Back

Collect all work papers for the audit and audit report into an engagement file.


CONTROL ID
07001
CONTROL TYPE
Actionable Reports or Measurements
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

This Control has the following implementation support Control(s):
  • Document any after the fact changes to the engagement file., CC ID: 07002
  • Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow., CC ID: 07179
  • Disclose work papers in the engagement file in compliance with legal requirements., CC ID: 07180
  • Archive the engagement file and all work papers for the period prescribed by law or contract., CC ID: 10038


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • The organization shall retain documented information as evidence of the implementation of the audit programme and the audit results. (§ 9.2.2 ¶ 4, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The audit team members should collect and review the information relevant to their audit assignments and prepare documented information for the audit, using any appropriate media. The documented information for the audit can include but is not limited to: (§ 6.3.4 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • retain documented information as evidence of the implementation of the audit programme and the audit results. (§ 9.2 ¶ 3 Bullet 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • retain documented information as evidence of the implementation of the audit programme(s) and the audit results; (§ 9.2.2 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • retain documented information as evidence of the audit programme(s) and the audit results. (§ 9.2 ¶ 2 g), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results. (§ 9.2.2 ¶ 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • retain documented information as evidence of the implementation of the audit programme and the audit results. (9.2.2 ¶ 1(f), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • retain documented information as evidence of the implementation of the audit programme(s) and the audit results. (§ 9.2.2 e), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • retain documented information as evidence of the implementation of the audit programme(s) and the audit results. (§ 9.2.2 ¶ (e), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results. (§ 9.2.2 ¶ 4, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The results of the procedures performed and the evidence obtained (¶ 3.222(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor should gather the engagement documentation into an engagement file in a timely basis, no later than 60 days after the service auditor's report release date. (¶ .49, SSAE No. 16 Reporting on Controls at a Service Organization)
  • the results of the procedures performed and the evidence obtained. (AT-C Section 205.87 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should assemble the engagement documentation in an engagement file and complete the administrative process of assembling the final engagement file no later than 60 days following the practitioner's report release date. (AT-C Section 105.35, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Appropriate engagement documentation being maintained to provide evidence of achievement of the practitioner's objectives and that the engagement was performed in accordance with the attestation standards and relevant legal and regulatory requirements (AT-C Section 105.33 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the results of the procedures performed and the review evidence obtained. (AT-C Section 210.62 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the specified parties' agreement on the procedures. (AT-C Section 215.43 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the results of the procedures performed and the evidence obtained. (AT-C Section 215.43 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Organize and document your work papers to ensure clear support for significant findings and conclusions. (TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Organize work papers to ensure clear support for significant findings by examination objective. (App A Objective 11.4, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Organize work papers to ensure clear support for significant findings by examination objective. (App A Objective 14:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Organize work papers to ensure clear support for significant findings by examination objective. (AppE.7 Objective 7:4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The practitioner should prepare and maintain attest documentation, the form and content of which should be designed to meet the circumstances of the particular attest engagement. (AT 101.100, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • Attest documentation serves mainly to (a) provide the principal support for the practitioner's report, including the representation regarding observance of the standards of fieldwork, which is implicit in the reference in the report to attestation standards. (B) aid the practitioner in the conduct a… (AT 101.101, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • Examples of attest documentation are work programs, analyses, memoranda, letters of confirmation and representation, abstracts or copies of entity documents, and schedules or commentaries prepared or obtained by the practitioner. (AT 101.102, Public Company Accounting Oversight Board Attestation Standards, Section 101)