Establish and maintain organizational audit reports.

CONTROL ID: 06731
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Determine what disclosures are required in the audit report., CC ID: 14888
  • Include the justification for not following the applicable requirements in the audit report., CC ID: 16822
  • Include a statement that the applicable requirements were not followed in the audit report., CC ID: 16821
  • Include audit subject matter in the audit report., CC ID: 14882
  • Include an other-matter paragraph in the audit report., CC ID: 14901
  • Identify the audit team members in the audit report., CC ID: 15259
  • Include that the auditee did not provide comments in the audit report., CC ID: 16849
  • Write the audit report using clear and conspicuous language., CC ID: 13948
  • Identify the participants from the organization being audited in the audit report., CC ID: 15258
  • Include how in scope controls meet external requirements in the audit report., CC ID: 16450
  • Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report., CC ID: 14915
  • Include recommended corrective actions in the audit report., CC ID: 16197
  • Include risks and opportunities in the audit report., CC ID: 16196
  • Include the description of tests of controls and results in the audit report., CC ID: 14898
  • Include subsequent events related to the audit assertion or audit subject matter in the audit report., CC ID: 16773
  • Include the organization's audit assertion of the in scope system in the audit report., CC ID: 07005
  • Include an emphasis-of-matter paragraph in the audit report., CC ID: 14890
  • Include the organization's in scope system description in the audit report., CC ID: 11626
  • Include the scope and work performed in the audit report., CC ID: 11621
  • Resolve disputes before creating the audit summary., CC ID: 08964
  • Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion., CC ID: 13975
  • Refrain from including scope limitations from changed attestation engagements in the audit report., CC ID: 13983
  • Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion., CC ID: 13974
  • Include deficiencies and non-compliance in the audit report., CC ID: 14879
  • Include an audit opinion in the audit report., CC ID: 07017
  • Include items that were excluded from the audit report in the audit report., CC ID: 07007
  • Include the organization's privacy practices in the audit report., CC ID: 07029
  • Include items that pertain to third parties in the audit report., CC ID: 07008
  • Refrain from including reference to procedures performed in previous attestation engagements in the audit report., CC ID: 13970
  • Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary., CC ID: 13969
  • Include any of the organization's use of compensating controls that were not audited in the audit report., CC ID: 07009
  • Include the pass or fail test status of all in scope controls in the audit report., CC ID: 07016
  • Modify the audit opinion in the audit report under defined conditions., CC ID: 13937
  • Disclose any audit irregularities in the audit report., CC ID: 06995
  • Include the written signature of the auditor's organization in the audit report., CC ID: 13897
  • Include a statement that additional reports are being submitted in the audit report., CC ID: 16848
  • Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list., CC ID: 07117
  • Review the issues of non-compliance from past audit reports., CC ID: 01148
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The communications authority shall notify the critical Database Administrator, in writing, the audit report findings, when an audit reveals a critical Database Administrator has violated any provisions. (§ 49(1)(a), The Electronic Communications and Transactions Act, 2002)
  • In addition, after completion of maintenance and inspection, details and results of the maintenance and inspection should be identified. (P51.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers: (Control: ISM-1563; Revision: 1, Australian Government Information Security Manual, June 2023)
  • At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers: (Control: ISM-1563; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Production of a security assessment report that: (30.g., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The assessor must develop a compliance report for the Certification Authority that outlines the areas of noncompliance, along with suggested remediation actions. (Control: 1140, Australian Government Information Security Manual: Controls)
  • For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authori… (Art. 19.1. ¶ 4, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The management level must regularly check the performance and assess the security process (management assessment). If required (e.g. if a number of security incidents occur or there are significant changes to the framework conditions), corresponding audits and assessments must be performed between t… (§ 4.3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The interfaces between the two roles should be clearly defined and documented. In addition, direct reporting paths to the management level should be available on all sides. There should also be consideration as to whether conflicting issues should also be notified to the auditing department. (§ 4.4 Subsection 5 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Results of audits and data protection checks (see also General Data Protection Regulation [DSGVO]) (§ 5.2.1 ¶ 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The cloud provider draws up regular reports on the performed audits, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical safeguards for the secure configuration and monitoring of the management console (both the self-service of the cu… (Section 5.6 RB-05 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Are results of these audits reported to management, documented and retained? (Performance evaluation ¶ 5, ISO 22301: Self-assessment questionnaire)
