Back

Europe > European Parliament

Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC



AD ID

0003964

AD STATUS

Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC

ORIGINATOR

European Parliament

TYPE

Regulations

AVAILABILITY

Free

SYNONYMS

European SOX

Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-12-02T00:00:00-0800.

AD ID

0003964

AD STATUS

Free

ORIGINATOR

European Parliament

TYPE

Regulations

AVAILABILITY

SYNONYMS

European SOX

Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2024-12-02T00:00:00-0800.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
76 Mandated Controls - bold    
49 Implied Controls - italic     805 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
930 Total
  • Audits and risk management
    428
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Statement of Compliance. CC ID 12499 Establish/Maintain Documentation Preventive
    Publish a Statement of Compliance for the organization's external requirements. CC ID 12350
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)]
    Communicate Preventive
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)]
    Establish Roles Preventive
    Manage supply chain audits. CC ID 01203 Audits and Risk Management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and Risk Management Preventive
    Rotate auditors, as necessary. CC ID 15589
    [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.]
    Audits and Risk Management Preventive
    Withdraw the approvals of auditors, as necessary. CC ID 17260
    [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1.
    Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2.
    Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.]
    Business Processes Preventive
    Define the qualification requirements for auditors. CC ID 17259
    [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a)
    Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3.
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b)
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c)
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d)
    {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1
    Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1
    A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a)
    A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b)
    The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1
    In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.
    Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.
    Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.]
    Human Resources Management Preventive
    Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 Communicate Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Establish Roles Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396 Human Resources Management Corrective
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings to interested personnel and affected parties. CC ID 01152
    [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.]
    Testing Detective
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Establish Roles Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Establish Roles Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683
    [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.]
    Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and Risk Management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Establish/Maintain Documentation Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Establish/Maintain Documentation Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Establish/Maintain Documentation Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Establish/Maintain Documentation Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Establish/Maintain Documentation Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Establish/Maintain Documentation Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and Risk Management Preventive
    Review the external audit assertion for accuracy. CC ID 06977 Testing Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Testing Detective
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and Risk Management Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Establish/Maintain Documentation Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197 Audits and Risk Management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198
    [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)
    The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.
    The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5.
    Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Audits and Risk Management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Establish/Maintain Documentation Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Behavior Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Behavior Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Establish/Maintain Documentation Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1.
    {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.]
    Establish Roles Preventive
    Define what constitutes a threat to independence. CC ID 16824
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)]
    Audits and Risk Management Preventive
    Mitigate the threats to an auditor's independence. CC ID 17282
    [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1
    Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3.
    {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1
    In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)]
    Process or Activity Preventive
    Determine if requested services create a threat to independence. CC ID 16823
    [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3.
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)
    Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)]
    Audits and Risk Management Detective
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Behavior Preventive
    Include resource requirements in the audit program. CC ID 15237 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Establish/Maintain Documentation Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Establish/Maintain Documentation Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and Risk Management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and Risk Management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and Risk Management Preventive
    Include facility locations in the audit assertion's in scope system description. CC ID 17261 Establish/Maintain Documentation Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and Risk Management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and Risk Management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and Risk Management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and Risk Management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Establish/Maintain Documentation Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Establish/Maintain Documentation Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Establish/Maintain Documentation Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and Risk Management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Establish/Maintain Documentation Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Establish/Maintain Documentation Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Establish/Maintain Documentation Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Establish/Maintain Documentation Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Establish/Maintain Documentation Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Establish/Maintain Documentation Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Establish/Maintain Documentation Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Establish/Maintain Documentation Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Establish/Maintain Documentation Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Establish/Maintain Documentation Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Establish/Maintain Documentation Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Establish/Maintain Documentation Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Establish/Maintain Documentation Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Establish/Maintain Documentation Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Establish/Maintain Documentation Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Establish/Maintain Documentation Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Establish/Maintain Documentation Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Establish/Maintain Documentation Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Establish/Maintain Documentation Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Establish/Maintain Documentation Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Establish/Maintain Documentation Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and Risk Management Detective
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Establish/Maintain Documentation Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Establish/Maintain Documentation Preventive
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and Risk Management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Business Processes Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and Risk Management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and Risk Management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Establish/Maintain Documentation Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Establish/Maintain Documentation Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 Audits and Risk Management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and Risk Management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Communicate Preventive
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Business Processes Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952
    [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2
    Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1
    Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1]
    Audits and Risk Management Detective
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Business Processes Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1.
    Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.]
    Audits and Risk Management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Actionable Reports or Measurements Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180
    [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)]
    Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Testing Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010 Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and Risk Management Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of in scope controls. CC ID 06981 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Refrain from using audit evidence that is not sufficient. CC ID 17163 Audits and Risk Management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Communicate Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Human Resources Management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Process or Activity Preventive
    Create a schedule for the interviews. CC ID 16292 Process or Activity Preventive
    Identify interviewees. CC ID 16290 Process or Activity Preventive
    Conduct interviews, as necessary. CC ID 07188 Testing Detective
    Verify statements made by interviewees are correct. CC ID 16299 Behavior Detective
    Discuss unsolved questions with the interviewee. CC ID 16298 Process or Activity Detective
    Allow interviewee to respond to explanations. CC ID 16296 Process or Activity Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Process or Activity Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Behavior Detective
    Explain the testing results to the interviewee. CC ID 16291 Process or Activity Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)
    The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)]
    Establish/Maintain Documentation Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Establish/Maintain Documentation Preventive
    Include audit irregularities in the work papers. CC ID 16774 Establish/Maintain Documentation Preventive
    Include corrective actions in the work papers. CC ID 16771 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Establish/Maintain Documentation Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Audits and Risk Management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and Risk Management Detective
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966
    [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.]
    Audits and Risk Management Preventive
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Investigate Detective
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Establish/Maintain Documentation Detective
    Include the purpose in the audit report. CC ID 17263 Establish/Maintain Documentation Preventive
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and Risk Management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and Risk Management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Establish/Maintain Documentation Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Establish/Maintain Documentation Preventive
    Identify the audit team members in the audit report. CC ID 15259 Human Resources Management Detective
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Establish/Maintain Documentation Preventive
    Include written agreements in the audit report. CC ID 17266 Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)]
    Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and Risk Management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and Risk Management Detective
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Establish/Maintain Documentation Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Establish/Maintain Documentation Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Establish/Maintain Documentation Preventive
    Include the cost of corrective action in the audit report. CC ID 17015 Audits and Risk Management Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Establish/Maintain Documentation Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Establish/Maintain Documentation Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Establish/Maintain Documentation Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Establish/Maintain Documentation Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Establish/Maintain Documentation Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and Risk Management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Establish/Maintain Documentation Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Establish/Maintain Documentation Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)]
    Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Establish/Maintain Documentation Corrective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Investigate Detective
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include the results of the business impact analysis in the audit report. CC ID 17208 Establish/Maintain Documentation Preventive
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897
    [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.]
    Establish/Maintain Documentation Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Human Resources Management Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Establish/Maintain Documentation Detective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Actionable Reports or Measurements Corrective
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963
    [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1
    Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.]
    Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Testing Detective
    Evaluate the competency of auditors. CC ID 15253 Human Resources Management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Establish/Maintain Documentation Detective
    Determine the effectiveness of risk control measures. CC ID 06601
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish, implement, and maintain a disclosure report. CC ID 15521
    [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.]
    Establish/Maintain Documentation Preventive
    Include goals and targets in the disclosure report. CC ID 16339
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)]
    Establish/Maintain Documentation Preventive
    Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 Establish/Maintain Documentation Preventive
    Include a description of assurance processes in the disclosure report. CC ID 16031
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)]
    Establish/Maintain Documentation Preventive
    Include how material topics are managed in the disclosure report. CC ID 15657 Establish/Maintain Documentation Preventive
    Include disclosures for each material topic in the disclosure report. CC ID 15658 Establish/Maintain Documentation Preventive
    Include a description of how the organization manages training and education in the disclosure report. CC ID 15875
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)]
    Establish/Maintain Documentation Preventive
    Include a description of professional development programs in the disclosure report. CC ID 15880 Establish/Maintain Documentation Preventive
    Include a description of professional development assistance in the disclosure report. CC ID 15879 Establish/Maintain Documentation Preventive
    Include a description of transition assistance programs in the disclosure report. CC ID 15878 Establish/Maintain Documentation Preventive
    Include the governance structure in the disclosure report. CC ID 15840
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)]
    Establish/Maintain Documentation Preventive
    Include stakeholder representation in the disclosure report. CC ID 15847 Establish/Maintain Documentation Preventive
    Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 Establish/Maintain Documentation Preventive
    Include the ownership structure in the disclosure report. CC ID 15822
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)]
    Establish/Maintain Documentation Preventive
    Include the shareholding structure in the disclosure report. CC ID 16093 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.]
    Communicate Preventive
  • Harmonization Methods and Manual of Style
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Harmonization Methods and Manual of Style CC ID 06095 IT Impact Zone IT Impact Zone
    Structure the language of compliance documents. CC ID 06098 Establish/Maintain Documentation Preventive
    Standardize word usage. CC ID 06104 Establish/Maintain Documentation Preventive
    Write policies and instructions using clear and conspicuous language. CC ID 16286
    [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.]
    Establish/Maintain Documentation Preventive
  • Human Resources management
    149
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign board committees, as necessary. CC ID 14787 Human Resources Management Preventive
    Define and assign audit committees, as necessary. CC ID 14788
    [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1
    Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1]
    Human Resources Management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796
    [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1]
    Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d)
    The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Train all personnel and third parties, as necessary. CC ID 00785
    [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.]
    Behavior Preventive
    Provide new hires limited network access to complete computer-based training. CC ID 17008 Training Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)]
    Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268
    [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.]
    Human Resources Management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1]
    Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423 Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Approve training plans, as necessary. CC ID 17193 Training Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Training Preventive
    Designate training facilities in the training plan. CC ID 16200 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the security awareness program. CC ID 12801 Human Resources Management Preventive
    Include insider threats in the security awareness program. CC ID 16963 Training Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the security awareness program. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include cloud security in the security awareness program. CC ID 13039 Training Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 Training Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Include media protection in the security awareness program. CC ID 16368 Training Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include identity and access management in the security awareness program. CC ID 17013 Training Preventive
    Include the encryption process in the security awareness program. CC ID 17014 Training Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include physical security in the security awareness program. CC ID 16369 Training Preventive
    Include data management in the security awareness program. CC ID 17010 Training Preventive
    Include e-mail and electronic messaging in the security awareness program. CC ID 17012 Training Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Training Preventive
    Include social networking in the security awareness program. CC ID 17011 Training Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Establish/Maintain Documentation Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a conflict of interest policy. CC ID 14785
    [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e)
    The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.]
    Establish/Maintain Documentation Preventive
    Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 Establish/Maintain Documentation Preventive
    Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 Monitor and Evaluate Occurrences Preventive
    Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)]
    Communicate Preventive
    Include roles and responsibilities in the conflict of interest policy. CC ID 14790 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an ethics program. CC ID 11496
    [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1.
    The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)]
    Human Resources Management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Communicate Preventive
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Behavior Preventive
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Investigate Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781 Behavior Preventive
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Monitor and Evaluate Occurrences Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Monitor and Evaluate Occurrences Preventive
    Refrain from practicing false advertising. CC ID 14253 Business Processes Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Business Processes Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Communicate Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Establish/Maintain Documentation Preventive
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Behavior Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Behavior Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Business Processes Corrective
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Behavior Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 Human Resources Management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources Management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources Management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Establish Roles Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Behavior Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Behavior Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Behavior Preventive
