Investigate the nature and causes of identified in scope control deviations.


CONTROL ID: 06986
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents. (CC ID: 06730)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Identify control exceptions, and analyse and identify their underlying root causes. Escalate control exceptions and report to stakeholders appropriately. Institute necessary corrective action. (ME2.3 Control Exceptions, CobiT, Version 4.1)
  • Measure project performance against key project performance scope, schedule, quality, cost and risk criteria. Identify any deviations from the plan. Assess the impact of deviations on the project and overall programme, and report results to key stakeholders. Recommend, implement and monitor remedial… (PO10.13 Project Performance Measurement, Reporting and Monitoring, CobiT, Version 4.1)
  • The selection and performance of security tests should be based on examining how the critical business applications, Information Systems, and network devices handle processing errors, data in unexpected formats, and whether the errors are logged for further investigation (i.e., error handling). (SI.01.03.04e, The Standard of Good Practice for Information Security)
  • The selection and performance of security tests should be based on examining how the critical business applications, Information Systems, and network devices handle processing errors, data in unexpected formats, and whether the errors are logged for further investigation (i.e., error handling). (SI.01.03.04e, The Standard of Good Practice for Information Security, 2013)
  • The service auditor should investigate the nature and causes of identified deviations. (¶ 3.82, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should investigate the nature and causes of identified deviations and determine if additional testing is needed to reach a conclusion about if the controls operated effectively throughout the named time period. (¶ 3.82.b, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Paragraph .45 of AT-C section 205 also requires the service auditor to accumulate description misstatements or deficiencies identified during the engagement, other than those that are clearly trivial. In addition, the service auditor should accumulate deviations that have not been determined to rise… (¶ 3.188, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Effect of deviations. Identified deviations may affect the service organization's ability to mitigate threats or vulnerabilities to the system. For example, the service auditor may question service organization management's assertion that a control is operating effectively when procedures performed … (¶ 3.163 Bullet 9, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor determines whether the effects of identified deviations, individually or in the aggregate, are material with respect to the operating effectiveness of controls based on a consideration of materiality, as discussed beginning in paragraph 3.161. If the effects of identified deviati… (¶ 3.160, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether identified deviations are within the expected rate of deviation and are acceptable or whether they constitute a deficiency (¶ 3.185 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating the results of procedures, the service auditor investigates the nature and cause of any identified description misstatements and deficiencies or deviations in the effectiveness of controls and determines the following: (¶ 3.185, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • additional testing of the control or other controls is necessary to determine whether the controls were effective throughout the period (If the service auditor is unable to apply additional procedures to the selected items, the service auditor should consider the reasons for this limitation and conc… (¶ 3.185 Bullet 5 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating the results of tests of controls and the significance of deviations noted, the service auditor should accumulate instances in which controls did not operate effectively. Generally, if controls are not operating effectively to provide reasonable assurance that one or more service comm… (¶ 3.157, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .45 of AT-C section 205 requires the service auditor to accumulate description misstatements or deficiencies identified during the engagement, other than those that are clearly trivial. In addition, the service auditor should accumulate deviations that have not been determined to rise to t… (¶ 3.70, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When determining the type of modified opinion to be issued, the service auditor evaluates whether identified (a) description misstatements (including omissions) or (b) deficiencies or deviations in the suitability of the design and operating effectiveness of the controls are material. Materiality co… (¶ 4.46, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When determining whether to modify the service auditor's report, the service auditor considers the individual and aggregate effect of identified misstatements in the description of the service organization's system and identified deficiencies or deviations in the suitability of the design and operat… (¶ 4.50, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor also considers the potential effect on the description of deficiencies or deviations in the suitability of the design or operating effectiveness of controls. If the service auditor determines that the effects of identified description misstatements, individually or in the aggrega… (¶ 3.71, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In reviewing internal audit reports, the service auditor evaluates exceptions identified by the members of the entity's internal audit function to determine whether those exceptions require the service auditor to alter the nature, timing, and extent of the service auditor's procedures. The service a… (¶ 3.172, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Although a service organization can contract with a subservice organization to