Assign the audit to impartial auditors.


CONTROL ID
07118
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Define what constitutes a threat to independence., CC ID: 16824
  • Determine if requested services create a threat to independence., CC ID: 16823


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The audit of Critical database administrators may be performed by an independent auditor or cyber inspectors. (§ 48(2), The Electronic Communications and Transactions Act, 2002)
  • AIs should conduct periodic audits on the adequacy and compliance status of their controls on customer data protection. Such audits should be conducted by an independent party (such as the AI's internal audit function) with the necessary expertise, and any significant issues should be brought up to … (Annex H. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • independent assessment is performed by trusted assessors with the necessary expertise in the underlying financial services and/or electronic delivery channel, and who are independent from the parties that design, implement or operate the e-banking service. Moreover, the assessors should be able to … (§ 3.3.1(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • independent assessment is performed by trusted assessors with the necessary expertise in the underlying financial services and/or electronic delivery channel, and who are independent from the parties that design, implement or operate the e-banking service. Moreover, the assessors should be able to r… (§ 3.3.1(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and (§ 10.(2)(b), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • The assurance work needs to be performed by appropriately trained and independent information security experts/auditors. The strengths and weaknesses of critical internet-based applications, other critical systems and networks need to be carried out before each initial implementation, and at least … (Critical components of information security 30) c) ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Where the outsourced service is the internal audit function of an institution, there are additional issues that an institution should deliberate upon. One of these is the lack of independence or the appearance of impaired independence, when a service provider is handling multiple engagements for an … (5.12.1, Guidelines on Outsourcing)
  • Understand potential conflicts of interest. (39.d., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • This includes situations involving two parties that are related by corporate mergers, takeovers, subsidiaries or any other affiliation where they are ultimately owned by the same parent organisation, or where staff are employed by both parties. Customers should consider potential conflicts of intere… (47., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • Gateway providers must prepare all system documentation prior to an IRAP Assessment. The gateway providers may engage an IRAP Assessor to assist in the development of the documentation suite, however, the same Assessor cannot provide final IRAP Assessment services. To avoid conflicts of interests, a… (58., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The organization should ensure that the assessors who conduct the audits are not the System Owner or Certification Authority. (Control: 0902, Australian Government Information Security Manual: Controls)
  • Traditionally, assurance work has been executed by Internal Audit. However, given the specialist nature of this work, other appropriately trained and sufficiently independent (to avoid conflicts of interest) IT security experts could be used to complement such work. APRA envisages that any findings … (¶ 83, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The internal audit function should, following a risk-based approach, have the capacity to independently review and provide objective assurance of the compliance of all ICT and security-related activities and units of a financial institution with the financial institution's policies and procedures an… (3.3.1 11 ¶ 2, Final Report EBA Guidelines on ICT and security risk management)
  • A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to… (3.3.6 25, Final Report EBA Guidelines on ICT and security risk management)
  • The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities' audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as app… (Art. 6.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test; and (Art. 27.2.(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • It is important that none of the audits are carried out by those individuals who were involved in the planning and design of the security objectives, because it is difficult to find one's own mistakes. Depending on the size of the organisation it might be useful to consult external auditors to avoid… (§ 7.4 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Audits and assessments of processes, IT systems and IT components, provided that they are completely or partially in the cloud provider's area of responsibility and are relevant to the development or operation of the cloud service, are carried out by independent third parties (e. g. certified public… (Section 5.16 COM-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Information security reviews are carried out by an independent and competent body at regular intervals and in case of significant changes. (1.5.2 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • System audits are carried out by trained experts. (5.2.6 Requirements (should) Bullet 2, Information Security Assessment, Version 5.1)
