
Review the audit program scope as it relates to the organization's profile.

CONTROL ID
01159
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Assess the quality of the audit program in regards to the staff and their qualifications., CC ID: 01150

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The purpose, authority, and responsibility of the internal audit function should be formally defined by the Board of Directors. (¶ 4.1.2, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • Standard § II.2(2): Management should determine a reasonable scope of assessment based on the degree of quantitative and qualitative impact when assessing the effectiveness of internal control for the following: presentation and disclosure of financial statements; the businesses and operations that… (Standard § II.2(2), Practice Standard § II.2(2)[2].A, Practice Standard § II.2(2)[2].B, Practice Standard § II.3(3)[5].B.a, Practice Standard § III.3(2)[1], Practice Standard § III.3(2)[2], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The audit committee must discuss the nature and scope of the audit with the auditors before the audit starts. (§ II(D)(10), Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • A financial institution's management body should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the financial insti… (3.3.6 26, Final Report EBA Guidelines on ICT and security risk management)
  • A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to… (3.3.6 25, Final Report EBA Guidelines on ICT and security risk management)
  • The scope and frequency of the audit program should be appropriate to the risk exposure of the organization. (¶ 16, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • A key step of putting together an auditing process includes reviewing the scope of the existing audit plan or program. The scope should be clearly defined with a description of what corporate governance, compliance or other issues are to be audited and what areas and departments of the organization … (Stage 5.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The scope of the audit should be clearly described in order to properly determine the organizational accountability. (§ 4.7 ¶ 8, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The first step in developing an audit plan is to define the audit activity's scope and coverage and then identify materiality measures and risk indicators using data from the various business systems. The scale and scope of analytical review procedures in conventional audits are limited by the type … (§ 5 (Development of the Audit Plan) ¶ 2, § 5 (Support to Individual Auditing) ¶ 3, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • The review scope, depth, approach, and frequency will depend on the risk assessment results and the availability of resources. There are two methods that can be used to determine the review scope of application controls: business process scoping method and single application scoping method. The busi… (§ 4 (Business Process Method), § 4 (Single Application Method), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • The scope, criteria, methods, and frequency of audits must be defined. (§ 4.5.5 ¶ 2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The audit client should ensure that the audit programme objectives are established to direct the planning and conducting of audits and should ensure the audit programme is implemented effectively. Audit programme objectives should be consistent with the audit client's strategic direction and support… (§ 5.2 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • evaluation of the achievement of the objectives for each audit within the audit programme; (§ 5.5.6 ¶ 1(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • whether schedules are being met and audit programme objectives are being achieved; (§ 5.6 ¶ 1(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme and the audit client should review the audit programme to assess whether its objectives have been achieved. Lessons learned from the audit programme review should be used as inputs for the improvement of the programme. (§ 5.7 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • results and trends from audit programme monitoring; (§ 5.7 ¶ 3(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • evolving needs and expectations of relevant interested parties; (§ 5.7 ¶ 3(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the audit scope, including identification of the organization and its functions, as well as processes to be audited; (§ 6.3.2.2 ¶ 2(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in performing audits, including auditors and audit team leaders. Competence should be evaluated regularly through a process that considers personal behaviour and … (§ 7.1 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Service providers should ensure the scope includes alternate sites, perimeter physical protection, physical security and environmental control equipment, ICT equipment and facilities, telecommunications equipment and facilities, power supply, fire and smoke protection, and water/liquid protection. (§ 6.14.6.3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • As both the external and the internal issues will change over time, the issues and their influence on the scope, constraints and requirements of the ISMS should be reviewed regularly. (§ 4.1 Guidance ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Verify the service auditor obtained and read the system description and evaluated whether the parts of the description that are included in the scope were presented fairly. (Ques. AT207, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the service auditor obtained and read the system description and evaluated whether the parts of the description that are included in the scope were presented fairly, including determining if the control objectives are reasonable. (Ques. AT207 Item 1, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the service auditor obtained and read the system description and evaluated whether the parts of the description that are included in the scope were presented fairly, including determining if the complementary user entity controls are adequately described. (Ques. AT207 Item 3, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the service auditor obtained and read the system description and