Respond to questions or clarification requests regarding the audit.
CONTROL ID: 08902
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Answering further questions following assessment activities from ASD or other Australian Government entities. (31., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • On completion of an IRAP assessment, complete the IRAP Assessment Feedback Form to assist in continually improving IRAP. (39.g., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The cloud provider has taken precautions for unscheduled audits. (Section 5.16 COM-02 Description of additional requirements (availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The assessment team should respond to specific questions or clarification requests made by cooperating companies and make recommendations for the risk assessment and Risk Management. (Supplement on Tin, Tantalum, and Tungsten App: B.2(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Cooperating companies may forward questions to or request clarification from the assessment team on the evidence that is generated by the traceability and chain of custody system. (Supplement on Tin, Tantalum, and Tungsten App: B.2(b)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Cooperating companies may forward questions to or request clarification from the assessment team on information on the suppliers. (Supplement on Tin, Tantalum, and Tungsten App: B.2(b)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • feedback from audit clients, auditees, auditors, technical experts and other relevant parties; (§ 5.6 ¶ 1(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • reporting of the results of the audit programme and review with the audit client and relevant interested parties, as appropriate. (§ 5.7 ¶ 2 Bullet 5, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • determine any areas of interest, concern or risks to the auditee in relation to the specific audit; (§ 6.2.2 ¶ 1(j), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be discussed and, if possible, resolved. If not resolved, this should be recorded. (§ 6.4.10 ¶ 8, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • feedback from interested parties; (§ 9.3 ¶ 2 d), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • feedback from interested parties; (§ 9.3.2 ¶ 1 e), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Before the audit commences, the auditee should be asked whether any ISMS audit evidence is unavailable for review by the audit team, e.g. because the evidence contains personally identifiable information or other confidential/sensitive information. The person responsible for managing the audit progr… (§ 6.2.3.2, ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • Inquiring of service organization management, those charged with governance, and others within the service organization who, in the service auditor's judgment, may have relevant information (¶ 2.115 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service organization uses a subservice organization, management is responsible for determining whether to carve out or include the subservice organization's controls within the scope of the examination. Management of a service organization may need assistance in understanding the differences … (¶ 2.12, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Before service organization management can fulfill those responsibilities, management may need clarification of certain matters from the service auditor. For example, management may have questions about whether certain processes are part of the system used to provide the services, whether a vendor i… (¶ 2.05, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In addition, the engagement partner should make sure that team members are informed of their responsibilities, including the objectives of the procedures that they are to perform and matters that may affect the nature, timing, and extent of such procedures. The engagement partner should also be sati… (¶ 2.41, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In such a situation, the service auditor should discuss the matter with service organization management. If service organization management is unwilling to revise the service commitments and system requirements to address the service auditor's concerns, the service auditor should consider the effect… (¶ 3.29, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is not required to disclose the identity of the subservice organization. However, that information is typically needed by report users (particularly user entities and business partners) who wish to obtain information about and perform procedures related to the service… (¶ 3.48, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .48 of AT-C section 205 requires the service auditor to inquire of management (and if different, the engaging party) about whether it is aware of any such events. If such events exist, the service auditor should apply appropriate procedures to obtain evidence regarding the events. For exam… (¶ 3.215, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • After obtaining information about an event, the service auditor determines whether the facts existed at the date of the report and, if so, whether persons who would attach importance to these facts are currently using, or likely to use, the SOC 2® report (which includes the description, management'… (¶ 3.217, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor believes that the service commitments and system requirements identified by management and stated in the description are not appropriate for the SOC 2® examination, the service auditor should discuss the matter with management. If management is unwilling to revise the descrip… (¶ 2.65, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .57 of AT-C section 205 indicates that if a material misstatement of fact or a material inconsistency exists (as described in paragraph 3.09), the service auditor should discuss the matter with service organization management. The service auditor would ordinarily request that management co… (¶ 4.101, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Before service organization management can fulfill those responsibilities, management may need clarification of certain matters from the service auditor. For example, management may have questions about whether certain processes are part of the system used to provide the services, whether a vendor i… (¶ 2.06, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management may request the service auditor's assistance when determining how to present the CSOCs in the description of the system. In this case, the service auditor may provide examples of CSOC disclosures made by others and make recommendations to improve the presentation of t… (¶ 2.21 ¶ 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition, in accordance with paragraph .34 of AT-C section 105, the engagement partner should be satisfied that team members are informed of their responsibilities, including the objectives of the procedures that they are to perform and matters that may affect the nature, timing, and extent of su… (¶ 2.48, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • engagement team members have been directed to bring to the engagement partner's attention significant questions raised during the engagement so that their significance may be assessed. (AT-C Section 105.32 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Questions that have arisen in the course of applying the review procedures (AT-C Section 210.21 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Appropriate consultation being undertaken by the engagement team on difficult or contentious matters (AT-C Section 105.33 e., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • if one or more of the requested representations in paragraph .28 are not provided in writing by the responsible party, the practitioner should make inquiries of the responsible party about, and seek oral responses to, the matters in paragraph .28. (AT-C Section 215.32 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)