Exercise due professional care during the planning and performance of the audit.


CONTROL ID
07119
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • adhere to the IRAP Policy and Procedures and behave professionally and ethically when representing ASD (IRAP Membership Maintaining IRAP assessor membership Personal qualities ¶ 1 Bullet 1, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • ASD expects all IRAP assessors to provide quality services to clients. All IRAP assessments are expected to uphold the quality outlined in the IRAP Assessment Reporting Guidelines. (32., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • When performing audits in multi-client environments, care should be taken to ensure that risks to another client's environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated. (4.13.3 96, Final Report on EBA Guidelines on outsourcing arrangements)
  • Auditors must commit to truthful and accurate reporting and upholding the highest professional ethical standards and exercise "due professional care". (Supplement on Tin, Tantalum, and Tungsten App: A.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Auditors must commit to truthful and accurate reporting and upholding the highest professional ethical standards and exercise "due professional care". (Supplement on Gold Step 2: § I.C.2(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Auditors must commit to truthful and accurate reporting and upholding the highest professional ethical standards and exercise "due professional care". (Supplement on Gold Step 2: § II.C.2(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The auditee shall not offer or accept bribes for gaining undue or improper Advantage. (¶ 1, Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The audit program shall be planned. (§ 4.2.11 ¶ 2, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. (§ 9.2.2 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • the delivery of planned internal audit programmes and whether these provide management with relevant information about how well the EMS is performing, including the identification of improvement opportunities, and (§ 5.5 ¶ 2 Bullet 4, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • information security and confidentiality requirements. (§ 5.1 ¶ 6 Bullet 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme should ensure the integrity of the audit is maintained and that there is not undue influence exerted over the audit. (§ 5.1 ¶ 8, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Once the audit programme has been established (see 5.4.3) and related resources have been determined (see 5.4.4) it is necessary to implement the operational planning and the coordination of all the activities within the programme. (§ 5.5.1 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the ability of the audit team members to work and interact effectively with the representatives of the auditee and relevant interested parties; (§ 5.5.4 ¶ 4(f), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • ensure the conduct of audits in accordance with the audit programme, managing all operational risks, opportunities and issues (i.e. unexpected events), as they arise during the deployment of the programme; (§ 5.5.1 ¶ 2(g), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The feasibility of the audit should be determined to provide reasonable confidence that the audit objectives can be achieved. (§ 6.2.3 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • adequate time and resources for conducting the audit. (§ 6.2.3 ¶ 2(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit team leader should adopt a risk-based approach to planning the audit based on the information in the audit programme and the documented information provided by the auditee. (§ 6.3.2.1 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The scale and content of the audit planning can differ, for example, between initial and subsequent audits, as well as between internal and external audits. Audit planning should be sufficiently flexible to permit changes which can become necessary as the audit activities progress. (§ 6.3.2.2 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • matters related to confidentiality and information security; (§ 6.3.2.2 ¶ 3 Bullet 6, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) should take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2 ¶ 3 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • select auditors and conduct audits to ensure objectivity and the impartiality of the audit process; (§ 9.2 ¶ 3 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall - plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previou… (§ 9.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. (A.12.7.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. (§ 9.2.2 ¶ 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits… (9.2.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. (§ 9.2.2 ¶ 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. (§ 12.7.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The audit team leader should be aware that risks to the auditee can result from the presence of the audit team members. The audit team's presence can influence information security and present a source of additional risk to the auditee's information, e.g. confidential or sensitive records or system … (§ 6.3.2.2, ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • Before the audit commences, the auditee should be asked whether any ISMS audit evidence is unavailable for review by the audit team, e.g. because the evidence contains personally identifiable information or other confidential/sensitive information. The person responsible for managing the audit progr… (§ 6.2.3.2, ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks integrity (¶ 2.31(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • An understanding of professional standards and the ability to apply professional skepticism and judgment in the examination (¶ 2.40 Bullet 8, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • To prevent undue use of the internal audit function in obtaining evidence, the service auditor uses less of the work of the internal audit function and performs more of the work directly when more judgment is involved in planning and performing relevant procedures or in evaluating the evidence obtai… (¶ 2.146, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be… (¶ 2.91, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the higher the assessed risk of material misstatement. (¶ 2.146(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the lower the level of competence of the internal audit function. (¶ 