  • Leadership and high level objectives
    203
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain communication protocols. CC ID 12245 Establish/Maintain Documentation Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797
    [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1]
    Actionable Reports or Measurements Preventive
    Establish, implement, and maintain an external reporting program. CC ID 12876 Communicate Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923
    [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.]
    Communicate Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Communicate Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Establish/Maintain Documentation Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Establish/Maintain Documentation Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Establish/Maintain Documentation Preventive
    Request extensions for submissions to governing bodies, as necessary. CC ID 16955 Process or Activity Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a Quality Management framework. CC ID 07196
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Establish/Maintain Documentation Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)]
    Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Establish/Maintain Documentation Preventive
    Enforce a continuous Quality Control system. CC ID 01005
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h)
    The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)]
    Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Testing Detective
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)
    {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)]
    Establish/Maintain Documentation Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Communicate Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Communicate Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501 Business Processes Corrective
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Monitor and Evaluate Occurrences Preventive
    Include records management in the quality management system. CC ID 15055 Establish/Maintain Documentation Preventive
    Include risk management in the quality management system. CC ID 15054 Establish/Maintain Documentation Preventive
    Include data management procedures in the quality management system. CC ID 15052 Establish/Maintain Documentation Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Establish/Maintain Documentation Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Systems Design, Build, and Implementation Preventive
    Include resource management in the quality management system. CC ID 15026
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c)
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Establish/Maintain Documentation Preventive
    Include communication protocols in the quality management system. CC ID 15025 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Establish/Maintain Documentation Preventive
    Include technical specifications in the quality management system. CC ID 15021 Establish/Maintain Documentation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)]
    Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017 Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)]
    Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b)
    The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Establish/Maintain Documentation Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Communicate Preventive
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Business Processes Preventive
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Business Processes Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Business Processes Preventive
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Investigate Detective
    Attach the required information to each funds transfer. CC ID 16756 Business Processes Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Business Processes Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Business Processes Preventive
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Testing Preventive
    Include communication protocols in the financial management program. CC ID 16763 Establish/Maintain Documentation Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Process or Activity Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Process or Activity Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Business Processes Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Business Processes Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Establish/Maintain Documentation Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Process or Activity Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642
    [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.]
    Establish/Maintain Documentation Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Establish/Maintain Documentation Preventive
    Supplement financial resources, as necessary. CC ID 16685 Business Processes Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Establish/Maintain Documentation Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Establish/Maintain Documentation Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Establish/Maintain Documentation Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Testing Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Business Processes Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Business Processes Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Testing Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Testing Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Process or Activity Detective
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Testing Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Communicate Preventive
    Identify and document the financial resources available for use. CC ID 16643 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Establish/Maintain Documentation Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Business Processes Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Establish/Maintain Documentation Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Establish/Maintain Documentation Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Establish/Maintain Documentation Preventive
    Include required information in the capital restoration plan. CC ID 16609 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Establish/Maintain Documentation Preventive
    Include investment information in approval requests for investments. CC ID 16590 Business Processes Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Establish/Maintain Documentation Preventive
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Process or Activity Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Establish/Maintain Documentation Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Establish/Maintain Documentation Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Establish/Maintain Documentation Preventive
    Include pricing structures in the lending policy. CC ID 16724 Establish/Maintain Documentation Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Establish/Maintain Documentation Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Establish/Maintain Documentation Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Establish/Maintain Documentation Preventive
    Include loan requirements in the lending policy. CC ID 16706 Establish/Maintain Documentation Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Establish/Maintain Documentation Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Establish/Maintain Documentation Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Establish/Maintain Documentation Preventive
    Include geographic areas in the lending policy. CC ID 16691 Establish/Maintain Documentation Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Establish/Maintain Documentation Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Establish/Maintain Documentation Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Establish/Maintain Documentation Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Establish/Maintain Documentation Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Establish/Maintain Documentation Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Establish/Maintain Documentation Preventive
    Include approval requirements in the lending policy. CC ID 16615 Establish/Maintain Documentation Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Establish/Maintain Documentation Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Establish/Maintain Documentation Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Establish/Maintain Documentation Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Establish/Maintain Documentation Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Establish/Maintain Documentation Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Establish/Maintain Documentation Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Establish/Maintain Documentation Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Establish/Maintain Documentation Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Establish/Maintain Documentation Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Establish/Maintain Documentation Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Establish/Maintain Documentation Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Process or Activity Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Establish/Maintain Documentation Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Establish/Maintain Documentation Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Establish/Maintain Documentation Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Establish/Maintain Documentation Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Establish/Maintain Documentation Preventive
    Include collections in the loan administration procedures. CC ID 16701 Establish/Maintain Documentation Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Establish/Maintain Documentation Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Establish/Maintain Documentation Preventive
    Review and approve lending policies. CC ID 16607 Business Processes Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Establish/Maintain Documentation Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Business Processes Preventive
    Include valuation models in the margin system. CC ID 16663 Data and Information Management Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Data and Information Management Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Data and Information Management Preventive
    Validate the margin system on a regular basis. CC ID 16660 Testing Detective
    Assess the properties of the margin model used in the margin system. CC ID 16658 Process or Activity Detective
    Monitor the performance of the margin system. CC ID 16655 Monitor and Evaluate Occurrences Detective
    Analyze the performance of the margin system. CC ID 16654 Process or Activity Detective
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Business Processes Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Establish/Maintain Documentation Preventive
    Determine the amount of assets to be held in escrow. CC ID 16575 Investigate Detective
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Communicate Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Establish/Maintain Documentation Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Establish/Maintain Documentation Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Establish/Maintain Documentation Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Establish/Maintain Documentation Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Data and Information Management Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Data and Information Management Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Data and Information Management Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Data and Information Management Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Data and Information Management Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Data and Information Management Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Data and Information Management Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Data and Information Management Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Data and Information Management Preventive
    Include account information In the recordkeeping system for securities transactions. CC ID 16632 Data and Information Management Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Establish/Maintain Documentation Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Establish/Maintain Documentation Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Establish/Maintain Documentation Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Establish/Maintain Documentation Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Establish/Maintain Documentation Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Establish/Maintain Documentation Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Establish/Maintain Documentation Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Establish/Maintain Documentation Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Establish/Maintain Documentation Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Establish/Maintain Documentation Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Establish/Maintain Documentation Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Establish/Maintain Documentation Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Establish/Maintain Documentation Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Establish/Maintain Documentation Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Establish/Maintain Documentation Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Establish/Maintain Documentation Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Establish/Maintain Documentation Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Establish/Maintain Documentation Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Establish/Maintain Documentation Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Establish/Maintain Documentation Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Establish/Maintain Documentation Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Establish/Maintain Documentation Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Communicate Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)]
    Establish/Maintain Documentation Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Establish/Maintain Documentation Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Establish/Maintain Documentation Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Establish/Maintain Documentation Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Communicate Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Establish/Maintain Documentation Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Establish/Maintain Documentation Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Establish/Maintain Documentation Preventive
    Include material contingencies in the financial statement. CC ID 16596 Establish/Maintain Documentation Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Establish/Maintain Documentation Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Establish/Maintain Documentation Preventive
    Include assets and liabilities in the call report. CC ID 16729 Establish/Maintain Documentation Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Communicate Preventive
  • Monitoring and measurement
    22
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitor and Evaluate Occurrences Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1
    If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1
    Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.
    Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2.
    {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)
    The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Human Resources Management Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585
    [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.]
    Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
  • Operational management
    19
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a registration database. CC ID 15048
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.
    Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1
    Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.]
    Data and Information Management Preventive
    Grant registration after competence and integrity is verified. CC ID 16802
    [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1
    {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2]
    Behavior Detective
    Implement access restrictions for information in the registration database. CC ID 17235 Data and Information Management Preventive
    Include registration numbers in the registration database. CC ID 17272
    [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)]
    Data and Information Management Preventive
    Include electronic signatures in the registration database. CC ID 17281
    [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1]
    Data and Information Management Preventive
    Include other registrations in the registration database. CC ID 17274
    [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)]
    Data and Information Management Preventive
    Include the owners and shareholders in the registration database. CC ID 17273
    [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)]
    Data and Information Management Preventive
    Include contact details in the registration database. CC ID 15109
    [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3.
    As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)
    As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c)
    As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c)
    As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d)
    As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g)
    As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)]
    Establish/Maintain Documentation Preventive
    Include personal data in the registration database, as necessary. CC ID 15108 Establish/Maintain Documentation Preventive
    Publish the registration information in the registration database in an official language. CC ID 17280
    [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1.
    Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1]
    Data and Information Management Preventive
    Make the registration database available to the public. CC ID 15107
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.]
    Communicate Preventive
    Maintain non-public information in a protected area in the registration database. CC ID 17237 Data and Information Management Preventive
    Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 Business Processes Preventive
    Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 Data and Information Management Preventive
    Update registration information upon changes. CC ID 17275
    [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1]
    Data and Information Management Preventive
    Maintain the accuracy of registry information published in registration databases. CC ID 16402 Data and Information Management Preventive
    Maintain ease of use for information in the registration database. CC ID 17239
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.]
    Data and Information Management Preventive
    Include all required information in the registration database. CC ID 15106
    [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c)
    As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e)
    {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2.
    {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2.
    As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b)
    {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.]
    Data and Information Management Preventive
  • Privacy protection for information and data
    105
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Notify the supervisory authority. CC ID 00472
    [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.
    Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.]
    Behavior Preventive
    Establish, implement, and maintain approval applications. CC ID 16778
    [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1]
    Establish/Maintain Documentation Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Business Processes Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Communicate Preventive
    Include required information in the approval application. CC ID 16628 Establish/Maintain Documentation Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Business Processes Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Process or Activity Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1]
    Process or Activity Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Communicate Preventive
    Respond to questions about submissions in a timely manner. CC ID 16930 Communicate Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675
    [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2]
    Communicate Corrective
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)]
    Establish/Maintain Documentation Preventive
    Allow data subjects to submit data requests. CC ID 16545 Process or Activity Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Data and Information Management Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to data access requests in a timely manner. CC ID 00421 Behavior Preventive
    Respond to data access requests in an official language. CC ID 17176 Communicate Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Data and Information Management Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Data and Information Management Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Business Processes Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Process or Activity Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Data and Information Management Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133
    [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Communicate Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Data and Information Management Preventive
    Review personal data disclosure requests. CC ID 07129 Data and Information Management Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Communicate Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2
    The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1]
    Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441
    [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)]
    Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600
    [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)]
    Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444
    [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)]
    Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Data and Information Management Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Data and Information Management Preventive
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Communicate Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Communicate Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Data and Information Management Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Data and Information Management Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Data and Information Management Preventive
    Provide data at a cost that is not excessive. CC ID 00430 Data and Information Management Preventive
    Provide records or data in a reasonable manner. CC ID 00431 Data and Information Management Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Data and Information Management Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Data and Information Management Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Data and Information Management Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Data and Information Management Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361
