Disseminate and communicate management's choices for managing the organization as a part of internal reporting.


CONTROL ID
12412
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal reporting program., CC ID: 12409

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A regulated institution would typically develop a formalised IT security reporting framework that provides operational information and oversight across the various dimensions of the IT security risk management framework. The framework would incorporate clearly defined reporting and escalation thresh… (¶ 76, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. (§ 3 Principle 6 Points of Focus: Internal Reporting Objectives - Reflects Management's Choices, COSO Internal Control - Integrated Framework (2013))
  • the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; (§ 6.5.3.2 ¶ 1 b) 2), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the way in which the organization's performance was achieved and whether this performance was reasonable given the organization's changing context governance policies, including organizational values; (§ 6.5.3.2 ¶ 1 c) 2), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; (§ 6.5.3.2 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • decisions, actions, performance and improvements; (§ 6.5.3.2 ¶ 1 b) 1), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. (CC3.1 ¶ 7 Bullet 1 Reflects Management's Choices, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The frequency of reporting should be commensurate with the severity and priority of the risk. Reporting should enable management to determine the types and amount of risk assumed by the organization, its ongoing appropriateness, and the suitability of existing risk responses. For example, changes in… (Reporting Frequency and Quality ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. (CC3.1 Reflects Management's Choices, Trust Services Criteria)
  • Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. (CC3.1 ¶ 7 Bullet 1 Reflects Management's Choices, Trust Services Criteria, (includes March 2020 updates))