2.146(d), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor may also discuss with the service auditor's specialist any safeguards applicable to the specialist and evaluate whether the safeguards are adequate to reduce known threats to independence to an acceptable level. There may be some circumstances in which safeguards cannot reduce su… (¶ 2.163, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor uses professional judgment in performing procedures to evaluate the work performed by the members of the entity's internal audit function. As discussed in chapter 2, the service auditor is responsible for determining the work to be performed and obtaining sufficient appropriate e… (¶ 3.170, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When using the work of the internal audit function, paragraph .40 of AT-C section 205 requires the service auditor to perform sufficient procedures, including reperformance, on the body of work of the internal audit function that the service auditor plans to use in order to evaluate whether such wor… (¶ 3.167, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining the nature and extent of evidence needed to assess the reliability of information produced by the service organization is a matter of professional judgment. The service auditor may obtain evidence about the reliability of such information when testing controls or may develop specific pro… (¶ 3.129, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The activities performed or to be performed by the internal audit function as they relate to the SOC 2® examination (¶ 2.134(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Consider the factors that, in the service auditor's professional judgment, are significant in directing the engagement team's efforts. (¶ 2.92(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • evaluating the evidence obtained. (¶ 2.146(a)(ii), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .A15 of AT-C section 205 states that materiality in an attestation engagement is considered in the context of qualitative factors and, when applicable, quantitative factors. The relative importance of each of those factors when considering materiality in a particular engagement is a matter… (¶ 3.05, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether sufficient appropriate evidence has been obtained on which to base the service auditor's opinion is a matter of professional judgment. The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: (¶ 4.09, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Before service organization management can fulfill those responsibilities, management may need clarification of certain matters from the service auditor. For example, management may have questions about whether certain processes are part of the system used to provide the services, whether a vendor i… (¶ 2.05, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The nature of the work performed (¶ 2.149 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The activities performed or to be performed by the internal audit function as it relates to the service organization (¶ 2.112(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor's professional judgment about the pervasiveness of the effects or possible effects of the matter on the subject matter of the engagement (¶ 4.45(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Emphasizing to the engagement team the need to maintain professional skepticism (¶ 3.03 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating whether the description is presented in accordance with the description criteria, the service auditor should consider the implementation guidance for each criterion in supplement A. The implementation guidance presents factors to consider when making judgments about the nature and ex… (¶ 3.21, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Nevertheless, effective entity-level controls, particularly those designed and implemented to meet the control environment criteria, may enable the service auditor to place greater confidence in the processes and controls the service organization has designed, implemented, and operated to provide re… (¶ 2.128, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • planning and performing relevant procedures or (¶ 2.146(a)(i), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the less the internal audit function's organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors. (¶ 2.146(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor's consideration of materiality is a matter of professional judgment and is affected by the service auditor's perception of the common information needs of the broad range of report users as a group. In this context, it is reasonable for the service auditor to assume that report u… (¶ 2.107, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity req… (¶ 2.147, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The extent of the service auditor's testing refers to the size of the sample tested or the number of observations of a control activity. The extent of testing is based on the service auditor's professional judgment after considering the tolerable rate of deviation, the expected rate of deviation, th… (¶ 3.134, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity req… (¶ 3.169, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The extent to which the service auditor plans to use the work of the internal audit function is a matter of professional judgment. Because the service auditor has sole responsibility for expressing an opinion on the description, on the suitability of design of controls and, in a type 2 examination, … (¶ 2.145, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • As previously discussed, applying the description criteria requires judgment. One of those judgments involves the informational needs of report users. For most SOC 2® reports, there is a broad range of specified parties. Therefore, the description is intended to meet the common informational needs … (¶ 3.72, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Before service organization management can fulfill those responsibilities, management may need clarification of certain matters from the service auditor. For example, management may have questions about whether certain processes are part of the system used to provide the services, whether a vendor i… (¶ 2.06, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Additionally, paragraph .36 of AT-C section 105 states that the engagement partner should remain alert, through observation and making inquiries as necessary, for evidence of noncompliance with relevant ethical requirements by