  • The results of conducted reviews are documented and reported to the management of the organization. (1.5.2 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • Where pooled audits lead to common, shared findings, the PRA expects each participating firm to assess what these findings mean for it individually, and whether they require any follow-up on their part. (§ 8.14, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization must produce an annual report on the state of all aspects of protective security. (Mandatory Requirement 6.b, HMG Security Policy Framework, Version 6.0 May 2011)
  • Auditors should develop conclusions based on if the smelter or refiner conforms with this guidance on the due diligence for responsible supply chains of minerals from conflict-affected and high-risk areas. (Supplement on Tin, Tantalum, and Tungsten Step 4: A.4(d), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organizational department overseeing and supporting due diligence should publish the audit report with regard to business confidentiality and competitive concerns. (Supplement on Tin, Tantalum, and Tungsten Step 4: B.2(a)(iii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Auditors should include recommendations in the audit report for the refiner to improve their due diligence practices. (Supplement on Gold Step 4: A.4(d), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Auditors should prepare the audit summary report for publication. (Supplement on Gold Step 4: A.4(d), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should publish summary audit reports with regard to business confidentiality and competitive concerns. (Supplement on Gold Step 4: B.4, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Refiners should publish the summary audit reports with regard taken for business confidentiality and competitive concerns. (Supplement on Gold Step 5: A.2(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The auditor and the auditee must have a closing meeting where the audit findings and conclusions will be presented. (Auditor must provide the following for the audit period: (12), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditor must prepare an audit summary report and provide a copy to the auditee and the conflict-free smelter audit review committee. (Auditee and Auditor must provide the following after the audit period: (14), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditor must prepare a summary report. (§ C(10), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • Regulated users should be able to justify and defend their procedures, protocols, standards, records, and acceptance criteria. (¶ 4.6, Good Practices For Computerized systems In Regulated GXP Environments)
  • Perform procedures, evaluate results against criteria, make relevant recommendations, and report results and conclusions. (OCEG GRC Capability Model, v. 3.0, R2.2 Perform Assurance Assessment, OCEG GRC Capability Model, v 3.0)
  • There should be a repeatable and consistent Process for performing security audits of target environments, which includes reporting the results of the security audit. (SI.01.01.05c, The Standard of Good Practice for Information Security)
  • Analysis performed as part of security monitoring arrangements should be presented in a standard format (e.g., security dashboards, cockpits, or balanced scorecards). (SI.02.01.02b, The Standard of Good Practice for Information Security)
  • The security audit plan should include details about reporting mechanisms (e.g., report, briefing, and / or presentation) and reporting lines (e.g., who works for whom). (SI.01.02.06b, The Standard of Good Practice for Information Security)
  • Conducting the fieldwork for a security audit should involve documenting audit findings. (SI.01.03.01d, The Standard of Good Practice for Information Security)
  • The results of security audits should be reported to stakeholders, which involves producing the security audit report. (SI.01.04.01b, The Standard of Good Practice for Information Security)
  • The results of security audits should be reported to stakeholders, which involves presenting findings and recommendations to stakeholders. (SI.01.04.01c, The Standard of Good Practice for Information Security)
  • A security audit report should be produced, which highlights good practice (e.g., use of information risk assessments, effective incident management, or continued security awareness campaigns). (SI.01.04.04e, The Standard of Good Practice for Information Security)
  • The security audit report should be presented to relevant individuals (e.g., Information Security specialists, business owners, executive management, and developers). (SI.01.04.05c, The Standard of Good Practice for Information Security)
  • The security audit report should be made available to executive management (typically in the form of a written report). (SI.01.04.05d, The Standard of Good Practice for Information Security)
  • There should be a repeatable and consistent Process for performing security audits of target environments, which includes reporting the results of the security audit. (SI.01.01.05c, The Standard of Good Practice for Information Security, 2013)
  • Analysis performed as part of security monitoring arrangements should be presented in a standard format (e.g., security dashboards, cockpits, or balanced scorecards). (SI.02.01.02b, The Standard of Good Practice for Information Security, 2013)
  • The security audit plan should include details about reporting mechanisms (e.g., report, briefing, and / or presentation) and reporting lines (e.g., who works for whom). (SI.01.02.06b, The Standard of Good Practice for Information Security, 2013)
  • Conducting the fieldwork for a security audit should involve documenting audit findings. (SI.01.03.01d, The Standard of Good Practice for Information Security, 2013)
  • The results of security audits should be reported to stakeholders, which involves producing the security audit report. (SI.01.04.01b, The Standard of Good Practice for Information Security, 2013)
  • The results of security audits should be reported to stakeholders, which involves presenting findings and recommendations to stakeholders. (SI.01.04.01c, The Standard of Good Practice for Information Security, 2013)