evaluated whether the parts of the description that are included in the scope were presented fairly, including determining if the identified controls in the system description were implemented. (Ques. AT207 Item 2, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the service auditor obtained and read the system description and evaluated whether the parts of the description that are included in the scope were presented fairly, including determining if the services furnished by a subservice organization are adequately described and if the inclusive meth… (Ques. AT207 Item 4, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The service auditor should accept or continue an engagement only if the preliminary knowledge indicates that the scope and system description will not be limited. (¶ 2.03.c.iii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • AT-C section 205 does not include requirements for the service auditor to perform procedures to determine whether management has a reasonable basis for its assertion. However, because of the relationship between (a) the evaluation of the suitability of design of controls and, in a type 2 examination… (¶ 2.51, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The circumstances of the particular examination (¶ 2.93 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether the parties making the request have an appropriate business need or reasonable basis for requesting the information (for example, the specified parties are required to maintain and monitor controls that either encompass or are dependent on controls that are the subject of an examination and,… (¶ 1.53 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • AT-C section 205 does not include specific requirements for the service auditor to perform procedures to determine whether management has a reasonable basis for its assertion. Because of the relationship between (a) the evaluation of the suitability of design of controls and, in a type 2 examination… (¶ 2.59, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should accept or continue an audit on controls only if his or her preliminary knowledge of the audit indicates that the scope and description are not so limited as to make the audit not useful. (¶ .09.b.iii, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for stating the control objectives in the system's description and identifying who requires the objective, if required by law, regulation, or … (¶ .09.c.iv, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should read management's system description and evaluate whether the parts of the description that are included in the scope are presented fairly, including whether services furnished by another organization are adequately described and if the inclusive method or carve-out method… (¶ .19.d, SSAE No. 16 Reporting on Controls at a Service Organization)
  • services performed by a subservice organization, if any, are adequately described, including whether the carve-out method or the inclusive method has been used in relation to them. (AT-C Section 320.25 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The organization audits all remote maintenance sessions, and appropriate organizational personnel review the audit logs of the remote sessions. (COMS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Audit coverage of the business continuity program; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Scope of BCM-related audit activities. (II.B Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Evaluate the audit coverage of business continuity, whether through a general controls audit, during audits of business lines, or as a stand-alone business continuity audit. Audit coverage should include the following: (App A Objective 3:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Review the strategic plan for IT activities. Determine whether the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the previous examination that affect (or any planned changes that may affect) the institution's organizatio… (App A Objective 4:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review board resolutions and audit charter to determine the authority and mission of the IT audit function. (TIER I OBJECTIVES AND PROCEDURES Objective 2:1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Evaluate the scope of the auditor's work as it relates to the institution's size, the nature and extent of its activities, and the institution's risk profile. (TIER I OBJECTIVES AND PROCEDURES Objective 9:3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Each audit work program should list the required resources, the audit procedures to be performed, the extent of the testing, and what the conclusions will be based on. Examiners should decide if the audit function is appropriate for the size and complexity of the organization. (Pg 11, Pg 15, Exam Tier I Obj 9.3, FFIEC IT Examination Handbook - Audit, August 2003)
  • Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider. (Exam Tier I Obj 1.5, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 2.5, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The audits are adequate in scope and performed by independent and qualified personnel. (App A Tier 2 Objectives and Procedures H.7 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The IT audit program should cover the design and implementation of retail payment products; internal data centers; alternate sites; and network infrastructure. It should also ensure the organization is managing third-party risk. (Pg 32, Exam Tier II Obj 8.7, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Review the internal and external audit function to determine if the scope and frequency of audit review for the funds transfer area is adequate. Review: ▪ Whether internal auditors have expertise or training in funds transfer operations and controls. ▪ The frequency and scope of internal and ext… (Exam Tier II Obj 2.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Bank management should provide auditors with adequate information regarding standards, policies, procedures, applications, and systems. (¶ 43, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • The auditor should only form an opinion on the effectiveness of internal control over financial reporting if no restrictions have been put on the scope of the auditor's work. (¶ 74, PCAOB Auditing Standard No. 5)