
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures.


CONTROL ID
06966
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Permit assessment teams to conduct audits, as necessary., CC ID: 16430
  • Provide auditors access to affected parties during the audit, as necessary., CC ID: 07187
  • Solve any access problems auditors encounter during the audit., CC ID: 08959
  • Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit., CC ID: 08960


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Access to data by the HKMA's examiners and the AI's internal and external auditors should not be impeded by the outsourcing. AIs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls o… (2.8.2, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • Provide relevant documentation and evidence of technical configurations to the IRAP assessor in a timely manner. (39.c., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. (4.13.3 90, Final Report on EBA Guidelines on outsourcing arrangements)
  • For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related op… (4.13.3 88, Final Report on EBA Guidelines on outsourcing arrangements)
  • Audit information and quality system information about software developers or suppliers and implemented systems should be available to inspectors. (¶ 3.4, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduc… (Art. 42.6., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Prepare the organization for the basic security check by stipulating a main contact person for every module used in the modeling phase. (4.5.1 Bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Prepare the organization for the basic security check by agreeing to appointments for interviews. (4.5.1 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Prepare the organization for the basic security check by assembling teams for the interviews. (4.5.1 Bullet 5, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Auditors should review samples of all documentation, including documentation on supply chain internal controls, risk assessments, Risk Management strategies, contractual provisions with suppliers, and communications with suppliers. (Supplement on Tin, Tantalum, and Tungsten Step 4: A.4(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Local mineral exporters should allow the auditors access to all company sites, all documentation, and all records for supply chain due diligence. (Supplement on Tin, Tantalum, and Tungsten Step 4: B.1(a)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International concentrate traders and mineral reprocessors should allow the auditors access to all company sites, all documentation, and all records for supply chain due diligence. (Supplement on Tin, Tantalum, and Tungsten Step 4: B.1(b)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Smelters and refiners should allow the auditors access to all company sites, all documentation, and all records for supply chain due diligence. (Supplement on Tin, Tantalum, and Tungsten Step 4: B.1(c)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Smelters and refiners should facilitate contact with the sample of suppliers that the audit team has selected. (Supplement on Tin, Tantalum, and Tungsten Step 4: B.1(c)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Local exporters should help the assessment team gain access to all upstream intermediaries, transporters, and consolidators. (Supplement on Tin, Tantalum, and Tungsten App: B.1(2), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Local exporters should allow the assessment team access to all organization sites, export documentation, and books, records, or other evidence of procurement practices, fees, taxes, and royalty payments. (Supplement on Tin, Tantalum, and Tungsten App: B.1(3), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Local exporters should allow the assessment team access to all information collected and maintained during the due diligence process, including payments to public security forces, private security forces, and non-state armed groups. (Supplement on Tin, Tantalum, and Tungsten App: B.1(4), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International concentrate traders and mineral reprocessors should allow the assessment team access to sites it owns in other countries where leakages in the supply chain are known or likely to exist or where relabeling or trans-shipment is likely for minerals from conflict-affected and high-risk are… (Supplement on Tin, Tantalum, and Tungsten App: B.2(2), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International concentrate traders and mineral reprocessors should allow the assessment team access to export documentation and books, records, or other evidence of procurement practices, fees, taxes, and royalty payments. (Supplement on Tin, Tantalum, and Tungsten App: B.2(3), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International concentrate traders and mineral reprocessors should allow the assessment team access to all information collected and maintained during the due diligence process, including payments to public security forces, private security forces, and non-state armed groups. (Supplement on Tin, Tantalum, and Tungsten App: B.2(4), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Smelters and refiners should allow the assessment team access to export documentation and books, records, or other evidence of procurement practices, fees, taxes, and royalty payments. (Supplement on Tin, Tantalum, and Tungsten App: B.3(2), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Smelters and refiners should allow the assessment team access to all information collected and maintained during the due diligence process. (Supplement on Tin, Tantalum, and Tungsten App: B.3(3), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Gold producers should provide the assessment team access to the mines, intermediaries, consolidators, and transporters in its control or influence. (Supplement on Gold Step 2: § I.C.2(d), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Gold producers should allow the assessment team access to sites it owns in other countries where leakages in the supply chain are known or likely to exist or where relabeling or trans-shipment is likely for gold from conflict-affected and high-risk areas. (Supplement on Gold Step 2: § I.C.2(d)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Gold producers should provide the assessment team access to export documentation, and books, records, or other evidence of procurement practices, fees, taxes, and royalty payments. (Supplement on Gold Step 2: § I.C.2(d)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International gold traders, local gold