members of the engagement team. If matters come to the engagement partner… (¶ 1.99, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • An understanding of professional standards and the ability to apply professional skepticism and judgment in the examination (¶ 2.47 Bullet 8, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks integrity. (¶ 2.37 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reviews being performed in accordance with the firm's review policies and procedures and reviewing the engagement documentation on or before the date of the service auditor's report (¶ 2.50 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Consider the factors that, in the service auditor's professional judgment, are significant in directing the engagement team's efforts. (¶ 2.97 c., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for having a reasonable basis for its assertion about the description, suitability of design of controls and, in a type 2 engagement, operating effectiveness of controls stated therein. Furthermore, because management's assertion generally addresses the… (¶ 2.58, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The extent to which the service auditor plans to use the work of the internal audit function is a matter of professional judgment. In accordance with paragraph .40 of AT-C section 205, because the service auditor has sole responsibility for expressing an opinion on the description, the suitability o… (¶ 2.161, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .A19 of AT-C section 205 states that materiality in an attestation engagement is considered in the context of qualitative factors and, when applicable, quantitative factors. The relative importance of each of those factors when considering materiality in a particular engagement is a matter… (¶ 3.08, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Emphasizing to the engagement team the need to maintain professional skepticism (¶ 3.05 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The extent of the service auditor's testing refers to the size of the sample tested or the number of observations of a control activity. The extent of testing is based on the service auditor's professional judgment after considering factors such as the following: (¶ 3.149, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Determining the nature and extent of evidence needed to assess the reliability of information produced by the service organization is a matter of professional judgment. The service auditor may obtain evidence about the reliability of such information when testing controls or may develop and perform … (¶ 3.143, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor uses professional judgment in performing procedures to evaluate the work performed by the members of the entity's internal audit function. As discussed in chapter 2, the service auditor is responsible for determining the work to be performed and obtaining sufficient appropriate e… (¶ 3.201, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor's professional judgment about the pervasiveness of the effects or possible effects of the matter on the subject matter of the engagement (¶ 4.50 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Additionally, paragraphs .89–.90 of AT-C section 205 discuss the service auditor's responsibilities for preparing and maintaining documentation that is appropriate to an examination. The service auditor's documentation in a SOC 2 examination is the principal record of attestation procedures applie… (¶ 3.252, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Whether sufficient appropriate evidence has been obtained on which to base the service auditor's opinion is a matter of professional judgment. The service auditor's professional judgment regarding what constitutes appropriate sufficient evidence is influenced by factors such as the following: (¶ 4.12, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • consider the factors that, in the practitioner's professional judgment, are significant in directing the engagement team's efforts; (AT-C Section 205.12 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • When using the work of the internal audit function, the practitioner should perform sufficient procedures on the body of work of the internal audit function as a whole that the practitioner plans to use to determine its adequacy for the purpose of the examination engagement, including reperforming s… (AT-C Section 205.40, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • In applying the attestation guidance included in an other attestation publication, the practitioner should, exercising professional judgment, assess the relevance and appropriateness of such guidance to the circumstances of the attestation engagement. (AT-C Section 105.22, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should plan and perform an attestation engagement with professional skepticism. (AT-C Section 105.43, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should exercise professional judgment in planning and performing an attestation engagement. (AT-C Section 105.45, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should apply professional judgment in determining the specific nature, timing, and extent of review procedures. Based on (AT-C Section 210.16, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should obtain an understanding of relevant portions of internal control over compliance sufficient to plan the engagement and to assess control risk for compliance with specified requirements. In planning the examination, such knowledge should be used to identify types of potential … (AT-C Section 315.15, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The activities performed, or to be performed, by the internal audit function as it relates to the service organization (AT-C Section 320.21 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Financial statements furnished pursuant to Section 5 shall be examined by the independent certified public accountant. The audit of the insurer's financial statements shall be conducted in accordance with generally accepted auditing standards. In accordance with AU Section 319 of the Professional St… (Section 9. ¶ 1., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Due professional care shall be exercised in the planning and performance of the engagement. (AT 101.39, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • Due professional care imposes a responsibility on each practitioner involved with the engagement to observe each of the attestation standards. (AT 101.40, Public Company Accounting Oversight Board Attestation Standards, Section 101)