    [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360
    [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1.
    Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1
    The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)]
    Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Notify the public and other agencies after a penalty becomes final. CC ID 06217
    [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.]
    Behavior Preventive
Common Controls and
mandates by Type
76 Mandated Controls - bold    
49 Implied Controls - italic     805 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
930 Total
  • Actionable Reports or Measurements
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797
    [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1]
    Leadership and high level objectives Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)]
    Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Corrective
  • Audits and Risk Management
    70
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Manage supply chain audits. CC ID 01203 Audits and risk management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Preventive
    Rotate auditors, as necessary. CC ID 15589
    [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.]
    Audits and risk management Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Preventive
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Detective
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198
    [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)
    The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.
    The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5.
    Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Audits and risk management Preventive
    Define what constitutes a threat to independence. CC ID 16824
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)]
    Audits and risk management Preventive
    Determine if requested services create a threat to independence. CC ID 16823
    [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3.
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)
    Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)]
    Audits and risk management Detective
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Detective
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Preventive
    Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952
    [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2
    Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1
    Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1]
    Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1.
    Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.]
    Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Preventive
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Preventive
    Refrain from using audit evidence that is not sufficient. CC ID 17163 Audits and risk management Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Audits and risk management Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Detective
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966
    [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.]
    Audits and risk management Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Preventive
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Detective
    Include the cost of corrective action in the audit report. CC ID 17015 Audits and risk management Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and risk management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
  • Behavior
    34
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1
    If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1
    Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.
    Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2.
    {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)
    The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Monitoring and measurement Corrective
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Audits and risk management Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Preventive
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.]
    Human Resources management Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1]
    Human Resources management Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Preventive
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Preventive
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Corrective
    Conduct crime prevention training. CC ID 06350 Human Resources management Preventive
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Human Resources management Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781 Human Resources management Preventive
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Preventive
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Preventive
    Grant registration after competence and integrity is verified. CC ID 16802
    [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1
    {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2]
    Operational management Detective
    Notify the supervisory authority. CC ID 00472
    [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.
    Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.]
    Privacy protection for information and data Preventive
    Respond to data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the public and other agencies after a penalty becomes final. CC ID 06217
    [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.]
    Privacy protection for information and data Preventive
  • Business Processes
    40
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Preventive
    Enforce a continuous Quality Control system. CC ID 01005
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h)
    The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)]
    Leadership and high level objectives Detective
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Corrective
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Detective
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Detective
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Leadership and high level objectives Preventive
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Leadership and high level objectives Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Leadership and high level objectives Preventive
    Attach the required information to each funds transfer. CC ID 16756 Leadership and high level objectives Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Leadership and high level objectives Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Leadership and high level objectives Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Leadership and high level objectives Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Leadership and high level objectives Preventive
    Supplement financial resources, as necessary. CC ID 16685 Leadership and high level objectives Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Leadership and high level objectives Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Leadership and high level objectives Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Leadership and high level objectives Preventive
    Include investment information in approval requests for investments. CC ID 16590 Leadership and high level objectives Preventive
    Review and approve lending policies. CC ID 16607 Leadership and high level objectives Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Leadership and high level objectives Preventive
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Leadership and high level objectives Preventive
    Withdraw the approvals of auditors, as necessary. CC ID 17260
    [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1.
    Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2.
    Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.]
    Audits and risk management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Preventive
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Corrective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)]
    Human Resources management Preventive
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Corrective
    Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 Operational management Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Preventive
  • Communicate
    40
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain an external reporting program. CC ID 12876 Leadership and high level objectives Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923
    [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.]
    Leadership and high level objectives Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Leadership and high level objectives Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Leadership and high level objectives Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Leadership and high level objectives Preventive
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Leadership and high level objectives Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Leadership and high level objectives Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585
    [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.]
    Monitoring and measurement Preventive
    Publish a Statement of Compliance for the organization's external requirements. CC ID 12350
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)]
    Audits and risk management Preventive
    Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 Audits and risk management Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Preventive
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Preventive
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Preventive
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Preventive
    Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.]
    Audits and risk management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Preventive
    Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 Human Resources management Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Preventive
    Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)]
    Human Resources management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Human Resources management Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Preventive
    Make the registration database available to the public. CC ID 15107
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.]
    Operational management Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Preventive
    Respond to questions about submissions in a timely manner. CC ID 16930 Privacy protection for information and data Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675
    [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2]
    Privacy protection for information and data Corrective
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Preventive
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Privacy protection for information and data Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Preventive
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Preventive
  • Configuration
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
  • Data and Information Management
    75
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include valuation models in the margin system. CC ID 16663 Leadership and high level objectives Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Leadership and high level objectives Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Leadership and high level objectives Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Leadership and high level objectives Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Leadership and high level objectives Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Leadership and high level objectives Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Leadership and high level objectives Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Leadership and high level objectives Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Leadership and high level objectives Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Leadership and high level objectives Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Leadership and high level objectives Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Leadership and high level objectives Preventive
    Include account information In the recordkeeping system for securities transactions. CC ID 16632 Leadership and high level objectives Preventive
    Establish, implement, and maintain a registration database. CC ID 15048
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.
    Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1
    Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.]
    Operational management Preventive
    Implement access restrictions for information in the registration database. CC ID 17235 Operational management Preventive
    Include registration numbers in the registration database. CC ID 17272
    [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)]
    Operational management Preventive
    Include electronic signatures in the registration database. CC ID 17281
    [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1]
    Operational management Preventive
    Include other registrations in the registration database. CC ID 17274
    [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)]
    Operational management Preventive
    Include the owners and shareholders in the registration database. CC ID 17273
    [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)]
    Operational management Preventive
    Publish the registration information in the registration database in an official language. CC ID 17280
    [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1.
    Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1]
    Operational management Preventive
    Maintain non-public information in a protected area in the registration database. CC ID 17237 Operational management Preventive
    Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 Operational management Preventive
    Update registration information upon changes. CC ID 17275
    [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1]
    Operational management Preventive
    Maintain the accuracy of registry information published in registration databases. CC ID 16402 Operational management Preventive
    Maintain ease of use for information in the registration database. CC ID 17239
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.]
    Operational management Preventive
    Include all required information in the registration database. CC ID 15106
    [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c)
    As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e)
    {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2.
    {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2.
    As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b)
    {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.]
    Operational management Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Preventive
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441
    [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)]
    Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600
    [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)]
    Privacy protection for information and data Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444
    [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)]
    Privacy protection for information and data Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Privacy protection for information and data Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Preventive
    Provide data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Preventive
    Provide records or data in a reasonable manner. CC ID 00431 Privacy protection for information and data Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360
    [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1.
    Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1
    The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)]
    Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
  • Establish Roles
    15
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)]
    Audits and risk management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Audits and risk management Preventive
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Audits and risk management Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Preventive
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Audits and risk management Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683
    [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.]
    Audits and risk management Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1.
    {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.]
    Audits and risk management Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
  • Establish/Maintain Documentation
    473
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain communication protocols. CC ID 12245 Leadership and high level objectives Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Leadership and high level objectives Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Leadership and high level objectives Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management framework. CC ID 07196
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Leadership and high level objectives Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)]
    Leadership and high level objectives Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)
    {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)]
    Leadership and high level objectives Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Preventive
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Preventive
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Preventive
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Preventive
    Include resource management in the quality management system. CC ID 15026
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c)
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Leadership and high level objectives Preventive
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Preventive
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)]
    Leadership and high level objectives Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Preventive
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Preventive
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b)
    The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Leadership and high level objectives Preventive
    Include communication protocols in the financial management program. CC ID 16763 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Leadership and high level objectives Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642
    [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.]
    Leadership and high level objectives Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Leadership and high level objectives Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Leadership and high level objectives Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Leadership and high level objectives Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Leadership and high level objectives Preventive
    Identify and document the financial resources available for use. CC ID 16643 Leadership and high level objectives Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Leadership and high level objectives Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Leadership and high level objectives Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Leadership and high level objectives Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Leadership and high level objectives Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Leadership and high level objectives Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Leadership and high level objectives Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Leadership and high level objectives Preventive
    Include required information in the capital restoration plan. CC ID 16609 Leadership and high level objectives Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Leadership and high level objectives Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Leadership and high level objectives Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Leadership and high level objectives Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Leadership and high level objectives Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Leadership and high level objectives Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Leadership and high level objectives Preventive
    Include pricing structures in the lending policy. CC ID 16724 Leadership and high level objectives Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Leadership and high level objectives Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Leadership and high level objectives Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Leadership and high level objectives Preventive
    Include loan requirements in the lending policy. CC ID 16706 Leadership and high level objectives Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Leadership and high level objectives Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Leadership and high level objectives Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Leadership and high level objectives Preventive
    Include geographic areas in the lending policy. CC ID 16691 Leadership and high level objectives Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Leadership and high level objectives Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Leadership and high level objectives Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Leadership and high level objectives Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Leadership and high level objectives Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Leadership and high level objectives Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Leadership and high level objectives Preventive
    Include approval requirements in the lending policy. CC ID 16615 Leadership and high level objectives Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Leadership and high level objectives Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Leadership and high level objectives Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Leadership and high level objectives Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Leadership and high level objectives Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Leadership and high level objectives Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Leadership and high level objectives Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Leadership and high level objectives Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Leadership and high level objectives Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Leadership and high level objectives Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Leadership and high level objectives Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Leadership and high level objectives Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Leadership and high level objectives Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Leadership and high level objectives Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Leadership and high level objectives Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Leadership and high level objectives Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Leadership and high level objectives Preventive
