
Establish, implement, and maintain an external reporting program.

CONTROL ID: 12876
CONTROL TYPE: Communicate
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Leadership and high level objectives, CC ID: 00597

This Control has the following implementation support Control(s):
  • Include reporting to governing bodies in the external reporting plan., CC ID: 12923

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The licensed corporation should designate at least two individuals, being Managers-In-Charge of Core Functions (MICs) in Hong Kong, who have the knowledge, expertise and authority to access all of the Regulatory Records kept with an EDSP at any time, and who can ensure that the SFC has effective acc… (7.(g), Circular to Licensed Corporations - Use of external electronic data storage)
  • A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information… (Article 45-3(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Under CPS 234, an APRA-regulated entity must notify APRA of information security control weaknesses meeting specified criteria. An APRA-regulated entity would typically escalate material control weaknesses to the relevant governing bodies or individuals and formulate a remediation strategy. (89., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • effective processes and mechanisms for escalating concerns, issues, and regulatory feedback relating to their intragroup outsourcing arrangements to the whole firm or group. (§ 3.18 Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • A practical approach to external communication, targeting all interested parties, should be adopted in accordance with organization policy. (§ 7.4.3 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • A clear and timely escalation process should be adopted and communicated to ensure that all noncompliances are raised, reported and eventually escalated to relevant management, and that the compliance function is informed and able to support the escalation. Where appropriate, escalation should be to… (§ 10.1.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the stakeholder requirements for recording financial and non-financial information relevant to IT asset management, and for reporting on it both internally and externally. (Section 4.2 ¶ 1 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Requesting that senior management (and the engaging party, if different) consult with an appropriately qualified third party, such as the service organization's legal counsel or a regulator (¶ 3.191 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Communicating with third parties (such as a regulator) (¶ 3.191 Bullet 6, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor may be precluded from reporting such incidents to parties outside the service organization because of the service auditor's professional duty to maintain the confidentiality of client information. However, the service auditor's legal responsibilities may vary by jurisdiction and,… (¶ 3.195, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Every insurer required to file an audited financial report pursuant to this regulation that has annual direct written and assumed premiums, excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, of $500,000,000 or more shall prepare a report of the insure… (Section 17.A., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Extensions of the June 1 filing date may be granted by the commissioner for thirty-day periods upon a showing by the insurer and its independent certified public accountant of the reasons for requesting an extension and determination by the commissioner of good cause for an extension. The request fo… (Section 4.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • An insurer with direct written and assumed premium, excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, less than $500,000,000 may make application to the commissioner for a waiver from the Section 14 requirements based upon hardship. The insurer shall… (Section 14.I., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • To exercise the election of the controlling person to designate the audit committee for purposes of this regulation, the ultimate controlling person shall provide written notice to the commissioners of the affected insurers. Notification shall be made timely prior to the issuance of the statutory au… (Section 14.F., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The insurer shall file, with its annual statement filing, the approval for relief from Subsection L(1) with the states that it is licensed in or doing business in and the NAIC. If the nondomestic state accepts electronic filing with the NAIC, the insurer shall file the approval in an electronic form… (Section 7.L.(2), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The lead (or coordinating) audit partner (having primary responsibility for the audit) may not act in that capacity for more than five (5) consecutive years. The person shall be disqualified from acting in that or a similar capacity for the same company or its insurance subsidiaries or affiliates fo… (Section 7.D.(1), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The insurer shall file, with its annual statement filing, the approval for relief from Subsection D(1) with the states that it is licensed in or doing business in and with the NAIC. If the nondomestic state accepts electronic filing with the NAIC, the insurer shall file the approval in an electronic… (Section 7.D.(2), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • TIMING AND FORM OF REPORTING.—The information required to be reported under this subsection shall be reported regularly (but not less often than monthly) and in such form and manner as the Secretary prescribes. Such information shall first be required to be reported on a date specified by the Secr… (§ 1128E(b)(4), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • GENERAL PURPOSE.—Not later than January 1, 1997, the Secretary shall establish a national health care fraud and abuse data collection program for the reporting of final adverse actions (not including settlements in which no findings of liability have been made) against health care providers, suppl… (§ 1128E(a), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification tes… (§ 3.2.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)