exporters, and refiners should provide the assessment team access to the mines, intermediaries, consolidators, and transporters in its control or influence. (Supplement on Gold Step 2: § II.C.2(d), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International gold traders, local gold exporters, and refiners should allow the assessment team access to sites it owns in other countries where leakages in the supply chain are known or likely to exist or where relabeling or trans-shipment is likely for gold from conflict-affected and high-risk are… (Supplement on Gold Step 2: § II.C.2(d)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International gold traders, local gold exporters, and refiners should provide the assessment team access to export documentation, and books, records, or other evidence of procurement practices, fees, taxes, and royalty payments. (Supplement on Gold Step 2: § II.C.2(d)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Refiners should make information from the due diligence process available to auditors. (Supplement on Gold Step 3: § I.B.6, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should allow the auditors access to all company sites, all documentation, and all records for supply chain due diligence. (Supplement on Gold Step 4: B.5(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The auditee must provide a copy of its tin/tungsten/tantalum procurement policy to the auditor. (Auditee must provide the following for the audit period: (2), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee must complete and provide the line item summary (total amount of tin/tungsten/tantalum) to the auditor 14 calendar days before the start of the audit. (Auditee must provide the following for the audit period: (3), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee will furnish the auditor with a list of the total estimated tin/tungsten/tantalum inventory at the beginning and the end of the audit period. (Auditee must provide the following for the audit period: (3)(i), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee must furnish the auditor with a detailed monthly total tin/tungsten/tantalum sales and toll quantity. (Auditee must provide the following for the audit period: (3)(ii), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee must have the tracking and recordkeeping information that is validated by the Organization for Economic Cooperation and Development guidance compliance audit available for the auditor. (Auditor must provide the following for the audit period: (9), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee may request the trader or other company in the supply chain provide documentation directly to the conflict-free smelter program auditor when the auditee is having difficulty collecting the documentation due to business confidentiality concerns. (§ A(II) ¶ 2, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • The smelter must furnish credible information showing that the amount of material it purchases is plausible for the mine or mine site that it is purchased from. (§ B(III)(2), Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • The refinery must furnish the auditor with a copy of its policy related to gold-bearing materials. (§ C(2), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • The refinery must furnish the auditor with a list of the current gold inventory. (§ C(3)(a), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • The refinery must furnish the auditor with the total gold product sales volume. (§ C(3)(b), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • The refinery must furnish the auditor with a list of all gold-bearing materials received during the audit period. (§ C(3)(c), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • The regulated user has the ultimate responsibility to ensure the GxP inspectors have the documented validation evidence available for review. (¶ 4.11, Good Practices For Computerized systems In Regulated GXP Environments)
  • The inspectors may want to see that system descriptions are available and documented evidence exists to show that the legacy system has been tested against the user requirement specifications and other specifications. (¶ 16.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • National competent authority inspectors would need to have the decryption keys readily available or have the data decrypted under the inspectors' supervision in order to access encrypted GxP data. (¶ 19.4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Standard Operating Procedures, the controls, and records to ensure GxP compliance need to be made available to the inspector at the inspection site, if they are kept at a site other than the inspection site. (¶ 23.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Conducting the fieldwork for a security audit should involve collecting background material, to help understand business processes and application(s), the operating environment and the technical characteristics associated with supporting system(s), and network(s). (SI.01.03.01a, The Standard of Good Practice for Information Security)
  • Background material to support security audits should be gathered, which includes audit-related material (e.g., audit scope documents and working papers, risk assessment reports, risk treatment measures, threat lists, and previous security audits and findings). (SI.01.03.02a, The Standard of Good Practice for Information Security)
  • Background material to support security audits should be gathered, which includes business-related material (e.g., relating to business processes, legal and regulatory requirements, transactions, users, external parties, policies and procedures, management reports, asset inventories, and Business Co… (SI.01.03.02b, The Standard of Good Practice for Information Security)
  • Background material to support security audits should be gathered, which includes information-related material (e.g., information classification scheme, incidents / events, transaction data, and standing data). (SI.01.03.02c, The Standard of Good Practice for Information Security)
  • Background material to support security audits should be gathered, which includes technology-related material (e.g., application settings, Access Control, security and network diagrams, device inventories, data storage details, and cryptography). (SI.01.03.02d, The Standard of Good Practice for Information Security)
  • Conducting the fieldwork for a security audit should involve collecting background material, to help understand business processes and application(s), the operating environment and the technical characteristics associated with supporting system(s), and network(s). (SI.01.03.01a, The Standard of Good Practice for Information Security, 2013)
