Assess the quality of the audit program in regards to its documentation.


CONTROL ID
11622
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain the audit plan., CC ID: 01156
  • Establish, implement, and maintain an audit schedule for the audit program., CC ID: 13158


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Management must assess the internal controls over financial reporting. To accomplish this, management must first assess internal controls that have a material impact on the overall consolidated financial report, and based on these results, assess the internal controls of the business processes. This… (Standard § II.3(1), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Data transfer logs are fully audited at least monthly. (Security Control: 0660; Revision: 7, Australian Government Information Security Manual, March 2021)
  • Data transfer logs are partially audited at least monthly. (Security Control: 1294; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Up-to-date information. (Table 8 Column 2 Row 2 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Auditors should adopt the audit methodologies and practices best suited to the needed work. For example, a systems-based audit approach may be best for Sarbanes-Oxley requirements, using audit software may be required for fraud investigations, and a risk-based approach would be most likely for annua… (§ 10.1 ¶ 5, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The Chief Audit Executive (CAE) is encouraged to use the standard that makes the most sense for the organization and is acceptable to IT management. When a standard is already in place, the CAE should audit against that standard. The CAE also has the responsibility to assess the overall sufficiency … (§ 6.1 (Policies, Standards, and Procedures) ¶ 5, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The objectives of the security audit should be defined, which take into account the threats and security controls associated with related business environments (e.g., business administration offices, trading floors, call centres, warehouses, and retail environments). (SI.01.02.03a, The Standard of Good Practice for Information Security)
  • The objectives of the security audit should be defined, which take into account the threats and security controls associated with related business environments (e.g., business administration offices, trading floors, call centres, warehouses, and retail environments). (SI.01.02.03a, The Standard of Good Practice for Information Security, 2013)
  • ensure relevant documented information regarding the auditing activities is properly managed and maintained (see 5.5.7); (§ 5.5.1 ¶ 2(h), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme should ensure that audit records are generated, managed and maintained to demonstrate the implementation of the audit programme. Processes should be established to ensure that any information security and confidentiality needs associated with the audit … (§ 5.5.7 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • sufficiency and adequacy of documented information in the whole audit process. (§ 5.6 ¶ 1(e), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • sufficient and appropriate information for planning and conducting the audit; (§ 6.2.3 ¶ 2(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • audit programme records; (§ 5.7 ¶ 3(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The documented information should include, but not be limited to: management system documents and records, as well as previous audit reports. The review should take into account the context of the auditee's organization, including its size, nature and complexity, and its related risks and opportunit… (§ 6.3.1 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • conformity with audit programme processes and relevant documented information; (§ 5.7 ¶ 3(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • An audit programme defines the structure and responsibilities for planning, conducting, reporting and following up on individual audit activities. As such it should ensure that audits conducted are appropriate, have the right scope, minimize the impact on the operations of the organization and maint… (§ 9.2 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks integrity (¶ 2.31(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the nature, timing, and extent of communication between the service auditor and the specialist, including the form of any report or documentation to be provided by the specialist; and (¶ 2.160(c)(iii), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal audit function as a whole or, for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors… (¶ 2.139(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Designing, implementing, and documenting controls that are suitably designed and operating effectively to provide reasonable assurance that the service commitments and system requirements will be achieved based on the applicable trust services criteria (¶ 2.26 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In addition to controls that the service organization expects at the subservice organization, there may be activities that a subservice organization expects the service organization, as a user entity, to perform for the subservice organization's controls to be effective. When the subservice organiza… (¶ 2.24, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The application by the internal audit function of a systematic and disciplined approach, including quality control (¶ 2.139(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Based on paragraph .60 of AT-C section 205, the service auditor should evaluate whether the description is misleading within the context of the engagement based on the evidence obtained. Paragraph .A73 of AT-C section 205 states that, when making this evaluation, the service auditor may consider whe… (¶ 3.64, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider m… (¶ 2.142, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor may determine, however, that the examination can be performed more effectively or efficiently by using the work of the internal audit function or obtaining direct assistance from internal audit function personnel. The phrase "using the work of the internal audit function" usually… (¶ 2.138, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function's approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider m… (¶ 2.158, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal audit function as a whole or, for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors… (¶ 2.155 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .61 of AT-C section 205, the service auditor should evaluate whether the description is misleading within the context of the engagement based on the evidence obtained. Paragraph .A79 of AT-C section 205 states that, when making this evaluation, the service auditor may co… (¶ 3.218, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the likelihood of material misstatement due to the particular characteristics of the subject matter and (AT-C Section 205.22 a.i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • when using the work of the internal audit function, the application by the internal audit function of a systematic and disciplined approach, including quality control. (AT-C Section 205.39 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the nature, timing, and extent of communication between the practitioner and that specialist, including the form of any report or documentation to be provided by that specialist; and (AT-C Section 205.36 c.iii., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Documentation of audit findings (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:11 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the compliance function has involvement in the institution's review oversight process, and assess the adequacy of its involvement. (App A Objective 6:5, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the institution's IT audit standards manual and/or IT-related sections of the institution's general audit manual. Assess the adequacy of policies, practices, and procedures covering the format and content of reports, distribution of reports, resolution of audit findings, format and contents o… (TIER I OBJECTIVES AND PROCEDURES Objective 7:2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Review the audit program to ensure all functions of the FTS are covered. Consider: ▪ Payment order origination (funds transfer requests). ▪ Message testing. ▪ Customer agreements. ▪ Payment processing and accounting. ▪ Personnel policies. ▪ Physical and data security. ▪ Contingency pla… (Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The auditor should design the testing of controls to accomplish the objectives of both the audit of internal control over financial reporting and the audit of the financial statements simultaneously when an integrated audit is being performed. (¶ 7, PCAOB Auditing Standard No. 5)