Audit the in scope system according to the test plan using relevant evidence.
CONTROL ID
07112
CONTROL TYPE
Testing
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

This Control has the following implementation support Control(s):
  • Implement procedures that collect sufficient audit evidence., CC ID: 07153
  • Provide transactional walkthrough procedures for external auditors., CC ID: 00672
  • Establish, implement, and maintain interview procedures., CC ID: 16282
  • Withdraw from the audit, when defined conditions exist., CC ID: 13885
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. (4.13.3 90, Final Report on EBA Guidelines on outsourcing arrangements)
  • Perform the target/actual state comparison by verifying the answers based on random samples of the object. (4.5.2 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • The organization should implement auditing in accordance with the audit scope, principles, criteria, and activities in this supplement. (Supplement on Tin, Tantalum, and Tungsten Step 4: B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should implement auditing in accordance with the audit scope, principles, criteria, and activities in this supplement. (Supplement on Gold Step 4: B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The gxp inspector will consider the potential risks that are identified and documented by the regulated user, from the automated system to the data integrity or product/material quality, to assess the fitness for the purpose of the system. (¶ 4.5, Good Practices For Computerized systems In Regulated GXP Environments)
  • The inspectors should examine the system as it is being used and look at printouts from the system and archives to ensure there is correlation between the current version of the system and the furnished documentation for validation work, Configuration Management, Change Control evidence, accuracy, r… (¶ 23.14, Good Practices For Computerized systems In Regulated GXP Environments)
  • Perform procedures, evaluate results against criteria, make relevant recommendations, and report results and conclusions. (OCEG GRC Capability Model, v. 3.0, R2.2 Perform Assurance Assessment, OCEG GRC Capability Model, v 3.0)
  • Management varies the scope and frequency of separate evaluations depending on risk. (§ 3 Principle 16 Points of Focus: Adjusts Scope and Frequency, COSO Internal Control - Integrated Framework (2013))
  • The service provider shall conduct internal audits at planned intervals. (§ 4.5.4.2 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal aud… (§ 5.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requiremen… (§ 9.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: (§ 9.2 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system: (9.2.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall conduct internal audits at planned intervals to provide information on whether the SMS: (§ 9.2.1 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • the organization's own requirements for its information security management system; (§ 9.2.1 ¶ 1 a) 1), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • the requirements of this document; (§ 9.2.1 ¶ 1 a) 2), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Management varies the scope and frequency of separate evaluations depending on risk. (CC4.1 ¶ 3 Bullet 6 Adjusts Scope and Frequency, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The service auditor may perform tests of controls at interim dates, at the end of the examination period, or after the examination period if the tests relate to controls that were in operation during the period but do not leave evidence until after the end of the period. Performing procedures at an … (¶ 3.132, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In accordance with paragraph .47 of AT-C section 205, the service auditor should consider all relevant evidence, which may include conducting both a quantitative analysis (for example, rates of deviations in testing a control using a sample-based testing strategy) and qualitative analysis of identif… (¶ 3.216, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Management varies the scope and frequency of separate evaluations depending on risk. (CC4.1 Adjusts Scope and Frequency, Trust Services Criteria)
  • Management varies the scope and frequency of separate evaluations depending on risk. (CC4.1 ¶ 3 Bullet 6 Adjusts Scope and Frequency, Trust Services Criteria, (includes March 2020 updates))
  • Sufficient evidence shall be obtained to provide a reasonable basis for the conclusion that is expressed in the report. (AT 101.51, Public Company Accounting Oversight Board Attestation Standards, Section 101)