Manage supply chain audits.

CONTROL ID: 01203
CONTROL TYPE: Audits and Risk Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define the roles and responsibilities for personnel assigned to tasks in the Audit function. (CC ID: 00678)

This Control has the following implementation support Control(s):
  • Review the external auditors' involvement in assessing Information Technology controls. (CC ID: 01204)

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The accreditation authority shall check the regularity and extent of audits by an independent body at an Authentication Service provider before accrediting their authentication products or authentication services. (§ 30(2)(e), The Electronic Communications and Transactions Act, 2002)
  • Standard § III.3(7): The scope and degree of coordination between the external auditors and the corporate auditors or audit committee should be determined by the external auditors to ensure effective and efficient audits are conducted. Practice Standard § III.4(5): The scope and degree of coordina… (Standard § III.3(7), Practice Standard § III.4(5), Practice Standard § III.4(6)[1], Practice Standard § III.4(6)[2], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • An institution should ensure that independent audits and/or expert assessments of all its outsourcing arrangements are conducted. In determining the frequency of audit and expert assessment, the institution should consider the nature and extent of risk and impact to the institution from the outsourc… (5.9.5, Guidelines on Outsourcing)
  • Upon request of the cloud customer, the cloud provider provides information of the results, impacts and risks of these audits and assessments in an appropriate form. The cloud provider commits their subcontractors to such audits, asks for the submission of the audit reports in the same intervals and… (Section 5.15 SPN-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Does the organization use third party auditors? (Table Row II.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The information security categorization of the external supplier should be used to determine who will perform the assessment (e.g., an independent specialist or external auditor). (CF.16.01.07a, The Standard of Good Practice for Information Security)
  • The information security categorization of the external supplier should be used to determine who will perform the assessment (e.g., an independent specialist or external auditor). (CF.16.01.08a, The Standard of Good Practice for Information Security, 2013)
  • Verify that the service auditor only accepted or continued an engagement when certain conditions existed. (Ques. AT201, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Because of the additional complexities involved with the use of the inclusive method, both the service organization and the subservice organization ought to agree on the use of the inclusive approach before it is selected for the examination. In addition, to facilitate the process, service organizat… (¶ 2.98, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Because of the additional complexities involved with the use of the inclusive method, both the service organization and the subservice organization ought to agree on the use of the inclusive approach before it is selected for the examination. In addition, to facilitate the process, service organizat… (¶ 2.102, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The audit committee is directly responsible for appointing, compensating, and overseeing the work of public accounting firms hired to audit the organization. (§ 78j-1(m)(2), Securities Exchange Act of 1934)
  • The Board of Directors should ensure the outsourced audit function operates effectively and complies with all regulations. (Pg 20, Pg 23, Exam Tier I Obj 11.7, FFIEC IT Examination Handbook - Audit, August 2003)
  • Examination of companies in the Multi-Regional Data Processing Servicers (MDPS) program is administered by the Agencies. The Agencies determine which TSPs are subject to examination under the MDPS program. Generally, Agency-In-Charge (AIC) responsibilities for an MDPS company are rotated among the A… (E ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Services provided by a financial institution holding company, or by its non-bank subsidiary, to one class or more of insured financial institution are examined by the Agency responsible for supervising the servicing entity. The primary regulatory Agency seeks input from other interested Agencies and… (C ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • ¶ 40 Bank management should ensure necessary controls are in place to manage risks associated with outsourcing and external alliances. Management should ensure that vendors have the necessary expertise, experience, and financial strength to fulfill their obligations. They also should ensure that th… (¶ 40, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)