    Include collections in the loan administration procedures. CC ID 16701 Leadership and high level objectives Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Leadership and high level objectives Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Leadership and high level objectives Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Leadership and high level objectives Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Leadership and high level objectives Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Leadership and high level objectives Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Leadership and high level objectives Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Leadership and high level objectives Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Leadership and high level objectives Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Leadership and high level objectives Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Leadership and high level objectives Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Leadership and high level objectives Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Leadership and high level objectives Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Leadership and high level objectives Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Leadership and high level objectives Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Leadership and high level objectives Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Leadership and high level objectives Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Leadership and high level objectives Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Leadership and high level objectives Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Leadership and high level objectives Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Leadership and high level objectives Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Leadership and high level objectives Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Leadership and high level objectives Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Leadership and high level objectives Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Leadership and high level objectives Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Leadership and high level objectives Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Leadership and high level objectives Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Leadership and high level objectives Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Leadership and high level objectives Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Leadership and high level objectives Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Leadership and high level objectives Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial reports. CC ID 14770
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)]
    Leadership and high level objectives Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Preventive
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Preventive
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Preventive
    Establish, implement, and maintain a Statement of Compliance. CC ID 12499 Audits and risk management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Audits and risk management Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Audits and risk management Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Audits and risk management Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Audits and risk management Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Audits and risk management Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Audits and risk management Preventive
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Audits and risk management Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Audits and risk management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Audits and risk management Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Audits and risk management Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Audits and risk management Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Audits and risk management Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)]
    Audits and risk management Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Preventive
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Preventive
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Preventive
    Include facility locations in the audit assertion's in scope system description. CC ID 17261 Audits and risk management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Audits and risk management Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Preventive
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Audits and risk management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Preventive
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Audits and risk management Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Corrective
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Audits and risk management Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180
    [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)]
    Audits and risk management Preventive
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Preventive
    Establish and maintain work papers, as necessary. CC ID 13891
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)
    The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)]
    Audits and risk management Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Preventive
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Preventive
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Preventive
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Preventive
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Detective
    Include the purpose in the audit report. CC ID 17263 Audits and risk management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Preventive
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Preventive
    Include written agreements in the audit report. CC ID 17266 Audits and risk management Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Preventive
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Preventive
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Preventive
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Detective
    Review past audit reports. CC ID 01155
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)]
    Audits and risk management Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Detective
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Corrective
    Include the results of the business impact analysis in the audit report. CC ID 17208 Audits and risk management Preventive
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Preventive
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Preventive
    Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 Audits and risk management Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Corrective
    Include the written signature of the auditor's organization in the audit report. CC ID 13897
    [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.]
    Audits and risk management Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Detective
    Accept the audit report. CC ID 07025 Audits and risk management Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Corrective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963
    [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1
    Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.]
    Audits and risk management Preventive
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Preventive
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Preventive
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Audits and risk management Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Detective
    Establish, implement, and maintain a disclosure report. CC ID 15521
    [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.]
    Audits and risk management Preventive
    Include goals and targets in the disclosure report. CC ID 16339
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)]
    Audits and risk management Preventive
    Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 Audits and risk management Preventive
    Include a description of assurance processes in the disclosure report. CC ID 16031
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)]
    Audits and risk management Preventive
    Include how material topics are managed in the disclosure report. CC ID 15657 Audits and risk management Preventive
    Include disclosures for each material topic in the disclosure report. CC ID 15658 Audits and risk management Preventive
    Include a description of how the organization manages training and education in the disclosure report. CC ID 15875
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)]
    Audits and risk management Preventive
    Include a description of professional development programs in the disclosure report. CC ID 15880 Audits and risk management Preventive
    Include a description of professional development assistance in the disclosure report. CC ID 15879 Audits and risk management Preventive
    Include a description of transition assistance programs in the disclosure report. CC ID 15878 Audits and risk management Preventive
    Include the governance structure in the disclosure report. CC ID 15840
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)]
    Audits and risk management Preventive
    Include stakeholder representation in the disclosure report. CC ID 15847 Audits and risk management Preventive
    Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 Audits and risk management Preventive
    Include the ownership structure in the disclosure report. CC ID 15822
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)]
    Audits and risk management Preventive
    Include the shareholding structure in the disclosure report. CC ID 16093 Audits and risk management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Preventive
    Document the security clearance procedure results. CC ID 01635 Human Resources management Detective
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Preventive
    Document all training in a training record. CC ID 01423 Human Resources management Detective
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Preventive
    Document security awareness requirements. CC ID 12146 Human Resources management Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Preventive
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Preventive
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Preventive
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Preventive
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Preventive
    Establish, implement, and maintain a conflict of interest policy. CC ID 14785
    [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e)
    The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.]
    Human Resources management Preventive
    Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 Human Resources management Preventive
    Include roles and responsibilities in the conflict of interest policy. CC ID 14790 Human Resources management Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Preventive
    Include contact details in the registration database. CC ID 15109
    [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3.
    As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)
    As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c)
    As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c)
    As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d)
    As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g)
    As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)]
    Operational management Preventive
    Include personal data in the registration database, as necessary. CC ID 15108 Operational management Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Establish, implement, and maintain approval applications. CC ID 16778
    [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1]
    Privacy protection for information and data Preventive
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)]
    Privacy protection for information and data Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133
    [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2
    The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1]
    Privacy protection for information and data Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361
    [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.]
    Privacy protection for information and data Preventive
    Structure the language of compliance documents. CC ID 06098 Harmonization Methods and Manual of Style Preventive
    Standardize word usage. CC ID 06104 Harmonization Methods and Manual of Style Preventive
    Write policies and instructions using clear and conspicuous language. CC ID 16286
    [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.]
    Harmonization Methods and Manual of Style Preventive
  • Human Resources Management
    34
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Monitoring and measurement Preventive
    Define the qualification requirements for auditors. CC ID 17259
    [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a)
    Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3.
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b)
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c)
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d)
    {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1
    Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1
    A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a)
    A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b)
    The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1
    In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.
    Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.
    Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.]
    Audits and risk management Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396 Audits and risk management Corrective
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Preventive
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Detective
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Preventive
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Preventive
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Detective
    Define and assign board committees, as necessary. CC ID 14787 Human Resources management Preventive
    Define and assign audit committees, as necessary. CC ID 14788
    [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1
    Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1]
    Human Resources management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796
    [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1]
    Human Resources management Preventive
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Detective
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources management Preventive
    Support certification programs as viable training programs. CC ID 13268
    [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.]
    Human Resources management Preventive
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Preventive
    Include ethical culture in the security awareness program. CC ID 12801 Human Resources management Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Preventive
    Establish, implement, and maintain an ethics program. CC ID 11496
    [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1.
    The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)]
    Human Resources management Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 Human Resources management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Preventive
  • IT Impact Zone
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Harmonization Methods and Manual of Style CC ID 06095 Harmonization Methods and Manual of Style IT Impact Zone
  • Investigate
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Leadership and high level objectives Detective
    Determine the amount of assets to be held in escrow. CC ID 16575 Leadership and high level objectives Detective
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Detective
    Audit information systems, as necessary. CC ID 13010 Audits and risk management Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Detective
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Detective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Detective
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Preventive
  • Log Management
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Detective
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
  • Monitor and Evaluate Occurrences
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Leadership and high level objectives Preventive
    Monitor the performance of the margin system. CC ID 16655 Leadership and high level objectives Detective
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Detective
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Detective
    Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 Human Resources management Preventive
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Human Resources management Preventive
  • Process or Activity
    32
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Request extensions for submissions to governing bodies, as necessary. CC ID 16955 Leadership and high level objectives Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Leadership and high level objectives Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Leadership and high level objectives Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Leadership and high level objectives Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Leadership and high level objectives Detective
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Leadership and high level objectives Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Leadership and high level objectives Preventive
    Assess the properties of the margin model used in the margin system. CC ID 16658 Leadership and high level objectives Detective
    Analyze the performance of the margin system. CC ID 16654 Leadership and high level objectives Detective
    Mitigate the threats to an auditor's independence. CC ID 17282
    [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1
    Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3.
    {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1
    In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)]
    Audits and risk management Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Preventive
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Preventive
    Identify interviewees. CC ID 16290 Audits and risk management Preventive
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Detective
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Detective
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Corrective
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Detective
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1]
    Privacy protection for information and data Preventive
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Preventive
  • Records Management
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Preventive
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Corrective
  • Systems Design, Build, and Implementation
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)]
    Leadership and high level objectives Preventive
  • Technical Security
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Preventive
  • Testing
    31
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Detective
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Leadership and high level objectives Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Leadership and high level objectives Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Leadership and high level objectives Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Leadership and high level objectives Preventive
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Leadership and high level objectives Preventive
    Validate the margin system on a regular basis. CC ID 16660 Leadership and high level objectives Detective
    Report audit findings to interested personnel and affected parties. CC ID 01152
    [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.]
    Audits and risk management Detective
    Review the external audit assertion for accuracy. CC ID 06977 Audits and risk management Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Audits and risk management Detective
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Preventive
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Detective
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Detective
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Detective
    Determine the implementation status of in scope controls. CC ID 06981 Audits and risk management Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Audits and risk management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Detective
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Audits and risk management Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Preventive
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Audits and risk management Detective
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Detective
    Submit an audit report that is complete. CC ID 01145
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Audits and risk management Detective
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Audits and risk management Detective
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Detective
    Determine the effectiveness of risk control measures. CC ID 06601
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Audits and risk management Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d)
    The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.]
    Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Conduct tests and evaluate training. CC ID 06672
    [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.]
    Human Resources management Detective
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Detective
  • Training
    37
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Provide new hires limited network access to complete computer-based training. CC ID 17008 Human Resources management Preventive
    Submit applications for professional certification. CC ID 16192 Human Resources management Preventive
    Approve training plans, as necessary. CC ID 17193 Human Resources management Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Detective
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Preventive
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Human Resources management Preventive
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Preventive
    Include insider threats in the security awareness program. CC ID 16963 Human Resources management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Preventive
    Include risk management in the security awareness program. CC ID 13040 Human Resources management Preventive
    Conduct personal data processing training. CC ID 13757 Human Resources management Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Preventive
    Include cloud security in the security awareness program. CC ID 13039 Human Resources management Preventive
    Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 Human Resources management Preventive
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Preventive
    Include identity and access management in the security awareness program. CC ID 17013 Human Resources management Preventive
    Include the encryption process in the security awareness program. CC ID 17014 Human Resources management Preventive
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Preventive
    Include data management in the security awareness program. CC ID 17010 Human Resources management Preventive
    Include e-mail and electronic messaging in the security awareness program. CC ID 17012 Human Resources management Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Preventive
    Include social networking in the security awareness program. CC ID 17011 Human Resources management Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Preventive
    Conduct tampering prevention training. CC ID 11875 Human Resources management Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Preventive
Common Controls and
mandates by Classification
76 Mandated Controls - bold    
49 Implied Controls - italic     805 Implementation

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
930 Total
  • Corrective
    16
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Correct errors and deficiencies in a timely manner. CC ID 13501 Leadership and high level objectives Business Processes
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1
    If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1
    Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.
    Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2.
    {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)
    The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Monitoring and measurement Behavior
    Assign the Board of Directors to address audit findings. CC ID 12396 Audits and risk management Human Resources Management
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Establish/Maintain Documentation
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Process or Activity
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Audits and Risk Management
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Establish/Maintain Documentation
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Establish/Maintain Documentation
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Business Processes
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Establish/Maintain Documentation
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Establish/Maintain Documentation
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Actionable Reports or Measurements
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Behavior
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Business Processes
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675
    [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2]
    Privacy protection for information and data Communicate
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Records Management
  • Detective
    94
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Enforce a continuous Quality Control system. CC ID 01005
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h)
    The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)]
    Leadership and high level objectives Business Processes
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Testing
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Business Processes
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Business Processes
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Leadership and high level objectives Investigate
    Verify all required information is attached to each funds transfer. CC ID 16755 Leadership and high level objectives Business Processes
    Analyze the effectiveness of the stress test plan. CC ID 16657 Leadership and high level objectives Process or Activity
    Validate the margin system on a regular basis. CC ID 16660 Leadership and high level objectives Testing
    Assess the properties of the margin model used in the margin system. CC ID 16658 Leadership and high level objectives Process or Activity
    Monitor the performance of the margin system. CC ID 16655 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the performance of the margin system. CC ID 16654 Leadership and high level objectives Process or Activity
    Determine the amount of assets to be held in escrow. CC ID 16575 Leadership and high level objectives Investigate
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Monitor and Evaluate Occurrences
    Report audit findings to interested personnel and affected parties. CC ID 01152
    [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.]
    Audits and risk management Testing
    Review the external audit assertion for accuracy. CC ID 06977 Audits and risk management Testing
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Audits and risk management Testing
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Audits and Risk Management
    Determine if requested services create a threat to independence. CC ID 16823
    [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3.
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)
    Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)]
    Audits and risk management Audits and Risk Management
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Audits and Risk Management
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Audits and Risk Management
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Establish/Maintain Documentation
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952
    [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2
    Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1
    Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1]
    Audits and risk management Audits and Risk Management
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Audits and Risk Management
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Audits and Risk Management
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Investigate
    Audit information systems, as necessary. CC ID 13010 Audits and risk management Investigate
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Investigate
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Testing
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Testing
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Audits and Risk Management
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Process or Activity
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Testing
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Process or Activity
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Testing
    Determine the implementation status of in scope controls. CC ID 06981 Audits and risk management Testing
    Determine the effectiveness of in scope controls. CC ID 06984
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Audits and risk management Testing
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Audits and Risk Management
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Audits and risk management Audits and Risk Management
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Audits and Risk Management
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Audits and Risk Management
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Audits and Risk Management
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Audits and Risk Management
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Audits and Risk Management
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Testing
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Testing
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Behavior
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Process or Activity
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Process or Activity
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Process or Activity
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Behavior
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Audits and Risk Management
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Audits and risk management Testing
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Testing
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Audits and Risk Management
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Investigate
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Establish/Maintain Documentation
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Human Resources Management
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Audits and Risk Management
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Audits and Risk Management
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Establish/Maintain Documentation
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Audits and Risk Management
    Review past audit reports. CC ID 01155
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)]
    Audits and risk management Establish/Maintain Documentation
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Establish/Maintain Documentation
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Establish/Maintain Documentation
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Investigate
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Process or Activity
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Log Management
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Establish/Maintain Documentation
    Submit an audit report that is complete. CC ID 01145
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Audits and risk management Testing
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and risk management Audits and Risk Management
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Audits and risk management Testing
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Human Resources Management
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Testing
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Establish/Maintain Documentation
    Determine the effectiveness of risk control measures. CC ID 06601
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)]
    Audits and risk management Testing
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d)
    The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.]
    Human Resources management Testing
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Human Resources Management
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Human Resources Management
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Establish/Maintain Documentation
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Human Resources Management
    Document the security clearance procedure results. CC ID 01635 Human Resources management Establish/Maintain Documentation
    Document all training in a training record. CC ID 01423 Human Resources management Establish/Maintain Documentation
    Conduct tests and evaluate training. CC ID 06672
    [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.]
    Human Resources management Testing
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Training
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Training
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Monitor and Evaluate Occurrences
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Monitor and Evaluate Occurrences
    Grant registration after competence and integrity is verified. CC ID 16802
    [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1
    {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2]
    Operational management Behavior
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Behavior
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Behavior
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Data and Information Management
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Testing
  • IT Impact Zone
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Harmonization Methods and Manual of Style CC ID 06095 Harmonization Methods and Manual of Style IT Impact Zone
  • Preventive
    813
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Business Processes
    Establish, implement, and maintain communication protocols. CC ID 12245 Leadership and high level objectives Establish/Maintain Documentation
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797
    [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1]
    Leadership and high level objectives Actionable Reports or Measurements
    Establish, implement, and maintain an external reporting program. CC ID 12876 Leadership and high level objectives Communicate
    Include reporting to governing bodies in the external reporting plan. CC ID 12923
    [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.]
    Leadership and high level objectives Communicate
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Leadership and high level objectives Communicate
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Leadership and high level objectives Establish/Maintain Documentation
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Leadership and high level objectives Establish/Maintain Documentation
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Leadership and high level objectives Establish/Maintain Documentation
    Request extensions for submissions to governing bodies, as necessary. CC ID 16955 Leadership and high level objectives Process or Activity
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain a Quality Management framework. CC ID 07196
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Leadership and high level objectives Establish/Maintain Documentation
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Establish/Maintain Documentation
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Communicate
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Communicate
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Establish/Maintain Documentation
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)
    {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Communicate
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Communicate
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Establish/Maintain Documentation
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Establish/Maintain Documentation
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Establish/Maintain Documentation
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Establish/Maintain Documentation
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Establish/Maintain Documentation
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Systems Design, Build, and Implementation
    Include resource management in the quality management system. CC ID 15026
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c)
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Establish/Maintain Documentation
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Establish/Maintain Documentation
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Establish/Maintain Documentation
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Establish/Maintain Documentation
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Establish/Maintain Documentation
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Establish/Maintain Documentation
    Include an issue tracking system in the Quality Management program. CC ID 06824
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)]
    Leadership and high level objectives Systems Design, Build, and Implementation
    Establish, implement, and maintain a financial management program. CC ID 13228
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b)
    The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Leadership and high level objectives Establish/Maintain Documentation
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Leadership and high level objectives Communicate
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Leadership and high level objectives Business Processes
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Leadership and high level objectives Business Processes
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Leadership and high level objectives Business Processes
    Attach the required information to each funds transfer. CC ID 16756 Leadership and high level objectives Business Processes
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Leadership and high level objectives Business Processes
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Leadership and high level objectives Testing
    Include communication protocols in the financial management program. CC ID 16763 Leadership and high level objectives Establish/Maintain Documentation
    Include ongoing monitoring in the financial management program. CC ID 16762 Leadership and high level objectives Process or Activity
    Employ tools to manage settlement and funding flows. CC ID 16743 Leadership and high level objectives Process or Activity
    Refrain from setting up anonymous financial accounts. CC ID 16721 Leadership and high level objectives Business Processes
    Identify and maintain positions in financial accounts. CC ID 16751 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Leadership and high level objectives Establish/Maintain Documentation
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain financial resource management procedures. CC ID 16642
    [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.]
    Leadership and high level objectives Establish/Maintain Documentation
    Document the rationale for the amount of financial resources being held. CC ID 16688 Leadership and high level objectives Establish/Maintain Documentation
    Supplement financial resources, as necessary. CC ID 16685 Leadership and high level objectives Business Processes
    Establish, implement, and maintain collateral procedures. CC ID 16653 Leadership and high level objectives Establish/Maintain Documentation
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Leadership and high level objectives Establish/Maintain Documentation
    Define the collateral requirements in the collateral procedures. CC ID 16686 Leadership and high level objectives Establish/Maintain Documentation
    Test the collateral requirements for appropriateness. CC ID 16681 Leadership and high level objectives Testing
    Limit the types of assets accepted as collateral. CC ID 16602 Leadership and high level objectives Business Processes
    Avoid the use of concentrated holdings of assets. CC ID 16651 Leadership and high level objectives Business Processes
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Leadership and high level objectives Testing
    Include stress scenarios in the stress test plan. CC ID 16659 Leadership and high level objectives Testing
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Leadership and high level objectives Testing
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Leadership and high level objectives Communicate
    Identify and document the financial resources available for use. CC ID 16643 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Leadership and high level objectives Establish/Maintain Documentation
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a securities trading program. CC ID 16626 Leadership and high level objectives Business Processes
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the securities trading program. CC ID 16689 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Leadership and high level objectives Establish/Maintain Documentation
    Include performance guarantees in the capital restoration plan. CC ID 16616 Leadership and high level objectives Establish/Maintain Documentation
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Leadership and high level objectives Establish/Maintain Documentation
    Include required information in the capital restoration plan. CC ID 16609 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain valuation procedures. CC ID 16634 Leadership and high level objectives Establish/Maintain Documentation
    Include investment information in approval requests for investments. CC ID 16590 Leadership and high level objectives Business Processes
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain lending policies. CC ID 16608 Leadership and high level objectives Establish/Maintain Documentation
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Leadership and high level objectives Process or Activity
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Leadership and high level objectives Establish/Maintain Documentation
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Leadership and high level objectives Establish/Maintain Documentation
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Leadership and high level objectives Establish/Maintain Documentation
    Include pricing structures in the lending policy. CC ID 16724 Leadership and high level objectives Establish/Maintain Documentation
    Include monitoring requirements in the lending policy. CC ID 16710 Leadership and high level objectives Establish/Maintain Documentation
    Include loan origination procedures in the lending policy. CC ID 16709 Leadership and high level objectives Establish/Maintain Documentation
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Leadership and high level objectives Establish/Maintain Documentation
    Include loan requirements in the lending policy. CC ID 16706 Leadership and high level objectives Establish/Maintain Documentation
    Include appraisals and evaluations in the lending policy. CC ID 16705 Leadership and high level objectives Establish/Maintain Documentation
    Include terms and conditions in the lending policy. CC ID 16695 Leadership and high level objectives Establish/Maintain Documentation
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Leadership and high level objectives Establish/Maintain Documentation
    Include geographic areas in the lending policy. CC ID 16691 Leadership and high level objectives Establish/Maintain Documentation
    Include underwriting guidelines in the lending policy. CC ID 16619 Leadership and high level objectives Establish/Maintain Documentation
    Include credit review in the underwriting guidelines. CC ID 16765 Leadership and high level objectives Establish/Maintain Documentation
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Leadership and high level objectives Establish/Maintain Documentation