  • A security audit report should be produced, which highlights good practice (e.g., use of information risk assessments, effective incident management, or continued security awareness campaigns). (SI.01.04.04e, The Standard of Good Practice for Information Security, 2013)
  • The security audit report should be presented to relevant individuals (e.g., Information Security specialists, business owners, executive management, and developers). (SI.01.04.05c, The Standard of Good Practice for Information Security, 2013)
  • The security audit report should be made available to executive management (typically in the form of a written report). (SI.01.04.05d, The Standard of Good Practice for Information Security, 2013)
  • Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence. (A&A-05, Cloud Controls Matrix, v4.0)
  • The organization shall establish, implement and maintain (an) internal audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting of its internal audits. (§ 9.2.2 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • audit reporting output as required and to whom it is to be distributed; (§ 5.5.5 ¶ 4 Bullet 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the audit report topics; (§ 6.3.2.2 ¶ 3 Bullet 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • achievement of audit objectives, coverage of audit scope and fulfilment of audit criteria; (§ 6.4.9.2 ¶ 1(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit team leader should report the audit conclusions in accordance with the audit programme. The audit report should provide a complete, accurate, concise and clear record of the audit, and should include or refer to the following: (§ 6.5.1 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • audit objectives; (§ 6.5.1 ¶ 1(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) should take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2 ¶ 3 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • retain documented information as evidence of the implementation of the audit programme and the audit results. (§ 9.2 ¶ 3 Bullet 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Internal audit results and management review results, including nonconformities, concerns, and identified actions, shall be recorded. (§ 4.5.4.1 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previou… (§ 9.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • retain documented information as evidence of the implementation of the audit programme(s) and the audit results; (§ 9.2.2 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2 ¶ 2 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • retain documented information as evidence of the audit programme(s) and the audit results. (§ 9.2 ¶ 2 g), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting. (§ 9.2.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results. (§ 9.2.2 ¶ 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • retain documented information as evidence of the implementation of the audit programme and the audit results. (§ 9.2.2 ¶ 1 f), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, consultation, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • retain documented information as evidence of the implementation of the audit programme and the audit results. (9.2.2 ¶ 1(f), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits… (9.2.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • retain documented information as evidence of the implementation of the audit programme(s) and the audit results. (§ 9.2.2 e), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • retain documented information as evidence of the results of the implementation of the audit programme and the audit results. (Section 9.2.2 ¶ 1(e), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (Section 9.2.2 ¶ 1(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • retain documented information as evidence of the implementation of the audit programme(s) and the audit results. (§ 9.2.2 ¶ (e), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration: (§ 9.2.2 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. (§ 9.2.2 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • An audit programme defines the structure and responsibilities for planning, conducting, reporting and following up on individual audit activities. As such it should ensure that audits conducted are appropriate, have the right scope, minimize the impact on the operations of the organization and maint… (§ 9.2 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The statement of privacy practices should be attached to or included in the description, when the audit report addresses the privacy principle. (¶ 1.17, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should include the description of the scope and the related opinion on the additional subject matter in separate paragraphs of the service auditor's report. (¶ 1.40, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor may include any additional tests and the detailed results in a separate attachment to the service auditor report. (¶ 1.40, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor must prepare the service auditor's report with all the items listed in paragraph 4.02 and change it, as necessary. (¶ 4.01 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The part of the service auditor's report that describes the control tests and results should include a description of the internal auditor's work and the service auditor's procedures, if the work was used in performing the tests. (¶ 4.10, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should consider the individual and aggregate effect of identified deviations in the system description and the suitability and operating effectiveness during the named time period, when determining whether to change the service auditor's report. (¶ 4.14, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor's report, including each of the reporting elements for a type 2 report identified in paragraph 4.31, and any modifications to the report that the service auditor determines are necessary in the circumstances (¶ 4.02 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If, after using professional judgment, the service auditor believes there is reasonable justification to change the terms of the engagement from those originally contemplated, the service