Establish, implement, and maintain agreed upon procedures that are in scope for the audit.


CONTROL ID: 13893
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program. (CC ID: 00684)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • establish all relevant processes including processes for: (§ 5.4.1 ¶ 1(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • audit methods (see A.1); (§ 5.4.4 ¶ 1(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • select audit methods (see A.1); (§ 5.5.1 ¶ 2(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The individual(s) managing the audit programme should select and determine the methods for effectively and efficiently conducting an audit, depending on the defined audit objectives, scope and criteria. (§ 5.5.3 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • audit methods to be employed; (§ 5.1 ¶ 11(g), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the establishment of audit objectives, scope(s) and criteria of the audits, determining audit methods and selecting the audit team; (§ 5.4.1 ¶ 1(d) Bullet 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Audits can be performed on-site, remotely or as a combination. The use of these methods should be suitably balanced, based on, among others, consideration of associated risks and opportunities. (§ 5.5.3 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Where two or more auditing organizations conduct a joint audit of the same auditee, the individuals managing the different audit programmes should agree on the audit methods and consider implications for resourcing and planning the audit. If an auditee operates two or more management systems of diff… (§ 5.5.3 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • audit processes and associated method; (§ 5.5.5 ¶ 3(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the appropriate sampling techniques (see A.6); (§ 6.3.2.1 ¶ 3(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • alternative or new auditing methods; (§ 5.7 ¶ 3(e), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Where, when and how to access audit information is crucial to the audit. This is independent of where the information is created, used and/or stored. Based on these issues, the audit methods need to be determined (see Table A.1). The audit can use a mixture of methods. Also, audit circumstances may … (§ 6.4.5 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • coordination with other audit activities, in case of a joint audit. (§ 6.3.2.2 ¶ 3 Bullet 9, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • For combined audits, particular attention should be given to the interactions between operational processes and any competing objectives and priorities of the different management systems. (§ 6.3.2.1 ¶ 5, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the audit methods to be used, including the extent to which audit sampling is needed to obtain sufficient audit evidence; (§ 6.3.2.2 ¶ 2(f), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit team should confer periodically to exchange information, assess audit progress and reassign work between the audit team members, as needed. (§ 6.4.4 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit team should meet as needed to review the audit findings at appropriate stages during the audit. (§ 6.4.8 ¶ 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • discuss audit follow-up, as applicable. (§ 6.4.9.1 ¶ 1(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, consultation, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The effectiveness of the implemented controls should be examined within the scope of internal audits. An audit programme should be designed to ensure coverage of all necessary controls and should include evaluation of the effectiveness of selected controls over time. Key controls (according to the a… (§ 9.2 Guidance ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • When a SOC 2 report identifies controls that are not operating effectively, management generally takes steps to remediate the control deficiencies. Management may wish to provide customers and business partners with information about the improvements made to their controls before the next SOC 2 repo… (¶ 3.80, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Services provided by an insured financial institution, or by its subsidiary, to one class or more of insured financial institutions are examined by the Agency responsible for supervising the servicing institution. The primary regulatory Agency seeks input from other interested Agencies and performs … (B ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Responsibility for the examination of independent TSPs is based on the class of insured financial institution being serviced. If more than one class of insured institution is serviced, the examination is conducted jointly, and on a rotated basis, as agreed to among the federal financial institution … (E ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • For TSPs that do not have designated CPC teams, the examiners assigned by the AICs are responsible for the supervision and oversight of the TSPs. These examiners carry out their responsibilities in collaboration with examiners from participating Agencies. (Central Point of Contact ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • As part of the supervision of a TSP, examiners can conduct interim supervisory reviews or unscheduled site or service examinations for areas of evolving supervisory interest or concern. The number and frequency of interim supervisory reviews conducted during an examination cycle are based on the lev… (Frequency of Examinations ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)