  • Background material to support security audits should be gathered, which includes audit-related material (e.g., audit scope documents and working papers, risk assessment reports, risk treatment measures, threat lists, and previous security audits and findings). (SI.01.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Background material to support security audits should be gathered, which includes business-related material (e.g., relating to business processes, legal and regulatory requirements, transactions, users, external parties, policies and procedures, management reports, asset inventories, and Business Co… (SI.01.03.02b, The Standard of Good Practice for Information Security, 2013)
  • Background material to support security audits should be gathered, which includes information-related material (e.g., information classification scheme, incidents / events, transaction data, and standing data). (SI.01.03.02c, The Standard of Good Practice for Information Security, 2013)
  • Background material to support security audits should be gathered, which includes technology-related material (e.g., application settings, Access Control, security and network diagrams, device inventories, data storage details, and cryptography). (SI.01.03.02d, The Standard of Good Practice for Information Security, 2013)
  • determine and ensure provision of all necessary resources; (§ 5.4.1 ¶ 1(e), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the availability of necessary documented information, as determined during the establishment of the audit programme (see A.5); (§ 5.4.4 ¶ 1(i), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • provide necessary individual and overall resources to the audit teams (see 5.4.4); (§ 5.5.1 ¶ 2(f), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • audit processes and associated method; (§ 5.5.5 ¶ 3(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • contact details of the auditee, the locations, time frame and duration of the audit activities to be conducted; (§ 5.5.5 ¶ 3(f), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • resources necessary to conduct the audit; (§ 5.5.5 ¶ 3(g), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, activities, functions or locations and, as appropriate, authority for decision-making. Such assignments should take into account the impartiality and objectiv… (§ 6.3.3 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • determine any location-specific arrangements for access, health and safety, security, confidentiality or other; (§ 6.2.2 ¶ 1(h), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Where necessary, care should be taken to ensure that the auditors have obtained the necessary security clearance to access documented information or other information required for audit activities (including but not limited to confidential or sensitive information). (§ 6.2.2.2, ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • Components shall provide programmatic access to audit records by either using an application programming interface (API) or sending the audit records to a centralized system. (10.3.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Verify that management agreed to the engagement terms by acknowledging and accepting responsibility for providing the service auditor with unrestricted access to personnel. (Ques. AT201 Item 3 Dash 6.c, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The service auditor may gather information about the matters in paragraph 2.04 by talking with the previous service auditor about the reasons for changing the service auditor and any disagreements between the auditor and organization. (¶ 2.05, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with access to all required information. (¶ 2.13.e.i, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with any information the service auditor requests for the examination. (¶ 2.13.e.ii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should normally accept or continue an engagement only if management accepts and acknowledges responsibility for providing the service auditor with unrestricted access to organizational personnel. (¶ 2.13.e.iii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • access to additional information that he or she may request; and (¶ 2.43(e)(ii), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • access to all information relevant to the measurement, evaluation, or disclosure of the subject matter; (¶ 2.43(e)(i), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Access to all information, such as records, documentation, service level agreements, and internal audit or other reports, that subservice management is aware of and that is relevant to the description of the subservice organization's system and assertion (paragraph .25biii(1) of AT-C section 205) (¶ 2.101 Bullet 5 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Access to additional information that the service auditor may request from subservice management for the examination (paragraph .25biii(2) of AT-C section 205) (¶ 2.101 Bullet 5 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Access to additional information that the service auditor may request from management for the examination (paragraph .25biii(2) of AT-C section 105) (¶ 2.26 Bullet 8 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Coordination between the service auditor and the internal audit function is effective when discussions take place at appropriate intervals throughout the period to which management's assertion pertains. It is important that the service auditor inform the internal audit function of significant matter… (¶ 2.150, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When obtaining an understanding of the internal audit function's responsibilities and activities, the service auditor makes inquiries of internal audit personnel and reads information about the internal audit function stated in the description. Ordinarily, the service auditor also requests and reads… (¶ 2.136, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The Committee of Sponsoring Organizations of the Treadway Commission defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting,… (¶ 2.58, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Access to all information, such as records, documentation, service level agreements, and internal audit or other reports, that management is aware of and that are relevant to the description of the service organization's system and assertion (paragraph .25biii(1) of AT-C section 105) (¶ 2.26 Bullet 8 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Access to all information, such as