auditor would issue an appropriate report on the service organization's system. The attestation standards do not… (¶ 2.77, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider m… (¶ 2.142, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When the service auditor has been engaged to perform a type 1 examination, certain of the elements in table 4-3 would be tailored to refer specifically to the subject matters addressed in that examination. For instance, among other things, all references to management's assertion and the service aud… (¶ 4.107, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management may decide to provide users with certain information in the SOC 2 report that supports users' understanding of how the controls implemented by the service organization address the requirements of a process or control framework. If management considers such disclosures to be supplemental t… (¶ 1.65, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If, after using professional judgment, the service auditor believes there is reasonable justification to change the terms of the engagement from those originally agreed on, the service auditor may continue with the engagement and issue an appropriate report on the service organization's system. Para… (¶ 2.82, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider m… (¶ 2.158, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When the service auditor has been engaged to perform a type 1 examination, certain of the elements in table 4-3 would be tailored to refer specifically to the subject matters addressed in that examination. For instance, among other things, all references to management's assertion and the service aud… (¶ 4.110, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • For type 2 reports, the part of the service auditor's report that describes the control tests and results should include a description of the internal audit function's work if the work was used in performing the tests. (¶ .34, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should document the conclusions reached on the evaluation of the adequacy of the internal audit function's work and the procedures performed on that work, if the service auditor uses the work of the internal audit function. (¶ .46, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The practitioner's report should be in writing. (AT-C Section 205.61, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • If the practitioner concludes, based on the practitioner's professional judgment, that there is reasonable justification to change the terms of the engagement from the original level of service that the practitioner was engaged to perform to a lower level of service, for example, from an examination… (AT-C Section 105.30, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should prepare engagement documentation on a timely basis. (AT-C Section 105.34, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the engagement partner should take responsibility for discussing with the engagement quality control reviewer significant findings or issues arising during the engagement, including those identified during the engagement quality control review, and not release the practitioner's report until complet… (AT-C Section 105.42 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner's report should be in writing. (AT-C Section 210.44, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner's conclusion on the subject matter or assertion should be clearly separated from any paragraphs emphasizing matters related to the subject matter or any other reporting responsibilities. (AT-C Section 210.56, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should report all findings from application of the agreed-upon procedures. Any agreed-upon materiality limits should be described in the practitioner's report. (AT-C Section 215.26, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner's report should be in writing. (AT-C Section 215.33, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The responsible entity shall, at least annually, assess adherence to its critical cyber asset information protection program and document the assessment results. (§ R4.3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged security violations. The inspection team shall be appointed by the APB and shall include at least one representative of the CJIS Division. All results of the inquiry and audit… (§ 5.11.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Independent assurance and security reports (e.g., penetration tests and vulnerability assessments) and internal reports that self-identify concerns related to AIO issues. (App A Objective 1:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Document conclusions in a memorandum to the EIC that provides report-ready comments for all relevant sections of the report of examination and guidance to future examiners. (App A Objective 14:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Document examination conclusions, including a proposed audit component rating, in a memorandum to the EIC that provides report-ready comments for all relevant sections of the report of examination. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Organize examination work papers to ensure clear support for significant findings and conclusions. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:8, FFIEC IT Examination Handbook - Audit, April 2012)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Services provided by an insured financial institution, or by its subsidiary, to one class or more of insured financial institutions are examined by the Agency responsible for supervising the servicing institution. The primary regulatory Agency seeks input from other interested Agencies and performs … (B ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions. (T0188, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions. (T0188, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Auditors should follow the guidance for citing deficiencies in the examination reports and supervisory findings and recommend appropriate actions. ("Supervisory Reviews of Third-Party Relationships" ¶ 2 Bullet 4, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)