  • Organizations in the supply chain should have their due diligence practices audited by independent auditors. (Annex I ¶ 4, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organization should plan an independent third party audit of the smelter's or refiner's due diligence for supply chains of minerals from conflict-affected and high-risk areas. (Supplement on Tin, Tantalum, and Tungsten Step 4: A, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The audit team must be independent from the smelter or refiner, not have Conflicts of Interest, and not have provided other services to the auditee company inside a 24 month period before the audit. (Supplement on Tin, Tantalum, and Tungsten Step 4: A.3(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should ensure auditors are independent from the activities being assessed and free from Conflicts of Interest. (Supplement on Tin, Tantalum, and Tungsten App: A.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Gold producers should verify auditors are independent from the activity being assessed and free from Conflicts of Interest. (Supplement on Gold Step 2: § I.C.2(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International gold traders, local gold exporters, and refiners should verify auditors are independent from the activity being assessed and free from Conflicts of Interest. (Supplement on Gold Step 2: § II.C.2(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The audit team must be independent from the refiner, not have Conflicts of Interest, and not have furnished other services to the auditee company inside a 24 month period before the audit. (Supplement on Gold Step 4: A.3(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • An assurance provider conducting external assurance needs to demonstrate independence from the organization to reach and publish objective and impartial conclusions about the organization's sustainability reporting. (Guidance to 2-5-b-iii ¶ 1, GRI 2: General Disclosures, 2021)
  • Separate evaluations are performed periodically to provide objective feedback. (§ 3 Principle 16 Points of Focus: Objectively Evaluates, COSO Internal Control - Integrated Framework (2013))
  • A qualified independent third party may perform the audits. (App B § B.1.3.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The auditor selection and audits shall ensure objectivity and impartiality. (§ 4.2.11 ¶ 2, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Auditors shall not audit their own work. (§ 4.2.11 ¶ 2, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Perform independent audit and assurance assessments according to risk-based plans and policies. (A&A-03, Cloud Controls Matrix, v4.0)
  • Compliance audits should be conducted in accordance with international or national standards by approved auditors. (§ 4.5.4.2.2, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 3 b), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The individual(s) managing the audit programme should ensure the integrity of the audit is maintained and that there is not undue influence exerted over the audit. (§ 5.1 ¶ 8, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • ensuring objectivity and impartiality to avoid any conflict of interest of the audit process; (§ 5.5.4 ¶ 4(e), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, activities, functions or locations and, as appropriate, authority for decision-making. Such assignments should take into account the impartiality and objectiv… (§ 6.3.3 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2 ¶ 3 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Auditors shall not audit their own work and their selection shall ensure objectivity and impartiality. (§ 4.5.4.2 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previou… (§ 9.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; (§ 9.2 ¶ 2 e), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; (§ 4.3.2 ¶ 2 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself direct… (§ 6.4.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 3 b), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 1 c), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (9.2.2 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 c), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (Section 9.2.2 ¶ 1(c), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; (§ 9.2.2 ¶ 3 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Separate evaluations are performed periodically to provide objective feedback. (CC4.1 ¶ 3 Bullet 7 Objectively Evaluates, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization has an independent audit function. (GV.AU-1.1, CRI Profile, v1.2)
  • The organization has an independent audit function. (GV.AU-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others. (2.100.001.01, AICPA Code of Professional Conduct, August 31, 2016)
  • Members often serve multiple interests in many different capacities and must demonstrate their objectivity in varying circumstances. Members in public practice render attest, tax, and management advisory services. Other members prepare financial statements in the employment of others, perform intern… (0.300.050.03, AICPA Code of Professional Conduct, August 31, 2016)
  • For a member in public practice, the maintenance of objectivity and independence requires a continuing assessment of client relationships and public responsibility. Such a member who provides auditing and other attestation services should be independent in fact and appearance. In providing all other… (0.300.050.04, AICPA Code of Professional Conduct, August 31, 2016)
  • Although members not in public practice cannot maintain the appearance of independence, they nevertheless have the responsibility to maintain objectivity in rendering professional services. Members employed by others to prepare financial statements or to perform auditing, tax, or consulting services… (0.300.050.05, AICPA Code of Professional Conduct, August 31, 2016)
  • In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others. (1.100.001.01, AICPA Code of Professional Conduct, August 31, 2016)
  • The public interest aspect of members' services requires that such services be consistent with acceptable professional behavior for members. Integrity requires that service and the public trust not be subordinated to personal gain and advantage. Objectivity and independence require that members be f… (0.300.070.02, AICPA Code of Professional Conduct, August 31, 2016)
  • A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council. (1.200.001.01, AICPA Code of Professional Conduct, August 31, 2016)