    Include documentation requirements in the lending policy. CC ID 16617 Leadership and high level objectives Establish/Maintain Documentation
    Include the purpose of the loan in the loan documentation. CC ID 16747 Leadership and high level objectives Establish/Maintain Documentation
    Include the source of repayment in the loan documentation. CC ID 16746 Leadership and high level objectives Establish/Maintain Documentation
    Include approval requirements in the lending policy. CC ID 16615 Leadership and high level objectives Establish/Maintain Documentation
    Include reporting requirements in the lending policy. CC ID 16614 Leadership and high level objectives Establish/Maintain Documentation
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Leadership and high level objectives Establish/Maintain Documentation
    Include loan administration procedures in the lending policy. CC ID 16610 Leadership and high level objectives Establish/Maintain Documentation
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Leadership and high level objectives Establish/Maintain Documentation
    Include termination procedures in the loan participation agreement. CC ID 16753 Leadership and high level objectives Establish/Maintain Documentation
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Leadership and high level objectives Establish/Maintain Documentation
    Include servicing agreements in the loan administration procedures. CC ID 16744 Leadership and high level objectives Establish/Maintain Documentation
    Include claims processing in the loan administration procedures. CC ID 16742 Leadership and high level objectives Establish/Maintain Documentation
    Include forbearance management in the loan administration procedures. CC ID 16741 Leadership and high level objectives Establish/Maintain Documentation
    Include foreclosure management in the loan administration procedures. CC ID 16740 Leadership and high level objectives Establish/Maintain Documentation
    Include delinquency management in the loan administration procedures. CC ID 16739 Leadership and high level objectives Establish/Maintain Documentation
    Include customer due diligence in the loan administration procedures. CC ID 16736 Leadership and high level objectives Process or Activity
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Leadership and high level objectives Establish/Maintain Documentation
    Include loan closing in the loan administration procedures. CC ID 16734 Leadership and high level objectives Establish/Maintain Documentation
    Include payoff statements in the loan administration procedures. CC ID 16733 Leadership and high level objectives Establish/Maintain Documentation
    Include payment processing in the loan administration procedures. CC ID 16732 Leadership and high level objectives Establish/Maintain Documentation
    Include loan reviews in the loan administration procedures. CC ID 16703 Leadership and high level objectives Establish/Maintain Documentation
    Include collections in the loan administration procedures. CC ID 16701 Leadership and high level objectives Establish/Maintain Documentation
    Include collateral inspections in the loan administration procedures. CC ID 16699 Leadership and high level objectives Establish/Maintain Documentation
    Include disbursements in the loan administration procedures. CC ID 16697 Leadership and high level objectives Establish/Maintain Documentation
    Review and approve lending policies. CC ID 16607 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a dividend policy. CC ID 16569 Leadership and high level objectives Establish/Maintain Documentation
    Include compliance requirements in the dividend policy. CC ID 16570 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain margin systems. CC ID 16601 Leadership and high level objectives Business Processes
    Include valuation models in the margin system. CC ID 16663 Leadership and high level objectives Data and Information Management
    Include procedures for collecting price data in the margin system. CC ID 16662 Leadership and high level objectives Data and Information Management
    Include reliable sources for price data in the margin system. CC ID 16661 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Leadership and high level objectives Business Processes
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Leadership and high level objectives Establish/Maintain Documentation
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Leadership and high level objectives Establish/Maintain Documentation
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Leadership and high level objectives Establish/Maintain Documentation
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Leadership and high level objectives Data and Information Management
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Leadership and high level objectives Data and Information Management
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Leadership and high level objectives Data and Information Management
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Leadership and high level objectives Data and Information Management
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Leadership and high level objectives Data and Information Management
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Leadership and high level objectives Data and Information Management
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Leadership and high level objectives Data and Information Management
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Leadership and high level objectives Data and Information Management
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Leadership and high level objectives Data and Information Management
    Include account information In the recordkeeping system for securities transactions. CC ID 16632 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Leadership and high level objectives Establish/Maintain Documentation
    Include the call date in the securities transaction notification. CC ID 16680 Leadership and high level objectives Establish/Maintain Documentation
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Leadership and high level objectives Establish/Maintain Documentation
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Leadership and high level objectives Establish/Maintain Documentation
    Include the call price in the securities transaction notification. CC ID 16678 Leadership and high level objectives Establish/Maintain Documentation
    Include debits and credits in the securities transaction notification. CC ID 16677 Leadership and high level objectives Establish/Maintain Documentation
    Include transactions in the securities transaction notification. CC ID 16676 Leadership and high level objectives Establish/Maintain Documentation
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Leadership and high level objectives Establish/Maintain Documentation
    Include yield information in the securities transaction notification. CC ID 16673 Leadership and high level objectives Establish/Maintain Documentation
    Include redemption information in the securities transaction notification. CC ID 16672 Leadership and high level objectives Establish/Maintain Documentation
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Leadership and high level objectives Establish/Maintain Documentation
    Include the type of call in the securities transaction notification. CC ID 16668 Leadership and high level objectives Establish/Maintain Documentation
    Include an account statement in the securities transaction notification. CC ID 16666 Leadership and high level objectives Establish/Maintain Documentation
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Leadership and high level objectives Establish/Maintain Documentation
    Include the execution price in the securities transaction notification. CC ID 16664 Leadership and high level objectives Establish/Maintain Documentation
    Include the organization's role in the securities transaction notification. CC ID 16646 Leadership and high level objectives Establish/Maintain Documentation
    Include the name of the broker in the securities transaction notification. CC ID 16647 Leadership and high level objectives Establish/Maintain Documentation
    Include the name of the customer in the securities transaction notification. CC ID 16625 Leadership and high level objectives Establish/Maintain Documentation
    Include the organization's name in the securities transaction notification. CC ID 16624 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmations in the securities transaction notification. CC ID 16623 Leadership and high level objectives Establish/Maintain Documentation
    Include remunerations in the securities transaction notification. CC ID 16622 Leadership and high level objectives Establish/Maintain Documentation
    Include requested information in the securities transaction notification. CC ID 16641 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Leadership and high level objectives Communicate
    Include the execution date in the securities transaction notification. CC ID 16620 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain financial reports. CC ID 14770
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Establish/Maintain Documentation
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Establish/Maintain Documentation
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Communicate
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Establish/Maintain Documentation
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Establish/Maintain Documentation
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Establish/Maintain Documentation
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Establish/Maintain Documentation
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Establish/Maintain Documentation
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Establish/Maintain Documentation
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Communicate
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Establish/Maintain Documentation
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Establish/Maintain Documentation
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Establish/Maintain Documentation
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Establish/Maintain Documentation
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Establish/Maintain Documentation
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Establish/Maintain Documentation
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585
    [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.]
    Monitoring and measurement Communicate
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Establish/Maintain Documentation
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Establish/Maintain Documentation
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Establish/Maintain Documentation
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Establish/Maintain Documentation
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Establish/Maintain Documentation
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a Statement of Compliance. CC ID 12499 Audits and risk management Establish/Maintain Documentation
    Publish a Statement of Compliance for the organization's external requirements. CC ID 12350
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)]
    Audits and risk management Communicate
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)]
    Audits and risk management Establish Roles
    Manage supply chain audits. CC ID 01203 Audits and risk management Audits and Risk Management
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Audits and Risk Management
    Rotate auditors, as necessary. CC ID 15589
    [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.]
    Audits and risk management Audits and Risk Management
    Withdraw the approvals of auditors, as necessary. CC ID 17260
    [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1.
    Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2.
    Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.]
    Audits and risk management Business Processes
    Define the qualification requirements for auditors. CC ID 17259
    [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a)
    Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3.
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b)
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c)
    The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d)
    {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1
    Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1
    A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a)
    A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b)
    The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1
    In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.
    Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.
    Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.]
    Audits and risk management Human Resources Management
    Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 Audits and risk management Communicate
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Audits and risk management Establish Roles
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Audits and risk management Establish Roles
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Establish Roles
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Establish Roles
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Establish Roles
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Audits and risk management Establish Roles
    Define and assign the external auditor's roles and responsibilities. CC ID 00683
    [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.]
    Audits and risk management Establish Roles
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Audits and Risk Management
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Establish/Maintain Documentation
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Establish/Maintain Documentation
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Audits and risk management Establish/Maintain Documentation
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Audits and risk management Establish/Maintain Documentation
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Audits and risk management Establish/Maintain Documentation
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Audits and risk management Establish/Maintain Documentation
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Audits and Risk Management
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Establish/Maintain Documentation
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Audits and risk management Establish/Maintain Documentation
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Audits and risk management Establish/Maintain Documentation
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Audits and Risk Management
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198
    [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)
    The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.
    The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5.
    Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.
    {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.]
    Audits and risk management Audits and Risk Management
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Audits and risk management Establish/Maintain Documentation
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Audits and risk management Establish/Maintain Documentation
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Behavior
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Behavior
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Audits and risk management Establish/Maintain Documentation
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an audit program. CC ID 00684
    [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Establish/Maintain Documentation
    Assign the audit to impartial auditors. CC ID 07118
    [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1.
    {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.]
    Audits and risk management Establish Roles
    Define what constitutes a threat to independence. CC ID 16824
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)]
    Audits and risk management Audits and Risk Management
    Mitigate the threats to an auditor's independence. CC ID 17282
    [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1
    Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3.
    {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1
    In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)]
    Audits and risk management Process or Activity
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Audits and risk management Behavior
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit program. CC ID 15236 Audits and risk management Establish/Maintain Documentation
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Audits and Risk Management
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Establish/Maintain Documentation
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Process or Activity
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Establish/Maintain Documentation
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Establish/Maintain Documentation
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Audits and Risk Management
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Audits and Risk Management
    Include facility locations in the audit assertion's in scope system description. CC ID 17261 Audits and risk management Establish/Maintain Documentation
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Audits and Risk Management
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Audits and Risk Management
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Audits and Risk Management
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Audits and Risk Management
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Establish/Maintain Documentation
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Establish/Maintain Documentation
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Establish/Maintain Documentation
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Audits and Risk Management
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Establish/Maintain Documentation
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Establish/Maintain Documentation
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Audits and risk management Establish/Maintain Documentation
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Establish/Maintain Documentation
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Establish/Maintain Documentation
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Establish/Maintain Documentation
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Establish/Maintain Documentation
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Establish/Maintain Documentation
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Establish/Maintain Documentation
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Establish/Maintain Documentation
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Establish/Maintain Documentation
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Establish/Maintain Documentation
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Establish/Maintain Documentation
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Establish/Maintain Documentation
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Establish/Maintain Documentation
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Establish/Maintain Documentation
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Establish/Maintain Documentation
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Establish/Maintain Documentation
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Establish/Maintain Documentation
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Establish/Maintain Documentation
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Establish/Maintain Documentation
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Establish/Maintain Documentation
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Audits and Risk Management
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Business Processes
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Audits and Risk Management
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Audits and risk management Establish/Maintain Documentation
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Establish/Maintain Documentation
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Investigate
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Establish/Maintain Documentation
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Establish/Maintain Documentation
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Establish/Maintain Documentation
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Audits and Risk Management
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Establish/Maintain Documentation
