Handbook - Audit, August 2003)
  • Management should review all internal and external audit results. (Pg 26, Exam Obj 5.4, FFIEC IT Examination Handbook - Management)
  • Obtain and review internal and external audit reports to ensure they provide an adequate appraisal of the funds transfer function to management. (Exam Tier II Obj 2.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Provide technical summary of findings in accordance with established reporting procedures. (T0075, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide technical summary of findings in accordance with established reporting procedures. (T0075, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The auditor should report to management and the audit committee that the audit could not be completed satisfactorily, if he/she concludes that management did not fulfill its responsibilities. The auditor should also report all significant deficiencies and material weaknesses identified during the au… (¶ 21, ¶ 207, PCAOB Auditing Standard No. 2)
  • The auditor's report should show that the audit complied with the applicable standards, supports the auditor's conclusions, and the accounting records agree with the financial statements. The auditor should submit an engagement completion document that identifies all significant findings and provide… (¶ 5, ¶ 13, PCAOB Auditing Standard No. 3)
  • All public accounting firms that submit or prepare accounting reports that contain management's assessment of the effectiveness of the internal control over financial reporting must also state the accountant's opinion. The attestation report on internal control over financial reporting must be dated… (§ 210.2-02(f), 17 CFR Parts 210, 228, 229 and 240, Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule)