Audit in scope audit items and compliance documents.


CONTROL ID
06730
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Accept the attestation engagement when all preconditions are met., CC ID: 13933

This Control has the following implementation support Control(s):
  • Collect all work papers for the audit and audit report into an engagement file., CC ID: 07001
  • Conduct onsite inspections, as necessary., CC ID: 16199
  • Identify hypothetical assumptions in forecasts and projections during an audit., CC ID: 13946
  • Audit policies, standards, and procedures., CC ID: 12927
  • Audit information systems, as necessary., CC ID: 13010
  • Determine the accurateness of the audit assertion's in scope system description., CC ID: 06979
  • Determine if the audit assertion's in scope procedures are accurately documented., CC ID: 06982
  • Determine if the audit assertion's in scope controls are reasonable., CC ID: 06980
  • Audit the in scope system according to the test plan using relevant evidence., CC ID: 07112
  • Establish and maintain work papers, as necessary., CC ID: 13891
  • Investigate the nature and causes of identified in scope control deviations., CC ID: 06986
  • Supervise interested personnel and affected parties participating in the audit., CC ID: 07150
  • Respond to questions or clarification requests regarding the audit., CC ID: 08902


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The communications authority may require audits to be performed for Critical database administrators to evaluate compliance with the provisions of part viii of this act. (§ 48(1), The Electronic Communications and Transactions Act, 2002)
  • A cyber inspector may conduct audits of Critical database administrators as defined in section 54. (§ 94(1)(d), The Electronic Communications and Transactions Act, 2002)
  • It is necessary to confirm the observance status with regard to items specified in the security policy, security standards, and other regulations, and to raise the awareness and level of security of all officers and employees (including outsourcee's staff) with regard to security policy. (C13.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • periodic audit; and (§ 10.(2)(c)(ii), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and (§ 10.(2)(b), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • Audit plays an important role to assess the effectiveness of the controls, risk management and governance process in the FI. The FI should ensure IT audit is performed to provide the board of directors and senior management an independent and objective opinion of the adequacy and effectiveness of th… (§ 15.1.1, Technology Risk Management Guidelines, January 2021)
  • Full system documentation review. (30.c., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The assessor should review the information security policy to ensure that policies have been identified or developed to protect processed, stored, or communicated information. (Control: 0799, Australian Government Information Security Manual: Controls)
  • The assessor must review the System Security Plan, the Security Risk Management Plan, the incident response plan, and the Standard Operating Procedures to ensure they are comprehensive and appropriate for their environment. (Control: 0800, Australian Government Information Security Manual: Controls)
  • The assessor must review the System Security Plan to ensure that all the relevant controls from this manual are included. (Control: 0802, Australian Government Information Security Manual: Controls)
  • The assessor must ensure a physical security certification has been awarded by an appropriate physical security Certification Authority. (Control: 0806, Australian Government Information Security Manual: Controls)
  • The physical security certification should be less than 5 years old when the audit is conducted. (Control: 0905, Australian Government Information Security Manual: Controls)
  • The organization should compare the stored configuration information against the current configuration information, as part of the audit schedule, to determine if a legitimate but incorrectly completed system modification or a compromise has occurred. (Control: 0386 Bullet 4, Australian Government Information Security Manual: Controls)
  • Material control weakness could be identified through a number of mechanisms. These include control testing, assurance activities, information security incidents (external and internal), vulnerability notification by software and hardware vendors and other forms of notification by third parties and … (90., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; (4.10 51(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • The implementation of the security safeguards should be evaluated at regular intervals by means of internal audits. These also serve the purpose of collecting and evaluating the experiences made in day-to-day practice. In addition to audits, it is also necessary to perform drills and awareness-raisin… (§ 7.4 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The maintenance of information security is also an important point for small and medium-sized organisations. Although the audits will be less extensive than in large organisations, they must not be omitted in any case. Within the context of the annual management assessment, the topmost management le… (§ 7.4 ¶ 4, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • In order to maintain the level of security, the security safeguards identified as being appropriate must be applied on the one hand and, on the other hand, the security concept must be updated continuously. Furthermore, security incidents must be detected in due time and quick and appropriate reacti… (§ 8.3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Initiate the information security management system qualification and certification process. (7 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • The verification under section 8a (3) of the BSI Act regarding compliance with the requirements under section 8a (1) of the BSI Act can be conducted as part of the audit of the annual financial statements. CI operators are to submit the relevant verification documents to the BSI on time, in accordan… (II.9.61, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The organization must regularly audit information assets and systems. (Mandatory Requirement 37, HMG Security Policy Framework, Version 6.0 May 2011)
  • Management uses a combination of different ongoing and separate evaluations, including system internal and external penetration testing, third-party independent verifications and certifications using established security control frameworks (NIST, COBIT, OWASP, etc.) and vendor and industry-specific,… (S7.5 Considers different types of ongoing and separate evaluations, Privacy Management Framework, Updated March 1, 2020)
  • The organization should plan an independent third party audit of the refiner's due diligence for supply chains of gold from conflict-affected and high-risk areas. (Supplement on Gold Step 4: A, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Auditors should review samples of all documentation, including documentation on supply chain internal controls, risk assessments, Risk Management strategies, information disclosed to downstream companies, contractual provisions with suppliers, and communications with suppliers. (Supplement on Gold Step 4: A.4(c), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Audits must be conducted in accordance with International Standards Organization/International Electrotechnical Commission 17021:2011. (¶ 1, Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • Re-audits must be conducted to maintain compliance status. (§ A(I) Audit period and re-audit frequency ¶ 2, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • Re-audits must be conducted inside of 1 year of the previous audit. (§ A(I) Audit period and re-audit frequency ¶ 2, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • The smelter must process non-compliant material and a re-audit must be conducted inside of 3 months of finding the non-conforming material. (§ A(I) Non-conforming material detection, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • Partially processed and by-product materials from the smelting and refining process are not considered secondary materials and, if they are not able to be tracked to the ore source of origin or were not produced by a conflict-free smelter program compliant smelter, the producing smelter must be audi… (§ B(III)(6) ¶ 1, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • The corrective action plan must be verified by conducting a verification audit to verify the disposition of nonconforming gold-bearing materials and changes to the internal management system. (§ D ¶ 3(1), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • The organization should seek external assurance to assess the quality and credibility of its process of determining material topics. See section 5.2 in GRI 1 for more information on seeking external assurance. (§ 1. Step 4. Testing the material topics ¶ 3, GRI 3: Material Topics 2021)
  • The inspector should review the user's specifications, data, reports, acceptance criteria, and other documentation for all phases of the project. (¶ 4.9, Good Practices For Computerized systems In Regulated GXP Environments)
  • The inspectors must study the organization's evidence not only in relation to the technology aspects but also the identified gxp risks. (¶ 23.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • The inspectors should consider all parts of annex 11 (located in table 4 of paragraph 24), in particular items 1, 2, 3, 4, 5, and 7, and the "principle". (¶ 23.12, Good Practices For Computerized systems In Regulated GXP Environments)
  • An audit should be performed before purchasing a product and periodically thereafter to prevent the purchase, acceptance, use, and delivery of fraudulent or counterfeit parts. (App B § B.1.3.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The organization shall conduct internal audits at planned intervals. (§ 4.2.11 ¶ 1, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The organization shall conduct internal audits to determine if the quality management system conforms to the requirements of this standard. (§ 4.2.11 ¶ 1.a, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The organization shall conduct internal audits to determine if the quality management system is effectively implemented and maintained. (§ 4.2.11 ¶ 1.b, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Security audit fieldwork should include reviewing audit material gathered (e.g., to help to determine the current state of business applications, Information Systems and networks, and how they are deployed and used). (SI.01.03.03a, The Standard of Good Practice for Information Security)
  • The selection and performance of security tests should be based on examining the validity of transactional data (e.g., input and output validation and reconciliation and recording of events processed by critical business applications). (SI.01.03.04d, The Standard of Good Practice for Information Security)
  • The selection and performance of security tests should be based on examining security controls that protect the software, hardware, and network infrastructure. (SI.01.03.04g, The Standard of Good Practice for Information Security)
  • Security audit fieldwork should include reviewing audit material gathered (e.g., to help to determine the current state of business applications, Information Systems and networks, and how they are deployed and used). (SI.01.03.03a, The Standard of Good Practice for Information Security, 2013)
  • The selection and performance of security tests should be based on examining the validity of transactional data (e.g., input and output validation and reconciliation and recording of events processed by critical business applications). (SI.01.03.04d, The Standard of Good Practice for Information Security, 2013)
  • The selection and performance of security tests should be based on examining security controls that protect the software, hardware, and network infrastructure. (SI.01.03.04g, The Standard of Good Practice for Information Security, 2013)
  • Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure that the organization addresses any nonconformities of established policies, procedures, and known contractual, statutory, or regulatory compliance obligations. (AAC-02, Cloud Controls Matrix, v3.0)
  • Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit. (A&A-04, Cloud Controls Matrix, v4.0)
  • Audit activities must be planned and agreed upon in advance by stakeholders. (CO-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements. (CO-02, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Responsible parties should conduct independent audits to ensure the integration requirements are met and verified. (§ 4.3.3.3, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • A compliance audit of the security assurance procedures and quality procedures shall be a criterion in the selection process. (§ 4.5.4.2.2, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 3 b), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the environmental management system: (§ 9.2.1 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The relevant management system documented information of the auditee should be reviewed in order to: (§ 6.3.1 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • establish an overview of the extent of the documented information to determine possible conformity to the audit criteria and detect possible areas of concern, such as deficiencies, omissions or conflicts. (§ 6.3.1 ¶ 1 Bullet 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The organization should conduct audits at least at planned intervals to provide information on whether the compliance management system: (§ 9.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Management shall ensure Information Security audits are conducted. (§ 6.6.1 ¶ 1(e), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • the organization’s own requirements for its BCMS, (§ 9.2 ¶ 1 a) 1), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the requirements of this International Standard, and (§ 9.2 ¶ 1 a) 2), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • is effectively implemented and maintained. (§ 9.2 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the organization's own requirements for its BCMS; (§ 9.2.1 ¶ 1 a) 1), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the requirements of this document; (§ 9.2.1 ¶ 1 a) 2), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; (§ 9.2 ¶ 2 e), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • the requirements of this document; (§ 9.2.1 ¶ 1 a) bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the compliance management system: (§ 9.2.1 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • is effectively implemented and maintained. (§ 9.2.1 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the OH&S management system: (§ 9.2.1 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the requirements of this International Standard; (9.2.1 ¶ 1(a)(2), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the requirements of this document; (§ 9.2.1 a) 2), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the compliance management system: (§ 9.2.1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall conduct internal audits at planned intervals to provide information to assist in the determination on whether the IT asset management system: (Section 9.2.1 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the requirements of this document; and (Section 9.2.1 ¶ 1(a) bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the organization's own requirements for its IT asset management system; (Section 9.2.1 ¶ 1(a) bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • is effectively implemented and maintained. (Section 9.2.1 ¶ 1(b), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the organization's own requirements for its SMS; (§ 9.2.1 ¶ 1(a)(1), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • the requirements of this document; (§ 9.2.1 ¶ 1(a)(2), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • is effectively implemented and maintained. (§ 9.2.1 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 3 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: (§ 9.2.1 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The extent and frequency of internal audits should be based on the size and nature of the organization as well as on the nature, functionality, complexity and the level of maturity of the ISMS (risk-based auditing). (§ 9.2 Guidance ¶ 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The controller shall be obliged to conduct necessary inspections, or have them conducted in his own institution or organization, with the aim of implementing the provisions of this Law. (Art 12(3), Turkish Law on The Protection of Personal Data no. 6698)
  • An independent audit function assesses compliance with applicable laws and regulations. (GV.AU-1.4, CRI Profile, v1.2)
  • An independent audit function assesses compliance with internal controls and applicable laws and regulations. (GV.AU-1, CRI Profile, v1.2)
  • An independent audit function assesses compliance with applicable laws and regulations. (GV.AU-1.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization should periodically conduct independent audits of the security controls with internal auditors or external auditors. (Table Ref 8.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Although service organization management may describe the system controls in the description, it also might refer to a table of controls presented in a separate section of the SOC 2® report. If the description refers to a table of controls, the table is considered part of the description; therefore… (¶ 3.31, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Ordinarily, if management refuses to provide a written assertion, the service auditor is required to withdraw from the engagement. However, if the service auditor is required by law or regulation to accept or continue an engagement to report on controls at a service organization and management refus… (¶ 4.66, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the inclusive method is used to present the services and controls performed by a subservice organization, the service auditor also performs these procedures with respect to the controls at the subservice organization. (¶ 3.81 ¶ 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The Committee of Sponsoring Organizations of the Treadway Commission defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting,… (¶ 2.58, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • A service organization may engage the service auditor to examine and report on subject matters in addition to the description of the service organization's system in accordance with the description criteria and the suitability of design and operating effectiveness of controls based on the applicable… (¶ 1.50, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In the type 2 examination, the service auditor tests the operating effectiveness of the controls stated in the description based on the applicable trust services criteria. The service auditor performs procedures (known as tests of controls) to obtain evidence about the operating effectiveness of con… (¶ 3.107, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Generally, such other information is presented in a separate section of the report entitled, "Other Information Provided by the Service Organization." Information in this section is not covered by the service auditor's report; however, the service auditor is required to perform the procedures outlin… (¶ 4.97, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Any material deficiencies identified in the portion of the original period that is included in the extended or modified period would be included in the report on the extended or modified period, even if they were corrected during the extended or modified period. The service auditor considers the sta… (¶ 2.88, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The SOC 2 examination discussed in this guide is an assertion-based examination. Accordingly, the service auditor performs the examination under AT-C section 205, Assertion-Based Examination Engagements, which supplements the requirements and guidance in AT-C section 105, Concepts Common to All Atte… (¶ 1.17, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If