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Audits and Risk Management
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Establish/Maintain Documentation
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Establish/Maintain Documentation
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Establish/Maintain Documentation
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Audits and Risk Management
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Establish/Maintain Documentation
    Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 Audits and risk management Audits and Risk Management
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Establish/Maintain Documentation
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Establish/Maintain Documentation
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Establish/Maintain Documentation
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Establish/Maintain Documentation
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Establish/Maintain Documentation
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Establish/Maintain Documentation
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Establish/Maintain Documentation
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Establish/Maintain Documentation
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Establish/Maintain Documentation
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Establish/Maintain Documentation
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Establish/Maintain Documentation
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Establish/Maintain Documentation
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Establish/Maintain Documentation
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Establish/Maintain Documentation
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Establish/Maintain Documentation
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Establish/Maintain Documentation
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Establish/Maintain Documentation
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Establish/Maintain Documentation
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Establish/Maintain Documentation
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Establish/Maintain Documentation
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Establish/Maintain Documentation
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Establish/Maintain Documentation
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Establish/Maintain Documentation
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Establish/Maintain Documentation
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Establish/Maintain Documentation
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Communicate
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Establish/Maintain Documentation
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Establish/Maintain Documentation
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Audits and risk management Establish/Maintain Documentation
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Establish/Maintain Documentation
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Communicate
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Establish/Maintain Documentation
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Audits and risk management Establish/Maintain Documentation
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Establish/Maintain Documentation
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Behavior
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Audits and Risk Management
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730
    [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1.
    Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.]
    Audits and risk management Audits and Risk Management
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Audits and risk management Actionable Reports or Measurements
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Establish/Maintain Documentation
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Establish/Maintain Documentation
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180
    [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d)
    Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d)
    In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)]
    Audits and risk management Establish/Maintain Documentation
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Records Management
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Testing
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Audits and Risk Management
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Establish/Maintain Documentation
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Establish/Maintain Documentation
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Process or Activity
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Establish/Maintain Documentation
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Audits and risk management Testing
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Audits and Risk Management
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Audits and Risk Management
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Audits and Risk Management
    Refrain from using audit evidence that is not sufficient. CC ID 17163 Audits and risk management Audits and Risk Management
    Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 Audits and risk management Communicate
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Testing
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Human Resources Management
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Process or Activity
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Process or Activity
    Identify interviewees. CC ID 16290 Audits and risk management Process or Activity
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Process or Activity
    Establish and maintain work papers, as necessary. CC ID 13891
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)
    The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)]
    Audits and risk management Establish/Maintain Documentation
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Establish/Maintain Documentation
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Establish/Maintain Documentation
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Establish/Maintain Documentation
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Establish/Maintain Documentation
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Establish/Maintain Documentation
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518
    [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)]
    Audits and risk management Audits and Risk Management
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Establish/Maintain Documentation
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Establish/Maintain Documentation
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Establish/Maintain Documentation
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Establish/Maintain Documentation
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Audits and Risk Management
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Establish/Maintain Documentation
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Establish/Maintain Documentation
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Monitor and Evaluate Occurrences
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Establish Roles
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Business Processes
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Monitor and Evaluate Occurrences
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Business Processes
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Process or Activity
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Establish/Maintain Documentation
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966
    [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.]
    Audits and risk management Audits and Risk Management
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Business Processes
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Audits and Risk Management
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Establish/Maintain Documentation
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Establish/Maintain Documentation
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the audit report. CC ID 17263 Audits and risk management Establish/Maintain Documentation
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Audits and Risk Management
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Establish/Maintain Documentation
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Establish/Maintain Documentation
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Establish/Maintain Documentation
    Include written agreements in the audit report. CC ID 17266 Audits and risk management Establish/Maintain Documentation
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Establish/Maintain Documentation
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Establish/Maintain Documentation
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Establish/Maintain Documentation
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Establish/Maintain Documentation
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Establish/Maintain Documentation
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Establish/Maintain Documentation
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Establish/Maintain Documentation
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Establish/Maintain Documentation
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Establish/Maintain Documentation
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Actionable Reports or Measurements
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Actionable Reports or Measurements
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)]
    Audits and risk management Actionable Reports or Measurements
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Establish/Maintain Documentation
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Establish/Maintain Documentation
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Establish/Maintain Documentation
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Establish/Maintain Documentation
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Actionable Reports or Measurements
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Establish/Maintain Documentation
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Establish/Maintain Documentation
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Establish/Maintain Documentation
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Establish/Maintain Documentation
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Establish/Maintain Documentation
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Establish/Maintain Documentation
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Establish/Maintain Documentation
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Establish/Maintain Documentation
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Establish/Maintain Documentation
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Establish/Maintain Documentation
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Establish/Maintain Documentation
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Establish/Maintain Documentation
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Establish/Maintain Documentation
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Establish/Maintain Documentation
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Establish/Maintain Documentation
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Establish/Maintain Documentation
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Audits and Risk Management
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Establish/Maintain Documentation
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Establish/Maintain Documentation
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Establish/Maintain Documentation
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Establish/Maintain Documentation
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Establish/Maintain Documentation
    Include the cost of corrective action in the audit report. CC ID 17015 Audits and risk management Audits and Risk Management
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Establish/Maintain Documentation
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Establish/Maintain Documentation
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Establish/Maintain Documentation
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Establish/Maintain Documentation
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Establish/Maintain Documentation
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Audits and Risk Management
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Establish/Maintain Documentation
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Establish/Maintain Documentation
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Actionable Reports or Measurements
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Establish/Maintain Documentation
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Establish/Maintain Documentation
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Establish/Maintain Documentation
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Establish/Maintain Documentation
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Audits and Risk Management
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Establish/Maintain Documentation
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Audits and Risk Management
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Behavior
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Establish/Maintain Documentation
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Establish/Maintain Documentation
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Establish/Maintain Documentation
    Include the results of the business impact analysis in the audit report. CC ID 17208 Audits and risk management Establish/Maintain Documentation
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Establish/Maintain Documentation
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Establish/Maintain Documentation
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Establish/Maintain Documentation
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Establish/Maintain Documentation
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Establish/Maintain Documentation
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Establish/Maintain Documentation
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Establish/Maintain Documentation
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Establish/Maintain Documentation
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Establish/Maintain Documentation
    Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 Audits and risk management Establish/Maintain Documentation
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Establish/Maintain Documentation
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Establish/Maintain Documentation
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Establish/Maintain Documentation
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Actionable Reports or Measurements
    Include the written signature of the auditor's organization in the audit report. CC ID 13897
    [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.]
    Audits and risk management Establish/Maintain Documentation
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Establish/Maintain Documentation
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Human Resources Management
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Communicate
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Communicate
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Behavior
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Establish/Maintain Documentation
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Establish/Maintain Documentation
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Business Processes
    Accept the audit report. CC ID 07025 Audits and risk management Establish/Maintain Documentation
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Human Resources Management
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963
    [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1
    Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.]
    Audits and risk management Establish/Maintain Documentation
    Assess the quality of the audit program in regards to its documentation. CC ID 11622
    [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)
    Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)]
    Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Establish/Maintain Documentation
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Establish/Maintain Documentation
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Establish/Maintain Documentation
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Establish/Maintain Documentation
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Establish/Maintain Documentation
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Establish/Maintain Documentation
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Establish/Maintain Documentation
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Establish/Maintain Documentation
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Establish/Maintain Documentation
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Establish/Maintain Documentation
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Establish/Maintain Documentation
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Communicate
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a disclosure report. CC ID 15521
    [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.]
    Audits and risk management Establish/Maintain Documentation
    Include goals and targets in the disclosure report. CC ID 16339
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)]
    Audits and risk management Establish/Maintain Documentation
    Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 Audits and risk management Establish/Maintain Documentation
    Include a description of assurance processes in the disclosure report. CC ID 16031
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)]
    Audits and risk management Establish/Maintain Documentation
    Include how material topics are managed in the disclosure report. CC ID 15657 Audits and risk management Establish/Maintain Documentation
    Include disclosures for each material topic in the disclosure report. CC ID 15658 Audits and risk management Establish/Maintain Documentation
    Include a description of how the organization manages training and education in the disclosure report. CC ID 15875
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)]
    Audits and risk management Establish/Maintain Documentation
    Include a description of professional development programs in the disclosure report. CC ID 15880 Audits and risk management Establish/Maintain Documentation
    Include a description of professional development assistance in the disclosure report. CC ID 15879 Audits and risk management Establish/Maintain Documentation
    Include a description of transition assistance programs in the disclosure report. CC ID 15878 Audits and risk management Establish/Maintain Documentation
    Include the governance structure in the disclosure report. CC ID 15840
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)]
    Audits and risk management Establish/Maintain Documentation
    Include stakeholder representation in the disclosure report. CC ID 15847 Audits and risk management Establish/Maintain Documentation
    Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 Audits and risk management Establish/Maintain Documentation
    Include the ownership structure in the disclosure report. CC ID 15822
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)]
    Audits and risk management Establish/Maintain Documentation
    Include the shareholding structure in the disclosure report. CC ID 16093 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667
    [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.]
    Audits and risk management Communicate
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign board committees, as necessary. CC ID 14787 Human Resources management Human Resources Management
    Define and assign audit committees, as necessary. CC ID 14788
    [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1
    Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1]
    Human Resources management Human Resources Management
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796
    [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1]
    Human Resources management Human Resources Management
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Establish Roles
