Include risks and opportunities in the audit program.
CONTROL ID
15236
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • System audits are planned taking into account any security risks they might cause (e.g. disturbances). (5.2.6 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • risks and opportunities associated with the audit programme (see 5.3) and the actions to address them; (§ 5.1 ¶ 11(b), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • There are risks and opportunities related to the context of the auditee that can be associated with an audit programme and can affect the achievement of its objectives. The individual(s) managing the audit programme should identify and present to the audit client the risks and opportunities consider… (§ 5.3 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • ensure the conduct of audits in accordance with the audit programme, managing all operational risks, opportunities and issues (i.e. unexpected events), as they arise during the deployment of the programme; (§ 5.5.1 ¶ 2(g), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • information needed for evaluating and addressing identified risks and opportunities to the achievement of the audit objectives; (§ 5.5.5 ¶ 3(h), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • identification of areas and opportunities for improvement; (§ 5.7 ¶ 2 Bullet 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • request access to relevant information for planning purposes including information on the risks and opportunities the organization has identified and how they are addressed; (§ 6.2.2 ¶ 1(d), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Only information that can be subject to some degree of verification should be accepted as audit evidence. Where the degree of verification is low the auditor should use their professional judgement to determine the degree of reliance that can be placed on it as evidence. Audit evidence leading to au… (§ 6.4.7 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The degree of detail should take into account the effectiveness of the management system in achieving the auditee's objectives, including consideration of its context and risks and opportunities. (§ 6.4.10 ¶ 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; (§ 6.4.3.3 ¶ 1 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • risks and opportunities; (§ 9.3 ¶ 2 b) 3), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Description of the procedures implemented by the service organization may include information about the service organization's risk assessment process and disclosure of significant risks identified by that process. These disclosures may assist user entities in identifying risks related to their use … (¶ 3.37, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • All TSPs that the Agencies supervise receive an examination sufficient in scope to assign or update the URSIT during each examination cycle. The number and frequency of supervisory activities conducted during the examination cycle varies depending on the risk profile of the TSP as established by the… (Frequency of Examinations ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Well-planned, properly structured audit programs are essential to strong risk management and effective internal control systems. Effective internal and external audit programs are also a critical defense against fraud and provide vital information to the board of directors about the effectiveness of… (Audit and Internal Controls ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • The Agencies' IT examination process is based on the concept of ongoing, risk-based supervision. This includes the identification and selection of TSPs warranting interagency supervision and the development of a risk-based supervisory strategy for each of these entities. This approach provides for e… (Risk-Based Supervision ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)