  • Integrity also requires a member to observe the principles of objectivity and independence and of due care. (0.300.040.05, AICPA Code of Professional Conduct, August 31, 2016)
  • Independence, as defined by the AICPA Code of Professional Conduct, is required for examination-level engagements to report on controls at a service organization. The independence assessment process may address matters such as scope of services, fee arrangements, firm and individual financial relati… (¶ 2.35, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor is independent in accordance with the AICPA Code of Professional Conduct. (See paragraph 2.36.) (¶ 2.43(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtain an understanding of whether the other practitioner understands, and will comply with, the ethical requirements that are relevant to the engagement and, in particular, is independent. (The discussion beginning in paragraph 2.36 also applies to the other practitioner.) (¶ 2.156(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When performing engagements in which independence is required in accordance with the attestation standards, the service auditor needs to be independent with respect to the responsible party (or parties), as defined in those standards. If the service organization uses a subservice organization, and m… (¶ 2.37, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2® examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field o… (¶ 3.178, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating objectivity, the service auditor should consider whether the internal audit function as a whole or, when using individuals for direct assistance, the individual performs tasks without allowing bias, conflict of interest, or undue influence of others to override professional judgments… (¶ 2.141, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted b… (¶ 2.132, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating the objectivity of the service auditor's external specialist, the service auditor may inquire of management (or the engaging party, if different) about any known interests or relationships (such as financial interests, business and personal relationships, and provision of other servi… (¶ 2.162, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The AICPA Code of Professional Conduct provides guidance and rules that apply to all members in the performance of their professional responsibilities. The code includes the fundamental principles that govern the performance of all professional services performed by CPAs and, among other things, cal… (¶ 1.95, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The "Independence Rule" (ET sec. 1.200.001) of the AICPA Code of Professional Conduct establishes independence requirements for attestation engagements. The "Independence Standards for Engagements Performed in Accordance With Statements on Standards for Attestation Engagements" subtopic (ET sec. 1.2… (¶ 2.42, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When performing engagements in accordance with the attestation standards, in which independence is required, the service auditor needs to be independent with respect to the responsible party (or parties), as defined in those standards. If the service organization uses a subservice organization, and … (¶ 2.43, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor is independent in accordance with the attestation standards. (See paragraph 2.41.) (¶ 2.51 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Independence, as defined by the AICPA Code of Professional Conduct (code), is required for examination-level engagements to report on controls at a service organization. The independence assessment process addresses matters such as scope of services, fee arrangements, firm and individual financial r… (¶ 2.41, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When evaluating objectivity, the service auditor would generally consider whether the internal audit function as a whole or, when using individuals for direct assistance, the individual performs tasks without allowing bias, conflict of interest, or undue influence of others to override professional … (¶ 2.157, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The objectivity and competence of internal auditors are important considerations when determining whether to use their work and, if so, the nature and extent to which their work may be used. However, as noted in paragraph .A50 of AT-C section 205, a high degree of objectivity cannot compensate for a… (¶ 2.159, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Obtain an understanding of whether the other practitioner understands, and will comply with, the ethical requirements that are relevant to the engagement and, in particular, is independent. (The discussion beginning in paragraph 2.41 also applies to the other practitioner.) (¶ 2.172 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Evaluate whether the specialist has the necessary competence, capabilities, and objectivity for the service auditor's purposes. In the case of a specialist, the evaluation of objectivity should include inquiry regarding interests and relationships that may create a threat to the objectivity of the s… (¶ 2.176 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When evaluating the objectivity of the service auditor's external specialist, the service auditor may inquire of service organization management (or the engaging party, if different) about any known interests or relationships (such as financial interests, business and personal relationships, and pro… (¶ 2.178, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Evaluating the competence, capabilities, and objectivity of the specialist (¶ 3.145 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Chapter 2 discusses the service auditor's responsibilities when a service auditor's specialist will be used in the SOC 2 examination. Those responsibilities include (a) evaluating the specialist's competence, capabilities, and objectivity; (b) obtaining an understanding of the specialist's field of … (¶ 3.209, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The practitioner must be independent when performing an attestation engagement in accordance with the attestation standards unless the practitioner is required by law or regulation to accept the engagement and report on the subject matter or assertion. (AT-C Section 105.24, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • obtain an understanding of whether the other practitioner understands and will comply with the ethical requirements that are relevant to the engagement and, in particular, is independent. (AT-C Section 105.31 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Separate evaluations are performed periodically to provide objective feedback. (CC4.1 Objectively Evaluates, Trust Services Criteria)
