Back

Review the relevance of information supporting internal controls.


CONTROL ID
12420
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • assume information assets have an unknown and possibly reduced level of information security control. This is typically referred to as the principle of 'never trust, always identify'; (Attachment A 1(g)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • the ICT risks are within the scope of institution-wide risk management and internal control frameworks. (Title 2 2.4 30.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Manage information to be secure, relevant, reliable, and available when needed. (OCEG GRC Capability Model, v 3.0, A5.7 Develop the Information Management Structure, OCEG GRC Capability Model, v 3.0)
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, and verifiable and retained. Information is reviewed to assess its relevance in supporting the internal control components. (§ 3 Principle 13 Points of Focus: Maintains Quality throughout Processing, COSO Internal Control - Integrated Framework (2013))
  • The entity uses information and reports that are complete, accurate, current, and valid in the operation of controls. (CC2.1 ¶ 4 Bullet 4 Uses Information That Is Complete and Accurate, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity's objectives. (CC2.1 ¶ 3 Bullet 1 Identifies Information Requirements, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. (CC2.1 ¶ 3 Bullet 4 Maintains Quality Throughout Processing, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The service auditor identifies the information produced by the service organization while performing procedures to assess the design, implementation, and operating effectiveness of controls within the system. When assessing the information produced, the service auditor should consider the reliabilit… (¶ 3.125, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the service auditor should obtain an understanding of internal control, which, in the case of a SOC 2® examination, focuses on obtaining an understanding of controls over the preparation of the descript… (¶ 2.121, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Determining the nature and extent of evidence needed to assess the reliability of information produced by the service organization is a matter of professional judgment. The service auditor may obtain evidence about the reliability of such information when testing controls or may develop specific pro… (¶ 3.129, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The degree to which the effectiveness of the control depends on the completeness and accuracy of the information (¶ 3.126 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The source and reliability of the available information (¶ 4.09 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether the information used in the operation of the controls is reliable. For example, the operation of a control may rely on configuration parameters of the comparison of the data to another set of data that is expected to be complete and accurate. (¶ 3.84 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The persuasiveness of the evidence (¶ 4.09 Bullet 6, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The source and reliability of the available information (¶ 4.12 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In obtaining an understanding of the subject matter in accordance with paragraph .14, the practitioner should obtain an understanding of internal control over the preparation of the subject matter relevant to the engagement. This includes evaluating the design of those controls relevant to the subje… (AT-C Section 205.15, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • When designing and performing procedures, the practitioner should consider the relevance and reliability of the information to be used as evidence. If (AT-C Section 205.23, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. (CC2.1 Maintains Quality Throughout Processing, Trust Services Criteria)
  • A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity's objectives. (CC2.1 Identifies Information Requirements, Trust Services Criteria)
  • A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity's objectives. (CC2.1 ¶ 2 Bullet 1 Identifies Information Requirements, Trust Services Criteria, (includes March 2020 updates))
  • Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. (CC2.1 ¶ 2 Bullet 4 Maintains Quality Throughout Processing, Trust Services Criteria, (includes March 2020 updates))
  • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and (§ 164.306(d)(3)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Review the financial institution's risk and control assessments for comments relating to retail payment systems. Review the following risk assessments: (App A Tier 1 Objectives and Procedures Objective 2:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Comments related to controls over Remote Deposit Capture (RDC). (App A Tier 1 Objectives and Procedures Objective 2:2 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identification of the existing management process that will be used to implement and monitor proposed actions. Those proposed actions that will be discussed with OMB as part of the annual Strategic Review must be identified (See OMB Circular No. A-11, Section 270), as well as proposed actions to be … (Section II (B7) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)