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Establish Roles
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Human Resources Management
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Communicate
    Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 Human Resources management Communicate
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Human Resources Management
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Human Resources Management
    Establish and maintain security clearances. CC ID 01634 Human Resources management Human Resources Management
    Train all personnel and third parties, as necessary. CC ID 00785
    [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.]
    Human Resources management Behavior
    Provide new hires limited network access to complete computer-based training. CC ID 17008 Human Resources management Training
    Establish, implement, and maintain an education methodology. CC ID 06671
    [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)]
    Human Resources management Business Processes
    Support certification programs as viable training programs. CC ID 13268
    [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.]
    Human Resources management Human Resources Management
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Establish/Maintain Documentation
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Establish/Maintain Documentation
    Submit applications for professional certification. CC ID 16192 Human Resources management Training
    Retrain all personnel, as necessary. CC ID 01362
    [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1]
    Human Resources management Behavior
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Behavior
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Behavior
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Behavior
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Behavior
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Human Resources Management
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Establish/Maintain Documentation
    Approve training plans, as necessary. CC ID 17193 Human Resources management Training
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Training
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Training
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Training
    Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 Human Resources management Training
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Training
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Establish/Maintain Documentation
    Include ethical culture in the security awareness program. CC ID 12801 Human Resources management Human Resources Management
    Include insider threats in the security awareness program. CC ID 16963 Human Resources management Training
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Training
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Human Resources Management
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Training
    Include risk management in the security awareness program. CC ID 13040 Human Resources management Training
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Behavior
    Conduct personal data processing training. CC ID 13757 Human Resources management Training
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Training
    Include cloud security in the security awareness program. CC ID 13039 Human Resources management Training
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 Human Resources management Training
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Communicate
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Establish/Maintain Documentation
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Establish/Maintain Documentation
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Establish/Maintain Documentation
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Establish/Maintain Documentation
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Training
    Document security awareness requirements. CC ID 12146 Human Resources management Establish/Maintain Documentation
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Establish/Maintain Documentation
    Include identity and access management in the security awareness program. CC ID 17013 Human Resources management Training
    Include the encryption process in the security awareness program. CC ID 17014 Human Resources management Training
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Establish/Maintain Documentation
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Training
    Include data management in the security awareness program. CC ID 17010 Human Resources management Training
    Include e-mail and electronic messaging in the security awareness program. CC ID 17012 Human Resources management Training
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Establish/Maintain Documentation
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Training
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Training
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Training
    Include social networking in the security awareness program. CC ID 17011 Human Resources management Training
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Training
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Establish/Maintain Documentation
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Establish/Maintain Documentation
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Establish/Maintain Documentation
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Establish/Maintain Documentation
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Establish/Maintain Documentation
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Human Resources Management
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Human Resources Management
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Establish/Maintain Documentation
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Human Resources Management
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Training
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Establish/Maintain Documentation
    Conduct tampering prevention training. CC ID 11875 Human Resources management Training
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Training
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Training
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Training
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Training
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Training
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Training
    Conduct crime prevention training. CC ID 06350 Human Resources management Behavior
    Establish, implement, and maintain a conflict of interest policy. CC ID 14785
    [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e)
    The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.]
    Human Resources management Establish/Maintain Documentation
    Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 Human Resources management Establish/Maintain Documentation
    Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 Human Resources management Monitor and Evaluate Occurrences
    Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194
    [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)]
    Human Resources management Communicate
    Include roles and responsibilities in the conflict of interest policy. CC ID 14790 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an ethics program. CC ID 11496
    [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1.
    The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)]
    Human Resources management Human Resources Management
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 Human Resources management Communicate
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 Human Resources management Behavior
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Investigate
    Establish, implement, and maintain an ethical culture. CC ID 12781 Human Resources management Behavior
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Monitor and Evaluate Occurrences
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Human Resources management Monitor and Evaluate Occurrences
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Business Processes
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Business Processes
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Communicate
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Establish/Maintain Documentation
    Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Behavior
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Behavior
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Behavior
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 Human Resources management Human Resources Management
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Human Resources Management
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Human Resources Management
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Establish Roles
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Behavior
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Behavior
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Behavior
    Establish, implement, and maintain a registration database. CC ID 15048
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.
    Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1
    Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.]
    Operational management Data and Information Management
    Implement access restrictions for information in the registration database. CC ID 17235 Operational management Data and Information Management
    Include registration numbers in the registration database. CC ID 17272
    [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)]
    Operational management Data and Information Management
    Include electronic signatures in the registration database. CC ID 17281
    [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1]
    Operational management Data and Information Management
    Include other registrations in the registration database. CC ID 17274
    [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)]
    Operational management Data and Information Management
    Include the owners and shareholders in the registration database. CC ID 17273
    [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)]
    Operational management Data and Information Management
    Include contact details in the registration database. CC ID 15109
    [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3.
    As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b)
    As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)
    As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c)
    As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c)
    As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d)
    As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g)
    As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)]
    Operational management Establish/Maintain Documentation
    Include personal data in the registration database, as necessary. CC ID 15108 Operational management Establish/Maintain Documentation
    Publish the registration information in the registration database in an official language. CC ID 17280
    [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1.
    Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1]
    Operational management Data and Information Management
    Make the registration database available to the public. CC ID 15107
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.]
    Operational management Communicate
    Maintain non-public information in a protected area in the registration database. CC ID 17237 Operational management Data and Information Management
    Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 Operational management Business Processes
    Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 Operational management Data and Information Management
    Update registration information upon changes. CC ID 17275
    [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1]
    Operational management Data and Information Management
    Maintain the accuracy of registry information published in registration databases. CC ID 16402 Operational management Data and Information Management
    Maintain ease of use for information in the registration database. CC ID 17239
    [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.]
    Operational management Data and Information Management
    Include all required information in the registration database. CC ID 15106
    [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c)
    As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e)
    {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2.
    {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2.
    As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b)
    {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.]
    Operational management Data and Information Management
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Establish/Maintain Documentation
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Establish Roles
    Notify the supervisory authority. CC ID 00472
    [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.
    Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.]
    Privacy protection for information and data Behavior
    Establish, implement, and maintain approval applications. CC ID 16778
    [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Business Processes
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Communicate
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Establish/Maintain Documentation
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Business Processes
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Process or Activity
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606
    [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1]
    Privacy protection for information and data Process or Activity
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Communicate
    Respond to questions about submissions in a timely manner. CC ID 16930 Privacy protection for information and data Communicate
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data access procedures. CC ID 00414
    [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)]
    Privacy protection for information and data Establish/Maintain Documentation
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Process or Activity
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Data and Information Management
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Data and Information Management
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Data and Information Management
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Data and Information Management
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Data and Information Management
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Establish/Maintain Documentation
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Business Processes
    Respond to data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Behavior
    Respond to data access requests in an official language. CC ID 17176 Privacy protection for information and data Communicate
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Data and Information Management
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Data and Information Management
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Business Processes
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Process or Activity
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Establish/Maintain Documentation
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Data and Information Management
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Establish/Maintain Documentation
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Records Management
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Establish/Maintain Documentation
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Establish/Maintain Documentation
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain data disclosure procedures. CC ID 00133
    [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.]
    Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 Privacy protection for information and data Communicate
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Data and Information Management
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Data and Information Management
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Communicate
    Establish, implement, and maintain data request denial procedures. CC ID 00434
    [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2
    The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1]
    Privacy protection for information and data Establish/Maintain Documentation
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Data and Information Management
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Data and Information Management
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Data and Information Management
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441
    [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)]
    Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Process or Activity
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600
    [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)]
    Privacy protection for information and data Data and Information Management
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444
    [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)]
    Privacy protection for information and data Data and Information Management
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Data and Information Management
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Data and Information Management
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Data and Information Management
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Data and Information Management
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Privacy protection for information and data Data and Information Management
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Communicate
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Data and Information Management
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Process or Activity
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Data and Information Management
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Data and Information Management
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Communicate
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Data and Information Management
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Communicate
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Data and Information Management
    Provide data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Data and Information Management
    Provide records or data in a reasonable manner. CC ID 00431 Privacy protection for information and data Data and Information Management
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Data and Information Management
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Data and Information Management
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Data and Information Management
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Data and Information Management
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361
    [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360
    [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1.
    Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1
    The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)]
    Privacy protection for information and data Data and Information Management
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Configuration
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Configuration
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Configuration
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Technical Security
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Data and Information Management
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Log Management
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Log Management
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Technical Security
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Data and Information Management
    Notify the public and other agencies after a penalty becomes final. CC ID 06217
    [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.]
    Privacy protection for information and data Behavior
    Structure the language of compliance documents. CC ID 06098 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Standardize word usage. CC ID 06104 Harmonization Methods and Manual of Style Establish/Maintain Documentation
    Write policies and instructions using clear and conspicuous language. CC ID 16286
    [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.]
    Harmonization Methods and Manual of Style Establish/Maintain Documentation