records, documentation, service-level agreements, and internal audit or other reports, that management is aware of and that is relevant to the engagement (¶ 2.32 Bullet 7 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Access to additional information that the service auditor may request from management for purposes of the engagement (¶ 2.32 Bullet 7 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • access to all information relevant to the engagement; (¶ 2.51 e.i., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • access to additional information that the service auditor may request; and (¶ 2.51 e.ii., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Based on the requirements in paragraph .27 of AT-C section 205, when obtaining an understanding of the internal audit function's responsibilities and activities, the service auditor should make inquiries of internal audit personnel and read information about the internal audit function stated in the… (¶ 2.152, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Coordination between the service auditor and the internal audit function is effective when discussions take place at appropriate intervals throughout the period to which management's assertion pertains. It is important that the service auditor inform the internal audit function of significant matter… (¶ 2.166, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor's procedures for evaluating whether the description is in accordance with the description criteria begin with obtaining and reading the description of the service organization's system and evaluating whether it presents the system that was designed and implemented based on the se… (¶ 3.20, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for providing the service auditor with access to all information that is relevant to the system's description and assertion. (¶ .09.c.vi(1), SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for providing the service auditor with any requested information for conducting the audit. (¶ .09.c.vi(2), SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should continue or accept an audit on controls only if management agrees to the audit terms and acknowledges and accepts responsibility for providing service auditors with unrestricted access to the personnel from whom audit evidence needs to be obtained. (¶ .09.c.vi(3), SSAE No. 16 Reporting on Controls at a Service Organization)
  • access to all information of which the responsible party is aware that is relevant to the measurement, evaluation, or disclosure of the subject matter; (AT-C Section 105.25 b.iii(1), SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • unrestricted access to persons within the appropriate party(ies) from whom the practitioner determines it necessary to obtain evidence. (AT-C Section 105.25 b.iii(3), SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • access to additional information that the practitioner may request from the responsible party for the purpose of the engagement; and (AT-C Section 105.25 b.iii(2), SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The insurer required to furnish the annual audited financial report shall require the independent certified public accountant to report, in writing, within five (5) business days to the board of directors or its audit committee any determination by the independent certified public accountant that th… (Section 10.A., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Financial statements furnished pursuant to Section 5 shall be examined by the independent certified public accountant. The audit of the insurer's financial statements shall be conducted in accordance with generally accepted auditing standards. In accordance with AU Section 319 of the Professional St… (Section 9. ¶ 1., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The audit committee of an insurer or group of insurers shall be responsible for overseeing the insurer's Internal audit function and granting the person or persons performing the function suitable authority and resources to fulfill their responsibilities if required by Section 15 of this regulation. (Section 14.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • EXISTING EVALUATIONS.—The evaluation required by this section may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the applicable agency. (§ 3555(d), Federal Information Security Modernization Act of 2014)
  • ASSESSMENT TECHNICAL ASSISTANCE.—The Comptroller General may provide technical assistance to an Inspector General or the head of an agency, as applicable, to assist the Inspector General or head of an agency in carrying out the duties under this section, including by testing information security c… (§ 3555(i), Federal Information Security Modernization Act of 2014)
  • A covered entity or business associate must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrat… (§ 160.310(c)(1), 45 CFR Part 160 - General Administrative Requirements)
  • The organization should provide investigators with useful and reasonable access to records during an inspection. (§ III.C.4 ¶ 1, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • The copies of the electronic records for the investigator should be supplied to them in a common portable format, when they are stored in the common portable format. (§ III.C.4 ¶ 2 Bullet 1, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • The organization should use conversion or export methods to convert records into a more common format to give to the inspector, when the records are not stored in a common format. (§ III.C.4 ¶ 2 Bullet 2, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • The SASR program is not limited, however, to the review of shared application packages. The Agencies also use SASRs to support interagency safety and soundness initiatives when focusing on higher-risk applications in larger financial institutions. A SASR can evaluate financial institutions' software… (Shared Application Software Review Program ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Different critical infrastructure sectors have varying capacities to absorb the costs of cybersecurity, ranging from low-margin sectors that cannot easily increase investment with intervention, to those where the marginal costs of improving cybersecurity can be absorbed. In some sectors, regulation … (STRATEGIC OBJECTIVE 1.1 Subsection 3 ¶ 1, National Cybersecurity Strategy)
  • When analyzing contractual clauses, documents or global corporate rules submitted to the national authority for approval, supplementary information or due diligences performed for verification of the processing operations may be required, when necessary. (Art. 35 § 2, Brazilian Law No. 13709, of August 14, 2018)