perform functions that form a portion of the service organization's system, it still retains obligations to user entities with regard to those functions. As a result, part of its system of internal control includes activi… (¶ 3.154, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • During a walk-through, the service auditor may inquire about instances during the period in which controls did not operate as described or designed. In addition, the service auditor may inquire about variations in the process for different types of events or transactions. For example, the service or… (¶ 3.61, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Any material deficiencies identified in the portion of the original period that is included in the extended or modified period would be included in the report on the extended or modified period, even if they were corrected during the extended or modified period. The service auditor considers the sta… (¶ 2.88, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Any material deficiencies identified in the portion of the original period that is included in the extended or modified period would be included in the report on the extended or modified period, even if they were corrected during the extended or modified period. The service auditor needs to consider… (¶ 2.93, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • During a walk-through, the service auditor may inquire about instances during the period in which controls did not operate as described or designed. In addition, the service auditor may inquire about variations in the process for different types of events or transactions. For example, the service or… (¶ 3.52, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .46 of AT-C section 205, the service auditor should accumulate and evaluate identified deviations to determine whether the deviations are indicative of a control deficiency. Once that determination is made, the service auditor considers the significance of the deficiency… (¶ 3.182, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In reviewing internal audit reports, the service auditor evaluates exceptions identified by the members of the entity's internal audit function to determine whether those exceptions require the service auditor to alter the nature, timing, and extent of the service auditor's procedures. The service a… (¶ 3.203, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The nature and materiality of misstatements that the control is intended to prevent, or detect and correct (¶ 3.126 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Throughout the course of the examination, the service auditor may perform procedures other than direct tests of operating effectiveness (for example, reviewing results from internal audit reports or other control reports issued by the service organization, or reading other information received from … (¶ 3.186, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Effect of deviations. Identified deviations may affect the service organization's ability to mitigate threats or vulnerabilities to the system. For example, the service auditor may question service organization management's assertion that a control is operating effectively when procedures performed … (¶ 3.190 Bullet 9, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Whether identified deviations are within the expected rate of deviation and are acceptable or whether they constitute a deficiency (¶ 3.217 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • additional testing of the control or other controls is necessary to determine whether the controls were effective throughout the period (If the service auditor is unable to apply additional procedures to the selected items, the service auditor would consider the reasons for this limitation and concl… (¶ 3.217 Bullet 5 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Evaluating the results of procedures involves investigating the nature and cause of any identified description misstatements and deficiencies or deviations in the design or effectiveness of controls and determining the following: (¶ 3.217, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When determining the type of modified opinion to be issued, the service auditor evaluates whether identified (a) description misstatements (including omissions) or (b) deviations in the suitability of the design and operating effectiveness of the controls are material. (¶ 4.51, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should investigate the nature and causes of identified deviations to determine if additional testing is required to reach a conclusion about the operational effectiveness of the control. (¶ .26.b, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should investigate the nature and causes of identified control deviations. (¶ 26, SSAE No. 16 Reporting on Controls at a Service Organization)
  • inquire of the responsible party about such differences and (AT-C Section 210.20 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The service auditor should investigate the nature and cause of any deviations identified and should determine whether (AT-C Section 320.32, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • A description of the inherent limitations of controls, including that projecting to the future any evaluation of the fairness of the presentation of management's description of the service organization's system or conclusions about the suitability of the design or operating effectiveness of the cont… (AT-C Section 320.40 j., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Resolution of root causes rather than just specific audit deficiencies; (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Sets KPI benchmarks to achieve and analyzes deviations from those benchmarks. (App A Objective 17:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The production system is free from security compromises and provides information on the nature and extent of compromises as feasible, should they occur. (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 1 Bullet 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)