Supervise interested personnel and affected parties participating in the audit.

CONTROL ID: 07150
CONTROL TYPE: Monitor and Evaluate Occurrences
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

This Control has the following implementation support Control(s):
  • Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit., CC ID: 07151


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • System audits are coordinated with the operator and users of the IT systems. (5.2.6 Requirements (must) Bullet 3, Information Security Assessment, Version 5.1)
  • Auditors-in-training may be included in the audit team, but should participate under the direction and guidance of an auditor. (§ 5.5.4 ¶ 7, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • For observers, any arrangements for access, health and safety, environmental, security and confidentiality should be managed between the audit client and the auditee. (§ 6.4.2 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Guides and observers may accompany the audit team with approvals from the audit team leader, audit client and/or auditee, if required. They should not influence or interfere with the conduct of the audit. If this cannot be assured, the audit team leader should have the right to deny observers from b… (§ 6.4.2 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Due care requires a member to plan and supervise adequately any professional activity for which he or she is responsible. (0.300.060.06, AICPA Code of Professional Conduct, August 31, 2016)
  • Planning and Supervision. Adequately plan and supervise the performance of professional services. (2.300.001.01 c., AICPA Code of Professional Conduct, August 31, 2016)
  • Planning and Supervision. Adequately plan and supervise the performance of professional services. (1.300.001.01 c., AICPA Code of Professional Conduct, August 31, 2016)
  • When planning the SOC 2® examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be… (¶ 2.91, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Although the service auditor is not precluded from using work that the internal audit function has already performed, coordination of activities between the service auditor and the internal audit function is likely to be most effective when appropriate interaction occurs before the internal audit fu… (¶ 2.151, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When using internal auditors to provide direct assistance, paragraph .42 of AT-C section 205 requires the service auditor to direct, supervise, and review the work of the internal auditors. The service auditor fulfills that responsibility by (a) informing the internal auditors of their responsibilit… (¶ 3.176, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Providing more supervision (¶ 3.03 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the work of the internal audit function has been used in tests of controls to obtain evidence, the section of the SOC 2® report in which the service auditor describes the tests of controls and results should include a description of the internal auditor's work and of the service auditor's proced… (¶ 4.24, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider m… (¶ 2.142, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Regardless of whether management's specialist is considered a subservice organization, management is responsible for oversight of the specialist's work. (¶ 2.12 ¶ 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Providing more supervision (¶ 3.05 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider m… (¶ 2.158, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Although the service auditor is not precluded from using work that the internal audit function has already performed, coordination of activities between the service auditor and the internal audit function is likely to be most effective when appropriate interaction occurs before the internal audit fu… (¶ 2.167, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the work of the internal audit function has been used in tests of controls to obtain evidence, the service auditor may elect to identify which testing procedures presented in the tests of controls section were performed by the internal audit function and describe the service auditor's procedures … (¶ 4.26, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When using internal auditors to provide direct assistance, paragraph .43 of AT-C section 205 states that the service auditor should direct, supervise, and review the work of the internal auditors. The service auditor fulfills that responsibility by (a) informing the internal auditors of their respon… (¶ 3.207, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When using internal auditors to provide direct assistance to the practitioner, the practitioner should direct, supervise, and review the work of the internal auditors. (AT-C Section 205.42, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • a practitioner's external specialist when the work of that specialist is to be used and (AT-C Section 105.32 b.i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • an other practitioner, when the work of that practitioner is to be used. (AT-C Section 105.32 b.ii., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Determine whether the directors ensure that the institution effectively manages any outsourced internal audit function. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 11:7, FFIEC IT Examination Handbook - Audit, April 2012)
  • Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity require… (T0301, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity require… (T0301, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Supervision involves directing the efforts of assistants who participate in accomplishing the objectives of the attest engagement and determining whether those objectives were accomplished. (AT 101.48, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • The work performed by each assistant should be reviewed to determine whether it was adequately performed and to evaluate whether the results are consistent with the conclusion to be presented in the practitioner's report. (AT 101.50, Public Company Accounting Oversight Board Attestation Standards, Section 101)