a service organization has a more formal preparation process, understanding the service organization's preparation process and controls may assist the service auditor in (¶ 2.115, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When a SOC 2 report identifies controls that are not operating effectively, management generally takes steps to remediate the control deficiencies. Management may wish to provide customers and business partners with information about the improvements made to their controls before the next SOC 2 repo… (¶ 3.80, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .84 of AT-C section 205 states that, if service organization management is both the responsible party and the engaging party and refuses to provide a written assertion, the service auditor is required to withdraw from the engagement. However, if the service auditor is required by law or re… (¶ 4.73, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Generally, such other information is presented in a separate section of the report entitled "Other Information Provided by the Service Organization." Information in this section is not covered by the service auditor's report; however, the service auditor is required to perform the procedures outline… (¶ 4.102, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will assume the control is material for the purposes of the SOC 2 examin… (¶ 3.190 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When management has described the relevant periodic controls in the description, these same factors may inform the service auditor's evaluation of the description, including whether the controls discussed in the description are suitably designed and implemented. (¶ 3.177 ¶ 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should assess the suitability of the criteria for evaluating if controls operated effectively by determining if the criteria includes whether the controls were consistently applied as designed and manual controls were applied by personnel with appropriate authority and competence… (¶ .16, SSAE No. 16 Reporting on Controls at a Service Organization)
  • perform the engagement in accordance with professional standards and applicable legal and regulatory requirements and (AT-C Section 105.32 a.i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. (CC4.1 Considers Different Types of Ongoing and Separate Evaluations, Trust Services Criteria)
  • Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. (CC4.1 ¶ 4 Bullet 1 Considers Different Types of Ongoing and Separate Evaluations, Trust Services Criteria, (includes March 2020 updates))
  • Function – The insurer or group of insurers shall establish an internal audit function providing independent, objective and reasonable assurance to the Audit committee and insurer management regarding the insurer's governance, risk management and internal controls. This assurance shall be provided… (Section 15.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The criminal justice information services audit unit shall conduct a triennial audit of each criminal justice information services systems agency to verify compliance with regulations, statutes, and policies. (§ 5.11.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The criminal justice information services systems agency shall audit all criminal justice agencies and noncriminal justice agencies that have direct access to the state system at least every 3 years to verify compliance with statutes, regulations, and policies. (§ 5.11.2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. (§ 5.11 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Internal audit, independent reviews, and certifications. (App A Objective 2:1f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Auditability. (App A Objective 12:4c Bullet 10, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The board and senior management should engage internal audit or other independent personnel or third parties to review AIO functions and activities and validate effectiveness of controls. Effective AIO auditing assists the board and senior management with oversight, helps verify compliance with appl… (II.D Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management directly audits the service provider's operations and controls, employs the services of external auditors to evaluate the servicer's controls, or receives sufficiently detailed copies of audit reports from the technology service provider. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 13:1, FFIEC IT Examination Handbook - Audit, April 2012)
  • The board of directors should ensure that an effective internal audit function for the financial institution's payment systems is in place. The audit program should test the quality of retail payment systems internal controls and compliance with laws, regulations, management policies, procedures, an… (Audit, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Examination of companies in the Multi-Regional Data Processing Servicers (MDPS) program is administered by the Agencies. The Agencies determine which TSPs are subject to examination under the MDPS program. Generally, Agency-In-Charge (AIC) responsibilities for an MDPS company are rotated among the A… (E ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • As part of the supervision of a TSP, examiners can conduct interim supervisory reviews or unscheduled site or service examinations for areas of evolving supervisory interest or concern. The number and frequency of interim supervisory reviews conducted during an examination cycle are based on the lev… (Frequency of Examinations ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Regular testing of financial institution controls for critical systems. Processes should be in place for regular audit and testing of security controls and configurations commensurate with the risk of the operations supported by the cloud service. These processes can include the audit and testing of… (Risk Management Audit and Controls Assessment Bullet 1, FFIEC Security in a Cloud Computing Environment)
  • Review or conduct audits of information technology (IT) programs and projects. (T0223, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review or conduct audits of information technology (IT) programs and projects. (T0223, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Audits and verifies provenance activities performed by [Assignment: Organization-defined individuals granted access to the creation, maintenance, or monitoring of provenance]; and (PV-3(1), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • A bank should periodically conduct independent Risk Management reviews to determine if the bank's processes align with its strategy and effectively manage third party risk. ("Risk Management Life Cycle" ¶ "Independent reviews:", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)