  • Separate evaluations are performed periodically to provide objective feedback. (CC4.1 ¶ 3 Bullet 7 Objectively Evaluates, Trust Services Criteria, (includes March 2020 updates))
  • The commissioner shall not recognize as a qualified independent certified public accountant, nor accept an annual audited financial report, prepared in whole or in part by an accountant who provides to an insurer, contemporaneously with the audit, the following non-audit services: (Section 7.G.(1), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Has either directly or indirectly entered into an agreement of indemnity or release from liability (collectively referred to as indemnification) with respect to the audit of the insurer. (Section 7.A.(2), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The commissioner shall not recognize an independent certified public accountant as qualified for a particular insurer if a member of the board, president, chief executive officer, controller, chief financial officer, chief accounting officer, or any person serving in an equivalent position for that … (Section 7.L.(1), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Independence – In order to ensure that internal auditors remain objective, the internal audit function must be organizationally independent. Specifically, the internal audit function will not defer ultimate judgment on audit matters to others, and shall appoint an individual to head the internal a… (Section 15.C., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • for each agency to which paragraph (1) does not apply, the head of the agency shall engage an independent external auditor to perform the evaluation. (§ 3555(b)(2), Federal Information Security Modernization Act of 2014)
  • for each agency with an Inspector General appointed under the Inspector General Act of 1978, the annual evaluation required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency; and (§ 3555(b)(1), Federal Information Security Modernization Act of 2014)
  • All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged security violations. The inspection team shall be appointed by the APB and shall include at least one representative of the CJIS Division. All results of the inquiry and audit… (§ 5.11.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • All agencies having access to CJI shall permit an inspection team to conduct an appropriate inquiry and audit of any alleged security violations. The inspection team shall be appointed by the APB and shall include at least one representative of the CJIS Division. All results of the inquiry and audit… (§ 5.11.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Determine whether the board or management validates that the auditor is qualified to carry out the review and is independent of the business continuity or related functions. (App A Objective 3:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Independence of auditor from the AIO functions and activities being reviewed. (App A Objective 2:11c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Independence of AIO-related audits or other reviews. (II.D Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Audits performed by independent internal departments or third parties. (App A Objective 10.3.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management directly audits the service provider's operations and controls, employs the services of external auditors to evaluate the servicer's controls, or receives sufficiently detailed copies of audit reports from the technology service provider. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 13:1, FFIEC IT Examination Handbook - Audit, April 2012)
  • The independence and competence of the party performing the audit. (App A Tier 2 Objectives and Procedures H.15 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Examination of companies in the Multi-Regional Data Processing Servicers (MDPS) program is administered by the Agencies. The Agencies determine which TSPs are subject to examination under the MDPS program. Generally, Agency-In-Charge (AIC) responsibilities for an MDPS company are rotated among the A… (E ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Senior management should ensure that the third party Risk Management process has periodic independent reviews conducted by the bank's internal auditor or an independent third party. ("Independent Reviews" ¶ 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • In all matters relating to the engagement, an independence in mental attitude shall be maintained by the practitioner. (AT 101.35, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • The practitioner should maintain the intellectual honesty and impartiality necessary to reach an unbiased conclusion about the subject matter or the assertion. (AT 101.36, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • Independence in mental attitude presumes an undeviating concern for an unbiased conclusion about the subject matter or an assertion no matter what the subject matter or the assertion may be. (AT 101.37, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • The profession has established, through the AICPA's code of professional conduct, precepts to guard against the presumption of loss of independence. (AT 101.38, Public Company Accounting Oversight Board Attestation Standards, Section 101)